Ransomware Activity and Related Threat Intelligence Updates
Reporting highlighted elevated ransomware activity and evolving access-broker ecosystems. BlackFog’s February ransomware roundup counted 82 publicly disclosed ransomware incidents across 20 countries, with the U.S. most affected (51 incidents) and healthcare the most targeted sector (31%). The report attributed publicly claimed attacks to 24 ransomware groups, led by Shiny Hunters (8) and Qilin (6), while noting 41% of incidents were not yet attributed; it also cited individual victim disclosures/claims involving Nova Biomedical (PII exposure affecting 10,764 people), Hosokawa Micron (files accessed; Everest claimed ~30GB theft), and Iron Mountain (Everest claim of 1.4TB theft, while Iron Mountain stated access was limited to a single marketing folder via a compromised credential).
Separately, Huntress described how investigation of a “routine” RDP brute-force success led to discovery of credential-hunting behavior and geo-distributed infrastructure consistent with a ransomware-as-a-service ecosystem and associated initial access activity, illustrating how exposed remote access can connect to broader ransomware operations. Arctic Wolf warned of heightened cyber risk following the February 2026 U.S./Israel-Iran escalation (Operation Epic Fury), advising increased vigilance—especially for sectors historically targeted by Iranian-linked actors (e.g., energy, defense, transportation, healthcare, government)—and anticipating potential wiper activity, DDoS, targeted intrusions, supply-chain risk, and possible collaboration with ransomware-affiliate activity amid geopolitical retaliation dynamics.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
10 events from the most recent confirmed update back to the earliest known activity.
AhnLab publishes April 2026 ransomware trends report
AhnLab’s ASEC released an April 2026 ransomware report summarizing activity observed via ransomware leak sites and damaged-system counts. The report said attacks continued across industries worldwide, highlighted critical infrastructure sectors such as manufacturing, healthcare, and finance, and noted activity from groups including Qilin, DragonForce, and INC Ransom alongside emerging threats.
ESRC publishes Q1 2026 ransomware trends report
ESRC released a first-quarter 2026 ransomware report stating that 73 groups were responsible for 2,565 confirmed incidents globally and that South Korea recorded 17 cases, about double the year-earlier period. The report identified Qilin as the most active group, said healthcare was the most targeted sector, and highlighted incidents affecting Covenant Health and Stryker as examples of ransomware-driven disruption.
AhnLab publishes March 2026 ransomware trends report
AhnLab’s ASEC released a March 2026 ransomware report describing continued attacks across critical sectors including manufacturing, healthcare, and finance, with activity from groups such as Qilin, The Gentlemen, and INC Ransom. The report also said ransomware operators increasingly combined encryption with exposure and blackmail via dedicated leak sites and warned that post-December 2025 victim statistics use a changed aggregation methodology.
Huntress maps infrastructure tied to ransomware-access operations
Using pivots from the brute-force source IP, TLS certificate analysis, and related domains such as specialsseason[.]com and 1vpns[.]com, Huntress identified a wider geo-distributed infrastructure network. Third-party references linked one observed IP to Hive ransomware and BlackSuite, leading Huntress to assess the activity as connected to a ransomware-as-a-service ecosystem and/or initial access broker operations.
Victim network isolated after malicious enumeration is confirmed
After confirming post-compromise malicious activity, Huntress contained the incident by isolating the affected environment across the network. The response stopped the intrusion before the investigation expanded to the attacker’s broader infrastructure.
Huntress investigates brute-force compromise of exposed RDP server
Huntress Tactical Response Team responded to what appeared to be routine brute-force activity against an internet-exposed RDP server and confirmed a successful compromise of a single account. The intruder then performed domain enumeration and manually searched for password-related files using Notepad rather than relying mainly on common credential-dumping techniques.
Victim organizations dispute some February extortion claims
BlackFog reported several disputed cases in February 2026 where threat actors claimed large-scale exfiltration but victims said impact was limited or that they found no evidence of compromise. Examples cited included Iron Mountain, HP/Poly, Epworth HealthCare, Atlas Air, and Safran Group.
February attacks cause broad data theft and operational disruption
BlackFog highlighted that February ransomware incidents affected sectors including healthcare, education, transportation, finance, hospitality, government, and critical infrastructure. Reported impacts included theft of personally identifiable information, protected health information, financial records, and operational disruption at organizations such as BridgePay, Conpet, Sapienza University of Rome, and the University of Mississippi Medical Center.
BlackFog identifies leading ransomware groups active in February
BlackFog said 24 ransomware groups were linked to publicly claimed attacks during February 2026, led by ShinyHunters with eight incidents and Qilin with six. It also noted that 41% of attacks remained unattributed.
February 2026 records 82 publicly disclosed ransomware incidents
BlackFog reported that February 2026 saw 82 publicly disclosed ransomware and cyber extortion incidents across 20 countries. Healthcare was the most targeted sector, and the United States accounted for 51 of the reported incidents.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
5 references tracked. Mallory keeps watching after this page renders.
