Payload Ransomware Claims 3 Victims in 24h
Statistical Overview
Victim Totals
- This month: 682
- This quarter: 2225
- Year to date: 4846
- Last 24h: 17
Quarterly Breakdown
Q1: 2631 | Q2: 2225 | Q3: 0 | Q4: 0
Ransomware activity continues at a steady pace this quarter, maintaining the levels observed in Q1 and Q2. While Q3 has just begun, the consistent daily victim count indicates persistent threat actor operations globally.
Introduction
The past period saw 17 new ransomware victims added. Payload, INC Ransom, and Nova (RALord) were the most active groups. Attacks occurred across many sectors, including Technology/Software, Healthcare, Agriculture & Food, Nonprofit, Transportation & Logistics, and Government. Geographically, the United States, India, Germany, and Switzerland experienced significant targeting, showing ransomware operators' international activity.
Ransomware Summary Table
| # | Group | Victims (24h) | Sample Victims | Geos | Sectors |
|---|---|---|---|---|---|
| 1 | Payload | 3 | Clínica la sabana, Mosaic partners, Software arge | Switzerland, Colombia | Technology / Software, Healthcare |
| 2 | INC Ransom | 2 | GSP Crop Science Pvt, Life Bridges | United States, India | Agriculture & Food, Nonprofit |
| 3 | Nova (RALord) | 2 | Nsw rural fire service, Vslmarine | India, Australia | Transportation & Logistics, Government / Public Sector |
| 4 | AiLock | 1 | Hokua | United States | Real Estate |
| 5 | Akira | 1 | Precise forms | United States | Construction & Engineering |
| 6 | Anubis | 1 | Nachlass nord | Germany | Legal |
| 7 | CMD | 1 | Kohinoor Mills | Pakistan | Manufacturing |
| 8 | Chaos | 1 | Ingerman.com | United States | Real Estate |
| 9 | Krybit | 1 | Politur.gob.do | Dominican Republic | Government / Public Sector |
| 10 | NightSpire | 1 | Grupo riquelme | Paraguay | Manufacturing |
| 11 | Play News | 1 | Benchmark industrial supply | United States | Retail & Ecommerce |
| 12 | Prinz Eugen | 1 | Prinzkpn6d3itrgcytmsmlcpt5mgwn3ihpck2hsed5cezlbtbi3wklid.onion [new leak posted on our new site] | None | Professional Services |
Payload led victim counts with three new entries, affecting Technology/Software and Healthcare organizations. INC Ransom and Nova (RALord) followed, targeting diverse sectors: Agriculture & Food, Nonprofit, Transportation & Logistics, and Government. Nova (RALord) claimed a victim within the Nsw rural fire service, a significant government/public sector entity, showing continued targeting of critical public services. For more details on this operator, refer to our analysis of Nova (RALord) ransomware activity.
Victim Distribution
By Country
- United States: 5
- India: 2
- Germany: 2
- Pakistan: 1
- Turkey: 1
- Switzerland: 1
- Paraguay: 1
- Australia: 1
- None: 1
- Dominican Republic: 1
By Industry
- Textile Manufacturing: 1
- Real Estate Development and Property Management: 1
- Real Estate: 1
- Non-profit Organization Management: 1
- Industrial Supplies: 1
- Construction: 1
- Information Technology and Services: 1
- IT Services: 1
- Manufacturing: 1
- Emergency Services: 1
While the United States accounts for the highest number of victims, ransomware activity remains globally dispersed, with significant impacts in India, Germany, and Switzerland. Industries affected are highly fragmented, indicating opportunistic targeting rather than a single sector-specific campaign, although IT Services and Manufacturing appear consistently.
Ransomware News
Topline
Ransomware activity features shifts towards supply chain attacks in the education technology sector, alongside continued data exposure incidents and new social engineering campaigns.
Campaigns & Operations
Qilin ransomware is linked to a confirmed data exposure incident at Generation Life, impacting customer personal information. One trend involves attackers shifting from direct school targets to exploiting the EdTech software supply chain, shown by alleged Shiny Hunters breaches of Instructure's Canvas LMS and Oracle PeopleSoft. These breaches affected millions of users and high-value data. Separately, cybercriminals are using the hype for GTA 6 to distribute malware, including ransomware, through fake early access websites. Europol is set to gain expanded data access and R&D capabilities to improve cybercrime and ransomware response, demonstrated by its central role in the Endgame takedown of ransomware infrastructure.
Vulnerabilities & TTPs
Attackers use accessible vectors such as phishing, social engineering, drive-by downloads, and malware disguised as legitimate updates. They then infiltrate networks for data exfiltration and encryption. EdTech supply chain attacks exploit the interconnectedness and often under-resourced security of educational institutions and their vendors, targeting sensitive data with long lifespans.
Analyst Note
These developments show a growing focus on high-value, sensitive data targets through supply chain vulnerabilities and opportunistic social engineering. Meanwhile, law enforcement agencies are improving their capabilities to counter these threats.
Technical Takeaways
- Payload leads recent victim counts, targeting Technology/Software and Healthcare organizations across Switzerland and Colombia.
- Ransomware activity remains geographically dispersed, with the United States as a primary target, but significant impacts are also observed in India, Germany, and Australia.
- Government/Public Sector entities, such as Australia's Nsw rural fire service (by Nova (RALord)) and the Dominican Republic's Politur.gob.do (by Krybit), continue to be targeted.
- Manufacturing organizations in Pakistan and Paraguay were affected, showing ongoing threats to industrial sectors.
- The EdTech software supply chain, including major platforms like Canvas LMS and Oracle PeopleSoft, is increasingly used by threat actors to access and potentially ransom sensitive data from educational institutions.