Ransomware Report - 04/22/2026
Statistical Overview
Victim Totals
- This month: 539
- This quarter: 539
- Year to date: 3160
- Last 24h: 19
Quarterly Breakdown
| Q1: 2622 | Q2: 539 | Q3: 0 | Q4: 0 |
|---|
Q2 ransomware activity started with 539 victims, adding to the year-to-date total of 3160. This figure indicates ransomware groups maintain their operational tempo, consistent with prior quarter trends. See our analysis of the most active ransomware groups for details on recent group activities.
Introduction
Over the last 24 hours, PurpleOps observed 19 new ransomware victims across various groups and sectors. Qilin emerged as the most active threat actor with 6 reported victims, followed by Akira and DragonForce. Geographically, the United States saw the highest number of incidents, while the Professional Services and Manufacturing sectors were prominently targeted. To understand the broader context of Q2 activity, refer to our Q2 victim report.
Ransomware Summary Table
| # | Group | Victims (24h) | Sample Victims | Geos | Sectors |
|---|---|---|---|---|---|
| 1 | Qilin | 6 | Heartland steel products, Huonker gmbh, Industrial carrocera arbuciense (+3) | Turkey, Spain | Construction & Engineering, Technology / Software |
| 2 | Akira | 2 | Kubiak melton & associates, S4k entertainment | United States | Media & Entertainment, Professional Services |
| 3 | DragonForce | 2 | Primius law firm, The galliher law firm | United States, Greece | Legal |
| 4 | AiLock | 1 | Premcom | United Kingdom | Professional Services |
| 5 | Anubis | 1 | Tractial | France | Financial Services |
| 6 | Genesis | 1 | K2 electric, inc | United States | Construction & Engineering |
| 7 | LeakedData | 1 | Rutan & tucker, llp | United States | Legal |
| 8 | LockBit | 1 | bladex.com | Panama | Financial Services |
| 9 | PEAR | 1 | Kinsmen telemiracle | Canada | Nonprofit |
| 10 | RansomHouse | 1 | Jiangsu Zenergy Battery Technologies Group Co., Ltd. | China | Manufacturing |
| 11 | Securotop | 1 | Synergy engineering | Canada | Manufacturing |
| 12 | World Leaks | 1 | Equatorial coca-cola bottling | Morocco | Manufacturing |
Qilin was most active today, impacting diverse sectors including construction and technology across Turkey and Spain. Akira and DragonForce maintained a presence, primarily targeting U.S.-based entities in Media & Entertainment, Professional Services, and Legal sectors. No high-value critical infrastructure or government entities were identified among the sample victims today. However, the diverse geographic and industry targeting shows ransomware operations are persistent and opportunistic. Our detailed analysis of Qilin ransomware victims and attacks provides more information on this group's tactics.
Victim Distribution
By Country
- United States: 7
- Canada: 3
- Spain: 1
- United Kingdom: 1
- Turkey: 1
- Panama: 1
- Morocco: 1
- Greece: 1
- Germany: 1
- France: 1
By Industry
- Manufacturing: 2
- Legal Services: 2
- Warehousing and Storage: 1
- Office Technology Solutions: 1
- Law Practice: 1
- Entertainment: 1
- Electrical Contracting: 1
- Accounting: 1
- Printing and Direct Mail Services: 1
- Construction and Contracting: 1
The United States continues to be the primary target for ransomware groups, accounting for over a third of today's observed victims. Industry-wise, Professional Services (including Legal and Accounting) and Manufacturing show a concentrated targeting trend, reflecting ongoing threat actor focus on organizations with valuable intellectual property or client data.
Ransomware News
Topline
Recent developments highlight persistent ransomware threats, including supply chain vulnerabilities, new campaign discoveries, significant legal actions against affiliates, and ongoing policy discussions.
Campaigns & Operations
The "The Gentlemen" ransomware operation has been linked to a SystemBC C2 server, revealing a botnet exceeding 1,570 victims globally. It uses SOCKS5 tunnels and custom RC4-encrypted protocols for payload delivery. At the same time, SafePay dumped a 237-gigabyte dataset from Favelle Favco's Australian operations, comprising passport scans and sensitive industrial data. This shows risks to personnel identity and critical assets in construction. Separately, a former DigitalMint ransomware negotiator, Angelo John Martino III, pleaded guilty to conspiring with BlackCat/ALPHV affiliates, extorting approximately $75.3 million from five U.S. victims by using confidential negotiation intelligence.
Vulnerabilities & TTPs
A surge in attacks exploiting Bomgar Remote Support (now BeyondTrust) RMM has been observed, using CVE-2026-1731, an unauthenticated remote code execution flaw. This vulnerability allows attackers to run arbitrary OS commands and pivot into upstream servers, demonstrating rapid lateral movement capabilities, as seen in incidents affecting dental software providers and MSPs where LockBit ransomware was deployed.
Analyst Note
These incidents show the critical challenges from supply chain vulnerabilities, insider threat potential, the continuous evolution of ransomware tactics and infrastructure, and they also bring policy debates regarding hospital ransomware to the forefront.
Technical Takeaways
- Qilin's Sustained Activity: Qilin remains an active threat actor, capable of multi-sector targeting across diverse geographies.
- Supply Chain Vulnerability Exploitation: The exploitation of Bomgar Remote Support (CVE-2026-1731) shows the ongoing risk from unpatched RMM solutions and their potential for widespread downstream impact.
- Insider Threat & Negotiation Risks: The plea of a former ransomware negotiator exposes vulnerabilities within incident response, emphasizing the critical need for vetted partners and secure negotiation practices.
- Persistent Targeting of Professional Services: Legal, accounting, and consulting firms continue to be attractive targets for ransomware groups, indicating the value of their sensitive client data and operational disruption potential.
- Evolution of Ransomware-as-a-Service (RaaS) Infrastructure: The "The Gentlemen" operation using SystemBC shows RaaS capabilities, including multi-OS targeting and advanced lateral movement techniques.
FAQ
Q: Which ransomware groups were most active in the last 24 hours?
Qilin was the most active ransomware group in the last 24 hours, with 6 reported victims. Akira and DragonForce were also active, each claiming 2 new victims during this period.
Q: Which industries were most targeted by ransomware today?
Today, the Professional Services sector (including Legal Services, Law Practice, and Accounting) and Manufacturing were among the most targeted industries, each accounting for 2 reported victims. Construction & Engineering also saw activity.
Q: What regions saw the most ransomware attacks in the past 24 hours?
The United States experienced the highest concentration of ransomware attacks in the last 24 hours, with 7 victims. Canada followed with 3 victims, while Spain, the United Kingdom, and Turkey each reported 1 victim.
Q: Are there any new CVEs being exploited by ransomware operators that were reported today?
Yes, a new wave of attacks is actively exploiting CVE-2026-1731, an unauthenticated remote code execution flaw in Bomgar Remote Support (now BeyondTrust) RMM. This vulnerability allows attackers to run arbitrary OS commands and pivot into downstream systems, with LockBit ransomware observed in deployments using this flaw.