Ransomware Report - 04/09/2026

Statistical Overview

Victim Totals

  • This month: 228
  • This quarter: 228
  • Year to date: 2850
  • Last 24h: 42

Quarterly Breakdown Q1: 2622 | Q2: 228 | Q3: 0 | Q4: 0

Q2 started with 228 victims in the first nine days of April. This is a faster pace compared to the Q1 average and shows increased ransomware operations.

Introduction

The last 24 hours saw 42 new ransomware victims added to leak sites. CoinbaseCartel led activity with 8 reported victims, followed by XP95 (6), Akira (5), PEAR (4), and ALP-001 (3). Key sectors targeted include Legal Services, Manufacturing, Healthcare, and Professional Services, with the United States and the United Kingdom experiencing the highest concentration of attacks.

Ransomware Summary Table

# Group Victims (24h) Sample Victims Geos Sectors
1 CoinbaseCartel 8 Balfour beatty, Correios, Eastech (+5) Taiwan, Brazil Manufacturing, Construction & Engineering
2 XP95 6 Gcra, Healthdaq, Nnpc hmo (+3) South Africa, Nigeria Professional Services, Education
3 Akira 5 Imagemaster, Mn health insurance network, Newman & marquez (+2) Germany, United States Insurance, Legal
4 PEAR 4 Family psychological associates, Powell, powell & powell, p.a., Siegel lewitter malkani (+1) United States Healthcare, Legal
5 ALP-001 3 Aviwest.com, Inatech.com, Nepgroup.com United States, United Kingdom Media & Entertainment, Technology / Software
6 TiMc 3 Debene s.a. - página principal, Oncologica, Seidor Argentina, United Kingdom Healthcare, Manufacturing
7 APT73 2 Asunim.co, Egov.sc United Kingdom, Seychelles Government / Public Sector, Energy & Utilities
8 LockBit 2 comunidadandina.org, fondonorma.org.ve Peru, Venezuela Government / Public Sector, Professional Services
9 Qilin 2 A roettgers, Nan liu enterprises Taiwan, United States Manufacturing
10 Anubis 1 Signature healthcare United States Healthcare
11 Beast 1 Irmler.org Germany Legal
12 BlackShrantac 1 Mowilex Indonesia Manufacturing

The past 24 hours show varied threats. CoinbaseCartel targeted Manufacturing and Construction & Engineering, impacting Brazil's national postal service (Correios). XP95 remained active in Professional Services and Education, mainly in African nations. Akira continued to target US and German entities in Insurance and Legal sectors. Government and public sector organizations in Seychelles (Egov.sc), Peru (comunidadandina.org), and Venezuela (fondonorma.org.ve) also faced breaches attributed to APT73 and LockBit, showing continued threats to public sector infrastructure.

Victim Distribution

By Country

  • United States: 18
  • United Kingdom: 5
  • Brazil: 2
  • France: 2
  • Germany: 2
  • South Africa: 2
  • Spain: 2
  • Taiwan: 2
  • Venezuela: 1
  • Peru: 1

By Industry

  • Legal Services: 4
  • Software Development: 3
  • Broadcast Media Production and Distribution: 2
  • Healthcare: 2
  • Hospitals and Health Care: 1
  • Renewable Energy: 1
  • Architecture, Engineering, and Consulting: 1
  • Corporate Services: 1
  • Electronics Manufacturing: 1
  • Health Insurance Brokerage: 1

Ransomware News

Topline Ransomware activity continues with new incidents, new groups appearing, and the exploitation of critical vulnerabilities.

Campaigns & Operations The Anubis ransomware group claimed exfiltration of 57 GB from Australia's Shine Aviation, exposing operational and employee data. Around April 7, 2026, Sumitomo Metal Mining disclosed a ransomware incident at its Philippine subsidiary, Coral Bay Nickel Corporation, impacting two servers. In the US, the Minnesota National Guard was deployed to Winona County following a cyberattack that disrupted essential services; authorities are investigating potential links to previous incidents. ASEC's latest digest highlights KryBit ransomware as a new actor, alongside targeted operations by Gunra against South Korean pharmaceutical firms and DragonForce against an Egyptian drug production company.

Vulnerabilities & TTPs CISA issued a directive for federal agencies to patch Ivanti Endpoint Manager Mobile (EPMM) vulnerabilities, including CVE-2026-1340 and CVE-2026-1281. These are actively exploited for unauthenticated remote code execution. New RaaS extortion tactics also involve attackers posing as "Wall Street consultants" to manipulate victim risk perception during negotiations.

Technical Takeaways

  • Geographic Focus: The United States continues to experience the highest volume of attacks, accounting for 18 out of 42 victims in the last 24 hours.
  • Industry Concentration: Legal services (4 victims), software development (3 victims), and manufacturing (multiple entries) show particular vulnerability.
  • Emerging Threats: KryBit has been identified as a new ransomware actor on the dark web, indicating a diversifying threat environment.
  • Vulnerability Exploitation: Active exploitation of Ivanti EPMM vulnerabilities, specifically CVE-2026-1340 and CVE-2026-1281, remains a key vector for initial access.
  • Extortion Tactics: Ransomware-as-a-Service (RaaS) affiliates are employing psychological manipulation, posing as consultants to influence victim payment decisions.

FAQ

Q: Which ransomware groups were most active in the past 24 hours?

CoinbaseCartel was the most active group, reporting 8 new victims. Other active groups include XP95 with 6 victims, Akira with 5 victims, PEAR with 4 victims, and ALP-001 with 3 victims.

Q: What industries were most frequently targeted by ransomware today?

Legal Services was the most targeted industry with 4 reported victims. Software Development, Broadcast Media Production and Distribution, and Healthcare also saw activity, each with multiple victim disclosures.

Q: What regions saw the most ransomware attacks on 04/09/2026?

The United States was the primary target region, reporting 18 victims. The United Kingdom followed with 5 victims, while Brazil, France, Germany, South Africa, Spain, and Taiwan each reported 2 victims.

Q: Were any critical vulnerabilities actively exploited by ransomware operators today?

Yes, CISA has ordered federal agencies to patch Ivanti Endpoint Manager Mobile (EPMM) vulnerabilities CVE-2026-1340 and CVE-2026-1281, which are actively exploited to achieve unauthenticated remote code execution on internet-exposed appliances.

Q: What new ransomware groups or notable campaigns were observed today?

KryBit has emerged as a new ransomware actor on the dark web. Targeted campaigns by Gunra against South Korean pharmaceutical companies and DragonForce against an Egyptian drug production firm highlight sector-specific extortion trends.