Daily Ransomware Report - 04/03/2026
Statistical Overview
Victim Totals
- This month: 104
- This quarter: 104
- Year to date: 2726
- Last 24h: 39
Quarterly Breakdown
| Q1 | Q2 | Q3 | Q4 |
|---|---|---|---|
| 2622 | 104 | 0 | 0 |
The 39 new victims reported in the last 24 hours contribute to the cumulative Q2 total. This activity shows a consistent tempo of ransomware operations as the quarter progresses, following many incidents in Q1.
Introduction
Today's report identifies 39 new ransomware victims across various sectors and geographies. LockBit remains the most active group, accounting for 17 new incidents, followed by NightSpire with 7 victims. Construction, Insurance, and Government were key affected sectors, while the United States continues to be the most targeted nation.
Ransomware Summary Table
| # | Group | Victims (24h) | Sample Victims | Geos | Sectors |
|---|---|---|---|---|---|
| 1 | LockBit | 17 | abuhatim.com, aplast.ro, awvgrazerfeld.at (+14) | Austria, Australia | Insurance, Energy & Utilities |
| 2 | NightSpire | 7 | Association ocacia, Dubosson frères sa, Neptune mechanical, inc. (+4) | Turkey, Switzerland | Agriculture & Food, Construction & Engineering |
| 3 | Akira | 4 | American vintage home, briggs plumbing products, genco manufacturing, american vintage home, associates of clifton park., Charles river insurance, Westamerica communications (+1) | United States | Insurance, Construction & Engineering |
| 4 | INC Ransom | 3 | BERGE-BAU GmbH & Co. KG, Infonet Media d.o.o., roodtrucking.com | Slovenia, United States | Construction & Engineering, Transportation & Logistics |
| 5 | AiLock | 2 | Berning & söhne gmbh, Piet vijverberg | Netherlands, Germany | Manufacturing, Agriculture & Food |
| 6 | BQTLock | 1 | Metro hospital usa | United States | Healthcare |
| 7 | DragonForce | 1 | Asmar schor & mckenna | United States | Legal |
| 8 | Interlock | 1 | Community college of beaver county | United States | Education |
| 9 | Nova (RALord) | 1 | Wolf technology group | United States | Technology / Software |
| 10 | Payload | 1 | United finance egypt | Egypt | Financial Services |
| 11 | Qilin | 1 | Faulkner county sheriff's office | United States | Government / Public Sector |
LockBit continues widespread targeting, affecting entities in Austria and Australia, primarily across insurance and energy sectors. NightSpire was active in Turkey and Switzerland, focusing on agriculture and construction. Akira and INC Ransom maintained their presence with multiple victims in the United States. Today's targets included the Faulkner County Sheriff's Office in the United States (Qilin), showing ongoing pressure on local government entities, and Metro Hospital USA (BQTLock), demonstrating persistent threats to the healthcare sector.
Victim Distribution
By Country
- United States: 14
- Italy: 5
- France: 3
- Turkey: 2
- Czech Republic: 2
- Egypt: 2
- Germany: 2
- Slovenia: 1
- Switzerland: 1
- Portugal: 1
By Industry
- Construction: 3
- HVAC and Plumbing Services: 2
- Education: 2
- Insurance: 2
- Manufacturing: 2
- Information Technology Services: 1
- Media and Broadcasting: 1
- Carpentry and Woodworking: 1
- Defense and Aerospace: 1
- Research Services: 1
The United States consistently experiences the highest volume of attacks. Today's distribution indicates a significant concentration within the Construction and HVAC sectors, as well as Education. This suggests ongoing targeting of specific operational infrastructures and service providers across diverse economies.
Ransomware News
Topline
Ransomware-related developments today feature an expanded supply-chain attack, confirmed political party breaches, and ongoing legal repercussions from past incidents.
Campaigns & Operations
The blast radius of the TeamPCP campaign has expanded: a compromised Trivy version in the European Commission's cloud and web infrastructure was used to access AWS environments, affecting thousands of victims. Qilin ransomware confirmed a breach of the German political party Die Linke on March 27, threatening the publication of sensitive internal data. Separately, Iran-linked Pay2Key has been observed employing ransomware as a cover for disruptive operations. A former core infrastructure engineer admitted to an extortion plot that locked thousands of Windows devices at his employer.
Vulnerabilities & TTPs
Active exploitation of CVE-2026-3055 on Citrix NetScaler ADC/Gateway is currently leaking session data, while a TrueConf zero-day, CVE-2026-3502, has been used against Southeast Asian governments. Ransomware's evolution now frequently involves multi-extortion campaigns, incorporating data exfiltration and public release threats, with triple extortion extending to victims' customers or partners.
Analyst Note
These incidents demonstrate persistent supply-chain risks, state-aligned cyber activity, and the complex nature of multi-extortion ransomware TTPs. Organizations must bolster defenses against data exfiltration and strengthen their capacity for rapid recovery.
Technical Takeaways
- LockBit remains active, responsible for 17 new victim postings across a diverse range of sectors and geographical locations.
- Government, Healthcare, and Education sectors experienced breaches today: a US sheriff's office (Qilin), a US hospital (BQTLock), and a US community college (Interlock).
- The expanded TeamPCP supply-chain attack shows the risk associated with compromised software within cloud and CI/CD environments.
- Multi-extortion tactics, including data exfiltration and threats to public release, continue to be a dominant trend in ransomware operations, as discussed in recent analysis.
- New vulnerabilities, CVE-2026-3055 (Citrix NetScaler) and CVE-2026-3502 (TrueConf), are undergoing active exploitation, demonstrating the rapid weaponization of newly disclosed flaws.