Ransomware Report - 04/15/2026
Statistical Overview
Victim Totals
- This month: 386
- This quarter: 386
- Year to date: 3007
- Last 24h: 40
Quarterly Breakdown
- Q1: 2622
- Q2: 386
- Q3: 0
- Q4: 0
Ransomware activity continues to rise in Q2, with 386 victims identified this quarter. This follows an active Q1, showing a consistent threat environment. The past 24 hours added 40 new victims to the year-to-date total of 3007.
Introduction
In the past 24 hours, PurpleOps observed 40 new ransomware victims, showing persistent activity across various sectors. CoinbaseCartel was the most active group, responsible for 17 incidents, followed by The_Gentelman, Akira, DragonForce, and Exitium. Targeting included a broad range of industries, such as manufacturing, pharmaceuticals, energy, and construction. There were concentrations in North America, parts of Europe, and South America.
Ransomware Summary Table
| # | Group | Victims (24h) | Sample Victims | Geos | Sectors |
|---|---|---|---|---|---|
| 1 | CoinbaseCartel | 17 | Astreya, Canada goose - updated with proof, Cognizant (+14) | Mauritius, Indonesia | Media & Entertainment, Telecommunications |
| 2 | The Gentelman | 5 | Disk precision, El ordeno, Greenpharma (+2) | Ecuador, Singapore | Manufacturing, Pharmaceuticals & Biotech |
| 3 | Akira | 4 | Cir realty, Fletcher chrysler products, Indesmalla (+1) | Spain, Canada | Manufacturing, Automotive |
| 4 | DragonForce | 4 | Apply capnor, Bela - pharm, Curtis design group (+1) | Norway, Canada | Pharmaceuticals & Biotech, Professional Services |
| 5 | Exitium | 4 | Fannin cad, Gastroenterology & hepatology of cny, Marborges agroindustria (+1) | Taiwan, Brazil | Energy & Utilities, Healthcare |
| 6 | Lamashtu | 2 | Palacroix.com, Volterres.fr | France, Canada | Energy & Utilities, Automotive |
| 7 | Chaos | 1 | Itc-group.com | Canada | Construction & Engineering |
| 8 | Krybit | 1 | Hacked 0apt | None | Professional Services |
| 9 | Lynx | 1 | Stonehenge | Thailand | Construction & Engineering |
| 10 | Qilin | 1 | Gruppo icm spa | Italy | Construction & Engineering |
CoinbaseCartel was very active, accounting for 17 victims, primarily in the Media & Entertainment and Telecommunications sectors across Mauritius and Indonesia. Other groups like The_Gentelman, Akira, DragonForce, and Exitium each claimed 4-5 victims, spreading the impact across Manufacturing, Pharmaceuticals & Biotech, Energy & Utilities, and Healthcare. The geographical spread demonstrates a global ransomware threat, with North America, parts of Europe, and Southeast Asia experiencing consistent activity. No specific high-value government or critical infrastructure breaches were identified among the listed sample victims today.
Victim Distribution
By Country
- United States: 12
- Canada: 5
- France: 3
- Italy: 3
- India: 2
- Spain: 2
- Brazil: 2
- Singapore: 1
- Taiwan: 1
- Thailand: 1
By Industry
- Construction: 3
- Real Estate: 2
- Manufacturing: 2
- Government Administration: 1
- Precision Engineering and Manufacturing: 1
- Engineering Services: 1
- Textile Manufacturing: 1
- Solar Energy: 1
- Commercial & Residential Construction: 1
- Automotive Dealership: 1
The United States remains the primary target country, with 12 reported victims, followed by Canada with 5. By industry, attacks concentrate on the construction, real estate, and manufacturing sectors. This shows ongoing targeting of sectors with less mature cybersecurity defenses or significant supply chain relevance.
Ransomware News
Topline - Ransomware developments include new group activity, persistent threats to critical infrastructure, evolving evasion techniques, and specific geographic campaigns.
Campaigns & Operations - Krybit, a new Ransomware-as-a-Service (RaaS) group, claimed a breach of New Zealand IT services provider Dencom. It listed the incident on its darknet leak site with proof of data exfiltration. Separately, former Black Basta affiliates are executing rapid intrusion efforts using mass email bombing and Microsoft Teams impersonation. They primarily target executives across sectors like manufacturing, finance, and professional services to harvest privileged access. Acronis researchers identified JanaWare, a localized ransomware operation targeting Turkish users via phishing emails with malicious Java archives. It demands small payouts of $200-$400.
Vulnerabilities & TTPs - The expansion of EDR killers, which abuse BYOVD (bring-your-own-vulnerable-driver) techniques, continues to enable ransomware operations. Approximately 90 unique tools and 2,500 Truesight.sys variants were observed on underground markets. The FBI's IC3 data shows that leading RaaS groups like Akira, Qilin, and Lynx exploit compromised credentials and disable backups across 16 critical infrastructure sectors, with over 2,100 incidents reported in 2025. This emphasis on initial access shows the continued evolution of Initial Access Brokers in Ransomware.
Analyst Note - These observations show the variety of ransomware operations, from sophisticated affiliate-driven intrusions and evolving defensive evasion tactics to localized campaigns, alongside continued threats to critical infrastructure.
Technical Takeaways
- The emergence and high activity of new groups like CoinbaseCartel and Krybit show a changing threat environment with new Ransomware-as-a-Service (RaaS) operations.
- Continued targeting of critical infrastructure sectors by established groups such as Akira, Qilin, and Lynx, as reported by the FBI, shows ongoing strategic threats.
- The increasing use of advanced evasion techniques, including EDR killers that use BYOVD (bring-your-own-vulnerable-driver), presents a major challenge for endpoint security.
- Diverse initial access tactics, such as mass email bombing and Microsoft Teams impersonation, are adopted by sophisticated affiliates to secure privileged access.
- Ransomware operations show fragmentation, with some groups focusing on high-volume, geographically constrained campaigns with small ransom demands, alongside larger-scale corporate targeting.