Ransomware Report - 04/10/2026
Statistical Overview
Victim Totals
- This month: 249
- This quarter: 249
- Year to date: 2871
- Last 24h: 22
Quarterly Breakdown Q1: 2622 | Q2: 249 | Q3: 0 | Q4: 0
Q2 ransomware activity currently totals 249 victims against Q1's 2622, but as of 10 April only ten days of the quarter have elapsed, so the two totals are not comparable. On a per-day basis the rates are close: roughly 25 victims per day so far in Q2 versus roughly 29 per day across Q1's 90 days (2622/90). The partial-quarter figure does not yet support a slowdown claim.
Introduction
Over the past 24 hours, PurpleOps observed 22 new ransomware victims across sectors. Qilin was the most active group, responsible for 8 new victim postings. Other groups included LeakedData, Akira, INC Ransom, and PEAR. Legal Services, Manufacturing, and Healthcare were among the main affected sectors, with most incidents (13 of 22) in the United States.
Ransomware Summary Table
| # | Group | Victims (24h) | Sample Victims | Geos | Sectors |
|---|---|---|---|---|---|
| 1 | Qilin | 8 | Alamo heights school district, Autogalerie heister, Chalmers & kubeck (+5) | Chile, Germany | Manufacturing, Legal |
| 2 | LeakedData | 3 | Bowman and brooke, Cox, castle & nicholson llp, Goulston & storrs | United States | Legal |
| 3 | Akira | 2 | Netgain networks, Turbo international | United States | Automotive, Technology / Software |
| 4 | INC Ransom | 2 | Kannarr Eye Care, martek co ltd. | Taiwan, United States | Healthcare, Technology / Software |
| 5 | PEAR | 2 | Arkansas oral & maxillofacial surgeons, Colonial presbyterian church | United States | Healthcare, Nonprofit |
| 6 | The Gentlemen | 2 | Gem terminal, Uk electronics | Taiwan, United Kingdom | Manufacturing, Technology / Software |
| 7 | AiLock | 1 | Alvi associates | United States | Construction & Engineering |
| 8 | Krybit | 1 | Megasurf.co.za | South Africa | Telecommunications |
| 9 | XP95 | 1 | Afyarekod | Kenya | Technology / Software |
Qilin led the past 24 hours with 8 new victims, including manufacturing and legal-sector targets in Chile and Germany (the Geos column lists only the geographies of the sample victims). LeakedData posted three U.S. law firms, and Akira's two victims were in automotive and technology. Qilin's listing of the Alamo Heights school district, a U.S. public school district, continues the pattern of pressure on public education.
Victim Distribution
By Country
- United States: 13
- United Kingdom: 2
- Taiwan: 2
- Chile: 1
- South Africa: 1
- Kenya: 1
- Japan: 1
- Germany: 1
By Industry
- Legal Services: 4
- Architecture and Planning: 1
- Religious Organization: 1
- Optometry: 1
- Information Technology Services: 1
- Industrial Maintenance and Repair: 1
- Healthcare: 1
- Education: 1
- Civil Engineering: 1
- Automotive Aftermarket Manufacturing: 1
The United States remains the main target country, with 13 of today's 22 victims. The industry breakdown above covers 13 of the 22 victims (the remaining 9 are not broken out). Within it, Legal Services is the only industry with more than one victim; the healthcare-related entries (Optometry, Healthcare) and the manufacturing-related entries (Industrial Maintenance and Repair, Automotive Aftermarket Manufacturing) each appear as single-victim sub-categories. The concentration is therefore in legal services, with healthcare and manufacturing spread across sub-sectors, consistent with a continued focus on organizations that hold sensitive data or deliver critical services.
Ransomware News
Law enforcement actions against major ransomware operators and supply chain attacks on critical sectors shaped ransomware activity today. German federal police unmasked Daniil Shchukin as the mastermind behind REvil and GandCrab, linking him to over 130 incidents.
UNC6783 actors ran a corporate credential-phishing campaign that pairs fake Okta login pages with live-chat social engineering to talk targets through the sign-in; the harvested credentials (and any MFA factor the attacker then enrolls) give the operator a session that survives the phishing page itself.
A ransomware incident at Dutch health software vendor ChipSoft disrupted core patient-management platforms at around 70% of Dutch hospitals. Beyond the outage, the incident raises the question of unauthorized access to patient data, which has not been confirmed in the reporting summarized here. Separately, Gunra ransomware operators listed Eric Davis Dental as a breach victim, and Space Bears claimed a breach of the Brooklands of Mornington resort. Winona County in Minnesota also reported a ransomware incident; prior IT improvements aided its response.
Exploitable vulnerabilities are being used in active campaigns, including a Docker Engine authorization (authZ) bypass (CVE-2026-34040) and an Ivanti EPMM flaw (CVE-2026-1340). Both products sit at a trust boundary (the Docker daemon's authorization layer; the mobile device management server), which is what makes them useful for initial access and lateral movement; confirm exposure and patch level against each vendor's advisory rather than relying on the CVE identifier alone. Threat actors are also using social engineering such as the fake Okta pages above, and are exploring AI tools to speed up exploitation of legacy systems, particularly in healthcare. Industrial control systems remain exposed to supply-chain compromise because of their legacy infrastructure.
Technical Takeaways
- Qilin ransomware was active, targeting various sectors including education and manufacturing across multiple geographies.
- Supply chain attacks remain an important vector, shown by the ChipSoft incident impacting a significant portion of Dutch hospitals.
- The Docker Engine authZ bypass (CVE-2026-34040) and the Ivanti EPMM vulnerability (CVE-2026-1340) are being actively exploited; check exposure and patch status against the vendor advisories.
- Social engineering, specifically fake Okta login pages backed by live-chat operators as used by UNC6783, remains an effective initial access method; watch for sign-ins from new locations followed by MFA factor enrollment.
- Law enforcement attribution continues: German federal police publicly identified the operator they link to REvil and GandCrab, tying him to over 130 incidents.
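The fake-Okta-page campaign described in the news section and the takeaway above leaves two traces a defender can look for: hosts in web-proxy logs that imitate the tenant's Okta login without being Okta-operated, and, in the Okta System Log, an MFA factor activation that follows a session from an address the user has never signed in from. The block below is an added example written for this report, not code from PurpleOps, Okta or the UNC6783 reporting. The tenant name (`example`), the list of Okta-operated suffixes, the baseline of known IPs and every log line are constructed for illustration; the Okta event type strings (`user.session.start`, `user.mfa.factor.activate`, `user.mfa.factor.update`) are the standard System Log names as the author knows them and should be checked against your tenant's actual events.

```python
"""Two detections for a fake-Okta-page phishing campaign.
Added example for this report; not Okta's code. Tenant, allowlist,
baseline IPs and all log records below are constructed."""
from datetime import datetime, timedelta
from urllib.parse import urlsplit

TENANT = "example"  # assumption: the org signs in at example.okta.com
# Okta-operated domains; a login page anywhere else is suspect.
LEGIT_OKTA_DOMAINS = ("okta.com", "oktapreview.com", "okta-emea.com", "oktacdn.com")
LOGIN_TOKENS = ("okta", "sso", "login", "signin", "auth", "mfa", "verify")
# Undo the digit-for-letter swaps typosquatters use (0kta, examp1e).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s"})


def is_okta_lookalike(url: str) -> bool:
    """True when the URL's host imitates the tenant's Okta login but is not
    on an Okta-operated domain."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host or any(host == d or host.endswith("." + d) for d in LEGIT_OKTA_DOMAINS):
        return False
    folded = host.translate(HOMOGLYPHS)
    if "okta" in folded:
        return True
    # Tenant name plus a sign-in word on a foreign domain, e.g. example-sso.net
    return TENANT in folded and any(tok in folded for tok in LOGIN_TOKENS)


def lookalike_hosts(proxy_lines):
    """Scan 'timestamp user url' proxy log lines; return the matching hosts."""
    hits = []
    for line in proxy_lines:
        parts = line.split()
        if len(parts) >= 3 and is_okta_lookalike(parts[2]):
            hits.append(urlsplit(parts[2]).hostname)
    return hits


def suspicious_factor_enrollments(events, known_ips, window=timedelta(minutes=30)):
    """Flag MFA factor activations that follow, within `window` and from the
    same address, a successful session start from an IP the user has never
    used. A phished password plus an attacker-enrolled factor is how a
    one-time credential theft turns into durable access.
    events: Okta System Log records (dicts) in chronological order.
    known_ips: baseline {user: {ip, ...}} built from historical logs."""
    seen = {u: set(ips) for u, ips in known_ips.items()}
    fresh = {}  # user -> (ip, time) of the latest session start from a new IP
    findings = []
    for ev in events:
        user = ev["actor"]["alternateId"]
        ip = ev["client"]["ipAddress"]
        when = datetime.fromisoformat(ev["published"].replace("Z", "+00:00"))
        etype = ev["eventType"]
        if etype == "user.session.start" and ev["outcome"]["result"] == "SUCCESS":
            if ip not in seen.setdefault(user, set()):
                fresh[user] = (ip, when)
                seen[user].add(ip)
        elif etype in ("user.mfa.factor.activate", "user.mfa.factor.update"):
            new = fresh.get(user)
            if new and new[0] == ip and when - new[1] <= window:
                findings.append((user, ip, etype))
    return findings


# Constructed proxy log lines: timestamp, user, requested URL.
PROXY_LOG = """\
2026-04-10T07:55:01Z alice https://example.okta.com/login/login.htm
2026-04-10T08:01:12Z alice https://example-0kta.com/login
2026-04-10T08:03:40Z bob https://accounts.google.com/signin
2026-04-10T08:09:05Z carol https://example-sso-verify.net/mfa
2026-04-10T08:11:30Z dave https://example.com/intranet
""".splitlines()


def _ev(published, user, ip, etype, result="SUCCESS"):
    """Build a constructed System Log record with the fields the check reads."""
    return {"published": published, "eventType": etype, "outcome": {"result": result},
            "actor": {"alternateId": user}, "client": {"ipAddress": ip}}


# Constructed events: alice is phished and the attacker enrolls a factor;
# bob signs in from a new IP with no enrollment; carol enrolls from a known IP.
OKTA_EVENTS = [
    _ev("2026-04-10T08:00:00Z", "alice@example.com", "203.0.113.10", "user.session.start"),
    _ev("2026-04-10T08:02:30Z", "alice@example.com", "198.51.100.77", "user.session.start"),
    _ev("2026-04-10T08:06:10Z", "alice@example.com", "198.51.100.77", "user.mfa.factor.activate"),
    _ev("2026-04-10T08:10:00Z", "bob@example.com", "198.51.100.78", "user.session.start"),
    _ev("2026-04-10T08:12:00Z", "carol@example.com", "203.0.113.30", "user.mfa.factor.activate"),
    _ev("2026-04-10T08:20:00Z", "carol@example.com", "203.0.113.30", "user.session.start"),
]
KNOWN_IPS = {"alice@example.com": {"203.0.113.10"}, "bob@example.com": {"203.0.113.20"},
             "carol@example.com": {"203.0.113.30"}}

if __name__ == "__main__":
    print("lookalike hosts:", lookalike_hosts(PROXY_LOG))
    print("suspicious enrollments:", suspicious_factor_enrollments(OKTA_EVENTS, KNOWN_IPS))
```

On the constructed input the first check flags `example-0kta.com` and `example-sso-verify.net` and leaves the real tenant and unrelated sites alone; the second flags only alice, whose factor activation came from the never-before-seen address minutes after the session started. The baseline of known IPs matters: without it every user's first sign-in in the window counts as "new", so build it from weeks of history rather than the same day's log. The 30-minute window and the token list are tuning knobs, not fixed values.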
FAQ
Q: Which ransomware groups were most active in the last 24 hours?
Qilin was the most active group, posting 8 new victims. Other groups included LeakedData (3 victims), Akira (2), INC Ransom (2), PEAR (2) and The Gentlemen (2).
Q: What industries were most targeted by ransomware today?
Legal Services was the most targeted industry with 4 victims. By the sector tags in the summary table, Technology/Software appears in four groups' listings and Healthcare in two, although the industry breakdown splits those victims into single-entry sub-categories. The mix reflects continued interest in sensitive data and critical services.
Q: Which countries experienced the highest number of ransomware attacks today?
The United States recorded the highest number of new ransomware victims, with 13 incidents. The United Kingdom and Taiwan each reported 2 victims. This indicates a global threat, though concentrated geographically.
Q: Were there any notable ransomware incidents or campaigns reported today?
Yes. Dutch hospitals faced disruptions from a ransomware attack on health software provider ChipSoft, which affected patient-management platforms at around 70% of Dutch hospitals. Separately, a campaign by UNC6783 used fake Okta pages, supported by live-chat operators, for credential harvesting and device enrollment, which lets the attacker keep access after the victim leaves the phishing page.
Q: What vulnerabilities or TTPs are ransomware operators currently exploiting?
Ransomware operators are exploiting vulnerabilities such as Docker Engine authZ bypass (CVE-2026-34040) and Ivanti EPMM (CVE-2026-1340). Social engineering via fake Okta login pages also remains a common TTP for initial access campaigns.