Payload Ransomware Claims 3 Victims in 24h

Statistical Overview

Victim Totals

  • This month: 682
  • This quarter: 2225
  • Year to date: 4846
  • Last 24h: 17

Quarterly Breakdown

Q1: 2631 | Q2: 2225 | Q3: 0 | Q4: 0

Ransomware activity continues at a steady pace this quarter, maintaining the levels observed in Q1 and Q2. While Q3 has just begun, the consistent daily victim count indicates persistent threat actor operations globally.

Introduction

The past period saw 17 new ransomware victims added. Payload, INC Ransom, and Nova (RALord) were the most active groups. Attacks occurred across many sectors, including Technology/Software, Healthcare, Agriculture & Food, Nonprofit, Transportation & Logistics, and Government. Geographically, the United States, India, Germany, and Switzerland experienced significant targeting, showing ransomware operators' international activity.

Ransomware Summary Table

#GroupVictims (24h)Sample VictimsGeosSectors
1Payload3Clínica la sabana, Mosaic partners, Software argeSwitzerland, ColombiaTechnology / Software, Healthcare
2INC Ransom2GSP Crop Science Pvt, Life BridgesUnited States, IndiaAgriculture & Food, Nonprofit
3Nova (RALord)2Nsw rural fire service, VslmarineIndia, AustraliaTransportation & Logistics, Government / Public Sector
4AiLock1HokuaUnited StatesReal Estate
5Akira1Precise formsUnited StatesConstruction & Engineering
6Anubis1Nachlass nordGermanyLegal
7CMD1Kohinoor MillsPakistanManufacturing
8Chaos1Ingerman.comUnited StatesReal Estate
9Krybit1Politur.gob.doDominican RepublicGovernment / Public Sector
10NightSpire1Grupo riquelmeParaguayManufacturing
11Play News1Benchmark industrial supplyUnited StatesRetail & Ecommerce
12Prinz Eugen1Prinzkpn6d3itrgcytmsmlcpt5mgwn3ihpck2hsed5cezlbtbi3wklid.onion [new leak posted on our new site]NoneProfessional Services

Payload led victim counts with three new entries, affecting Technology/Software and Healthcare organizations. INC Ransom and Nova (RALord) followed, targeting diverse sectors: Agriculture & Food, Nonprofit, Transportation & Logistics, and Government. Nova (RALord) claimed a victim within the Nsw rural fire service, a significant government/public sector entity, showing continued targeting of critical public services. For more details on this operator, refer to our analysis of Nova (RALord) ransomware activity.

Victim Distribution

By Country

  • United States: 5
  • India: 2
  • Germany: 2
  • Pakistan: 1
  • Turkey: 1
  • Switzerland: 1
  • Paraguay: 1
  • Australia: 1
  • None: 1
  • Dominican Republic: 1

By Industry

  • Textile Manufacturing: 1
  • Real Estate Development and Property Management: 1
  • Real Estate: 1
  • Non-profit Organization Management: 1
  • Industrial Supplies: 1
  • Construction: 1
  • Information Technology and Services: 1
  • IT Services: 1
  • Manufacturing: 1
  • Emergency Services: 1

While the United States accounts for the highest number of victims, ransomware activity remains globally dispersed, with significant impacts in India, Germany, and Switzerland. Industries affected are highly fragmented, indicating opportunistic targeting rather than a single sector-specific campaign, although IT Services and Manufacturing appear consistently.

Ransomware News

Topline

Ransomware activity features shifts towards supply chain attacks in the education technology sector, alongside continued data exposure incidents and new social engineering campaigns.

Campaigns & Operations

Qilin ransomware is linked to a confirmed data exposure incident at Generation Life, impacting customer personal information. One trend involves attackers shifting from direct school targets to exploiting the EdTech software supply chain, shown by alleged Shiny Hunters breaches of Instructure's Canvas LMS and Oracle PeopleSoft. These breaches affected millions of users and high-value data. Separately, cybercriminals are using the hype for GTA 6 to distribute malware, including ransomware, through fake early access websites. Europol is set to gain expanded data access and R&D capabilities to improve cybercrime and ransomware response, demonstrated by its central role in the Endgame takedown of ransomware infrastructure.

Vulnerabilities & TTPs

Attackers use accessible vectors such as phishing, social engineering, drive-by downloads, and malware disguised as legitimate updates. They then infiltrate networks for data exfiltration and encryption. EdTech supply chain attacks exploit the interconnectedness and often under-resourced security of educational institutions and their vendors, targeting sensitive data with long lifespans.

Analyst Note

These developments show a growing focus on high-value, sensitive data targets through supply chain vulnerabilities and opportunistic social engineering. Meanwhile, law enforcement agencies are improving their capabilities to counter these threats.

Technical Takeaways

  • Payload leads recent victim counts, targeting Technology/Software and Healthcare organizations across Switzerland and Colombia.
  • Ransomware activity remains geographically dispersed, with the United States as a primary target, but significant impacts are also observed in India, Germany, and Australia.
  • Government/Public Sector entities, such as Australia's Nsw rural fire service (by Nova (RALord)) and the Dominican Republic's Politur.gob.do (by Krybit), continue to be targeted.
  • Manufacturing organizations in Pakistan and Paraguay were affected, showing ongoing threats to industrial sectors.
  • The EdTech software supply chain, including major platforms like Canvas LMS and Oracle PeopleSoft, is increasingly used by threat actors to access and potentially ransom sensitive data from educational institutions.