LockBit Claims 5 Victims in 24h Ransomware Leaks

Statistical Overview

Victim Totals

  • This month: 316
  • This quarter: 1861
  • Year to date: 4485
  • Last 24h: 13

Quarterly Breakdown

Q1: 2631 | Q2: 1861 | Q3: 0 | Q4: 0

Ransomware activity in Q2, while substantial at 1861 victims, was lower than Q1's 2631 victims. The last 24-hour period recorded 13 new victims across diverse sectors and geographies.

Introduction

Recent ransomware activity included 13 new victims, with LockBit affiliates as the most active group, responsible for five incidents. NightSpire had three new victims, while several other groups each claimed one. Targeted sectors were diverse, affecting manufacturing, government, healthcare, and technology entities in multiple global regions. The United States experienced the highest concentration of attacks.

Ransomware Summary Table

# | Group | Victims (24h) | Sample Victims | Geos | Sectors
1 | LockBit | 5 | ag-360.ca, amc.co.th, casaandina.com.co (+2) | Thailand, Colombia | Manufacturing, Construction & Engineering
2 | NightSpire | 3 | Blue nile medical center, Silsbee police department, Waxworks inc | United States | Government / Public Sector, Healthcare
3 | DragonForce | 1 | Ink | United Kingdom | Professional Services
4 | Nova (RALord) | 1 | Bandung | Indonesia | Government / Public Sector
5 | SLSH | 1 | Coe.int | France | Government / Public Sector
6 | Securotop | 1 | Charisma media | United States | Media & Entertainment
7 | Shadowbyt3s | 1 | Tinypulse nintendo (nintendo.com) nintendo_file_tree.txt | United States | Technology / Software

LockBit had five reported victims, targeting manufacturing and construction & engineering firms primarily in Thailand and Colombia. NightSpire had three victims, affecting U.S. government/public sector and healthcare entities, including the Silsbee Police Department and Blue Nile Medical Center. Other groups such as DragonForce, Nova (RALord), SLSH, Securotop, and Shadowbyt3s each had one victim. This suggests fragmented and opportunistic targeting across industries and geographies. SLSH, for example, impacted an international organization (Coe.int), and Shadowbyt3s listed Nintendo.com.

Victim Distribution

By Country

  • United States: 5
  • Canada: 1
  • Colombia: 1
  • Finland: 1
  • France: 1
  • Germany: 1
  • Indonesia: 1
  • Thailand: 1
  • United Kingdom: 1

By Industry

  • Real Estate: 1
  • Hardware and Construction Materials: 1
  • Machinery Manufacturing: 1
  • International Organization: 1
  • Construction: 1
  • Regulatory Body: 1
  • Industrial Equipment Maintenance: 1
  • Design: 1
  • Healthcare: 1
  • Law Enforcement: 1

The United States remains the primary target country, with five of the 13 recorded incidents. Industry targeting is diverse, with no single dominant sector, suggesting opportunistic targeting and broad attack vectors; affected organizations include critical functions such as law enforcement and healthcare. This diversity underlines the value of monitoring ransomware trends that target critical infrastructure.

Ransomware News

Topline

No significant new ransomware developments or campaign shifts were observed within the recent collection period.

Campaigns & Operations

No new campaigns, shifts in operator tactics, or significant incidents involving named threat actors were identified.

Vulnerabilities & TTPs

There were no reports of newly exploited vulnerabilities or changes in adversary tradecraft this period.

Analyst Note

Current activity remains consistent with previously observed patterns, without immediate indications of emerging threats.

Technical Takeaways

  • LockBit remains the most active ransomware group in this period, with five new victims across diverse sectors.
  • The United States is the most frequently targeted country, accounting for five out of 13 recorded incidents.
  • Ransomware targeting shows high industry diversity, affecting sectors from Manufacturing and Construction to Government, Healthcare, and Technology.
  • NightSpire targeted critical sectors, including Government/Public Sector and Healthcare, in the United States.
  • The overall ransomware activity for the current quarter, though substantial, was lower than the previous quarter.

LockBit Targeting Patterns and Sector Impact

LockBit affiliates continue to demonstrate sophisticated target selection across multiple industries. In this 24-hour window, their five victims spanned manufacturing and construction sectors across Thailand and Colombia, reflecting deliberate geographic diversification.

  • Manufacturing remains a top target due to operational disruption leverage
  • Construction & Engineering firms often lack mature incident response capabilities
  • Affiliates exploit exposed RDP endpoints and unpatched VPN appliances
  • Double extortion tactics pressure victims through data leak threats

Organizations in these sectors should prioritize ransomware readiness assessments and offline backup validation to reduce exposure to affiliate-driven campaigns.

Geographic Concentration of Ransomware Attacks

The United States recorded the highest attack concentration in this reporting period, consistent with long-term trends. NightSpire's three US-based victims included a medical center and a police department, highlighting critical infrastructure targeting.

  • Indonesia and Thailand reflect growing Asia-Pacific exposure
  • United Kingdom faced DragonForce activity in professional services
  • Colombia continues to appear in Latin American targeting patterns

Regional variance suggests affiliates operate across time zones to maximize disruption windows. Global defenders should monitor threat intelligence feeds for emerging geographic clusters and coordinate with sector-specific ISACs for timely indicator sharing.

Defending Against Multi-Group Ransomware Campaigns

When multiple ransomware groups are simultaneously active, defenders face compounded detection and response challenges. This 24-hour period involved at least five distinct threat actors, each employing varied tactics.

  • Implement network segmentation to contain lateral movement
  • Deploy endpoint detection and response (EDR) with behavioral analysis
  • Enforce multi-factor authentication on all remote access points
  • Conduct tabletop exercises simulating concurrent ransomware incidents
  • Maintain tested, immutable backups stored offline or in air-gapped environments

Proactive threat hunting and cross-team coordination remain essential as ransomware-as-a-service ecosystems lower the barrier for new affiliates to launch high-impact attacks.