Ransomware Report - 04/11/2026

Statistical Overview

Victim Totals

  • This month: 257
  • This quarter: 257
  • Year to date: 2879
  • Last 24h: 8

Quarterly Breakdown Q1: 2622 | Q2: 257 | Q3: 0 | Q4: 0

The second quarter started with 257 ransomware victims, bringing the year-to-date total to 2879. This continued activity shows threat actors operating globally.

Introduction

Eight new ransomware victims were reported in the last 24 hours. Qilin was the most active group with three new listings, followed by INC_Ransom with two. Krybit, LockBit, and NightSpire also reported victims. Attacks targeted sectors like Retail & Ecommerce, Manufacturing, Construction & Engineering, and Education, mainly affecting organizations in North America and Europe.

Ransomware Summary Table

# Group Victims (24h) Sample Victims Geos Sectors
1 Qilin 3 Hofland, Peuker & alexander, Sadtek Canada, Turkey Retail & Ecommerce, Manufacturing
2 INC Ransom 2 wright-ryan.com, www.campbell.edu United States Construction & Engineering, Education
3 Krybit 1 Conrepsa.ro Romania Construction & Engineering
4 LockBit 1 cegasa.com None Professional Services
5 NightSpire 1 Sahara air products United States Manufacturing

In the past 24 hours, Qilin and INC Ransom were the most active groups; they were responsible for over half of the new victim postings. Geographically, the United States had multiple new victims, with additional targets in Canada, Turkey, and Romania. Key sectors affected include Manufacturing, Retail & Ecommerce, Construction & Engineering, and Education, showing these groups target various sectors.

Victim Distribution

By Country

  • United States: 3
  • Australia: 1
  • Canada: 1
  • None: 1
  • Romania: 1
  • Turkey: 1

By Industry

  • Building Materials: 1
  • Floral and Giftware Wholesale: 1
  • None: 1
  • Construction and Contracting: 1
  • Defense, Aerospace, and Marine Engineering: 1
  • Construction: 1
  • Higher Education: 1
  • Machinery: 1

The United States had the most new victims, and activity also occurred in Canada, Romania, and Turkey. Industries like Construction & Engineering and Manufacturing continue to be hit, suggesting they remain attractive targets.

Ransomware News

Topline Two distinct incidents involving data exfiltration and public disclosure show ongoing threats to sensitive organizational data.

Campaigns & Operations INC Ransom claimed a cyberattack on NSW-based Rx Management, a pharmacy management firm, listing it on dark web leak sites and claiming the exfiltration of over 180GB of data. WorldLeaks took responsibility for exposing approximately 340,000 sensitive LAPD files, totaling 7.7 terabytes. This breach resulted from unauthorized access to a passwordless file-sharing tool used by the Los Angeles City Attorney's Office, not a direct LAPD system compromise.

Vulnerabilities & TTPs INC Ransom continues to use spear-phishing for initial access, followed by data exfiltration and extortion. The LAPD incident shows the persistent risks from misconfigured or insecure third-party file-sharing tools in public sector environments.

Analyst Note These events collectively show critical threats to sensitive data across healthcare supply chains and public institutions, often by exploiting common TTPs or vulnerabilities in third-party services.

What are the key technical takeaways from today's ransomware activity?

Key observations from the latest activity:

  • Qilin's Consistent Activity: The group remains active, showing continued targeting of different sectors in various geographies.
  • Supply Chain and Third-Party Risk: The INC Ransom attack on Rx Management shows the ongoing vulnerability of supply chains, especially in healthcare. The LAPD data leak by WorldLeaks shows the critical risk from insecure third-party tools and data transfer methods.
  • Persistent Industry Targeting: Construction & Engineering and Manufacturing sectors remain highly targeted because of their value to ransomware operators.
  • Geographic Breadth: Ransomware activity shows broad geographic activity, affecting North America and Europe, instead of hyper-focused regional campaigns.

FAQ

Q: Which ransomware groups were most active today, 04/11/2026?

A: On 04/11/2026, Qilin was the most active ransomware group with three reported victims. INC Ransom had two victims. Krybit, LockBit, and NightSpire each claimed one.

Q: What industries were targeted by ransomware on 04/11/2026?

A: Ransomware attacks on 04/11/2026 predominantly targeted the Retail & Ecommerce, Manufacturing, Construction & Engineering, and Education sectors. Other affected industries included Building Materials, Floral and Giftware Wholesale, and Professional Services.

Q: Which geographic regions experienced ransomware attacks on 04/11/2026?

A: On 04/11/2026, ransomware victims were reported in the United States (3 victims), Canada (1 victim), Romania (1 victim), and Turkey (1 victim). One victim had no specified geography.

Q: What ransomware incidents were reported on 04/11/2026?

A: Incidents included INC Ransom's alleged breach of NSW-based Rx Management, a pharmacy management firm, claiming 180GB of data was exfiltrated. WorldLeaks took responsibility for exposing approximately 340,000 sensitive LAPD files, stemming from a compromised file-sharing tool used by the Los Angeles City Attorney's Office.

Q: Were any new ransomware TTPs or vulnerabilities observed on 04/11/2026?

A: No new CVEs were specifically identified in today's reports. However, INC Ransom continued to use spear-phishing for initial access, followed by data exfiltration and extortion. The LAPD incident showed insecure third-party file-sharing tools were a significant access vector.