Ransomware Report - 04/30/2026
Statistical Overview
Victim Totals
- This month: 750
- This quarter: 750
- Year to date: 3369
- Last 24h: 32
Quarterly Breakdown
Q1: 2622 | Q2: 750 | Q3: 0 | Q4: 0
The first month of Q2 has seen 750 reported ransomware victims, indicating a significant pace of activity that could exceed Q1's total if current trends persist.
Introduction
In the last 24 hours, PurpleOps observed 32 new ransomware victims. Qilin was responsible for seven reported incidents, followed by The_Gentelman with five. Financial Services and Manufacturing were the main sectors impacted, and the United States registered the highest number of new attacks.
Ransomware Summary Table
| # | Group | Victims (24h) | Sample Victims | Geos | Sectors |
|---|---|---|---|---|---|
| 1 | Qilin | 7 | Abazia spa, Antica sartoria, Edenshaw developments (+4) | Philippines, Colombia | Pharmaceuticals & Biotech, Financial Services |
| 2 | The Gentelman | 5 | Diviso grupo financiero, Fabritius, Forsheda stlverktyg (+2) | Sweden, Turkey | Financial Services, Retail & Ecommerce |
| 3 | PayoutsKing | 3 | Data exchange corporation, Epcon communities, Scs engineers | United States | Professional Services, Manufacturing |
| 4 | INC Ransom | 2 | Arban & Carosi, Iowa Spring Manufacturing & Sales | United States | Manufacturing |
| 5 | Krybit | 2 | Weiss-pm.de, Zsiclife.co.zm | Germany, Zambia | Professional Services, Insurance |
| 6 | Nova (RALord) | 2 | Bimtrazer, Reschio | Italy, Chile | Technology / Software, Real Estate |
| 7 | Akira | 1 | Atf aerospace | United States | Manufacturing |
| 8 | Aur0ra | 1 | Bayou title, inc. | United States | Real Estate |
| 9 | Black Nevas | 1 | Speed group (speed north america, speed south america, speed line south africa, speed france) | France | Manufacturing |
| 10 | Blackwater | 1 | Compass housing alliance | United States | Nonprofit |
| 11 | Everest | 1 | Morae | United States | Legal |
| 12 | NightSpire | 1 | Progressive oral surgery & implantology | United States | Healthcare |
Qilin continues to show activity, targeting sectors like pharmaceuticals and financial services across multiple geographies including the Philippines and Colombia. The_Gentelman also remained active, impacting financial services and retail in Sweden and Turkey. For more information on the groups operating this month, refer to our latest ransomware groups report for April 29 and a proactive threat update on Qilin. A broader view on Q2 trends can be found in our active ransomware groups Q2 report.
Victim Distribution
By Country
- United States: 16
- Italy: 3
- Zambia: 1
- Belgium: 1
- Turkey: 1
- Sweden: 1
- Poland: 1
- Philippines: 1
- Peru: 1
- Papua New Guinea: 1
By Industry
- Financial Services: 3
- Manufacturing: 3
- Real Estate: 2
- Retail: 2
- Advertising Services: 1
- Insurance: 1
- Spring and Wire Product Manufacturing: 1
- Pediatric Dentistry: 1
- Non-profit Organizations: 1
- Legal Services: 1
The United States remains the primary target for ransomware operators, accounting for half of all reported victims in the last 24 hours. Financial Services and Manufacturing continue to be consistently targeted across various regions.
Ransomware News
Topline
The past 24 hours saw several critical ransomware incidents affecting public services, educational institutions, and industrial technology firms, and a regional threat analysis showed significant increases in ransomware activity.
Campaigns & Operations
Taiwanese firm Syntec Technology Co., Ltd. disclosed a ransomware attack around April 29, 2026, which triggered immediate incident response measures, with preliminary assessments indicating no material impact on operations or confidential data leakage. Concurrently, Austria's B3-Schulzentrum in Bruck an der Mur experienced a cyberattack on April 29, 2026, where attackers demanded ransom and claimed exfiltration of sensitive student data, prompting containment and recovery efforts. In the United States, Adams County, Mississippi, offices were disrupted for over a week by a ransomware attack, traced to a Windows 7 PC in its sanitation department, leading to significant IT infrastructure overhaul costs.
Vulnerabilities & TTPs
The Adams County incident shows the risk posed by legacy operating systems like Windows 7 as initial access vectors. Separately, an analysis of the Australia and New Zealand ICS threat environment for Q4 2025 indicated a 1.6x increase in ransomware, primarily driven by internet-origin threats and coinciding with phishing campaigns that increased worm and spyware activity in operational technology environments.
Analyst Note
These incidents show the persistent threat to diverse sectors, including critical public services and education, and the ongoing challenge from outdated systems and prevalent phishing tactics.
Technical Takeaways
- Qilin ransomware group continues activity, impacting Pharmaceuticals & Biotech and Financial Services across multiple countries.
- Financial Services and Manufacturing sectors are consistently high-value targets for various ransomware groups, including The_Gentelman and PayoutsKing.
- The United States remains the most targeted region, accounting for 50% of new victims in the past 24 hours.
- Observed incidents confirm the use of legacy operating systems, such as Windows 7, as initial compromise vectors in public sector attacks.
- Regional threat reports indicate a sustained increase in internet-origin ransomware attacks, often linked to phishing campaigns, affecting industrial control systems.
