
Ransomware Report - April 2026
Executive Summary
In April 2026, 867 ransomware victims were recorded globally, continuing the elevated incident volume observed since Q4 2025. Month-over-month activity reflects a broadly sustained operational tempo, but the ransomware-as-a-service (RaaS) ecosystem showed notable structural shifts: geographic diversification expanded and new mid-tier operators consolidated their presence.
The United States retained its position as the most impacted geography, accounting for 324 victims. Business Services emerged as the most heavily targeted confirmed sector with 175 victims, representing a significant shift from prior months where Manufacturing and Technology competed for the top position. Manufacturing (125 victims) and Consumer Services (80 victims) followed as primary targets.
Qilin maintained its dominant position as the leading threat actor for a fourth consecutive month, underscoring the group's sustained operational consistency. The RaaS ecosystem continued to expand in group count and geographic reach, with victim organizations identified across more than 80 countries.
Introduction
This report provides an in-depth assessment of ransomware victim distribution by sector and geography during April 2026, including a comparative analysis with March 2026 to identify shifts in threat actor activity, sector targeting patterns, geographic impact, and overall victim volume. The findings are intended to support cybersecurity leaders and response teams in strengthening defensive posture and operational preparedness.
Key Points
- A total of 867 ransomware victims were recorded globally in April 2026.
- The United States accounted for 324 victims, remaining the dominant target geography.
- Among confirmed sectors, Business Services (175 victims), Manufacturing (125 victims), and Consumer Services (80 victims) were the most targeted.
- Healthcare recorded 79 victims and Technology recorded 75 victims, reflecting sustained pressure on both sectors.
- The "Not Found" sector classification accounted for 64 victims, a significant reduction compared to prior months, suggesting improved attribution coverage.
- Qilin led all threat groups with 108 victims, holding the top position for a fourth consecutive month.
- TheGentlemen (86 victims) and DragonForce (65 victims) rounded out the top three operators.
- APT73 emerged with 62 victims as a notable high-volume actor, reflecting continued ecosystem diversification.
- The United Kingdom (56 victims) and Germany (50 victims) were the most impacted countries outside the United States.
- Victim organizations were identified across more than 80 countries, underscoring the continued global reach of ransomware operations.
Ransomware Activity — April 2026
Ransomware activity in April 2026 demonstrated continued and expansive global reach, with victim distribution heavily concentrated in North America and Western Europe while showing measurable growth across Asia-Pacific, Latin America, and the Middle East.
Qilin maintained its dominant position as the most active threat group with 108 recorded victims, extending its streak as the leading operator for a fourth consecutive month. Qilin continues to expand its affiliate base and broaden its operational reach across sectors and geographies. TheGentlemen (86 victims) followed as the second most active group, sustaining high-volume campaign activity consistent with its February surge. DragonForce (65 victims) climbed into third position, reinforcing its trajectory as a rapidly growing operator.
APT73 (62 victims) represented one of the most notable developments of the month, establishing itself as a significant high-volume actor and reflecting continued ecosystem fragmentation and the entry of new competitive operators. Akira (49 victims) maintained its established mid-tier standing, while CoinbaseCartel (48 victims) — operating primarily through an extortion-only model bypassing traditional encryption — continued its upward trajectory from prior months.
Incransom (39 victims) and the newly prominent PayoutsKing (39 victims) demonstrated sustained operational activity. LockBit5 (39 victims) and Nightspire (32 victims) contributed meaningfully to overall activity levels, reflecting a densely populated upper mid-tier. Emerging and steadily active groups including Krybit (23 victims), ShinyHunters (21 victims), Payload (18 victims), and Lamashtu (17 victims) further diversified the ecosystem.
Several smaller collectives including Gunra (16), SilentRansomGroup (14), WorldLeaks (13), Everest (12), and numerous single-digit operators rounded out a threat landscape defined by both concentration at the top and broad-based distribution across the mid and lower tiers.
Ransomware Activity — March 2026 vs. April 2026
Ransomware activity increased from approximately 834 victims in March 2026 to 867 victims in April 2026, reflecting continued upward pressure on the global ransomware baseline.
Qilin retained the top position with 108 victims in April, down from 141 in March. The decline is a moderation after March's peak rather than a loss of standing: Qilin remained the leading operator for a fourth consecutive month. TheGentlemen rose from 50 victims in March to 86 in April, a renewed surge consistent with the group's historically volatile campaign cadence. DragonForce continued its upward trajectory, rising from 59 to 65 victims, reinforcing its status as a consistently growing operator.
APT73 emerged prominently in April with 62 victims after limited visibility in prior months, representing one of the most significant new entrants in the current reporting cycle. Akira fell from 75 victims in March to 49 in April, giving back its March rebound; the decline may reflect tactical recalibration or increased defensive resistance in targeted verticals, and the victim counts alone do not distinguish the two. CoinbaseCartel continued its rapid growth, rising from 34 to 48 victims, while PayoutsKing (39 victims) established itself as a notable mid-tier operator.
Overall, April 2026 reflected continued structural resilience in the RaaS ecosystem, with no single operator dominating to the degree seen in March and activity distributed across a growing number of groups. The total number of active threat actors increased to approximately 57 identified groups in April.
Industry Impact in April 2026 — Ransomware Continues to Target Critical Sectors
In April 2026, ransomware attacks demonstrated a notable shift in sectoral targeting patterns compared to prior months, with Business Services displacing Manufacturing from the top position for the first time in the current reporting cycle.
Business Services recorded the highest confirmed victim count at 175, a substantial increase reflecting continued attacker interest in professional services organizations — including law firms, consulting firms, and managed service providers — whose client data and operational dependencies create acute extortion leverage. Manufacturing followed with 125 victims, maintaining its status as a primary target due to supply-chain interdependencies and the acute operational pressure created by downtime. Consumer Services (80 victims) and Healthcare (79 victims) recorded significant volumes, with Healthcare continuing its pattern as a high-priority target given the sensitivity of patient data and regulatory obligations associated with breaches.
Technology (75 victims) remained a major target, reflecting persistent attacker interest in intellectual property, cloud infrastructure exposure, and SaaS integration vulnerabilities. Financial Services (42 victims) and Construction (40 victims) sustained consistent targeting of compliance-heavy and capital-intensive environments. Transportation and Logistics (35 victims), Agriculture and Food Production (34 victims), and Public Sector (32 victims) all recorded meaningful activity.
Energy (30 victims) and Education (23 victims) continued as secondary targets. Hospitality and Tourism (20 victims) and Telecommunications (13 victims) rounded out the confirmed sector distribution. A total of 64 incidents fell under "Not Found" attribution — a significant reduction compared to the 321 unattributed incidents recorded in March, indicating improved sector attribution coverage in underground reporting channels.
The April distribution reinforces attackers' demonstrated preference for industries where data sensitivity, operational disruption, and regulatory exposure can be leveraged simultaneously to maximize ransom pressure.
Geographical Distribution of Victims
The United States remained the most targeted country in April 2026 by a substantial margin, accounting for 324 victims. North America continued to represent the global epicenter of ransomware activity, though the US share of globally attributed incidents declined relative to prior months, reflecting the continued broadening of geographic targeting.
The United Kingdom (56 victims) recorded a significant increase from March, reinforcing sustained pressure on British organizations particularly in professional and financial services. Germany (50 victims) maintained substantial exposure within Western Europe. France (30 victims), Italy (26 victims), and Canada (22 victims) also experienced notable targeting.
In the Asia-Pacific region, Australia (20 victims) and Thailand (16 victims) led regional activity, followed by Japan (13 victims) and India (10 victims), which both remained consistent targets. Taiwan (9 victims), Singapore (9 victims), and Hong Kong (9 victims) reflected continued growth in regional ransomware activity.
In Latin America, Brazil (14 victims) and Mexico (15 victims) led regional activity, with Colombia (7 victims) and Argentina (6 victims) also recording incidents. In the Middle East, United Arab Emirates (4 victims) and Saudi Arabia (3 victims) maintained consistent exposure.
Notably, in April researchers identified victims across more than 80 countries, including a substantial number of new or previously lower-volume geographies across Africa, Southeast Asia, Eastern Europe, and the Caribbean. A total of 37 incidents were attributed to "Other/Not Found," reflecting residual incomplete geographic attribution in public leak disclosures.
Threat actors continued to prioritize regions with advanced digital infrastructure, higher ransom payment capacity, and mature enterprise environments, while simultaneously demonstrating increased opportunistic targeting across emerging markets.
Major Ransomware Breaches Across Global Sectors — April 2026
During April 2026, ransomware and cyber-extortion activity produced a number of significant confirmed or claimed incidents across critical industries and regions.
Technology and Media — North America
ShinyHunters claimed one of the month's most prominent breaches against Rockstar Games, the developer behind the Grand Theft Auto franchise. The group did not breach Rockstar's systems directly; instead, it used authentication tokens extracted from Anodot, a third-party cloud monitoring service provider, to access Rockstar's Snowflake cloud data warehouse instances. Because the access arrived through a trusted integration presenting valid credentials, it was difficult for Rockstar's security team to distinguish from legitimate integration traffic. ShinyHunters issued a ransom deadline of April 14, 2026, threatening to leak stolen data if demands were not met. Rockstar confirmed that "a limited amount of non-material company information" was accessed via the third-party breach, stating there was no impact on operations or players. The incident is part of a broader ShinyHunters campaign systematically exploiting SaaS integration trust chains across dozens of organizations through the same Anodot entry point.
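The Rockstar case turns on a property that defeats login-centric monitoring: the credentials were valid, so authentication succeeded normally and the only signals were where the session came from, which client it used, what it read and how much. The following detection logic is an added example for this report, not code from Rockstar, Snowflake, Anodot or any vendor. It builds a per-principal baseline from historical access and flags later activity that departs from it. The records are constructed to resemble Snowflake's login and query history, but the field names, the service user name and the thresholds are assumptions, not a real schema or real data.

```python
"""Flag abuse of a trusted integration's valid credentials in a cloud data
warehouse. Added example, not code from any vendor or from the incident in the
report. Records are constructed; field names are assumptions, not Snowflake's
actual LOGIN_HISTORY / QUERY_HISTORY schema."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample: MONITOR_SVC is the service user a third-party monitoring
# vendor authenticates with. April 1-7 is normal: the vendor's egress IP, its
# usual client, two metrics tables, modest row counts. On April 9 the same
# valid credentials arrive from another network and client and dump a table
# the integration has never touched.
LOGIN_HISTORY = [
    {"user": "MONITOR_SVC", "ts": "2026-04-01T02:00:00", "ip": "203.0.113.10", "client": "PythonConnector"},
    {"user": "MONITOR_SVC", "ts": "2026-04-03T02:00:00", "ip": "203.0.113.10", "client": "PythonConnector"},
    {"user": "MONITOR_SVC", "ts": "2026-04-05T02:00:00", "ip": "203.0.113.10", "client": "PythonConnector"},
    {"user": "MONITOR_SVC", "ts": "2026-04-09T14:12:00", "ip": "198.51.100.77", "client": "SnowSQL"},
]
QUERY_HISTORY = [
    {"user": "MONITOR_SVC", "ts": "2026-04-01T02:01:00", "table": "METRICS.DAILY_KPIS", "rows": 1200},
    {"user": "MONITOR_SVC", "ts": "2026-04-03T02:01:00", "table": "METRICS.DAILY_KPIS", "rows": 1350},
    {"user": "MONITOR_SVC", "ts": "2026-04-05T02:01:00", "table": "METRICS.ALERTS", "rows": 80},
    {"user": "MONITOR_SVC", "ts": "2026-04-09T14:15:00", "table": "HR.EMPLOYEES", "rows": 48000},
    {"user": "MONITOR_SVC", "ts": "2026-04-09T14:20:00", "table": "METRICS.DAILY_KPIS", "rows": 1300},
]
BASELINE_END = datetime.fromisoformat("2026-04-08T00:00:00")  # profile built from activity before this
ROW_MULTIPLIER = 10  # a read returning more than 10x the user's median rows counts as bulk


def _ts(rec):
    return datetime.fromisoformat(rec["ts"])


def build_profiles(logins, queries, cutoff):
    """Per-user baseline from activity before cutoff: source IPs, client
    applications, tables read and the row counts normally returned. With valid
    credentials the login outcome is not a signal; this context is."""
    profiles = defaultdict(lambda: {"ips": set(), "clients": set(), "tables": set(), "rows": []})
    for rec in logins:
        if _ts(rec) < cutoff:
            profiles[rec["user"]]["ips"].add(rec["ip"])
            profiles[rec["user"]]["clients"].add(rec["client"])
    for rec in queries:
        if _ts(rec) < cutoff:
            profiles[rec["user"]]["tables"].add(rec["table"])
            profiles[rec["user"]]["rows"].append(rec["rows"])
    return profiles


def detect(logins, queries, cutoff, row_multiplier=ROW_MULTIPLIER):
    """Evaluate activity at or after cutoff against the baseline. Returns one
    finding per rule hit; an integration user firing several rules within one
    session is the pattern worth paging on."""
    profiles = build_profiles(logins, queries, cutoff)
    findings = []

    def hit(rec, rule, detail):
        findings.append({"ts": rec["ts"], "user": rec["user"], "rule": rule, "detail": detail})

    for rec in logins:
        if _ts(rec) < cutoff:
            continue
        prof = profiles.get(rec["user"])  # .get() does not create a default entry
        if prof is None:
            hit(rec, "new_principal", "no baseline activity for this user")
            continue
        if rec["ip"] not in prof["ips"]:
            hit(rec, "new_source_ip", rec["ip"])
        if rec["client"] not in prof["clients"]:
            hit(rec, "new_client", rec["client"])

    for rec in queries:
        if _ts(rec) < cutoff:
            continue
        prof = profiles.get(rec["user"])
        if prof is None:
            hit(rec, "new_principal", "query by a user with no baseline activity")
            continue
        if rec["table"] not in prof["tables"]:
            hit(rec, "new_table", rec["table"])
        if prof["rows"] and rec["rows"] > row_multiplier * median(prof["rows"]):
            hit(rec, "bulk_read", f"{rec['rows']} rows from {rec['table']}")
    return findings


if __name__ == "__main__":
    for f in detect(LOGIN_HISTORY, QUERY_HISTORY, BASELINE_END):
        print(f"{f['ts']} {f['user']} {f['rule']}: {f['detail']}")
```

On the constructed data the April 9 session produces four findings (new source IP, new client, a never-before-read table, and a bulk read) while the routine 1,300-row metrics query on the same day is left alone. In a real Snowflake deployment the equivalent inputs are the CLIENT_IP and REPORTED_CLIENT_TYPE columns of ACCOUNT_USAGE.LOGIN_HISTORY and ROWS_PRODUCED in ACCOUNT_USAGE.QUERY_HISTORY; a network policy that restricts the integration user to the vendor's published egress ranges turns the new_source_ip case from a detection into a prevention.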
Education and E-Learning — United States
ShinyHunters claimed responsibility for a breach at Udemy, one of the world's largest online learning platforms, listing the company on its dark web leak site on April 24, 2026, with a ransom deadline of April 27. The group claimed to have exfiltrated over 1.4 million records containing personally identifiable information, including names, physical addresses, phone numbers, employer information, and instructor payout details, and threatened to release the data if demands were not met. The stolen dataset was subsequently leaked publicly and was indexed by Have I Been Pwned on April 26, 2026. The incident is part of ShinyHunters' broader 2026 campaign exploiting SaaS platform integrations and Salesforce-linked infrastructure across dozens of organizations simultaneously.
Automotive Data and Analytics — Europe and Australia
Autovista Group, a critical provider of data, analytics, and industry insights for the European automotive sector, confirmed a significant ransomware attack in early April 2026 that forced the company to disable several customer-facing platforms, effectively cutting off essential pricing and valuation data for the automotive supply chain. The UK-headquartered company, whose brands include Eurotax, Glass's, Rødboka, and Schwacke, engaged external cybersecurity experts to contain the attack, which disrupted operations across Europe and Australia. The incident disrupted vehicle valuation services for dealerships, insurers, and fleet management firms across the continent, and no threat actor had publicly claimed responsibility at time of reporting.
Cloud Hosting and Developer Infrastructure — United States
Vercel, a widely used cloud application hosting and deployment platform, disclosed a confirmed security breach on April 19, 2026, originating from a supply chain compromise at Context.ai, a third-party AI productivity tool used by a Vercel employee. Attackers used OAuth tokens stolen by Lumma Stealer infostealer malware to take over the employee's Google Workspace account and pivot into Vercel's internal environments, where they bulk-extracted environment variables, including API keys, database credentials, and cloud access keys, from a limited subset of customer projects; the affected variables had not been stored as encrypted, sensitive values. A threat actor attempted to sell the stolen data on BreachForums, claiming it could be used to mount a large-scale downstream supply chain attack. Vercel confirmed the breach, engaged incident response experts including Mandiant, notified law enforcement, and subsequently identified additional customer accounts compromised prior to the April incident. Vercel's core infrastructure, Next.js, and Turbopack projects were confirmed unaffected.
Consumer Services and Entertainment — Australia
DragonForce claimed a 352.24 GB data theft from Australian ice-cream franchise Gelatissimo, with the company confirming unauthorized access to its network and launching an investigation. The stolen data allegedly included employee details, partial tax file numbers, financial records, and visa application data. This incident reflects continued attacker opportunism across consumer-facing organizations, with mid-sized retail and franchise brands increasingly drawn into the crosshairs of high-volume ransomware operators.
Public Sector and Critical Infrastructure — Canada and Regional
The Rural Municipality of Gimli in Canada was targeted by the Payload ransomware group, demonstrating continued attacker interest in government and public sector entities at the municipal level — a pattern consistent with broader observed trends of ransomware operators targeting local government bodies where IT resources and defensive posture are typically limited.
These incidents collectively underscore ransomware groups' continued emphasis on supply chain exploitation, data exfiltration as the primary extortion lever, and the broadening of target profiles to include data-as-a-service providers whose disruption creates cascading downstream impact.
Recommendations — April 2026 Ransomware Outlook
To mitigate the ongoing and intensifying ransomware threat, organizations should continue strengthening defensive resilience through layered controls. The April incidents highlight several critical vectors requiring immediate attention, including third-party SaaS integration vulnerabilities, cloud token security, and supply chain dependencies.
- Deploy EDR/XDR and continuously monitor for indicators of compromise across endpoint, network, and cloud telemetry. Apply behavioral detection to identify abnormal data access patterns, particularly in cloud data warehouses and SaaS integrations, where a compromised integration presents valid credentials and the usable signals are source address, client application, data scope, and volume rather than the login outcome.
- Enforce rigorous third-party and supply-chain risk management. The Rockstar and Vercel incidents both illustrate how a single compromised upstream provider can expose downstream organizations without any breach of the victim's own perimeter. Inventory and monitor all third-party integrations, enforce token lifecycle management (short lifetimes, scheduled rotation, and immediate revocation when a vendor reports an incident), and validate the security posture of every connected SaaS platform.
- Implement phishing-resistant MFA across all remote access channels and review session-token lifecycles to mitigate adversary-in-the-middle and token hijacking attacks. MFA does not protect a refresh token or API key once an infostealer has copied it from an endpoint, so the scope and network binding of issued tokens matter as much as the login step.
- Enforce rapid patch management for VPNs, cloud services, exposed web applications, and third-party software dependencies, including package repositories and monitoring tools.
- Segment enterprise networks to limit lateral movement and reduce blast radius following initial compromise. Maintain offline, encrypted, and regularly tested backup systems protected from network-accessible compromise.
- Extend visibility into cloud environments, including Snowflake, SharePoint, and other cloud data platforms that may be accessed by multiple third-party integrations simultaneously. Restrict integration identities to their vendors' published egress addresses where the platform supports network policies, and store secrets such as environment variables as encrypted, sensitive values so that a bulk export yields ciphertext rather than usable credentials.
- Conduct regular incident response exercises and ransomware simulation drills calibrated to current threat actor TTPs, with specific scenarios addressing supply chain and SaaS integration attack vectors.
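The second and third recommendations above (audit third-party integrations, manage token lifecycles, limit what a stolen token can do) are easier to enforce when they are written down as a policy and checked mechanically. The audit below is an added example for this report, not a tool from any vendor or organization named in it. The inventory rows, the policy thresholds, the vendor names and the scope strings are constructed assumptions; in practice the same fields come from an identity provider, a secrets manager and SaaS admin consoles. The third row mirrors the Vercel chain: a refresh token with broad scopes that an infostealer could lift from an endpoint.

```python
"""Audit an inventory of third-party integration credentials against a
lifecycle policy. Added example, not a tool from any vendor named in the
report. Inventory, thresholds, vendor names and scope strings are constructed
assumptions."""
from datetime import date

AS_OF = date(2026, 4, 30)  # assumed audit date

# Policy (assumed values): rotate static credentials every 90 days, revoke
# anything unused for 30 days, never let an integration hold admin-level
# scope, and bind every credential to the vendor's published egress ranges.
POLICY = {
    "max_age_days": 90,
    "max_idle_days": 30,
    "privileged_scopes": {"ACCOUNTADMIN", "SECURITYADMIN", "admin.directory", "drive"},
    "approved_vendors": {"monitoring-saas", "legacy-bi-connector"},
}

# Constructed inventory rows (vendor names and scopes are hypothetical).
INVENTORY = [
    {"vendor": "monitoring-saas", "credential": "snowflake-keypair", "issued": "2025-01-15",
     "last_used": "2026-04-28", "scopes": ["SELECT:METRICS.*"], "ip_bound": True},
    {"vendor": "legacy-bi-connector", "credential": "snowflake-password", "issued": "2024-06-01",
     "last_used": "2025-11-03", "scopes": ["ACCOUNTADMIN"], "ip_bound": False},
    {"vendor": "ai-assistant-plugin", "credential": "google-oauth-refresh-token", "issued": "2026-02-10",
     "last_used": "2026-04-27", "scopes": ["gmail.readonly", "drive", "admin.directory"], "ip_bound": False},
]


def audit_credential(row, policy, as_of):
    """Return (severity, rule, detail) tuples for one inventory row. Rules are
    independent so one credential can, and often does, violate several."""
    issued = date.fromisoformat(row["issued"])
    last_used = date.fromisoformat(row["last_used"])
    findings = []
    if row["vendor"] not in policy["approved_vendors"]:
        findings.append(("high", "unapproved_vendor", row["vendor"]))
    privileged = sorted(set(row["scopes"]) & policy["privileged_scopes"])
    if privileged:
        # A stolen token inherits every scope it was granted; this is the blast radius.
        findings.append(("high", "privileged_scope", ",".join(privileged)))
    idle_days = (as_of - last_used).days
    if idle_days > policy["max_idle_days"]:
        findings.append(("high", "stale_credential", f"unused for {idle_days} days, revoke"))
    age_days = (as_of - issued).days
    if age_days > policy["max_age_days"]:
        findings.append(("medium", "rotation_overdue", f"issued {age_days} days ago"))
    if not row["ip_bound"]:
        findings.append(("medium", "no_network_binding", "usable from any source address"))
    return findings


def audit(inventory, policy=POLICY, as_of=AS_OF):
    """Map 'vendor/credential' to its findings, highest severity first."""
    order = {"high": 0, "medium": 1}
    return {
        f"{row['vendor']}/{row['credential']}":
            sorted(audit_credential(row, policy, as_of), key=lambda f: order[f[0]])
        for row in inventory
    }


if __name__ == "__main__":
    for cred, findings in audit(INVENTORY).items():
        print(cred if findings else f"{cred}: compliant")
        for severity, rule, detail in findings:
            print(f"  [{severity}] {rule}: {detail}")
```

On the constructed inventory the monitoring vendor's keypair only needs rotation, the legacy connector trips four rules (an admin role, six months idle, never rotated, no network binding) and should simply be revoked, and the unapproved AI plugin's refresh token is the Vercel-shaped case: recent and in active use, yet carrying directory-admin and Drive scopes that an attacker holding the token would inherit. Run the audit on a schedule and treat any new "high" finding as an incident-response trigger, not a ticket.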
Conclusion
The ransomware landscape in April 2026 reflected continued elevation in victim volumes against a sustained high baseline, with 867 globally recorded victims and activity spanning more than 80 countries. The United States remained disproportionately affected, while the United Kingdom, Germany, France, and Australia experienced notable targeting within their respective regions.
Sectoral distribution in April marked a significant shift, with Business Services displacing Manufacturing from the top position for the first time in recent reporting cycles — a development consistent with observed attacker interest in professional services organizations holding high-value client data. Manufacturing, Consumer Services, Healthcare, and Technology continued to represent primary targets, with Education and Public Sector sustaining consistent secondary exposure.
The emergence of APT73 as a high-volume operator, the continued growth of CoinbaseCartel's extortion-only model, and the persistence of ShinyHunters' supply chain exploitation campaigns collectively signal an ecosystem in active evolution, one where traditional encryption-based ransomware increasingly coexists with data-theft-only extortion models that require no encryption payload and often no access beyond a stolen integration token.
Ransomware remains a persistent, adaptive, and strategically driven threat. The structural resilience of the RaaS ecosystem, the growing sophistication of supply chain and SaaS integration attacks, and the demonstrated willingness to target a broadening range of geographies and sectors underscore the need for sustained investment in detection, response, and recovery capabilities across all industries and organizational sizes.