World Leaks Ransomware Claims 6 New Victims in 24h
Statistical Overview
Victim Totals
- This month: 219
- This quarter: 1764
- Year to date: 4388
- Last 24h: 31
Quarterly Breakdown
Q1: 2631 | Q2: 1764 | Q3: 0 | Q4: 0
Cumulative figures show fewer reported victims this quarter compared to the previous one. New ransomware incidents remain a daily occurrence, demonstrating the persistent threat from diverse ransomware operators.
Introduction
In the past 24 hours, 31 new ransomware victims were reported across various sectors. World Leaks, PEAR, Akira, LockBit, and Play News were the most active groups by victim count. Beyond these immediate trends, recent intelligence provides a detailed operational profile of "The Gentlemen" ransomware group, including its ransomware-as-a-service model and alleged links to a significant healthcare breach. Qilin affiliates have also exploited critical vulnerabilities, showing how threats continue to evolve.
Ransomware Summary Table
| # | Group | Victims (24h) | Sample Victims | Geos | Sectors |
|---|---|---|---|---|---|
| 1 | World Leaks | 6 | Apollo pipes, Centra sota cooperative, First federal savings & loan (+3) | United States, India | Financial Services, Manufacturing |
| 2 | PEAR | 4 | Alpha it, Bayou electrical services, K & e distributing (+1) | Jamaica, Norway | Construction & Engineering, Retail & Ecommerce |
| 3 | Akira | 3 | Associated investor services, Port air express, The midland theatre | United States | Transportation & Logistics, Financial Services |
| 4 | LockBit | 3 | delano.k12.mn.us, probat.com, sweetome.com | Germany, China | Manufacturing, Education |
| 5 | Play News | 2 | Mundt and associates, Rainbow distributors usa | United States | Manufacturing, Transportation & Logistics |
| 6 | Space Bears | 2 | Cattani, Lösing filtertechnik | Germany, Italy | Manufacturing, Technology / Software |
| 7 | TripleX | 2 | Bni.co.id bank of indonesia free data., Law offices us immigrationonline.com | Indonesia, United States | Legal, Financial Services |
| 8 | Chaos | 1 | Airespring.com | United States | Telecommunications |
| 9 | DragonForce | 1 | Sayre associates | United States | Construction & Engineering |
| 10 | Embargo | 1 | Auburn electrical construction company | United States | Construction & Engineering |
| 11 | Fulcrum | 1 | gsg | Singapore | Education |
| 12 | INC Ransom | 1 | FIZA | Czech Republic | Professional Services |
World Leaks was the top ransomware group in the recent 24-hour period with six victims, followed by PEAR (4) and Akira (3). Manufacturing, Financial Services, and Construction & Engineering were key sectors targeted. The United States remains the primary geographical target, accounting for half of the reported incidents. Notable victims include a large banking institution in Indonesia, listed by TripleX, and an education entity (delano.k12.mn.us) impacted by LockBit. Further insights into some of these groups can be found in our look at active ransomware groups, including World Leaks ransomware activity and Akira's exploitation of VPN vulnerabilities.
Victim Distribution
By Country
- United States: 16
- India: 4
- Germany: 2
- China: 1
- United Kingdom: 1
- Sweden: 1
- Singapore: 1
- Norway: 1
- Jamaica: 1
- Italy: 1
By Industry
- Financial Services: 2
- Education: 2
- Banking: 1
- Wholesale Hardware, Plumbing, Heating Equipment: 1
- Transportation and Logistics: 1
- Traffic Signal Equipment Distribution: 1
- Telecommunications: 1
- Performing Arts: 1
- Non-Profit & Charitable Organizations: 1
- Legal Services: 1
Attacks remain concentrated in the United States, followed by India. Industry targeting is diversified, but critical sectors such as Financial Services, Education, Banking, Manufacturing, and Construction & Engineering remain a focus.
Ransomware News
Topline - Recent intelligence shows the operational dynamics of "The Gentlemen" ransomware, active exploitation of critical vulnerabilities, and challenges in victim validation.
