Ransomware Report - 04/26/2026
Statistical Overview
Victim Totals
- This month: 613
- This quarter: 613
- Year to date: 3234
- Last 24h: 7
Quarterly Breakdown
| Q1: 2622 | Q2: 613 | Q3: 0 | Q4: 0 |
|---|
Q2 ransomware activity shows a consistent pace. The 613 reported victims for the quarter reflect a steady, though slower, rate compared to Q1's peak. Current trends show ongoing activity across various sectors.
Introduction
PurpleOps observed 7 new ransomware victims in the past 24 hours, showing moderate activity in the threat environment. M3RXDLS was the most active group, with 5 new victims. Brain Cipher and Medusa each accounted for one. Targeting spanned diverse sectors, from Media & Entertainment to Healthcare Services, and multiple geographies, including the United States, United Kingdom, and Switzerland. For a broader perspective on recent trends, refer to our Ransomware Threat Activity Update - April 25.
Ransomware Summary Table
| # | Group | Victims (24h) | Sample Victims | Geos | Sectors |
|---|---|---|---|---|---|
| 1 | M3RXDLS | 5 | Airdriephysio.com, Anvilarts.org.uk, Dmschweiz.ch (+2) | Switzerland, Australia | Media & Entertainment, Technology / Software |
| 2 | Brain Cipher | 1 | Bridgeway-consulting.co.uk | United Kingdom | Construction & Engineering |
| 3 | Medusa | 1 | Walman optical | United States | Healthcare |
M3RXDLS was the most active group in the last 24 hours, posting the majority of new victims and affecting organizations across Switzerland and Australia. Brain Cipher's only observed activity involved the United Kingdom's construction sector. Medusa continued its opportunistic targeting with one reported breach in the US healthcare sector. The ongoing activity of groups like Medusa shows persistent threats, as detailed in our Ransomware Intelligence Report - March 18.
Victim Distribution
By Country
- United Kingdom: 2
- United States: 2
- Australia: 1
- Canada: 1
- Switzerland: 1
By Industry
- Property Investment and Management Consultancy: 1
- Healthcare Services: 1
- Information Technology and Services: 1
- Civil Engineering and Rail Infrastructure: 1
- Performing Arts: 1
- Automotive Services: 1
- Medical Device: 1
The victim distribution over the last 24 hours shows no single concentrated geographical or industry-specific campaign. Instead, activity suggests a distributed, opportunistic targeting approach across various countries and diverse sectors. These include Healthcare Services, a sector frequently attacked, as seen in incidents like the Qilin ransomware attack on NHS.
Ransomware News
Topline - No significant ransomware-related news or public disclosures were observed within the past 24 hours, showing a period of low public reporting on new campaigns or vulnerabilities.
Campaigns & Operations - No specific new ransomware campaigns, actor activities, or reported incidents became public during this reporting period. The lack of public reporting does not preclude ongoing covert operations.
Vulnerabilities & TTPs - There were no new CVEs or notable changes in Tactics, Techniques, and Procedures (TTPs) publicly reported as being actively exploited by ransomware operators in the last 24 hours.
Analyst Note - The absence of public news may indicate a quiet reporting cycle rather than a complete halt in activity, as ransomware operations often maintain a covert posture.
Technical Takeaways
- M3RXDLS was the most active ransomware group in the past 24 hours, responsible for 71% of newly reported victims.
- M3RXDLS targeting showed geographical diversity, affecting organizations in Switzerland and Australia.
- The Healthcare sector, including Medical Device and Healthcare Services, remains a target, with Medusa claiming a victim in the United States.
- Observed activity indicates a broad and opportunistic targeting strategy rather than a focused campaign on specific critical infrastructure or government entities.
