2 New Ransomware Victims in Diverse Sectors
Statistical Overview
Victim Totals
- This month: 146
- This quarter: 1692
- Year to date: 4317
- Last 24h: 2
Quarterly Breakdown
Q1: 2631 | Q2: 1692 | Q3: 0 | Q4: 0
Current ransomware activity shows a low volume of new victims but adds to larger quarterly and year-to-date totals. New incidents target various global locations.
Introduction
In the last 24 hours, two new ransomware victims were disclosed. Blackwater and Medusa Locker each claimed one victim. The targets were in the hospitality & travel and education sectors, in China and Costa Rica respectively. Reports also indicated operations affecting U.S. law firms and an Indian healthcare institution.
Ransomware Summary Table
| # | Group | Victims (24h) | Sample Victims | Geos | Sectors |
|---|---|---|---|---|---|
| 1 | Blackwater | 1 | www.utourworld.com | China | Hospitality & Travel |
| 2 | Medusa Locker | 1 | Colegio María Inmaculada (CMI) | Costa Rica | Education |
Ransomware activity during this period shows few new victims, each claimed by a different group. Blackwater listed one new victim in China's hospitality and travel sector, aligning with trends discussed in our Q2 ransomware intelligence report. Medusa Locker, a group that targets various industries, listed an education sector victim in Costa Rica. Learn more about this group's operations in our Medusa Locker ransomware victims analysis.
Victim Distribution
By Country
- China: 1
- Costa Rica: 1
By Industry
- Travel and Tourism: 1
- Education: 1
Even with few new victim disclosures, the distribution points to broad, opportunistic targeting across different regions and industries. Activity this period included the education sector, a frequent ransomware target as detailed in our report on Genesis Group ransomware victims. This shows ransomware groups continue to spread out their victim profiles instead of focusing on specific sectors.
Ransomware News
Topline
Recent ransomware developments show social engineering tactics remain effective and critical sectors face ongoing threats.
Campaigns & Operations
The Silent Ransom Group (UNC3753, Luna Moth, Chatty Spider) targets U.S. law firms and professional services. The campaign uses invoice-themed phishing that prompts victims to call back impostor IT support. These calls lead to remote sessions in which the attackers install tools like AnyDesk for initial access and data exfiltration. The group often issues extortion demands within 30 minutes of data theft. Separately, the Chandrapur Cancer Care Foundation in India experienced a ransomware attack around June 1, 2026. The attack encrypted patient and administrative databases, severely disrupting operations.
Vulnerabilities & TTPs
The Silent Ransom Group's methods include voice phishing, using various remote access tools (AnyDesk, Zoho Assist, Bomgar, SuperOps) for system control, and tools like WinSCP or Rclone for data exfiltration. They minimize forensic traces by sharing commands via Privnote and using fast-flux infrastructure with residential IPs. No specific CVEs were linked to these incidents.
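A detection sketch for the tool sequence described above, added here as an example and not taken from the report or any vendor rule: it flags a host where a remote-access tool starts and an exfiltration tool follows shortly after. The event format, the path substrings used to recognise each tool, and the two-hour window are assumptions to tune per environment.

```python
from datetime import datetime, timedelta
# Substrings matched against the lower-cased image path. Assumed patterns for
# the tools the report names; replace with the binary names seen locally.
REMOTE_ACCESS = ("anydesk", "zoho", "bomgar", "superops")
EXFIL = ("winscp", "rclone")
WINDOW = timedelta(hours=2)  # assumed correlation window, not from the report

# Constructed sample process-creation events: "timestamp host user image".
SAMPLE_EVENTS = r"""
2025-06-02T09:14:05 LAW-WS-017 jdoe C:\Users\jdoe\Downloads\AnyDesk.exe
2025-06-02T09:31:40 LAW-WS-017 jdoe C:\Users\jdoe\AppData\Local\Temp\rclone.exe
2025-06-02T10:02:11 LAW-WS-022 asmith C:\Program Files (x86)\WinSCP\WinSCP.exe
2025-06-02T11:45:00 LAW-WS-030 bwong C:\Program Files\Zoho\Assist\agent.exe
2025-06-02T15:10:00 LAW-WS-030 bwong C:\Tools\rclone.exe
"""

def parse(text):
    for line in text.strip().splitlines():
        # maxsplit=3 keeps image paths that contain spaces in one field
        ts, host, user, image = line.split(None, 3)
        yield datetime.fromisoformat(ts), host, user, image

def classify(image):
    path = image.lower()
    if any(k in path for k in REMOTE_ACCESS):
        return "remote_access"
    if any(k in path for k in EXFIL):
        return "exfil"
    return None

def correlate(events, window=WINDOW):
    """Alert when an exfil tool starts within `window` of a remote-access tool
    on the same host. An exfil tool alone (e.g. an admin's WinSCP) is ignored."""
    last_remote = {}  # host -> (time, image) of most recent remote-access start
    alerts = []
    for ts, host, user, image in sorted(events):
        kind = classify(image)
        if kind == "remote_access":
            last_remote[host] = (ts, image)
        elif kind == "exfil" and host in last_remote:
            r_ts, r_image = last_remote[host]
            if ts - r_ts <= window:
                alerts.append({"host": host, "user": user,
                               "remote_tool": r_image, "exfil_tool": image,
                               "gap_seconds": int((ts - r_ts).total_seconds())})
    return alerts

if __name__ == "__main__":
    print(correlate(parse(SAMPLE_EVENTS)))
```

Legitimate help-desk use of these tools will also match, so the output is best treated as a triage lead and paired with an allowlist of sanctioned remote-access software.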
Analyst Note
These incidents show sophisticated social engineering attacks remain effective. Organizations, especially in sectors like legal and healthcare, need strong defenses.
Technical Takeaways
- Ransomware activity has a broad targeting scope, affecting various sectors and geographies with low victim volumes.
- Operators like Blackwater and Medusa Locker continue to claim victims in hospitality, travel, and education.
- The Silent Ransom Group uses sophisticated social engineering, including voice phishing and impersonation, to gain remote access and quickly exfiltrate data from professional services firms.
- Attackers use common remote access (AnyDesk, Zoho Assist) and data exfiltration (WinSCP, Rclone) tools, and evasion tactics like Privnote and fast-flux infrastructure.
- Attacks on critical infrastructure, such as the Chandrapur Cancer Care Foundation, show the severe operational impact and the need for strong offline backups and incident response plans.
Ransomware Groups Behind Recent Attacks
Understanding the threat actors behind these incidents is critical for defenders. Blackwater is an emerging ransomware group that has begun targeting hospitality and travel organizations across Asia. Medusa Locker, by contrast, is a well-established ransomware-as-a-service (RaaS) operation known for:
- Targeting small-to-mid-sized organizations in education and healthcare
- Using phishing and RDP exploitation as primary vectors
- Demanding ransoms typically ranging from $10,000 to $50,000
- Operating double-extortion tactics to pressure victims
Learn more in our ransomware group profiles and Medusa Locker attack patterns deep dives.
Sectors Most Targeted by Ransomware in 2025
The hospitality and education sectors continue to attract ransomware operators due to historically weaker cybersecurity postures and valuable personal data. Key trends observed year-to-date include:
- Education: Schools and universities face budget constraints limiting security investment
- Hospitality & Travel: High volumes of payment card and passport data make these targets lucrative
- Healthcare: Ongoing pressure to pay ransoms quickly to restore critical systems
- Legal Services: Law firms targeted for sensitive client data and confidentiality leverage
These patterns align with our 2025 ransomware sector analysis, which tracks shifting attacker priorities across industries.
How Organizations Can Defend Against Ransomware
Despite low single-day victim counts, cumulative 2025 totals exceeding 4,300 victims highlight the persistent ransomware threat. Organizations in targeted sectors should prioritize:
- Implementing offline and immutable backups tested regularly
- Patching RDP and VPN vulnerabilities promptly
- Deploying endpoint detection and response (EDR) solutions
- Training staff to recognize phishing attempts
- Establishing an incident response plan before an attack occurs
Proactive defense remains far less costly than ransomware recovery. Explore our ransomware prevention checklist for actionable guidance tailored to small and mid-sized organizations.