Ransomware Report - 04/27/2026
Statistical Overview
Victim Totals
- This month: 674
- This quarter: 674
- Year to date: 3294
- Last 24h: 62
Quarterly Breakdown
| Q1 | Q2 | Q3 | Q4 |
|---|---|---|---|
| 2622 | 674 | 0 | 0 |
Ransomware activity continues into Q2 at a steady pace, with 62 new victims recorded in the last 24 hours. The current quarter's total of 674 victims shows consistent operations from various threat groups.
Introduction
In the past 24 hours, 62 new ransomware victims were identified. Lapsus (14), DragonForce (13), APT73 (8), The Gentlemen (7), and Qilin (6) were the most active groups. The United States had the largest share of new targets. Affected sectors included Education, Pharmaceuticals & Biotech, and Financial Services. For broader context on recent trends, see our Ransomware Threat Activity Update from April 26.
Ransomware Summary Table
| # | Group | Victims (24h) | Sample Victims | Geos | Sectors |
|---|---|---|---|---|---|
| 1 | Lapsus | 14 | Adidas extranet, Astrazeneca corp, Checkmarx.com (+11) | Switzerland, Spain | Education, Pharmaceuticals & Biotech |
| 2 | DragonForce | 13 | Andrewtjohnson.com, Aotco.com, Avalonflooring.com (+10) | United States, Australia | Pharmaceuticals & Biotech, Financial Services |
| 3 | APT73 | 8 | Algosaibi-gtb.com, Alx-pc.com, Arrawdah.org.sa (+5) | Egypt, Saudi Arabia | Pharmaceuticals & Biotech, Transportation & Logistics |
| 4 | The Gentlemen | 7 | Acfa regionale de calgary, Beaconhouse school system, Colegio notre dame campinas (+4) | Brazil, Japan | Education, Technology / Software |
| 5 | Qilin | 6 | A & a building material, Exclusive networks, Inspira (+3) | Japan, unspecified | Education, Technology / Software |
| 6 | INC Ransom | 5 | BELFOR, MTCI, Selex-Gruppo Commerciale (+2) | United States, Italy | Professional Services, Construction & Engineering |
| 7 | LockBit | 2 | planetsport.ma, pricon.com.ph | Philippines, Morocco | Retail & Ecommerce, Manufacturing |
| 8 | AiLock | 1 | Raich sp. z o.o. | Poland | Telecommunications |
| 9 | Krybit | 1 | Narteks tekstil a.s | Turkey | Manufacturing |
| 10 | PEAR | 1 | Mesquite plumbing inc. | United States | Construction & Engineering |
| 11 | Payload | 1 | Rural municipality of gimli | Canada | Government / Public Sector |
| 12 | PayoutsKing | 1 | Sunsource | United States | Transportation & Logistics |
Lapsus was the most active group today, impacting entities in Switzerland and Spain, predominantly in Education and Pharmaceuticals. DragonForce and APT73 also showed high activity, targeting Pharmaceuticals, Financial Services, and Transportation in the United States, Australia, Egypt, and Saudi Arabia. A significant target was the Rural municipality of Gimli by Payload in Canada, showing continued interest in government and public sector entities. Qilin also continued its operations, as detailed in our Ransomware Threat Activity Update from April 25, with 6 new victims today.
Victim Distribution
By Country
- United States: 20
- France: 5
- United Kingdom: 4
- Canada: 4
- Germany: 3
- Singapore: 2
- Italy: 2
- Japan: 2
- Saudi Arabia: 2
- Spain: 1
By Industry
- Manufacturing: 3
- Healthcare: 3
- Retail: 3
- Education: 3
- Insurance: 2
- Textile Manufacturing: 2
- Non-profit Organization: 2
- Software Development: 2
- Oil and Gas: 2
- Healthcare Information Services: 1
The United States remains the primary target region, followed by France, the UK, and Canada. Attacks were broadly distributed across Manufacturing, Healthcare, Retail, and Education, suggesting active groups are not focusing on a single sector.
Ransomware News
Topline
Ransomware and extortion activity continued in the past 24 hours, with BlackFile, ShinyHunters, and the Coinbase Cartel using diverse tactics. A Check Point report also highlighted exploited vulnerabilities and offered operational insight into the threat environment.
Campaigns & Operations
BlackFile, linked to The Com and tracked as UNC6671/Cordial Spider, escalates extortion by impersonating IT support through voice-phishing and social engineering. It compromises credentials and moves laterally within SaaS platforms and internal repositories. The group has issued seven-figure ransom demands and used pressure tactics such as swatting executives.
Medtronic confirmed a breach of its corporate IT environment after the ShinyHunters extortion group claimed to have stolen over 9 million records; no impact on patient safety was reported.
Hudson Rock's investigation into the Coinbase Cartel shows it operates as an extortion-only group: it skips encryption entirely and instead uses aged infostealer credentials to access cloud and file-sharing infrastructure. An estimated 80% of its 164 victims had prior infostealer infections.
Check Point's daily threat report also mentioned The Gentlemen ransomware-as-a-service.
Vulnerabilities & TTPs
Vulnerabilities and supply-chain compromises include Vercel's breach via a Context.ai compromise that exploited stolen OAuth tokens, a Bitwarden supply-chain compromise involving a malware-tainted npm release, and a Google Ads malvertising operation that stole over $1.27 million by impersonating crypto platforms. CVEs currently under active exploitation include CVE-2026-40372 (Microsoft ASP.NET Core), CVE-2026-28950 (Apple iOS/iPadOS), CVE-2026-33626 (LMDeploy), and CVE-2025-29635 (D-Link DIR-823X).
Analyst Note
These incidents show the pervasive threat of credential compromise, supply-chain vulnerabilities, and the growing trend of extortion-only operations across various attack surfaces. For a full overview of today's broader threat environment, refer to our Cyber Operations Threat Briefing for April 27.
Technical Takeaways
- Lapsus maintained high activity, accounting for 14 new victims across Education and Pharmaceuticals in Europe.
- The Coinbase Cartel uses a pure extortion model, employing stale infostealer credentials for initial access rather than traditional encryption.
- Public sector entities remain a target; Payload compromised a Canadian rural municipality.
- Voice-phishing and social engineering, as seen with BlackFile, continue to be effective initial access methods for data exfiltration.
- Several active CVEs, including CVE-2026-40372 and CVE-2026-28950, demonstrate the ongoing exploitation of known vulnerabilities in enterprise and mobile environments.