Ransomware Report - 04/20/2026

Statistical Overview

Victim Totals

  • This month: 488
  • This quarter: 488
  • Year to date: 3109
  • Last 24h: 17

Quarterly Breakdown

Q1: 2622 | Q2: 488 | Q3: 0 | Q4: 0

Ransomware activity in Q2 currently stands at 488 victims. The 17 new victims identified in the last 24 hours indicate ongoing opportunistic and targeted operations by various groups.

Introduction

The past 24 hours recorded 17 new ransomware victims. Everest and Qilin were the most active groups, responsible for six and four incidents, respectively. Financial services, healthcare, and legal sectors were impacted across key geographies, particularly the United States and France. This activity shows the persistent and diversified targeting strategies ransomware operators use.

Ransomware Summary Table

# | Group | Victims (24h) | Sample Victims | Geos | Sectors
--- | --- | --- | --- | --- | ---
1 | Everest | 6 | Citizens bank, Complete aircraft group, Frost bank (+3) | Spain, United States | Financial Services, Transportation & Logistics
2 | Qilin | 4 | City'pro, Cooperativa de hospitales de antioquia - cohan, Gueguen avocats (+1) | France, United States | Education, Healthcare
3 | Payload | 2 | Al sulaiti law firm, Better house | Qatar, Egypt | Real Estate, Legal
4 | Akira | 1 | Integra architecture | Canada | Construction & Engineering
5 | BlackShrantac | 1 | Banister primary school | United Kingdom | Education
6 | Krybit | 1 | Imbriefamilylaw.com | United States | Legal
7 | Lamashtu | 1 | Jesin.com.my | Malaysia | Real Estate
8 | PEAR | 1 | Roger d. mason ii, p.a. | United States | Legal

Everest was the most active group, claiming six victims. They mainly targeted financial services, including Citizens Bank and Frost Bank in the United States, and transportation and logistics entities across the US and Spain. Qilin followed with four victims, affecting education and healthcare, notably Cooperativa de hospitales de antioquia - cohan. For more details on this group's operations, explore our Qilin ransomware victims and attack analysis. Legal services faced attacks from multiple groups, including Payload, Krybit, and PEAR. Akira's single victim, Integra Architecture, shows its continued but less frequent targeting; insights into their methods are available in our Akira ransomware TTP analysis.

Victim Distribution

By Country

  • United States: 6
  • France: 2
  • United Kingdom: 2
  • Canada: 1
  • Colombia: 1
  • Egypt: 1
  • Indonesia: 1
  • Malaysia: 1
  • Qatar: 1
  • Spain: 1

By Industry

  • Legal Services: 3
  • Architecture and Planning: 1
  • Healthcare and Pharmaceutical Distribution: 1
  • Real Estate Development: 1
  • Education and Training: 1
  • Law Firms & Legal Services: 1
  • E-commerce: 1
  • Property Development: 1
  • Aerospace and Unmanned Aerial Systems: 1
  • Aviation Solutions: 1

The United States recorded the highest number of new victims, confirming its status as a primary target for ransomware. Legal services saw concentrated attacks in the last 24 hours, suggesting either opportunistic targeting or a specific campaign focus.

Ransomware News

Topline

Recent intelligence indicates confirmed data breaches, alleged ransomware incidents affecting critical services, and active exploitation of multiple vulnerabilities.

Campaigns & Operations

The Kairos ransomware group claims to have breached NSW-based Strata Republic, exfiltrating 441GB of data, including sensitive personal and financial records, with a five-day publication deadline set. A ransomware attack on Hsinchu Logistics in Taiwan significantly disrupted operations, rendering systems inoperable and forcing manual processes. Cloud development platform Vercel also confirmed a security incident involving unauthorized access to internal systems. An attacker claiming to be ShinyHunters offered stolen access keys, source code, and employee data for a reported $2 million ransom.

Vulnerabilities & TTPs

The Hsinchu Logistics incident occurred amid active exploitation of three Microsoft Defender zero-day vulnerabilities, including CVE-2026-33825, and a Fortinet FortiSandbox vulnerability (CVE-2026-39808) with a public proof-of-concept. Attackers in this incident used Payouts King malware, which is designed to evade endpoint and EDR solutions by concealing itself within QEMU VMs and employing Alpine Linux-based backdoors.

Analyst Note

These events show the persistent targeting of supply chain entities, the urgency of strong vulnerability management, and the increasing sophistication of evasion techniques threat actors use.

Technical Takeaways

  • Financial Institutions Targeted: Everest's activity against major banks like Citizens Bank and Frost Bank shows a continued high-value focus on the financial sector.
  • Healthcare Sector Threats: Qilin's compromise of Cooperativa de hospitales de antioquia - cohan highlights ongoing threats to healthcare infrastructure.
  • Legal Services as a Target: Activity by multiple groups, including Payload, Krybit, and PEAR, demonstrates that legal services firms remain a frequent target, likely due to sensitive client data.
  • Zero-Day Exploitation: The Hsinchu Logistics incident involved active exploitation of CVE-2026-33825 and CVE-2026-39808, showing the immediate risk of unpatched vulnerabilities.
  • Advanced Evasion: Payouts King malware, which conceals itself within QEMU VMs and uses Alpine Linux-based backdoors, showcases advanced methods to bypass detection.