Daily Ransomware Report - 04/07/2026
Statistical Overview
Victim Totals
- This month: 148
- This quarter: 148
- Year to date: 2770
- Last 24h: 21
Quarterly Breakdown Q1: 2622 | Q2: 148 | Q3: 0 | Q4: 0 Ransomware activity in Q2 started with 148 victims recorded in the first week, including 21 new incidents in the last 24 hours.
Introduction
Ransomware groups posted 21 new victims on various leak sites in the past 24 hours. Akira, Brain Cipher, and Qilin were the most active, each claiming three new victims. These groups primarily targeted the Manufacturing, Technology/Software, and Professional Services sectors, with the United States remaining the most frequently impacted nation.
Ransomware Summary Table
| # | Group | Victims (24h) | Sample Victims | Geos | Sectors |
|---|---|---|---|---|---|
| 1 | Akira | 3 | Akm consulting engineers, Aqua-serv© engineers, Gauthier connectique | United States, France | Energy & Utilities, Manufacturing |
| 2 | Brain Cipher | 3 | Endeavourautomotive.co.uk, Eworldme.com, Soundinsurance.ca | Canada, United Arab Emirates | Technology / Software, Insurance |
| 3 | Qilin | 3 | Muller technology, Operinter, Pacific building solutions (pbs) | Spain, Fiji | Manufacturing, Construction & Engineering |
| 4 | Audit | 2 | Joycity, Kawasaki motors philippines corporation | Philippines, South Korea | Media & Entertainment, Automotive |
| 5 | Play News | 2 | Crystal point, Morphosis | United States | Technology / Software, Professional Services |
| 6 | Anubis | 1 | Tesla systems | None | Technology / Software |
| 7 | Bravox | 1 | Aculab ?? | United Kingdom | Telecommunications |
| 8 | Krybit | 1 | Ccckeito.edu.hk | Hong Kong | Education |
| 9 | Linkc | 1 | Sajet products | United States | Manufacturing |
| 10 | Nova (RALord) | 1 | International business solution de méxico | Mexico | Professional Services |
| 11 | SafePay | 1 | Academyhealth.org | United States | Healthcare |
| 12 | Space Bears | 1 | Brooklands of mornington | Australia | Hospitality & Travel |
Today's summary table shows Akira, Brain Cipher, and Qilin are the most active ransomware groups. They show a diversified targeting approach across manufacturing, technology, and professional services. Victim organizations are distributed globally, with concentration in North America and Western Europe. Qilin also claimed responsibility for an attack on Germany's political party Die Linke, indicating public-sector institutions are also targeted.
Victim Distribution
By Country
- United States: 7
- United Kingdom: 2
- Switzerland: 1
- United Arab Emirates: 1
- Australia: 1
- Spain: 1
- South Korea: 1
- Philippines: 1
- None: 1
- Mexico: 1
By Industry
- Aerospace Manufacturing: 2
- Industrial Machinery & Equipment: 1
- Industrial Water Treatment: 1
- Health Services Research and Policy: 1
- Golf Course: 1
- Computer Software: 1
- Civil Engineering: 1
- Architecture and Design: 1
- Telecommunications: 1
- Retail Motor Vehicles: 1 The United States remains the primary target for ransomware attacks, accounting for the highest victim count today. Affected industries are widely distributed, showing an opportunistic approach instead of a narrow sectoral focus.
Ransomware News
Topline
- Recent intelligence shows advanced EDR evasion techniques, rapid zero-day exploitation by a Medusa affiliate, and German authorities identifying historical ransomware group leaders.
Campaigns & Operations Microsoft linked Storm-1175, a China-based Medusa ransomware affiliate, to fast campaigns using both N-day and zero-day exploits within days of disclosure. These campaigns targeted healthcare, education, professional services, and finance across Australia, the United Kingdom, and the United States. At the same time, Qilin claimed responsibility for a cyberattack on Germany's political party Die Linke, framing the incident as hybrid warfare. German Federal Police identified Daniil Maksimovich Shchukin and Anatoly Sergeevitsch Kravchuk as the leaders of the past GandCrab and REvil ransomware operations.
Vulnerabilities & TTPs
Storm-1175's campaigns use multi-exploit chains, including weaponizing GoAnywhere MFT CVE-2025-10035 and SmarterTools SmarterMail CVE-2026-23760. Both Qilin and Warlock ransomware operators are using bring-your-own-vulnerable-driver (BYOVD) techniques. Qilin uses DLL side-loading to deploy a malicious DLL (msimg32.dll) that uses rwdrv.sys and hlpdrv.sys to disable over 300 EDR solutions.
Analyst Note
- The observed sophisticated evasion techniques and zero-day exploitation by active groups, along with continued efforts to identify historical ransomware operators, demonstrate the adaptive and persistent ransomware threat environment.
Technical Takeaways
- Zero-Day Exploitation: The Medusa ransomware affiliate, Storm-1175, has demonstrated rapid exploitation of zero-day vulnerabilities, specifically CVE-2025-10035 and CVE-2026-23760, for initial access and persistence.
- EDR Bypass Techniques: Qilin and Warlock ransomware groups are using advanced Bring-Your-Own-Vulnerable-Driver (BYOVD) tactics, using legitimate drivers to disable over 300 EDR solutions.
- Geopolitical Targeting: Qilin's attack on Germany's Die Linke political party shows continued targeting of public sector entities. This may indicate operations with geopolitical motives.
- Persistent US Focus: The United States continues to experience the highest volume of reported ransomware victimizations, indicating a consistent targeting priority.
- Broad Sectoral Reach: Today's ransomware incidents span a diverse range of industries, including Aerospace Manufacturing, Energy & Utilities, and Technology/Software. These incidents show wide-ranging opportunistic or capability-driven targeting.
FAQ
Q: Which ransomware groups were most active today?
A: Akira, Brain Cipher, and Qilin were the most active, each posting three new victims in the last 24 hours. These groups were followed by Audit and Play News, each with two reported victims.
Q: What industries were predominantly targeted?
A: Targeted industries include Manufacturing, Technology/Software, and Professional Services. Other sectors affected were Energy & Utilities, Insurance, Media & Entertainment, and Automotive.
Q: What regions saw the most ransomware attacks today?
A: The United States recorded the highest number of new victims, with seven reported. Other affected regions included the United Kingdom, United Arab Emirates, Canada, Spain, and Australia.
Q: Were any notable victims or critical sectors affected today?
A: Qilin claimed responsibility for an attack on Germany's Die Linke political party, representing a public sector institution.
Q: Are there any new vulnerabilities being exploited by ransomware operators?
A: Microsoft identified the Medusa ransomware affiliate Storm-1175 exploiting zero-day vulnerabilities, specifically GoAnywhere MFT CVE-2025-10035 and SmarterTools SmarterMail CVE-2026-23760, as part of their campaigns.