April 2026 Threat Trend Report on Ransomware - ASEC
asec.ahnlab.com
Open source2026년 1분기 랜섬웨어 동향보고서
blog.alyac.co.kr
Open sourceMarch 2026 Ransomware Trends Report - ASEC
asec.ahnlab.com
Open sourceThe State of Ransomware: February 2026 | BlackFog
blackfog.com
Open sourceHow a Brute Force Attack Unmasked a Ransomware Infrastructure Network
bleepingcomputer.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Ransomware Activity Updates: January 2026 Trends, Milkyway Variant, and Lakelands Public Health Incident
Ransomware reporting in early February highlighted both broad **January 2026** activity and specific new developments. BlackFog tracked **91 publicly disclosed ransomware attacks** to open 2026, with **healthcare** the most targeted sector (27 incidents) and nearly **half (49%)** of recorded attacks not publicly claimed by a known group; among claimed activity, **Qilin** led with eight incidents and the **U.S.** accounted for 58% of disclosed attacks. Separately, CYFIRMA reported identifying a ransomware strain dubbed **Milkyway**, which encrypts files and appends the `.milkyway` extension, presents a full-screen ransom message, and uses typical extortion pressure (including threats to leak stolen data), with recovery generally dependent on offline/secure backups absent cryptographic flaws. A healthcare-specific incident in Ontario was also disclosed: **Lakelands Public Health** reported a cybersecurity intrusion discovered **Jan 29** and reported **Feb 3**, which disrupted internal systems and some public services during containment while stating infectious disease and clinical appointment systems were not impacted. The **Lynx** ransomware group publicly claimed responsibility by listing the organization on a leak site and implying data theft; Lakelands Public Health engaged a specialized cybersecurity firm and worked with law enforcement and forensics to validate the claim and determine scope. UpGuard characterized Lynx as a **RaaS** operation and an alleged successor to the **INC** ransomware group, consistent with double-extortion tactics (encryption plus threatened data exposure).
Mar 21, 2026
Ransomware and Cyber-Extortion Trends: Shift to Data Theft and Evolving RaaS Ecosystem
Cyber insurance and threat reporting indicate **ransomware operators are increasingly leaning on data theft and extortion** as organizations improve backup and recovery. Coalition’s 2025 claims data (across 100,000+ policyholders) shows **business email compromise (BEC)** and **funds transfer fraud (FTF)** dominated claims volume, while **ransomware** represented a smaller share but featured **sharply higher initial demands** (average just over **$1.0M**, with some as high as **$16M**) even as average loss severity declined—consistent with improved restoration and response reducing the leverage of pure encryption-only attacks. In parallel, the broader ransomware ecosystem continues to **reorganize rather than shrink** despite sustained law-enforcement disruption of major RaaS brands (e.g., LockBit/Hive/ALPHV), with reporting citing high victim-post volumes across dozens of active operations. Halcyon reported a **tactical shift among pro-Iranian/pro-Palestinian-aligned operators** away from *Sicarii* toward **BQTLock (Baqiyat 313 Locker)**, including promotion of “free” RaaS access via Telegram and targeting focused on the UAE, US, and Israel. Separately, **ShinyHunters** claimed a major theft from AI merchant-data platform *Woflow* (alleging internal data, PII, and transaction/order details) but provided no sample for verification at the time of reporting, while a separate SC Media piece used the **SoundCloud** incident (reported exposure of data tied to ~**29.8M** accounts) to highlight incident-response and crisis-management considerations rather than new technical findings.
Mar 31, 2026
Ransomware and data-extortion incidents drive new breach disclosures across healthcare, aviation, and hospitality
Multiple organizations disclosed or were linked to **ransomware/data-extortion** activity with material operational or privacy impact. **Air Côte d’Ivoire** confirmed a cyberattack affecting parts of its information systems after **INC ransomware** claimed theft of **208 GB** and threatened to leak data, while the airline said it engaged the national CERT and external experts to contain impact and maintain flight operations. In the US healthcare sector, **University of Mississippi Medical Center (UMMC)** reported a ransomware incident that forced statewide clinic closures and disrupted access to **Epic** electronic medical records, prompting engagement with the **FBI** and **CISA** and use of downtime procedures to sustain patient care. Separately, **Conduent**’s earlier ransomware-linked breach continued to expand in scope, with breach notifications indicating at least **~25 million** people affected across multiple states and exposure of sensitive PII (including **SSNs** and health/insurance data). **Wynn Resorts** also confirmed an unauthorized party accessed and stole employee data after being listed by the **ShinyHunters** extortion group, with the company stating the actor claimed the data was deleted and that guest operations were not impacted. Other items in the set describe distinct, unrelated security events and broader threat research rather than the same incident: alleged data leaks involving **Burger King France** and **Wendy’s UK**; **Qilin** ransomware claims against a New York City transit union; Russian cyber operations against Ukraine’s power grid focused on intelligence collection; and a New Zealand healthcare application (**MediMap**) taken offline after apparent unauthorized access and **patient record tampering** (e.g., records marked deceased). Additional references cover threat research and trends (airline brand impersonation domains, edge-device exploitation telemetry, MuddyWater’s *Operation Olalampo*, Google Ads cloaking via **1Campaign**, freight/logistics phishing by “Diesel Vortex,” and various governance/AI/5G/quantum commentary), which provide context on the threat environment but do not substantively report on the same specific breach event.
Mar 21, 2026