SafePay Ransomware Targets 3 Healthcare Victims in 24h
Statistical Overview
Victim Totals
- This month: 48
- This quarter: 48
- Year to date: 5055
- Last 24h: 17
Quarterly Breakdown
Q1: 2631 | Q2: 2386 | Q3: 48 | Q4: 0
The quarter-to-date count (48) is well below the Q1 (2631) and Q2 (2386) totals, but Q3 is still in progress and its count equals the month-to-date figure, so the comparison is against a partial quarter. With 17 new victims observed in the last 24 hours and 5055 year to date, the threat remains persistent.
Introduction
In the last 24 hours, 17 new ransomware victims were reported across various platforms. The most active groups included SafePay (3 victims), Anubis (2 victims), INC Ransom (2 victims), Stormous (2 victims), and World Leaks (2 victims). The healthcare sector was a significant target, alongside professional services and manufacturing. The United States and Germany experienced the highest number of reported incidents.
Ransomware Summary Table
| # | Group | Victims (24h) | Sample Victims | Geos | Sectors |
|---|---|---|---|---|---|
| 1 | SafePay | 3 | Awo-suedost.de, Dia179.com, Eaglecrestlife.org | United States, Germany | Healthcare, Nonprofit |
| 2 | Anubis | 2 | Northeast pediatrics & adolescent medicine, Quest healthcare solutions | United States | Professional Services, Healthcare |
| 3 | INC Ransom | 2 | Colorado Rehabilitation and Occupational Medicine, | United Kingdom, United States | Financial Services, Healthcare |
| 4 | Stormous | 2 | Bn: higuchi-inc report error & data leak warning new, Notice | None, Japan | Professional Services |
| 5 | World Leaks | 2 | Service it, Treet group of companies | Pakistan, Brazil | Technology / Software, Manufacturing |
| 6 | APT73 | 1 | Ritavo.com | Vietnam | Professional Services |
| 7 | BlackField | 1 | Ccic.com.tw | Taiwan | Manufacturing |
| 8 | Money Message | 1 | X-copper professional | Canada | Legal |
| 9 | Payload | 1 | Tofutown | Germany | Agriculture & Food |
| 10 | Qilin | 1 | Pennant hills golf club | Australia | Professional Services |
| 11 | Space Bears | 1 | Salters propane | United States | Energy & Utilities |
SafePay was the most active group, accounting for 3 victims in the United States and Germany across the healthcare and nonprofit sectors. Anubis and INC Ransom also showed activity within the healthcare sector, which remains a frequent target across ransomware operations. Geographically, attacks were broadly distributed, with the most activity in the United States.
Victim Distribution
By Country
- United States: 5
- Germany: 3
- Australia: 1
- Brazil: 1
- Canada: 1
- Japan: 1
- None: 1
- Pakistan: 1
- Taiwan: 1
- United Kingdom: 1
By Industry
- Healthcare: 2
- Sports and Recreation: 1
- Information Technology and Services: 1
- Legal Services: 1
- Architecture and Engineering: 1
- Food and Beverage Manufacturing: 1
- Non-profit Social Welfare: 1
- Import and Export Trading: 1
- None: 1
- Consumer Goods: 1
The United States is the most frequently targeted country, followed by Germany, suggesting broad, opportunistic targeting. Healthcare leads as the most impacted industry, with professional services and manufacturing also experiencing activity, showing the diverse range of sectors facing ransomware threats.
Ransomware News
Topline
Recent ransomware-related developments include AI-driven attack methods, persistent credential theft campaigns, and ongoing law enforcement efforts against cybercriminal groups.
Campaigns & Operations
The JADEPUFFER campaign uses an AI agent to exploit Langflow CVE-2025-3248 for unauthenticated RCE and a full ransomware kill chain. The FortiBleed credential harvesting campaign, attributed to INC and Lynx ransomware operations, targeted FortiGate firewalls and deployed ransomware after exploiting CVE-2026-35616. The Interpol impersonation campaign uses phishing to deliver ransomware via Proton Drive. ShinyHunters conducted a data breach and extortion against Medtronic. Law enforcement recently extradited Peter Stokes, an alleged member of Scattered Spider, associated with social engineering and the DragonForce encryptor. BlueHammer ransomware operations also used a Defender zero-day, CVE-2026-33825.
Vulnerabilities & TTPs
Threat actors abuse AI compute for offensive workflows, employ multi-stage infections with DNS-over-HTTPS C2, and use platform-aware phishing for remote access. TeamPCP, for example, deploys modular toolsets via phishing and stolen credentials, focusing on data theft and extortion with covert C2 channels. Recommendations for ransomware-proof backups include immutable and air-gapped storage with continuous verification.
Analyst Note
These events show an evolving threat with increasing AI-driven attacks, persistent credential theft, and diverse social engineering methods.
Technical Takeaways
- Healthcare remains a frequently targeted sector, with groups like SafePay, Anubis, and INC Ransom consistently impacting organizations.
- The United States and Germany are the most targeted geographic regions, reflecting a broad, opportunistic spread of attacks.
- Emerging threats include AI-driven ransomware operations such as JADEPUFFER, which autonomously exploit vulnerabilities such as Langflow's CVE-2025-3248.
- Credential harvesting campaigns such as FortiBleed, linked to INC and Lynx, continue to use vulnerabilities such as CVE-2026-35616 for initial access and subsequent ransomware deployment.
- Social engineering tactics, including Interpol impersonations and MFA bombing, remain common methods for initial compromise across various threat groups.