Ransomware Report - 04/29/2026
Statistical Overview
Victim Totals
- This month: 718
- This quarter: 718
- Year to date: 3337
- Last 24h: 23
Quarterly Breakdown
Q1: 2622 | Q2: 718 | Q3: 0 | Q4: 0
Ransomware activity continues into Q2, with 718 victims recorded this quarter after 2622 in Q1. This shows organizations globally face ongoing attacks.
Introduction
In the past 24 hours, 23 new ransomware victims appeared on leak sites. Aur0ra and Qilin were the most active groups, each claiming six targets. Other groups included INC Ransom, M3RXDLS, and Blackwater. The United States remained the primary geographic target, and sectors such as Transportation & Logistics, Education, and Government saw activity.
Ransomware Summary Table
| # | Group | Victims (24h) | Sample Victims | Geos | Sectors |
|---|---|---|---|---|---|
| 1 | Aur0ra | 6 | Advanta genetics llc, Atlas metal industries inc, Baresque group (+3) | United States, Australia | Transportation & Logistics, Legal |
| 2 | Qilin | 6 | Basch & keegan, Construction sciences, Eduporium (+3) | United Kingdom, United States | Education, Construction & Engineering |
| 3 | INC Ransom | 2 | nbd3pl.com | United States | Transportation & Logistics, Real Estate |
| 4 | M3RXDLS | 2 | Boxtopia.co.uk, Osoftec.com | India, United Kingdom | Technology / Software, Manufacturing |
| 5 | Blackwater | 1 | Shenzhen gongjin electronics | China | Telecommunications |
| 6 | Chaos | 1 | Cadencepetroleum.com | United States | Energy & Utilities |
| 7 | Everest | 1 | Indonesia's customs analytics platform | Indonesia | Government / Public Sector |
| 8 | Insomnia | 1 | Nephrology associates | United States | Healthcare |
| 9 | Interlock | 1 | Winona county | United States | Government / Public Sector |
| 10 | SecP0 | 1 | Color communications llc | United States | Professional Services |
| 11 | World Leaks | 1 | Mediaworks kft | Hungary | Media & Entertainment |
Aur0ra and Qilin were most active today, each claiming six victims across various sectors and regions. Aur0ra focused on Transportation & Logistics and Legal firms in the United States and Australia. Qilin affected Education and Construction & Engineering in the United Kingdom and United States. Everest targeted Indonesia's customs analytics platform, showing ongoing attacks on public-sector infrastructure. For more on Qilin's recent activities, see our ransomware threat activity update.
Victim Distribution
By Country
- United States: 13
- Australia: 2
- United Kingdom: 2
- Taiwan: 1
- Maldives: 1
- Indonesia: 1
- India: 1
- Hungary: 1
- China: 1
By Industry
- Information Technology and Services: 2
- Clinical Toxicology and Molecular Diagnostics: 1
- Warehousing: 1
- Third-Party Logistics (3PL): 1
- Property Management: 1
- Oil and Gas: 1
- Legal Services: 1
- Law Firms & Legal Services: 1
- Healthcare: 1
- Government: 1
The United States was hit hardest by ransomware attacks today, accounting for over half of all new victims and showing continued targeting of North American entities. Many industries were affected, but no single sector dominated beyond IT and Legal services.
Ransomware News
Topline
Today's ransomware intelligence showed new groups appearing, critical vulnerabilities exploited, operational details of existing threats, and internal conflicts within the ransomware environment.
Campaigns & Operations
The new Vect ransomware-as-a-service (RaaS) operation uses a mature affiliate network, providing a Builder for custom encryptors across Windows, Linux, and ESXi, and is linked to TeamPCP. Meanwhile, Gelatissimo, Australia's largest gelato retailer, confirmed unauthorized network access after claims from the DragonForce ransomware group, which says it stole 352.24 GB of data. The M3RX ransomware group has also appeared, and ShinyHunters claimed a data leak from a US interactive media company. A feud between ransomware groups 0APT and KryBit led to both leaking each other's operational data, including admin panels and access logs, offering insight into their infrastructure. Specific incidents included a ransomware attack on Pricon Microelectronics, Inc. (Philippines) affecting servers on April 22, 2026, and a confirmed encryption event at Mam Create Co., Ltd. (Japan) on April 7, 2024. For more information on M3RXDLS, review our threat activity report from April.
Vulnerabilities & TTPs
CISA added two actively exploited flaws to its Known Exploited Vulnerabilities catalog: CVE-2024-1708, a high-severity path traversal in ConnectWise ScreenConnect enabling remote code execution, and CVE-2026-32202, a Windows Shell protection mechanism failure that could allow network spoofing. Exploitation of CVE-2024-1708/1709 has been linked to Medusa ransomware campaigns. Separately, Check Point's analysis revealed that Vect 2.0 ransomware, despite its intent, acts as a data wiper for large files due to a design error, making three-quarters of encrypted data unrecoverable across Windows, Linux, and VMware ESXi environments.
Analyst Note
This activity shows the changing nature of ransomware, with RaaS offerings becoming more professional, critical vulnerabilities quickly exploited, and unexpected tactical information emerging from inter-group conflicts.
Technical Takeaways
- Dominant Groups: Aur0ra and Qilin accounted for over 50% of new ransomware victims in the last 24 hours, showing their high activity level.
- Government Targeting: Everest specifically targeted Indonesia's customs analytics platform, showing continued attacks on public sector and critical government infrastructure.
- Wiper Functionality: Vect 2.0 ransomware has been identified as acting as an accidental wiper for large files due to a design flaw, making most encrypted data unrecoverable.
- Key Vulnerability Exploitation: CISA added CVE-2024-1708 (ConnectWise ScreenConnect) and CVE-2026-32202 (Windows Shell) to its KEV catalog. CVE-2024-1708 is noted for active exploitation in Medusa ransomware campaigns.
- Internal Group Dynamics: The public feud between 0APT and KryBit, involving data leaks of each other's infrastructure, offers insights into ransomware operational practices and affiliate models.