Settra Ransomware Tops 24h Activity With 11 New Victims

Statistical Overview

Victim Totals

  • This month: 829
  • This quarter: 2372
  • Year to date: 4993
  • Last 24h: 39

Quarterly Breakdown

Q1: 2631 | Q2: 2372 | Q3: 0 | Q4: 0

Ransomware activity remains consistent, with 39 new victims observed in the last 24 hours. The quarterly total of 2372 indicates sustained operations, and the current daily volume points to a stable, ongoing threat environment rather than an exceptional surge.

Introduction

39 new ransomware victims were recorded in the last 24 hours. The most active groups included Settra (11 victims), The Gentlemen (8 victims), Gunra (3 victims), Medusa Locker (3 victims), and PEAR (3 victims). Affected sectors included Construction & Engineering, Professional Services, Technology/Software, and Manufacturing. The United States, France, and Canada were the most targeted geographies.

Ransomware Summary Table

# | Group | Victims (24h) | Sample Victims | Geos | Sectors
1 | Settra | 11 | Clc-tn.com, Ilex-paysages.com, Infinedi.net (+8) | France, United States | Construction & Engineering, Professional Services
2 | The Gentlemen | 8 | Centre ophtalmologique dermont, Climax technology, Comp trading co (+5) | Japan, Taiwan | Technology / Software, Construction & Engineering
3 | Gunra | 3 | On-us, Pirámide seguros, Yuditec s.a. | Venezuela, Hong Kong | Financial Services, Manufacturing
4 | Medusa Locker | 3 | Banajah-bajapah, Forces, Penticton and district society for community living | None, Canada | Professional Services, Nonprofit
5 | PEAR | 3 | Ora group information, Sociedad latina, Spector and lenz, pc | France, United States | Retail & Ecommerce, Nonprofit
6 | Qilin | 3 | Chamco, Hemmersbach gmbh & co. kg, Kunert fashion | Germany, Canada | Technology / Software, Manufacturing
7 | Akira | 2 | About todd hamaker & johnson, Advanced business systems | United States | Professional Services, Technology / Software
8 | CMD | 2 | Medlink Georgia, Port Angeles Composite | United States | Manufacturing, Healthcare
9 | Black Nevas | 1 | Abans group | India | Financial Services
10 | Embargo | 1 | Www.maytrucking.com | United States | Transportation & Logistics
11 | Genesis | 1 | Brooklyn defender services | United States | Legal
12 | INC Ransom | 1 |  | Italy | Legal

Settra was the most active group, with 11 new victims primarily in France and the United States across Construction & Engineering and Professional Services. The Gentlemen followed with 8 victims, targeting Technology/Software and Construction & Engineering in Japan and Taiwan. Medusa Locker and PEAR each accounted for 3 new incidents affecting Professional Services, Nonprofit, and Retail & Ecommerce sectors across Canada, France, and the United States. The targeting shows a continued focus on professional services and manufacturing, with activity in North America and Western Europe.

Victim Distribution

By Country

  • United States: 17
  • Canada: 3
  • France: 3
  • Germany: 3
  • United Kingdom: 2
  • Uruguay: 1
  • Venezuela: 1
  • India: 1
  • Hong Kong: 1
  • Italy: 1

By Industry

  • Legal Services: 2
  • Textile Manufacturing: 2
  • Lumber and Building Materials: 1
  • Accounting: 1
  • Auditing and Certification Services: 1
  • Aviation and Aerospace Component Manufacturing: 1
  • Civil Engineering: 1
  • Construction and Development: 1
  • Healthcare: 1
  • Industrial Machinery Manufacturing: 1

The United States remains the primary target country, accounting for nearly half of all new victims, followed by Canada, France, and Germany. Industry targeting is diversified, with Legal Services and Textile Manufacturing seeing multiple incidents. This reflects a broad-spectrum approach rather than hyper-specialization by most groups.

Ransomware News

Topline - Recent developments include a corporate breach by Blackfield ransomware, updated organizational tactics used by groups like Black Basta, and confirmed exploitation of a Windows Defender vulnerability by ransomware actors.

Campaigns & Operations - Blackfield ransomware breached Nidec Corporation's Taiwanese subsidiary, Nidec Chaun Choung Technology, demanding a $2 million ransom with a tiered extortion model. The attackers threatened data leakage and offered an immediate download option for $400,000. This demonstrates a data-extortion focus following a previous 2024 Nidec breach by other groups.

Vulnerabilities & TTPs - CISA confirmed ransomware gangs are exploiting the high-severity Windows Defender privilege-escalation flaw, CVE-2026-33825 (BlueHammer), to gain SYSTEM access and potentially full control of compromised machines. Separately, analysis of groups like Black Basta reveals organized, corporate-style operations. These include outsourced services, a Moscow-time call center, performance-based wages, and multi-extortion tactics that use data audits and cyber insurance as pricing signals.

Analyst Note - These incidents collectively demonstrate how ransomware operations continue to adapt by targeting infrastructure, exploiting known vulnerabilities quickly, and employing advanced organizational structures and negotiation strategies.

Technical Takeaways

  • Settra was the most active ransomware group, impacting 11 organizations across Construction & Engineering and Professional Services sectors in France and the United States.
  • The United States continues to be the most targeted geography, representing 17 of the 39 observed victims.
  • Ransomware groups show diverse industry targeting, with Legal Services, Textile Manufacturing, and various professional services experiencing multiple incidents.
  • Blackfield ransomware executed a data extortion campaign against Nidec Corporation, demanding $2 million and using a tiered payment model.
  • Ransomware operators are actively exploiting the Windows Defender privilege-escalation flaw, CVE-2026-33825, to gain SYSTEM access on compromised machines. This highlights the need for timely patching.
  • Analysis indicates that some ransomware syndicates, such as Black Basta, operate with corporate-like structures, including specialized roles, negotiation strategies, and multi-extortion tactics.