Campaigns & Operations - "The Gentlemen" operates as a ransomware-as-a-service (RaaS) with a 90/10 revenue split for affiliates. It frequently targets internet-facing VPNs and firewalls for initial access. The group's administrator is reportedly linked to the Hastalamuerte/Zeta88 persona, potentially identifying Alexander Andreevich Yapaev. The group has been highly active, with hundreds of victims since mid-2025. This includes a significant ransomware-style intrusion at Rajagiri Hospital in India, which resulted in the exfiltration of over 800 GB of patient and administrative data. Separately, the Qilin ransomware group recently listed The Banyans Healthcare on its leak site. This entry was later clarified as a misattribution due to shared branding, which demonstrates the need for rigorous victim validation in threat intelligence.
Vulnerabilities & TTPs - Public reporting confirms active exploitation of CVE-2026-50751, a critical authentication bypass in Check Point VPN Remote Access, by Qilin ransomware affiliates. This vulnerability allows unauthenticated attackers to establish VPN sessions without valid credentials. Veeam Backup & Replication has also patched CVE-2026-44963, a critical remote code execution (RCE) flaw (CVSS 9.4) that permits authenticated domain users to execute arbitrary code on the Backup Server. Immediate patching is necessary because ransomware groups have historically exploited similar Veeam flaws. Post-compromise activity associated with CVE-2026-50751 has included data exfiltration via Rclone and potential Tox protocol usage.
Analyst Note - Detailed profiling of new and active RaaS operators, coupled with critical vulnerability exploitation, shows a persistent threat environment where rapid patching and strong validation processes are essential.
Technical Takeaways
- Ransomware-as-a-Service (RaaS) Model: "The Gentlemen" group operates a RaaS model, offering affiliates a 90/10 revenue split. This indicates a professionalized ransomware ecosystem.
- Initial Access Vectors: "The Gentlemen" primarily gain initial access by exploiting internet-facing VPNs and firewalls, a common tactic for many ransomware groups.
- Healthcare Sector Targeting: "The Gentlemen" have been linked to a major data exfiltration and encryption incident at Rajagiri Hospital, showing continued ransomware pressure on healthcare entities.
- Critical Vulnerability Exploitation: Qilin affiliates are exploiting CVE-2026-50751, an authentication bypass in Check Point VPN. This demonstrates rapid weaponization of newly disclosed critical vulnerabilities.
- Supply Chain Risk (Backup Solutions): The patched CVE-2026-44963 in Veeam Backup & Replication, a critical RCE flaw, emphasizes the importance of securing backup infrastructure. Ransomware groups frequently use such vulnerabilities.
- Threat Intelligence Validation: The misattribution incident involving Qilin and The Banyans Healthcare shows the critical need for meticulous validation of victim listings to prevent misinformation.
How World Leaks Ransomware Operates
World Leaks operates as a ransomware-as-a-service (RaaS) platform, enabling affiliates to deploy attacks across multiple sectors. Key operational characteristics include:
- Double extortion tactics: Data is exfiltrated before encryption, increasing pressure on victims
- Targeted sectors: Financial services and manufacturing remain primary targets
- Leak site infrastructure: Victims are publicly listed to compel ransom payment
- Geographic spread: Active across North America and South Asia simultaneously
Understanding their attack chain helps organizations prioritize defenses.
Protecting Your Organization From Active Ransomware Groups
With 31 new victims reported in a single 24-hour window, proactive defense is critical. Organizations should implement the following measures immediately:
- Patch management: Qilin affiliates actively exploit unpatched vulnerabilities — prioritize critical CVEs
- Network segmentation: Limit lateral movement opportunities for ransomware operators
- Offline backups: Maintain immutable, tested backups to reduce recovery time
- Threat intelligence feeds: Monitor active groups like Akira, PEAR, and World Leaks for targeting shifts
Why Ransomware Victim Counts Are Rising
The quarterly data reveals a troubling pattern — 1,764 victims this quarter continues a sustained wave of ransomware activity globally. Several factors are driving this trend:
- RaaS expansion: Lower barriers to entry allow more affiliates to launch attacks
- Healthcare and financial targeting: High-value data makes these sectors prime targets
- Underreporting: Actual victim counts likely exceed published figures significantly
- Evolving evasion techniques: Groups like "The Gentlemen" demonstrate increasingly sophisticated operational security
Tracking these trends is essential for security teams building resilient incident response programs.