Ransomware Report - 05/04/2026
Statistical Overview
Victim Totals
- This month: 67
- This quarter: 824
- Year to date: 3442
- Last 24h: 7
Quarterly Breakdown
Q1: 2622 | Q2: 824 | Q3: 0 | Q4: 0
Seven victims in 24 hours is in line with the recent run rate. The Q2 total is lower than Q1 only because the quarter is still in progress (Q3 and Q4 are zero for the same reason); the tempo itself shows steady ransomware pressure across diverse sectors.
Introduction
In the last 24 hours, seven new ransomware victims have been observed, continuing a consistent operational tempo for threat actors. Lamashtu claimed two of them; DragonForce, INC Ransom, Interlock, Qilin, and Space Bears claimed one each. The affected sectors included Hospitality & Travel, Financial Services, Pharmaceuticals & Biotech, Transportation & Logistics, Professional Services, and Government / Public Sector.
Ransomware Summary Table
| # | Group | Victims (24h) | Sample Victims | Geos | Sectors |
|---|---|---|---|---|---|
| 1 | Lamashtu | 2 | lunagroupeg.com, royalmhotels.com | Egypt, United Arab Emirates | Hospitality & Travel, Pharmaceuticals & Biotech |
| 2 | DragonForce | 1 | Cult Wines | United Kingdom | Financial Services |
| 3 | INC Ransom | 1 | | The Bahamas | Professional Services |
| 4 | Interlock | 1 | Lonestar Truck Group & Tag Truck Center | United States | Transportation & Logistics |
| 5 | Qilin | 1 | City of Sandstone | United States | Government / Public Sector |
| 6 | Space Bears | 1 | Johnson & Johnson Innovative Medicine | United States | Pharmaceuticals & Biotech |
The past 24 hours show Lamashtu leading with two new victims, one in Egypt and one in the UAE, in the Hospitality & Travel and Pharmaceuticals & Biotech sectors. DragonForce, INC Ransom, Interlock, Qilin, and Space Bears each claimed one victim. Qilin's listing of the City of Sandstone in the United States continues its targeting of the government/public sector, a high-value category because of the critical services it runs and the sensitive resident data it holds; this matches the pattern described in our earlier ransomware threat activity updates.
Victim Distribution
By Country
- United States: 3
- Egypt: 1
- The Bahamas: 1
- United Arab Emirates: 1
- United Kingdom: 1
By Industry
- Pharmaceuticals and Cosmetics: 1
- Construction and Technology: 1
- Hospitality: 1
- Financial Services: 1
- Government: 1
- Pharmaceuticals: 1
- Transportation/Trucking/Railroad: 1
Three of the seven victims are in the United States; the remaining four are spread across Egypt, the United Arab Emirates, the United Kingdom, and The Bahamas. No single industry accounts for more than one victim in this window, which is consistent with opportunistic targeting across whatever organizations are reachable rather than a campaign concentrated on one sector.
Ransomware News
The threat environment is dynamic, marked by new ransomware operations and the exploitation of critical vulnerabilities. This week saw World Leaks, the data-theft-focused rebrand of Hunters International, claim a breach of Hungarian media firm Mediaworks and publish approximately 8.5 terabytes of stolen files, a leak with potential geopolitical implications. Separately, the Kairos ransomware gang exfiltrated 574 GB of sensitive data, including customer PII and passport details, from Australian fine jewellery retailer Gregory Jewellers. The VECT 2.0 Ransomware-as-a-Service operation has been identified as a data wiper targeting Windows, Linux, and ESXi environments: flaws in its encryption implementation leave files unrecoverable even if the ransom is paid, so offline or immutable backups are the only realistic recovery path for its victims. Insider threats remain a concern: a 2020 plot against Tesla's network, in which an employee was offered $1 million to plant malware, was thwarted because the employee reported the approach promptly and the company worked with the FBI.
Technical developments include the rapid weaponization of a critical cPanel/WHM vulnerability, CVE-2026-41940, which allows authentication bypass and remote control of the server. Threat actors used public proof-of-concept code to exploit the flaw against government and military domains in Southeast Asia as well as MSPs and hosting providers, deploying Mirai botnet variants and the Sorry ransomware. The Linux privilege escalation vulnerability CVE-2026-31431 (Copy Fail) and a GitHub remote code execution flaw, CVE-2026-3854, have also emerged as significant exposures. AI-assisted phishing campaigns, exemplified by kits such as Bluekit, continue to improve the quality and scale of social engineering, while TeamPCP-led supply-chain compromises are distributing malware through developer tools.
Taken together, these incidents show that current ransomware operations rely on a persistent blend of social engineering, exploitation of newly disclosed vulnerabilities, and targeted data exfiltration. Defending against them requires timely threat intelligence and proactive patching and monitoring, a theme we return to regularly in our new ransomware victims reports.
Technical Takeaways
- Data-Wiping Ransomware: VECT 2.0 illustrates a dangerous trend of ransomware variants that destroy data irrecoverably, so paying the ransom buys nothing. Recovery planning should assume decryption will not be available and rely on tested, offline or immutable backups.
- Rapid Weaponization of Critical Vulnerabilities: The cPanel/WHM vulnerability (CVE-2026-41940) was exploited by multiple actors, including the Sorry ransomware operation, against government entities and MSPs within 24 hours of disclosure. Public availability of a proof of concept, not the first ransomware claim, should be the trigger for emergency patching of internet-facing management interfaces.
- Persistent Targeting of Government and Critical Sectors: Groups like Qilin continue to target public sector institutions, as seen with the City of Sandstone incident. Broader exploitation campaigns also target government and military domains in Southeast Asia. For more context on such targeting, refer to our previous analysis on Qilin ransomware and cPanel exploitation.
- Initial Access Tactics: AI-assisted phishing campaigns and supply-chain compromises delivered through developer tools by actors like TeamPCP show a shift towards more convincing and more scalable initial access vectors, which reduces the value of user awareness alone as a control.
- Insider Threat: The thwarted Tesla plot demonstrates the persistent risk of insider recruitment. Clear, low-friction reporting channels for employees who are approached, and a willingness to involve law enforcement early, are what turned that attempt into a prosecution rather than an incident.