Ransomware Report - 04/13/2026
Statistical Overview
Victim Totals
- This month: 292
- This quarter: 292
- Year to date: 2914
- Last 24h: 22
Quarterly Breakdown Q1: 2622 | Q2: 292 | Q3: 0 | Q4: 0
Ransomware activity remains consistent. A significant portion of this quarter's victims emerged in the last 24 hours, driven by several active groups.
Introduction
The past 24 hours saw 22 new ransomware victims reported. DragonForce, APT73, and CoinbaseCartel were the most active groups. The United States accounted for the majority of new targets, and the Retail and Energy & Utilities sectors were affected. This sustained activity shows ongoing challenges across various industries and regions.
Ransomware Summary Table
| # | Group | Victims (24h) | Sample Victims | Geos | Sectors |
|---|---|---|---|---|---|
| 1 | DragonForce | 7 | Affordable oil, Edtg.com, Edtg.com (+4) | Switzerland, Germany | Manufacturing, Energy & Utilities |
| 2 | APT73 | 4 | Ifmis.go.ke, Olpro.com.my, Phb.com (+1) | Malaysia, Kenya | Government / Public Sector, Construction & Engineering |
| 3 | CoinbaseCartel | 3 | Carters, Helzberg, Ralph lauren | United States | Retail & Ecommerce |
| 4 | LockBit | 3 | decaturdiagnosticlab.net, marti.do, nucleodediagnostico.mx | Dominican Republic, Mexico | Healthcare, Energy & Utilities |
| 5 | Qilin | 2 | Després mécanique mobile, Herth+buss | Canada, Germany | Automotive |
| 6 | Akira | 1 | Demera demera cameron | United States | Professional Services |
| 7 | Everest | 1 | K subsea group | Singapore | Energy & Utilities |
| 8 | INC Ransom | 1 | bdac.com.au | Australia | Nonprofit |
| 9 | RansomHouse | 1 | Transaction Packing Inc | United States | Manufacturing |
DragonForce leads new victim postings with seven entities primarily in manufacturing and energy across Switzerland and Germany. APT73 attacked government and construction sectors in Malaysia and Kenya. Retail and e-commerce remained a focus, with CoinbaseCartel hitting three victims in the United States. No specific government, military, or critical infrastructure entities were named as victims by these groups in the past 24 hours' leak site activity.
Victim Distribution
By Country
- United States: 11
- Malaysia: 2
- Germany: 2
- Singapore: 1
- Switzerland: 1
- Australia: 1
- Mexico: 1
- Kenya: 1
- Italy: 1
- Dominican Republic: 1
By Industry
- Retail: 3
- Offshore Energy Services: 1
- Travel and Tourism: 1
- Packaging and Containers Manufacturing: 1
- Medical Laboratory Services: 1
- Manufacturing: 1
- Heating Oil Delivery: 1
- Financial Services: 1
- Fashion: 1
- Accounting: 1
The United States remains the primary target geography, with a significant concentration of attacks. Industry targeting is diversified, though Retail and various manufacturing sub-sectors are recurring targets.
Ransomware News
Topline The last 24 hours saw significant ransomware-related developments, including high-profile data breaches, active exploitation of vulnerabilities by threat actors, and ongoing law enforcement efforts against cybercrime infrastructure.
Campaigns & Operations Rockstar Games confirmed a cyberattack where ShinyHunters claimed a breach via third-party access, demanding payment or data leak. China-linked actor Storm-1175 is actively deploying Medusa ransomware by exploiting zero-days like CVE-2025-10035 and CVE-2026-23760, alongside N-day vulnerabilities in enterprise applications. INC Ransom claimed a cyber incident against the Bendigo and District Aboriginal Co-operative (BDAC), which the organization confirmed. Spring Lake Park Schools canceled classes following a suspected ransomware incident. Broader reports covered ransomware impacts on Dutch healthcare vendor ChipSoft and the Qilin-led attack on Germany's Die Linke. Law enforcement made an arrest in Thailand of Noah Christopher, the alleged operator of DDoS-for-hire platforms Fluxstress and Neldowner, facing extradition for ransomware and DDoS crimes.
Vulnerabilities & TTPs Threat actors are using various vulnerabilities, including critical Ivanti CVE-2026-1340, Marimo CVE-2026-39987, and Fortinet CVE-2026-35616, as well as an active Adobe Reader zero-day. AI-related threats are growing, with techniques such as GrafanaGhost exfiltrating data via indirect prompt injection and AI Agent Traps manipulating autonomous AI agents. The dark web is decentralizing, shifting from forum-centric crime to tool- and infrastructure-based models following law enforcement actions and internal instabilities like BreachForums' collapse.
Analyst Note These events demonstrate persistent threats, including supply chain vulnerabilities, rapid exploitation of newly discovered flaws, and the adaptive evolution of cybercrime infrastructure.
Technical Takeaways
- DragonForce showed the highest activity in the last 24 hours, focusing on manufacturing and energy sectors across Europe.
- APT73 appears to be targeting government and construction entities in Malaysia and Kenya.
- Retail and E-commerce continue to face significant pressure, shown by CoinbaseCartel's recent activity in the United States.
- Threat actors like Storm-1175 deploy Medusa ransomware through rapid exploitation of both zero-day (CVE-2025-10035, CVE-2026-23760) and N-day vulnerabilities in common internet-facing applications.
- Threats continue to emphasize third-party and supply chain vulnerabilities, with observed impacts on cloud analytics platforms and IT service providers.
FAQ
Q: Which ransomware groups were most active in the last 24 hours?
DragonForce was the most active group, posting 7 new victims. Following closely were APT73 with 4 victims, and CoinbaseCartel and LockBit each with 3 new victims reported in the last 24 hours.
Q: What industries were most targeted by ransomware today?
Retail saw 3 new victims, making it the most targeted industry. Other impacted sectors included Offshore Energy Services, Travel and Tourism, Packaging and Containers Manufacturing, Medical Laboratory Services, and various other manufacturing and professional services.
Q: What regions saw the most ransomware attacks reported today?
The United States experienced the highest number of new ransomware victims, with 11 reported. Malaysia and Germany each recorded 2 new victims, while several other countries, including Singapore, Switzerland, and Australia, each had one.
Q: Are there any new vulnerabilities or specific TTPs being exploited by ransomware operators?
Yes, threat actor Storm-1175 is actively exploiting zero-day vulnerabilities, including CVE-2025-10035 and CVE-2026-23760, to deploy Medusa ransomware. Additionally, vulnerabilities such as Ivanti CVE-2026-1340, Marimo CVE-2026-39987, and an Adobe Reader zero-day are under active exploitation by various threat actors.