Ransomware Report - 04/18/2026
Statistical Overview
Victim Totals
- This month: 456
- This quarter: 456
- Year to date: 3077
- Last 24h: 23
Quarterly Breakdown
Q1: 2622 | Q2: 456 | Q3: 0 | Q4: 0
Ransomware activity continues at a steady pace into Q2, with 456 victims reported so far. This early-quarter activity shows continued pressure from threat actors across various sectors.
Introduction
In the last 24 hours, PurpleOps observed 23 new ransomware victims. Leading the activity were Black Nevas with 9 reported incidents, followed by CoinbaseCartel (4) and Blackwater (3). Affected sectors included Manufacturing, Real Estate, and Healthcare, while geographically, the United States, India, Turkey, and Germany saw the highest number of new compromises. This period shows continued targeting across a diverse set of industries and regions.
Ransomware Summary Table
| # | Group | Victims (24h) | Sample Victims | Geos | Sectors |
|---|---|---|---|---|---|
| 1 | Black Nevas | 9 | Bohmler einrichtungshaus gmbh, Carrera casting corp., E-con packaging private limited (+6) | China, Italy | Professional Services, Manufacturing |
| 2 | CoinbaseCartel | 4 | Altpro, Evict them for me, Mccuaig and associates engineering (+1) | France, Canada | Manufacturing, Construction & Engineering |
| 3 | Blackwater | 3 | Grupo ebd, Medical-park, Minidoka memorial hospital | Turkey, Brazil | Hospitality & Travel, Healthcare |
| 4 | INC Ransom | 2 | Mag. Fünder Hausverwaltungs GmbH, alupco.com | Austria, Saudi Arabia | Manufacturing, Real Estate |
| 5 | Kairos | 1 | Strata republic | Australia | Real Estate |
| 6 | Krybit | 1 | Rhode-hv.de | Germany | Manufacturing |
| 7 | RansomEXX | 1 | Sogo auction | Japan | Retail & Ecommerce |
| 8 | RansomHouse | 1 | Winnitex (Americas) Limited | Hong Kong | Manufacturing |
| 9 | SLSH | 1 | Marcus & millichap, inc. | United States | Real Estate |
The summary table for today's activity shows a varied threat environment. Black Nevas targeted widely across China and Italy, primarily impacting professional services and manufacturing. CoinbaseCartel concentrated on manufacturing and construction in France and Canada, while Blackwater focused on hospitality and healthcare across Turkey and Brazil. Minidoka Memorial Hospital was listed as a victim of Blackwater, showing continued threats to critical infrastructure within the healthcare sector. For more granular insights into active groups, our Ransomware Tracking platform provides real-time data.
Victim Distribution
By Country
- United States: 5
- India: 2
- Turkey: 2
- Germany: 2
- United Kingdom: 1
- Saudi Arabia: 1
- Japan: 1
- Italy: 1
- Australia: 1
- Hong Kong: 1
By Industry
- Manufacturing: 2
- Property Management: 2
- Healthcare: 2
- Software Development: 1
- Jewelry Manufacturing: 1
- Commercial Real Estate: 1
- Law Firms & Legal Services: 1
- Construction Machinery Manufacturing: 1
- Building Materials: 1
- Used Construction Machinery Auctions: 1
The distribution indicates continued prevalence of attacks in the United States, while India, Turkey, and Germany appear as secondary targets. By industry, the persistent targeting of Manufacturing and Real Estate shows these sectors' continued vulnerability to various ransomware campaigns.
Ransomware News
Topline
Recent intelligence shows historical failures in incident disclosure and new ransomware operations that use advanced technical evasion tactics.
Campaigns & Operations
The City of York, Pennsylvania, did not publicly disclose a July 2025 ransomware attack that disrupted municipal email and parking services. A subsequent February 2026 investigation revealed a $500,000 settlement backed by an insurer after negotiations. This incident shows potential gaps in public incident reporting and the financial implications for affected municipalities.
Vulnerabilities & TTPs
The Payouts King ransomware is using the QEMU CPU emulator to deploy hidden Alpine Linux virtual machines on compromised hosts. This technique allows payload execution, malicious file storage, and covert remote access, bypassing conventional endpoint security measures. Campaigns linked to this operation, identified as GOLD ENCOUNTER (STAC4713 and STAC3725), exploited exposed SonicWall VPNs, the SolarWinds Web Help Desk vulnerability CVE-2025-26399, and the CitrixBleed 2 vulnerability CVE-2025-5777 on NetScaler ADC/Gateway devices. Attackers then install QEMU, launch hidden VMs with tools like AdaptixC2, Chisel, and Rclone, harvest credentials, enumerate Active Directory, and exfiltrate data. Organizations are advised to monitor for unauthorized QEMU installations and unusual SSH activity.
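One way to act on the advice to monitor for unauthorized QEMU installations, shown as an added example that is not part of the original report or of any PurpleOps tooling. It scores process-creation records for QEMU running outside an approved path, under a renamed binary, headless, or with host port forwarding. The approved directory, the Sysmon-style field names, the score weights and the QEMU options used as heuristics are all assumptions of this example, and the sample records are constructed.

```python
import re
from pathlib import PureWindowsPath

# Assumption: the only directory where QEMU is legitimately installed here.
APPROVED_DIRS = ("c:\\program files\\qemu",)
QEMU_NAME = re.compile(r"^qemu-(system-[\w-]+|img)(\.exe)?$", re.I)
# Generic QEMU options used as heuristics; none are indicators from the report.
DISK_OPT = re.compile(r"(?<!\S)-(drive|hda|cdrom)\b", re.I)
NET_OPT = re.compile(r"(?<!\S)-(netdev|nic|net)\b", re.I)
HEADLESS = re.compile(r"(?<!\S)-nographic\b|-display\s+none\b", re.I)

def score_event(event):
    """Score one process-creation record; returns (score, reasons)."""
    image = PureWindowsPath(event["Image"])
    cmd = event.get("CommandLine", "")
    named = bool(QEMU_NAME.match(image.name))
    shaped = bool(DISK_OPT.search(cmd) and NET_OPT.search(cmd))
    if not (named or shaped):
        return 0, []
    score, reasons = 1, ["QEMU-style process"]
    if not named:  # QEMU-shaped arguments under another file name
        score, reasons = score + 2, reasons + ["binary renamed"]
    if str(image.parent).lower() not in APPROVED_DIRS:
        score, reasons = score + 2, reasons + ["outside approved install path"]
    if HEADLESS.search(cmd):
        score, reasons = score + 1, reasons + ["headless guest"]
    if "hostfwd=" in cmd.lower():
        score, reasons = score + 1, reasons + ["host port forwarded into guest"]
    return score, reasons

def triage(events, threshold=3):
    """Return (host, image, score, reasons) for events at or above threshold."""
    hits = []
    for e in events:
        score, reasons = score_event(e)
        if score >= threshold:
            hits.append((e["Computer"], e["Image"], score, reasons))
    return hits

# Constructed sample records (field names follow Sysmon Event ID 1).
SAMPLE = [
    {"Computer": "WS-01", "Image": r"C:\Program Files\qemu\qemu-system-x86_64.exe",
     "CommandLine": "qemu-system-x86_64.exe -m 2048 -hda dev.qcow2"},
    {"Computer": "SRV-07", "Image": r"C:\ProgramData\upd\qemu-system-x86_64.exe",
     "CommandLine": "qemu-system-x86_64.exe -m 512 -drive file=a.qcow2 "
                    "-nographic -netdev user,id=n0,hostfwd=tcp::2222-:22"},
    {"Computer": "SRV-09", "Image": r"C:\Users\Public\svchelper.exe",
     "CommandLine": "svchelper.exe -m 512 -hda a.img -nic user -display none"},
]
```

Calling triage(SAMPLE) returns the SRV-07 and SRV-09 records and leaves the approved developer install on WS-01 below the threshold.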
Analyst Note
The observed technical complexity, particularly the use of virtual machines and exploitation of known vulnerabilities, suggests a trend towards more complex evasion tactics and diversified initial access vectors. This shows the importance of strong Dark Web Monitoring for early warning of emerging TTPs.
Technical Takeaways
- Diverse Group Activity: Black Nevas, CoinbaseCartel, and Blackwater were the most active groups, collectively responsible for over 70% of reported victims in the last 24 hours, showing a distributed threat environment rather than a single dominant actor.
- Persistent Healthcare Sector Targeting: The compromise of Minidoka Memorial Hospital by Blackwater shows the ongoing threat to the healthcare sector, classified as critical infrastructure.
- Manufacturing and Real Estate Vulnerability: Manufacturing and Real Estate sectors continue to experience high targeting, accounting for 20% of today's new victims, which points to persistent vulnerabilities in these sectors or to their value for ransomware groups.
- Advanced Evasion Techniques: The Payouts King ransomware's use of QEMU virtual machines to bypass endpoint security represents an advanced TTP designed to achieve stealthy persistence and execution.
- Exploitation of Known Vulnerabilities: Ransomware campaigns continue to use critical vulnerabilities such as CVE-2025-26399 (SolarWinds) and CVE-2025-5777 (CitrixBleed 2) for initial access, showing the critical need for timely patching.