Qilin Ransomware Activity Dominates Healthcare

Statistical Overview

Victim Totals

  • This month: 126
  • This quarter: 1672
  • Year to date: 4297
  • Last 24h: 27

Quarterly Breakdown

Q1: 2631 | Q2: 1672 | Q3: 0 | Q4: 0

While quarterly totals show a decrease from Q1, the consistent emergence of new victims indicates ongoing threat actor activity, particularly from Qilin, Play News, and Akira. Ransomware operations continue to impact many sectors globally.

Introduction

Twenty-seven new ransomware victims were disclosed in the last 24 hours. Qilin was the most active group, responsible for nine of these new listings. Other groups that added victims include Play News with four, and Akira and World_Leaks each with three. Healthcare, automotive, and the public sector were the primary targets, and the United States remained the most affected geography. Further analysis on Qilin's activities can be found in our detailed Qilin ransomware update.

Ransomware Summary Table

# | Group | Victims (24h) | Sample Victims | Geos | Sectors
1 | Qilin | 9 | Avcon jet, Central florida cosmetic & family dentistry, Interspa betriebsverwaltungsgesellschaft (+6) | Germany, Austria | Healthcare, Hospitality & Travel
2 | Play News | 4 | Corley mfg, Dallis law firm, The chapel (+1) | United States | Nonprofit, Legal
3 | Akira | 3 | Kennon worldwide, Oaks park, T/cci manufacturing | United States, None | Automotive, Hospitality & Travel
4 | World Leaks | 3 | Access dental, Ch karnchang public, United auto supply | United States, Thailand | Healthcare, Automotive
5 | LockBit | 2 | sierravistahospital.com, wessels.group | United States, Netherlands | Healthcare, Transportation & Logistics
6 | NightSpire | 2 | First mutual holdings, Krum public library | United States, Zimbabwe | Government / Public Sector, Financial Services
7 | AiLock | 1 | Groupe sécurité clb | Canada | Government / Public Sector
8 | DragonForce | 1 | Reha-activ | Germany | Healthcare
9 | INC Ransom | 1 | Stuga Machinery | United Kingdom | Manufacturing
10 | Securotop | 1 | Kriete truck centers | United States | Transportation & Logistics

Qilin led in new victim disclosures, focusing on healthcare and hospitality. Targets include Central Florida Cosmetic & Family Dentistry by Qilin, sierravistahospital.com by LockBit, and Access Dental by World_Leaks, showing a continued emphasis on the healthcare sector. The Krum Public Library, listed under NightSpire, is also a critical public sector target. Insights into Akira's campaigns are available in our Akira ransomware intelligence, and World_Leaks' activities are detailed in our active ransomware groups report.

Victim Distribution

By Country

  • United States: 15
  • Canada: 3
  • Germany: 2
  • Zimbabwe: 1
  • Austria: 1
  • United Kingdom: 1
  • Thailand: 1
  • Slovenia: 1
  • None: 1
  • Netherlands: 1

By Industry

  • Behavioral Health Services: 1
  • Financial Services: 1
  • Truck Transportation: 1
  • Religious Institutions: 1
  • Public Library: 1
  • Motor Vehicle Parts Manufacturing: 1
  • Medical Practice: 1
  • Law Firms & Legal Services: 1
  • Industrial Machinery & Equipment: 1
  • Healthcare: 1

The United States remains the most targeted country by a wide margin, which the report attributes to its large economic footprint and diverse digital infrastructure. Industry targeting is fragmented, with healthcare-related entities, automotive companies, and public sector organizations appearing repeatedly among those affected.

Ransomware News

Topline

Ransomware developments include both proactive law enforcement actions against criminal infrastructure and ongoing attacks by established and new threat groups targeting diverse sectors.

Campaigns & Operations

The Silent Ransom Group (SRG), also known as Luna Moth, Chatty Spider, and UNC3753, is known for its data-theft driven extortion model. It employs a fast-flux DNS botnet to conceal its infrastructure and primarily targets data-rich sectors such as law firms.

Separately, the Karl Auto Group experienced a cyberattack that disrupted its Iowa dealerships. RansomHouse claimed responsibility for encrypting Karl Chevrolet systems and potentially exposing sensitive customer data. The Krum Public Library in Texas reported a ransomware incident that disrupted its computer services, leading to an extortion demand and forensic investigation.

Vulnerabilities & TTPs

SRG's operational security relies on a fast-flux DNS botnet that rotates multiple A-record IPs via public resolvers tied to residential ISPs, using ECS spoofing to mask the geographic diversity of those addresses. Separately, a global law enforcement operation led by the Netherlands and France, with Europol and Eurojust, dismantled First VPN, a Russian-language service that provided anonymized infrastructure for ransomware operators; the operation seized 33 servers and took down the associated domains.
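As an added defender-side illustration (not code from the original report), the following script scores passive-DNS records for the fast-flux pattern described above: many distinct A-record IPs spread across several network prefixes, each answered with a short TTL. The thresholds, the `/24`-prefix proxy for provider diversity, and the sample log lines are constructed assumptions.

```python
# Added illustration, not code from the original report: flag domains whose
# A records rotate across many IPs and prefixes with short TTLs, the fast-flux
# pattern attributed to SRG. Thresholds and sample lines are constructed.
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample, one answer per line: "<epoch> <qname> A <rdata> <ttl>"
SAMPLE_LOG = """\
1717000000 portal.flux-example.test A 203.0.113.10 60
1717000060 portal.flux-example.test A 198.51.100.22 60
1717000120 portal.flux-example.test A 192.0.2.77 30
1717000180 portal.flux-example.test A 203.0.113.200 60
1717000240 portal.flux-example.test A 198.51.100.9 45
1717000300 portal.flux-example.test A 192.0.2.8 60
1717000000 www.stable-corp.test A 203.0.113.50 3600
1717000600 www.stable-corp.test A 203.0.113.50 3600
"""

def parse_records(text):
    """Parse log lines into (qname, ip, ttl); malformed or non-A rows are skipped."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[2] != "A":
            continue
        try:
            out.append((parts[1], ip_address(parts[3]), int(parts[4])))
        except ValueError:
            continue  # bad IP or TTL: ignore rather than crash the batch
    return out

def fast_flux_candidates(records, min_ips=5, min_prefixes=3, max_avg_ttl=300):
    """Return {qname: (distinct_ips, distinct_prefixes, avg_ttl)} for domains
    meeting every heuristic; /24 prefixes approximate provider diversity."""
    per_name = defaultdict(lambda: (set(), set(), []))
    for qname, ip, ttl in records:
        ips, prefixes, ttls = per_name[qname]
        ips.add(ip)
        prefixes.add(ip_network(f"{ip}/24", strict=False))
        ttls.append(ttl)
    flagged = {}
    for qname, (ips, prefixes, ttls) in per_name.items():
        avg_ttl = sum(ttls) / len(ttls)
        if len(ips) >= min_ips and len(prefixes) >= min_prefixes and avg_ttl <= max_avg_ttl:
            flagged[qname] = (len(ips), len(prefixes), avg_ttl)
    return flagged

if __name__ == "__main__":
    for qname, stats in fast_flux_candidates(parse_records(SAMPLE_LOG)).items():
        print(qname, stats)
```

On the sample input only the rotating domain is flagged; on real passive-DNS data, CDN-hosted names also show IP spread, so prefix diversity and TTL together matter more than the raw IP count.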

Technical Takeaways

  • Qilin is currently the most active ransomware group, frequently targeting the healthcare sector.
  • The United States remains the primary geographical target for ransomware operations.
  • At least ten distinct ransomware groups disclosed victims.
  • Tradecraft, such as the Silent Ransom Group's fast-flux DNS botnet, continues to be employed by threat actors.
  • International law enforcement efforts are disrupting critical services, like First VPN, used by ransomware operators for operational security.