Daily Ransomware Report - 04/04/2026
Statistical Overview
Victim Totals
- This month: 116
- This quarter: 116
- Year to date: 2738
- Last 24h: 24
Quarterly Breakdown
| Q1: 2622 | Q2: 116 | Q3: 0 | Q4: 0 |
|---|
Ransomware activity remains consistent, with 116 victims recorded in Q2 so far. The year-to-date total exceeds 2700. In the past 24 hours, 24 new victim disclosures show daily activity across various threat groups.
Introduction
In the last 24 hours, 24 new ransomware victims appeared across various sectors and geographies. LockBit was the most active group, with nine new compromises, followed by DragonForce and INC_Ransom. Targeting focused on entities in the United States, Italy, and France, with activity in the construction and manufacturing sectors.
Ransomware Summary Table
| # | Group | Victims (24h) | Sample Victims | Geos | Sectors |
|---|---|---|---|---|---|
| 1 | LockBit | 9 | aplast.ro, defcon5italy.com, meyzietp.com (+6) | Italy, Portugal | Government / Public Sector, Pharmaceuticals & Biotech |
| 2 | DragonForce | 5 | Aug pharma, G plants, Kopran (+2) | India, Vietnam | Manufacturing, Professional Services |
| 3 | INC Ransom | 4 | BERGE-BAU GmbH & Co. KG, Community Connections, Infonet Media d.o.o. (+1) | Slovenia, United States | Legal, Healthcare |
| 4 | Anubis | 1 | Shine aviation | Australia | Transportation & Logistics |
| 5 | BQTLock | 1 | Metro hospital usa | United States | Healthcare |
| 6 | Krybit | 1 | Lkc.ac.bw | Botswana | Education |
| 7 | NightSpire | 1 | Advanced vehicle assemblies | United States | Automotive |
| 8 | Nova (RALord) | 1 | Emco electric international | United States | Manufacturing |
| 9 | The Gentelman | 1 | Jrk.com | United States | Real Estate |
LockBit remains highly active, accounting for over a third of new victims today. Their targeting in Italy and Portugal impacted government/public sector and pharmaceuticals. DragonForce operated significantly in Asia, affecting manufacturing and professional services in India and Vietnam. INC Ransom focused on the United States and Slovenia, with legal and healthcare entities among their targets. Several groups, including Anubis and BQTLock, posted single victims, showing active threats beyond top operators. No critical infrastructure or governmental high-value targets appeared among newly listed victims.
Victim Distribution
By Country
- United States: 6
- Italy: 3
- France: 2
- Australia: 2
- Portugal: 1
- Vietnam: 1
- United Kingdom: 1
- Thailand: 1
- Slovenia: 1
- Romania: 1
By Industry
- Construction: 3
- Manufacturing: 2
- Pharmaceutical Manufacturing: 2
- Glass Manufacturing: 1
- Real Estate: 1
- Legal Services: 1
- Healthcare: 1
- Electrical/Electronic Manufacturing: 1
- Behavioral Health Services: 1
- Automotive Manufacturing: 1
The United States consistently records the most ransomware incidents. Europe also saw significant activity, particularly Italy and France. In industry, the construction sector had the most new victims, followed by manufacturing and pharmaceutical manufacturing. This suggests broad, opportunistic targeting rather than a narrow sectoral focus.
Ransomware News
Topline
The TeamPCP hacking group has been attributed to a major data breach affecting the European Commission. This shows ongoing threats to governmental and international entities.
Campaigns & Operations
CERT-EU identified the TeamPCP hacking group as responsible for a data breach impacting the European Commission. Attackers exfiltrated approximately 92 GB of compressed data from 42 internal clients and 29 EU entities. The incident, detected on March 24, involved the compromise of an AWS API key tied to the Europa.eu platform, with the stolen data appearing on the ShinyHunters dark web on March 28. TeamPCP is also known for its involvement in the LiteLLM attack on Mercor and for various worm-driven ransomware, data exfiltration, and cryptomining campaigns.
Vulnerabilities & TTPs
Initial access was gained through a compromised AWS API key, likely facilitated by a Trivy supply-chain compromise. Attackers obtained management rights on the AWS key, although no lateral movement to other EC2/AWS accounts has been detected following the breach.
Analyst Note
This incident shows the importance of strong supply-chain security and API key management to protect high-value targets from advanced threat actors.
Technical Takeaways
- LockBit continues as the most active ransomware group, consistently posting new victims across various sectors.
- The United States is the primary geographical target. European nations like Italy and France also experience significant ransomware activity.
- Construction and manufacturing sectors are regularly impacted, which suggests broad targeting across commercial enterprises.
- New groups with single victim disclosures, such as Anubis and BQTLock, appear, showing an active and accessible ransomware-as-a-service market.
- Attackers continue to use compromised credentials and supply-chain vulnerabilities, as shown by the TeamPCP breach, to gain initial access to high-value targets.
