Ransomware Report - 04/21/2026

Statistical Overview

Victim Totals

  • This month: 520
  • This quarter: 520
  • Year to date: 3141
  • Last 24h: 32

Quarterly Breakdown

Q1: 2622Q2: 520Q3: 0Q4: 0

Ransomware activity in Q2 continues to accumulate, with the current month's victim count already reaching 520. This trajectory suggests a sustained threat environment, following a strong Q1.

Introduction

The past 24 hours saw 32 new ransomware victims added to leak sites, showing persistent global activity. Qilin emerged as the most prolific group, claiming 11 victims. Akira, CoinbaseCartel, and The_Gentelman each claimed 4 victims. Geographically, the United States, France, and Spain were mostly targeted, with the Manufacturing and Telecommunications sectors impacted.

Ransomware Summary Table

#GroupVictims (24h)Sample VictimsGeosSectors
1Qilin11Atkinson ritson solicitors limited, Avitrans, B&e juice (+8)Spain, NoneFinancial Services, Agriculture & Food
2Akira4Alva manufacturing, Arctic home living, Mac construction & excavating (+1)United StatesPharmaceuticals & Biotech, Construction & Engineering
3CoinbaseCartel4Commscope, Engie, Playmates toys (+1)France, United StatesTelecommunications, Energy & Utilities
4The Gentelman4Champion homes, Euro creations, Smartsystems (+1)Thailand, United StatesTelecommunications, Construction & Engineering
5Anubis2Samuel i. white, pc, ViaquestUnited StatesHealthcare, Legal
6Chaos1Polycorp.comCanadaManufacturing
7DragonForce1Champion homesAustraliaConstruction & Engineering
8Embargo1Cipsoft.comGermanyMedia & Entertainment
9INC Ransom1rheemUnited StatesManufacturing
10Kairos1Nordenta (a daughter company of lifco)DenmarkManufacturing
11Morpheus1GGIMyanmarInsurance
12Nova (RALord)1Charles conseil coordination (3ccc)FranceProfessional Services

The past 24 hours saw Qilin lead with 11 new victims, targeting broadly across Financial Services and Agriculture & Food. Several groups, including Akira, CoinbaseCartel, and The Gentelman, each claimed 4 victims, contributing to activity across various sectors. CoinbaseCartel targeted critical infrastructure entities like Commscope (Telecommunications) and Engie (Energy & Utilities). This shows persistent risks to vital services, a trend we monitor as part of our ransomware intelligence Q2 overview.

Victim Distribution

By Country

  • United States: 14
  • France: 3
  • Spain: 2
  • Germany: 2
  • Switzerland: 1
  • United Kingdom: 1
  • Thailand: 1
  • Australia: 1
  • None: 1
  • Myanmar: 1

By Industry

  • Manufacturing: 3
  • Telecommunications: 2
  • Packaging and Containers: 1
  • Retail & Wholesale: 1
  • Product Safety and EMC Compliance: 1
  • Legal Services: 1
  • Healthcare Services: 1
  • Government: 1
  • Engineering Services: 1
  • Construction: 1

The United States is the primary target country, accounting for nearly half of all new victims in the last 24 hours. Manufacturing and Telecommunications sectors show a concentration of attacks, indicating exploitation of industrial and communication infrastructure.

Ransomware News

Threat intelligence today shows ongoing legal actions against ransomware affiliates, persistent exploitation of vulnerabilities, and changing tactics of established groups.

Angelo Martino, a former ransomware negotiator for BlackCat (ALPHV) affiliates, pleaded guilty to charges related to 2023-2025 attacks. He admitted to sharing confidential victim negotiation details. This conviction shows the legal risks for individuals involved in the ransomware ecosystem. Meanwhile, The Gentlemen ransomware group has expanded its operations by integrating SystemBC for bot-powered payload delivery and covert proxying, using Mimikatz for credential harvesting and Group Policy for lateral movement in targeted corporate environments. Additionally, the administration of Sprendlingen-Gensingen (Germany) reported a ransomware attack on April 16, 2026, causing network shutdown and an ongoing forensic investigation.

A reported uptick in compromised Bomgar RMM instances followed exploitation of CVE-2026-1731, with attackers deploying ransomware like LockBit LB3 and installing remote tools for reconnaissance and lateral movement. Observations indicate that approximately 70% of intrusions begin with VPN authentication, showing the need for strong cyber hygiene, including multi-factor authentication (MFA) and diligent patching. Ransomware trends show operations as a franchised, supply-chain-driven ecosystem, using tactics like data theft, double extortion, and Bring Your Own Vulnerable Driver (BYOVD) to bypass security solutions.

This activity shows the ongoing challenge from ransomware's changing operational models and the importance of a layered defense strategy.

Technical Takeaways

  • Group TTP Evolution: The Gentlemen ransomware now uses SystemBC for bot-powered attacks, alongside Mimikatz and RPC-based remote execution for lateral movement. This shows a mature toolchain.
  • Vulnerability Exploitation: Active exploitation of Bomgar RMM instances specifically targets CVE-2026-1731, leading to ransomware deployment and further network compromise.
  • Initial Access Vector Dominance: Huntress data indicates that roughly 70% of intrusions begin with VPN authentication. This reinforces VPNs as a primary initial access vector for ransomware actors.
  • Insider Threat Mitigation: The guilty plea of a former BlackCat ransomware negotiator shows the insider threat and the value of intelligence around negotiation tactics and insurance limits for threat actors.
  • Ecosystem Sophistication: Ransomware operations are increasingly supply-chain-driven, incorporating techniques like BYOVD, AI-assisted malware, and double extortion, requiring full defensive strategies.