Ransomware Report - 04/25/2026
Statistical Overview
Victim Totals
- This month: 606
- This quarter: 606
- Year to date: 3227
- Last 24h: 23
Quarterly Breakdown
| Q1: 2622 | Q2: 606 | Q3: 0 | Q4: 0 |
|---|
Ransomware activity in Q2 continues, with the current victim count matching the quarterly total due to the reporting period's commencement. Year-to-date figures indicate sustained threat actor operations.
Introduction
In the past 24 hours, 23 new ransomware victims were reported. The Qilin ransomware group had the most activity, with 19 new listings. Other active groups included Lamashtu, INC_Ransom, and NightSpire, affecting various sectors. Geographic targeting remained broad, with the United States experiencing the most new attacks.
Ransomware Summary Table
| # | Group | Victims (24h) | Sample Victims | Geos | Sectors |
|---|---|---|---|---|---|
| 1 | Qilin | 19 | Buckley powder, Cahbo produkter, Chase cooper limited (risklogix solutions) (+16) | Sweden, Japan | Financial Services, Agriculture & Food |
| 2 | Lamashtu | 2 | Applefilm-group.com, Mnfsb.com.my | Thailand, Malaysia | Media & Entertainment, Agriculture & Food |
| 3 | INC Ransom | 1 | krauseundco | United States | Professional Services |
| 4 | NightSpire | 1 | Swansea ambulance corps | United States | Healthcare |
The summary table shows notable activity from the Qilin ransomware group. It was responsible for most new victim postings, affecting organizations primarily in Financial Services and Agriculture & Food across regions like Sweden and Japan. Lamashtu was active in Southeast Asia, while INC Ransom and NightSpire each claimed one victim in the United States. For more information on Qilin's recent activities, see our Ransomware Threat Activity Report - April 22. Our daily ransomware reports often mention groups like NightSpire.
Victim Distribution
By Country
- United States: 11
- United Kingdom: 2
- Germany: 2
- Argentina: 1
- Thailand: 1
- Sweden: 1
- Philippines: 1
- Mexico: 1
- Malaysia: 1
- Japan: 1
By Industry
- Banking: 2
- Information Technology & Services: 1
- Woodworking and Cabinet Manufacturing: 1
- Retail: 1
- Public Relations: 1
- Propane Delivery and Services: 1
- Non-Profit & Charitable Organizations: 1
- Mining & Metals: 1
- Healthcare: 1
- Food Production: 1
The distribution of new victims shows a concentration in the United States across various industries, suggesting opportunistic targeting rather than a narrow sectoral focus. The global spread indicates threat actors continue to target a wide range of locations.
Ransomware News
Topline
Today's ransomware-relevant developments include critical vulnerability disclosures by CISA, the emergence of a new extortion group, and several disruptive county-level cybersecurity incidents.
Campaigns & Operations
Winona County, Minnesota, and Harrison County, West Virginia, both reported network disruptions due to cybersecurity incidents. Winona County confirmed a ransomware attack that affected vital services. ADT confirmed unauthorized access to customer data following a ShinyHunters leak threat, reportedly stemming from a vishing campaign targeting an employee's Okta SSO. A new financially motivated group, BlackFile (also tracked as CL-CRI-1116, UNC6671, and Cordial Spider), has been linked to a recent increase in data theft and extortion operations. It targets retail and hospitality firms, employing vishing tactics.
Vulnerabilities & TTPs
CISA has added four actively exploited vulnerabilities to its KEV catalog: CVE-2024-57726 and CVE-2024-57728 affecting SimpleHelp, CVE-2024-7399 in Samsung MagicINFO 9 Server, and CVE-2025-29635 in D-Link DIR-823X routers. These have reported links to DragonForce ransomware activity. BlackFile's operations heavily use vishing calls to spoof IT support, steal credentials, bypass multifactor authentication, and exfiltrate data from platforms like Salesforce and SharePoint via API functions.
Analyst Note
The continued reliance on credential theft and social engineering, demonstrated by Verizon DBIR findings on pre-compromised credentials and by new groups like BlackFile, shows initial access often relies on human factors.
Technical Takeaways
- Qilin's Expanded Targeting: Qilin's large number of new victims indicates an active and potentially expanding campaign across various financial and agricultural sectors, with a presence in Europe and Asia.
- Vishing Dominance in Initial Access: The tactics of the new BlackFile group and the ADT breach by ShinyHunters show the continued effectiveness of vishing campaigns and social engineering for initial access and credential compromise.
- Federal Mandates for Vulnerability Patching: CISA's addition of four new CVEs to the KEV catalog, some linked to DragonForce ransomware, highlights the ongoing need for federal agencies and critical infrastructure to prioritize patching known exploited flaws.
- Geographic Focus on US: Most new victim postings, including those from INC_Ransom and NightSpire, originated from the United States, showing this region remains a main target for ransomware operators.