Ransomware Report - 04/17/2026

Statistical Overview

Victim Totals

  • This month: 433
  • This quarter: 433
  • Year to date: 3054
  • Last 24h: 28

Quarterly Breakdown

Q1: 2622 - Q2: 433 - Q3: 0 - Q4: 0


Ransomware activity continues its consistent pace into Q2. The 24-hour victim count aligns with the overall monthly accumulation. Year-to-date figures show a persistent threat situation, maintaining pressure across various sectors.

Introduction

In the past 24 hours, ransomware activity saw 28 new victims added to public leak sites. SafePay, SLSH, and LockBit were the most active groups. Geographically, the United States and Germany recorded the highest number of reported incidents. Attacks targeted diverse sectors, including professional services, retail, and transportation, reflecting a broad opportunistic approach by threat actors.

Ransomware Summary Table

#GroupVictims (24h)Sample VictimsGeosSectors
1SafePay9Abfall-kreis-kassel.de, Bbalawgroup.com, Cheeky.com.ar (+6)Malaysia, GermanyConstruction & Engineering, Professional Services
2SLSH87-eleven, inc. (7-eleven.com), Aman resorts (aman.com), Carnival corporation & plc (carnivalcorp.com) (+5)Switzerland, United StatesFinancial Services, Retail & Ecommerce
3LockBit3bardehle.com, erstransportes.com.br, murni.co.idIndonesia, BrazilTransportation & Logistics, Legal
4INC Ransom2bgcsnv.org, treelawoffice.comUnited StatesNonprofit, Legal
5Crypto241Qatar biomedical research institute (qbri)QatarPharmaceuticals & Biotech
6DragonForce1Medicalnetworks cj gmbh & co. kgGermanyTechnology / Software
7Krybit1Putzbaer.berlinGermanyProfessional Services
8LeakedData1Fagen friedman & fulfrost llpUnited StatesLegal
9Qilin1Hbx groupSpainTechnology / Software
10Termite1Https://www.lanap.com/United StatesManufacturing

SafePay accounted for the highest volume of new victims, showing widespread activity across diverse geographies like Malaysia and Germany. SLSH targeted large corporate entities, including 7-Eleven, Aman Resorts, and Carnival Corporation. A significant incident included Crypto24's compromise of the Qatar Biomedical Research Institute (qbri), showing persistent threats to research and biotechnology sectors. Monitoring these activities is a key part of effective Ransomware Tracking.

Victim Distribution

By Country

  • United States: 9
  • Germany: 4
  • Canada: 2
  • Spain: 2
  • United Kingdom: 2
  • Switzerland: 1
  • Argentina: 1
  • Qatar: 1
  • Malaysia: 1
  • Ireland: 1

By Industry

  • Insurance and Financial Services: 2
  • Legal Services: 2
  • IT Services and IT Consulting: 2
  • Retail: 1
  • Retail (Convenience Stores): 1
  • Plumbing and Heating Services: 1
  • Nonprofit Organization: 1
  • Medical Equipment Manufacturing: 1
  • Legal Practice: 1
  • Law Firms & Legal Services: 1

The United States and Germany remain main targets, which indicates a continued focus on high-economy regions. Industry distribution shows a continued, diversified attack surface. Financial, legal, and IT services face consistent pressure, suggesting opportunistic rather than highly specialized targeting in many cases.

Ransomware News

Topline

The past 24 hours show a complex threat environment with sophisticated credential theft campaigns, evolving malware, and ransomware operations impacting critical sectors globally.

Campaigns & Operations

Threat actor 'Mr. Raccoon' (UNC6783) has been observed executing real-time, live-chat social engineering against IT help desks to harvest credentials and bypass MFA, subsequently leading to data exfiltration and ransom demands. Ransomware groups such as Apt73, PayoutsKing, and WorldLeaks were identified breaching financial firms in March 2026, engaging in data exfiltration and double extortion, particularly within the Korean and global financial sectors. Disruptions caused by ChipSoft ransomware were reported across Dutch and Belgian hospitals, showing ongoing risks to healthcare infrastructure. Separately, a seemingly benign adware operation by Dragon Boss Solutions LLC escalated into an "AV killer" in March 2025, disabling major antivirus products and establishing persistence on over 23,500 computers across 124 countries, creating a persistent entry point for follow-on malware such as ransomware. The dismantling of the W3LL phishing platform by the FBI and Indonesian authorities indicates ongoing efforts against pervasive phishing operations.

Vulnerabilities & TTPs

Fortinet has addressed critical vulnerabilities, including CVE-2026-39808 and CVE-2026-39813 for FortiSandbox (and CVE-2026-25836 for Cloud), which could enable remote code execution and credential access. Lazarus Group used a watering hole technique exploiting the AnySign4PC vulnerability to achieve remote code execution against financial entities. Threat actors increasingly use Telegram and dark web forums for covert communications, with banking Trojans and infostealers like LummaC2 and Vidar remaining common attack methods. Analysis of this activity often involves detailed Dark Web Monitoring.

Analyst Note

These incidents show attackers are using more sophisticated initial access methods and consistently try to compromise credentials. Malware capabilities are also evolving quickly to help deploy ransomware.

Technical Takeaways

  • Geographic Concentration: The United States and Germany consistently experience the highest volume of reported ransomware incidents. These regions remain important targets for threat actors.
  • Diversified Sector Targeting: While specific sectors like financial and legal services are impacted, the overall distribution shows opportunistic targeting across a wide array of industries rather than hyper-specialization.
  • Persistent Credential Theft: Campaigns like 'Mr. Raccoon' (UNC6783) show that social engineering against help desks and the subsequent harvesting of credentials remain key initial access methods for ransomware operations. This shows the importance of strong Credential Intelligence.
  • Evolving Malware Capabilities: The transformation of adware into an "AV killer" by Dragon Boss Solutions LLC demonstrates an increasing trend of malware designed to neutralize defensive mechanisms, making conditions favorable for ransomware deployment.
  • Critical Vulnerability Exploitation: The ongoing patching of critical vulnerabilities, such as Fortinet's CVEs, and the exploitation of flaws like AnySign4PC by state-sponsored groups, show the continuous need for strict patch management to reduce ransomware entry points.