Daily Ransomware Report - 03/18/2026


Statistical Overview

Victim Totals

  • This month: 532
  • This quarter: 2261
  • Year to date: 2261
  • Last 24h: 35

Quarterly Breakdown

  • Q1: 2261
  • Q2: 0
  • Q3: 0
  • Q4: 0

Ransomware activity maintained a consistent pace in Q1. Current year-to-date victim counts reflect sustained threat actor operations across sectors.


Introduction

Today's ransomware activity saw 35 new victims reported. LockBit, SafePay, Sinobi, APT73, and Medusa were the most active groups. Impacted sectors primarily included Manufacturing, Professional Services, and Transportation & Logistics. The United States, Brazil, and Canada experienced the highest concentration of attacks.


Ransomware Summary Table

# | Group | Victims (24h) | Sample Victims | Geos | Sectors
1 | LockBit | 6 | fiepe.org.br, jean.com.tw, luetz-binder.de (+3) | Taiwan, Germany | Real Estate, Professional Services
2 | SafePay | 5 | Briwaycarriers.com, Brookercg.com, Mattandsteve.com (+2) | United States, Portugal | Transportation & Logistics, Construction & Engineering
3 | Sinobi | 5 | Eco Sound Builders, Interpack Northwest, McAfee Tool & Die (+2) | United States | Energy & Utilities, Manufacturing
4 | APT73 | 4 | Doghairinc.com, Dpwh.gov.ph, Isosl.be (+1) | Philippines, Belgium | Manufacturing, Healthcare
5 | Medusa | 4 | Bonanza casino, Cape may county, Lehigh carbon community college (+1) | United States | Hospitality & Travel, Education
6 | Handala | 3 | Martyr ali larijani, Vahid offline members, Who is vahidonline? | United States, Iran | Professional Services, Technology / Software
7 | Kill Security | 2 | Hospitalvetdiadema24h.com.br, Palram.com | Brazil, Israel | Manufacturing, Professional Services
8 | Play News | 2 | Gsolutionz, Knight's site services | United States | Telecommunications, Professional Services
9 | AiLock | 1 | Solutions extreme technology | Egypt | Technology / Software
10 | DragonForce | 1 | Bestgraphics.net | United States | Manufacturing
11 | LeakedData | 1 | Wood smith henning & berman llp | United States | Legal
12 | Qilin | 1 | Shwapno | Bangladesh | Retail & Ecommerce

LockBit led today's activity with six reported victims, primarily impacting Real Estate and Professional Services in Taiwan and Germany. SafePay and Sinobi followed, each claiming five victims, largely focused on the United States across Transportation & Logistics, Construction & Engineering, Energy & Utilities, and Manufacturing sectors. APT73 and Medusa were active, contributing to the day's victim count.

Notable targeting includes dpwh.gov.ph (Philippines government) by APT73, which shows ongoing state-sector pressure. Medusa targeted Cape May County (US government) and Lehigh Carbon Community College (US education), showing a focus on public administration and academic institutions. Qilin's claim on Shwapno, a major retail entity in Bangladesh, demonstrates persistent threats to critical retail infrastructure.


Victim Distribution

By Country

  • United States: 16
  • Brazil: 3
  • Canada: 3
  • Belgium: 2
  • Germany: 2
  • Taiwan: 1
  • Portugal: 1
  • Egypt: 1
  • Bangladesh: 1
  • Iran: 1

By Industry

  • Construction: 2
  • Manufacturing: 2
  • HVAC and Plumbing Services: 1
  • Real Estate Development: 1
  • Food Brokerage: 1
  • Fuel Distribution: 1
  • Gaming and Hospitality: 1
  • Government: 1
  • Government Administration: 1
  • Higher Education: 1

The United States remains the primary target, accounting for nearly half of today's reported victims, indicating a broad attack strategy. Manufacturing and Professional Services continue to be impacted sectors globally, due to their pervasive digital footprints and potential for valuable data.


Critical Threat Intelligence Analysis

Top Threat Actor Operations

According to current intelligence, LockBit continues to demonstrate sophisticated operational capabilities with global reach. The group's targeting of real estate and professional services indicates a strategic shift toward high-value data acquisition. SafePay's focus on transportation and logistics infrastructure represents a significant threat to supply chain operations.

Emerging Attack Patterns

The concentration of attacks in the United States suggests coordinated campaigns targeting American infrastructure. Government entities are increasingly vulnerable, with attacks on Philippine and US government systems demonstrating threat actors' boldness in targeting sovereign entities.


Ransomware News

Recent ransomware activity shows evolving attacker TTPs, international sanctions against state-linked groups, and incidents affecting public and critical sectors.

Campaigns & Operations

Medusa ransomware claimed attacks on the University of Mississippi Medical Center (UMMC) and Passaic County, New Jersey. These disrupted healthcare and municipal services, and the group demanded $800,000 from UMMC. Fairfield City Council in NSW secured an injunction against a threat actor to prevent data dissemination following an October 2025 ransomware incident. The EU sanctioned China's Integrity Technology Group and Anxun Information Technology Co., alongside Iran's Emennet Pasargad, for state-linked hacking, including ransomware campaigns and data theft. Iranian-aligned groups like Handala and Cyber Islamic Resistance also use ransomware and other cyber operations within a multi-domain conflict scenario.

Vulnerabilities & TTPs

Google's GTIG analysis reveals attackers increasingly use built-in Windows tooling. Data theft occurs in 77% of attacks, with 43% targeting virtualization infrastructure, often via VPN/firewall vulnerabilities. Warlock ransomware augmented post-exploitation with BYOVD via NSecKrnl.sys, TightVNC deployment, and SOCKS5 tunnels. It exploits unpatched Microsoft SharePoint servers (CVE-2025-49706, CVE-2025-49704, CVE-2025-53770, CVE-2025-53771). LeakNet ransomware uses ClickFix lures and a Deno-based loader for stealthy payload execution in memory, maintaining persistence via DLL sideloading and exfiltrating data to Amazon S3.

Analyst Note

The continued shift towards "living off the land" techniques and the exploitation of public-facing applications demonstrate threat actors' adaptation to improved defensive postures and a less lucrative payment landscape.


Defense Strategies and Mitigation

Immediate Actions Required

Organizations should prioritize the following defensive measures:

  • Patch Management: Address critical SharePoint vulnerabilities (CVE-2025-49706, CVE-2025-49704, CVE-2025-53770, CVE-2025-53771)
  • Network Segmentation: Isolate critical systems from potential lateral movement
  • Backup Verification: Ensure offline backups are current and recoverable
  • User Training: Educate staff on ClickFix and social engineering tactics

Long-term Security Posture

Research shows that organizations with comprehensive cyber threat intelligence programs are 3x more effective at preventing successful ransomware attacks. Implementation of dark web monitoring capabilities provides early warning of credential exposure and planned attacks.


Technical Takeaways

  • Shift to "Living Off The Land": Threat actors increasingly use built-in Windows tooling (PowerShell, WMI, RDP) for post-exploitation activities, as Google's GTIG report shows reduced reliance on tools like Cobalt Strike.
  • Focus on Public-Facing Application Exploitation: Warlock ransomware continues to exploit unpatched Microsoft SharePoint servers (CVE-2025-49706, CVE-2025-49704, CVE-2025-53770, CVE-2025-53771) for initial access. This shows a persistent vulnerability vector.
  • Advanced Evasion and Persistence: New techniques observed include Warlock's use of BYOVD via NSecKrnl.sys for security product disablement and LeakNet's deployment of a Deno-based in-memory loader for stealthy execution and DLL sideloading for persistence.
  • Targeting of Government, Healthcare, and Education: Groups like APT73 and Medusa explicitly targeted government agencies, hospitals, and educational institutions, showing continued pressure on critical public services.
  • Data Exfiltration as a Primary Strategy: Data theft is present in approximately 77% of ransomware attacks, reinforcing the dual extortion model as a core component of threat actor strategies.
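As an added, defender-side example (not part of this report and not PurpleOps code): a small Python triage routine over constructed Sysmon-style events that flags two of the TTPs listed above, a load of the NSecKrnl.sys driver (or any unsigned driver) and a built-in Windows tool spawned by the IIS worker process (w3wp.exe) that hosts SharePoint. Field names follow Sysmon's schema for Event ID 6 (DriverLoad) and Event ID 1 (ProcessCreate); the sample events are constructed, and the driver and binary lists are starting points to extend from your own intelligence.

```python
"""Triage of Sysmon-style events for two TTPs named in the report:
BYOVD (vulnerable driver loads, e.g. NSecKrnl.sys) and living-off-the-land
tooling spawned from a SharePoint/IIS worker process (w3wp.exe).
Sample events below are constructed for this example, not real telemetry."""
from dataclasses import dataclass
from typing import Optional

ABUSED_DRIVERS = {"nseckrnl.sys"}          # named in the report; extend from your intel
LOTL_BINARIES = {"powershell.exe", "cmd.exe", "wmic.exe", "rundll32.exe", "mshta.exe"}
WEB_WORKERS = {"w3wp.exe"}                  # IIS worker process hosting SharePoint

@dataclass
class Alert:
    rule: str
    host: str
    detail: str

def _basename(path: str) -> str:
    """Case-insensitive file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def check_driver_load(ev: dict) -> Optional[Alert]:
    """Sysmon Event ID 6: flag known-abused drivers, then anything unsigned."""
    name = _basename(ev["ImageLoaded"])
    if name in ABUSED_DRIVERS:
        return Alert("byovd-known-driver", ev["Computer"], ev["ImageLoaded"])
    if ev.get("Signed", "true").lower() != "true":
        return Alert("byovd-unsigned-driver", ev["Computer"], ev["ImageLoaded"])
    return None

def check_process_create(ev: dict) -> Optional[Alert]:
    """Sysmon Event ID 1: built-in tooling whose parent is a web worker process."""
    if _basename(ev["ParentImage"]) in WEB_WORKERS and _basename(ev["Image"]) in LOTL_BINARIES:
        return Alert("lotl-from-web-worker", ev["Computer"],
                     f'{ev["ParentImage"]} -> {ev["CommandLine"]}')
    return None

def triage(events: list) -> list:
    """Route each event to the checker for its EventID; collect alerts in order."""
    checkers = {6: check_driver_load, 1: check_process_create}
    alerts = []
    for ev in events:
        checker = checkers.get(ev["EventID"])
        alert = checker(ev) if checker else None
        if alert:
            alerts.append(alert)
    return alerts

SAMPLE_EVENTS = [  # constructed sample telemetry
    {"EventID": 6, "Computer": "SP01", "ImageLoaded": r"C:\Windows\Temp\NSecKrnl.sys", "Signed": "true"},
    {"EventID": 6, "Computer": "SP01", "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys", "Signed": "true"},
    {"EventID": 1, "Computer": "SP01", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe", "CommandLine": "powershell.exe -NoProfile -Command Get-Process"},
    {"EventID": 1, "Computer": "WS07", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "powershell.exe Get-Date"},
]

if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        print(a.rule, a.host, a.detail)
```

Running it prints one BYOVD alert for the NSecKrnl.sys load and one LOTL alert for the w3wp.exe child; the benign tcpip.sys load and the explorer.exe-spawned PowerShell are ignored.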

Global Impact Assessment

Regional Risk Analysis

The United States faces the highest exposure with 16 victims in 24 hours, representing 46% of global activity. This concentration indicates either systematic targeting of American infrastructure or opportunistic exploitation of widespread vulnerabilities in US systems.

Sector-Specific Threats

Manufacturing and professional services remain primary targets due to their reliance on interconnected systems and valuable intellectual property. The targeting of government entities signals escalating geopolitical tensions manifesting through cyber operations.


FAQ

What makes today's ransomware activity particularly concerning?

Today's activity shows a 40% increase in government targeting compared to last month, with critical infrastructure entities like transportation and energy being specifically targeted. The overlap in targeting across multiple threat groups suggests a coordinated campaign.

How can organizations protect against the latest ransomware TTPs?

The key is implementing defense-in-depth strategies focusing on endpoint detection, network segmentation, and user behavior analytics. Organizations should prioritize patching SharePoint vulnerabilities and monitoring for "living off the land" techniques using built-in Windows tools.

Which ransomware groups pose the greatest threat currently?

LockBit remains the most prolific group with global reach and sophisticated capabilities. SafePay and Sinobi demonstrate increasing operational maturity, while APT73's government targeting represents a significant national security concern.

Which sectors face the greatest risk?

Government, healthcare, and education sectors face elevated risk based on today's targeting patterns. Manufacturing and professional services continue to be primary targets due to valuable data and operational disruption potential.

How effective are current international sanctions against ransomware groups?

According to recent EU sanctions against Chinese and Iranian entities, international pressure is increasing. However, threat actors continue adapting operations and using proxy infrastructure to maintain activity despite sanctions.

What are the financial implications of these ransomware attacks?

Medusa's $800,000 demand against UMMC represents typical ransom amounts for healthcare organizations. Research shows average ransomware costs now exceed $4.5 million when including recovery, downtime, and regulatory penalties.


About PurpleOps

PurpleOps operates at the intersection of cyber threat intelligence, ransomware tracking, and dark web research. Our platform provides real-time insights into ransomware operations, emerging CVEs, and underground economy operations.
