Ransomware Report - 04/14/2026

Statistical Overview

Victim Totals

  • This month: 346
  • This quarter: 346
  • Year to date: 2967
  • Last 24h: 55

Quarterly Breakdown Q1: 2622 | Q2: 346 | Q3: 0 | Q4: 0

Q2 activity, driven by April's 346 victims, includes 55 new victims observed in the last 24 hours, contributing to the year's cumulative total. This daily rate shows continued activity across multiple sectors.

Introduction

The past 24 hours saw 55 new ransomware victims. DragonForce and Lamashtu were the most active groups, each claiming 11 new victims, followed by SLSH with 7 and Qilin with 5. The United States remains the primary target, but activity is distributed across European and South American countries. Professional Services and Construction & Engineering sectors saw increased targeting.

Ransomware Summary Table

# Group Victims (24h) Sample Victims Geos Sectors
1 DragonForce 11 Advprograms.com, Breslinbuilders.com, Graphicinfo.com (+8) Canada, United States Construction & Engineering, Professional Services
2 Lamashtu 11 Beaverengineering.com, Clientsolution.it, Cnaoc.org (+8) Malaysia, Italy Healthcare, Professional Services
3 SLSH 7 Abrigo, inc., Kemper corporation, Mcgraw hill, inc. (mheducation.com) (+4) United States, Germany Media & Entertainment, Financial Services
4 Qilin 5 Alternativa de moda sas, Basalt dentistry, Frutcola olmué (+2) Chile, Colombia Healthcare, Agriculture & Food
5 Akira 4 Csa spa, La tuilerie, R l larson excavating (+1) Canada, United States Transportation & Logistics, Construction & Engineering
6 Krybit 4 Asesoriauriel.com, Palladium.gen.tr, Secran.com.br (+1) Spain, Turkey Manufacturing, Professional Services
7 Kairos 2 Colonial presbyterian church, Pullen moving United States Nonprofit, Transportation & Logistics
8 Lynx 2 cwwcontractors.com, sentrydynamics.com United States Construction & Engineering, Technology / Software
9 NightSpire 2 Bk tomorrow, D-troy logistics Turkey, United States Transportation & Logistics, Education
10 Space Bears 2 Asaniverko, Ultimate metals Belgium, United Kingdom Manufacturing, Professional Services
11 LockBit 1 studiopiu.net Italy Media & Entertainment
12 Medusa 1 Northeast missouri rural telephone United States Telecommunications

DragonForce and Lamashtu reported the most victims in the last 24 hours, collectively 22 victims across North America, Europe, and Asia. Professional Services and Construction & Engineering are frequent targets, showing these actors use a varied attack strategy. While no explicitly government or critical infrastructure entities were listed in the sample victims, the targeting of essential services like healthcare and transportation shows how vulnerable these systems are.

Victim Distribution

By Country

  • United States: 29
  • Italy: 4
  • France: 4
  • Spain: 3
  • Canada: 2
  • Turkey: 2
  • United Kingdom: 2
  • Brazil: 1
  • Chile: 1
  • Colombia: 1

By Industry

  • Manufacturing: 3
  • Construction: 2
  • Information Technology and Services: 1
  • Consumer Goods: 1
  • Dental Services: 1
  • Education Services: 1
  • Excavation and Construction: 1
  • Financial Services: 1
  • Financial Technology: 1
  • Fintech: 1

The United States recorded over half of today's ransomware victims (29), followed by attacks distributed across Europe and South America. Professional Services and Construction & Engineering show higher counts, but the industry breakdown demonstrates attacks hit sectors from manufacturing to telecommunications.

Ransomware News

Topline Ransomware intelligence today shows new malware deployments, active exploitation of known vulnerabilities, and continued insider-driven extortion attempts.

Campaigns & Operations The DragonForce ransomware group uses the Python-based ViperTunnel backdoor, which targets Windows servers in the UK and US. This often follows FAKEUPDATES infections, allowing long-term access for groups including RansomHub. Kraken Exchange recently faced an extortion attempt after an insider recorded internal system footage. The company is cooperating with law enforcement and will not negotiate. The INC Ransom group claimed Mastercom, an Australian communications provider, as a victim, releasing customer and operational data. This affects Mastercom's hundreds of clients, including local government, healthcare, and emergency services. The Interlock Ransomware Group exploited a Cisco Secure FMC zero-day (CVE-2026-20131). Medusa ransomware has also used CVE-2023-21529 against Microsoft Exchange Server.

Vulnerabilities & TTPs CISA added six known-exploited flaws to its KEV catalog. These include CVE-2026-21643 (Fortinet FortiClient EMS SQL injection) and CVE-2023-21529 (Microsoft Exchange Server deserialization), which Storm-1175 used to deploy Medusa ransomware. The Interlock Ransomware Group exploited a Cisco Secure FMC zero-day, CVE-2026-20131, to execute arbitrary Java code as root. ViperTunnel, linked to DragonForce, uses triple-layer obfuscation and creates SOCKS5 proxies for covert data exfiltration, showing complex post-compromise methods.

Analyst Note Today's reporting shows the many aspects of ransomware threats: exploitation of critical vulnerabilities, new malware, and increasing insider-facilitated attacks. PurpleOps Ransomware Tracking offers detailed information on actor behavior and victim profiles, helping organizations respond to these changes.

Technical Takeaways

  • DragonForce and Lamashtu were the most active groups, each claiming 11 new victims. These actors showed increased activity.
  • New malware, ViperTunnel, a Python-based backdoor, is used to establish persistence for DragonForce and RansomHub, often after FAKEUPDATES infections.
  • CISA added six known-exploited vulnerabilities to its KEV catalog, including a Fortinet FortiClient EMS SQL injection (CVE-2026-21643) and a Microsoft Exchange Server deserialization flaw (CVE-2023-21529) exploited by Medusa ransomware.
  • The Interlock Ransomware Group exploited a Cisco Secure FMC zero-day (CVE-2026-20131). This shows they can exploit critical software vulnerabilities.
  • The Kraken Exchange incident shows the ongoing risk from insider threats and data extortion, even without full system breaches. This points to the importance of continuous Dark Web Monitoring for leaked credentials or insider chatter.

FAQ

Q: Which ransomware groups were most active in the last 24 hours?

DragonForce and Lamashtu were the most active ransomware groups, each reporting 11 new victims. SLSH followed with 7 victims, while Qilin claimed 5 and Akira 4.

Q: Which countries were most affected by ransomware attacks today?

The United States was the most targeted country, with 29 reported victims. Italy and France each saw 4 victims, followed by Spain with 3, and Canada and Turkey each with 2.

Q: Are new vulnerabilities being exploited by ransomware operators?

Yes, new vulnerabilities are being actively exploited. CISA added six flaws to its KEV catalog, including CVE-2026-21643 in Fortinet FortiClient EMS. The Interlock Ransomware Group exploited a Cisco Secure FMC zero-day (CVE-2026-20131), and Medusa ransomware used CVE-2023-21529 in Microsoft Exchange.

Q: What is ViperTunnel and which ransomware group is it linked to?

ViperTunnel is a Python-based backdoor targeting Windows servers in the UK and US, designed for covert data exfiltration and long-term access. It is linked to DragonForce ransomware and is often deployed after FAKEUPDATES infections, sometimes providing access to groups like RansomHub.

Q: Was there any notable targeting of critical sectors or high-value organizations today?

The INC Ransom group targeted Mastercom, an Australian communications provider. They released sensitive data that affected Mastercom's clients, including local government, healthcare, and emergency services. This incident shows increased risk to critical service providers, making full Supply Chain Risk monitoring important.