Ransomware Report - 04/16/2026
Statistical Overview
Victim Totals
- This month: 405
- This quarter: 405
- Year to date: 3026
- Last 24h: 19
Quarterly Breakdown
| Q1 | Q2 | Q3 | Q4 |
|---|---|---|---|
| 2622 | 405 | 0 | 0 |
Q2 ransomware activity shows 405 victims this quarter. 19 new victims were recorded in the last 24 hours.
Introduction
In the past 24 hours, 19 new ransomware victims appeared, showing ongoing targeting across multiple sectors. Payload had the most activity with 5 reported incidents, followed by Akira (3), Qilin (2), and Vect (2). The United States was the most targeted nation, and the Financial Services, Manufacturing, and Legal sectors were impacted by these operations.
Ransomware Summary Table
| # | Group | Victims (24h) | Sample Victims | Geos | Sectors |
|---|---|---|---|---|---|
| 1 | Payload | 5 | Franziskusschule wilhelmshaven, Marino food products pvt, Orientalweavers.com (+2) | Hong Kong, Egypt | Manufacturing, Transportation & Logistics |
| 2 | Akira | 3 | Law offices of jamesc shields, Pharmathek, R roese contracting | Italy, United States | Manufacturing, Construction & Engineering |
| 3 | Qilin | 2 | Clearwater marine aquarium, Limkon | Turkey, United States | Hospitality & Travel, Agriculture & Food |
| 4 | Vect | 2 | GUESTY, LITELLM/TRIVY CAMPAIGN (TEAMPCP); S&PGLOBAL, LITELLM/TRIVY CAMPAIGN (TEAMPCP) | United States | Financial Services, Technology / Software |
| 5 | DragonForce | 1 | Empower group | United States | Financial Services |
| 6 | Interlock | 1 | Uniwersytet warszawski | Poland | Education |
| 7 | Kairos | 1 | Friendlycare pharmacy | Australia | Retail & Ecommerce |
| 8 | Lamashtu | 1 | Biotehnos.ro | Romania | Pharmaceuticals & Biotech |
| 9 | LeakedData | 1 | Harris beach murtha | United States | Legal |
| 10 | RansomEXX | 1 | Gotip | Japan | Media & Entertainment |
| 11 | SLSH | 1 | Alert 360 opco inc. (alert360.com) | United States | Professional Services |
Payload was the most active group in the last 24 hours, listing five new victims in Manufacturing and Transportation & Logistics sectors across Hong Kong and Egypt. Akira was also active with three new victims, primarily in Manufacturing and Construction & Engineering in Italy and the United States. Qilin and Vect each added two victims; Qilin impacted Hospitality & Travel and Agriculture & Food, while Vect targeted Financial Services and Technology/Software in the United States. No critical infrastructure or government entities were listed among new victims for this period. For monitoring these threats, our Ransomware Tracking solutions offer real-time intelligence.
Victim Distribution
By Country
- United States: 8
- Romania: 1
- Turkey: 1
- Australia: 1
- Poland: 1
- Philippines: 1
- Japan: 1
- Italy: 1
- India: 1
- Hong Kong: 1
By Industry
- Financial Services: 2
- Pharmaceuticals: 1
- Property Management Software: 1
- Museums, Historical Sites, and Zoos: 1
- Legal Services: 1
- Law Practice: 1
- Home and Business Security: 1
- Construction: 1
- Food & Beverage: 1
- Pharmaceutical Retail: 1
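The United States was the primary target geography, with 8 of the 19 new victims. Financial Services (2 victims) and the legal sector (Legal Services and Law Practice, 1 each) were the most represented industries, with the remaining victims spread one apiece across other sectors, which indicates a broad, opportunistic targeting approach.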
Ransomware News
Topline
The past 24 hours showed several threats: new ransomware groups, critical vulnerability exploitation, and persistent campaigns across various sectors.
Campaigns & Operations
Several new ransomware groups - TiMC, BlackWater, and Lamashtu - have been identified, indicating changes in threat actors often tracked through Dark Web Monitoring. The VECT & TeamPCP campaign conducted a supply-chain intrusion, exploiting a global travel platform to deploy ransomware. These incidents show the need for Supply Chain Risk assessments. Kairos ransomware claimed a breach of Queensland's FriendlyCare Pharmacy, exfiltrating 113 GB of medical and personal data, similar to attacks on other Australian targets like Seagrass Boutique Hospitality Group in February 2026. A six-year, low-dollar, high-volume JanaWare ransomware campaign targeting Turkish homes and SMBs via modified Adwind RAT loaders was uncovered, often exploiting weak SMB defenses. Autovista (Germany and Australia) confirmed a ransomware disruption around April 12, while Guatemala's Laboratorio Nacional de Salud recovered from a March 9 intrusion, with internal files encrypted but no evidence of patient data compromise.
Vulnerabilities & TTPs
Exploitation remains an important vector, with a Defender zero-day chain involving BlueHammer and RedSun after CVE-2026-33825, and continued attacks using the 17-year-old Excel RCE CVE-2009-0238. Persistent brute-force attempts against SonicWall and FortiGate devices show the need for strong Credential Intelligence and hygiene. Supply-chain and credential abuse also featured, such as the WordPress Essential Plugin compromise, and SmokedHam malvertising delivers Qilin ransomware.
Analyst Note
These developments show continued reliance on both novel and legacy vulnerabilities, the expansion of ransomware actor groups, and the persistent threat of supply-chain targeting across various attack vectors.
Technical Takeaways
- Ransomware Group Activity: Many ransomware groups, including newly identified actors like TiMC, BlackWater, and Lamashtu, alongside established players like Payload and Akira, show a fragmented but persistent threat environment.
- Persistent US Targeting: The United States continues to be the most frequently targeted country, accounting for 8 of the 19 new victims, with Financial Services and Legal sectors impacted.
- Vulnerability Exploitation: Ransomware campaigns are actively using both recent vulnerabilities like the Defender 0-Day (CVE-2026-33825) and older RCEs such as the 17-year-old Excel flaw (CVE-2009-0238).
- Supply Chain as an Attack Vector: The VECT & TeamPCP campaign's supply-chain intrusion via a global travel platform shows the ongoing risk associated with third-party dependencies.
- Geofenced, High-Volume Campaigns: The six-year JanaWare campaign targeting Turkish SMBs demonstrates a model of low-value, high-volume ransomware attacks focused on specific geographies via modified Adwind RAT.