Ransomware summary week 16, 2026

Week 16 brought confirmation that patient data was stolen in the ChipSoft attack disrupting Dutch hospitals, Medusa/Storm-1175 claimed the University of Mississippi Medical Center and Passaic County, Qilin struck German automotive supplier Herth+Buss and Florida’s Clearwater Marine Aquarium, and an emerging group called Gunra targeted Thailand’s Nok Air and a petroleum trading company in rapid succession.
Tag: ransomware

Published: April 18, 2026

Executive Summary

The week of April 10–17, 2026, was defined as much by the resolution and aftermath of prior incidents as by new attacks. The most consequential development came on April 17, when ChipSoft — the Dutch electronic health record vendor whose compromise in week 15 disrupted 80% of the Netherlands’ hospitals — confirmed that patient data had indeed been stolen. The Dutch data protection authority had by that point received 66 separate breach notifications from affected healthcare organisations, and the country’s Justice Minister used a parliamentary hearing on April 14 to issue a stark warning: the Netherlands should “expect more big hacks.” At the same time, Signature Healthcare’s Brockton Hospital in Massachusetts — paralysed since April 6 by the Anubis ransomware group — restored normal services and lifted ambulance diversions on April 15, bringing a measure of relief to one of the week’s most clinically disruptive incidents.

Against that backdrop of ongoing crises, new attacks continued to emerge across every geography. Medusa ransomware, deployed by the China-linked Storm-1175 group, was linked to fresh claims against the University of Mississippi Medical Center and Passaic County in New Jersey. Qilin claimed the German automotive parts manufacturer Herth+Buss on April 13, and posted 84 GB of data from Florida’s Clearwater Marine Aquarium on April 15–16. A separate incident struck Autovista — the European automotive analytics firm used by insurers and dealers across the continent — taking vehicle valuation platforms offline and causing what observers described as a “European automotive data blackout.” The emerging Gunra ransomware group announced itself with two Thai victims in a single day: Nok Air, a major low-cost carrier, and Thai Petroleum & Trading Co.

Microsoft’s April 14 Patch Tuesday was itself a signal of the threat environment, releasing fixes for 167 vulnerabilities including a SharePoint Server zero-day actively exploited in the wild. CISA added six new entries to its Known Exploited Vulnerabilities catalog on April 13 and 14, including a Microsoft Exchange flaw directly tied to Storm-1175’s Medusa campaigns. The FBI’s IC3 Annual Report, which received wide coverage during the week, confirmed healthcare as the single most targeted sector for ransomware in 2025 with 460 recorded attacks — a figure that reinforces the pattern visible in week 16’s incident list.

Key Statistics:

  • Global: Approximately 185 victims tracked in the trailing seven-day window ending April 15, a 5.7% increase from the prior week; Qilin and DragonForce together claimed 39 victims; top active groups: Qilin, DragonForce, Medusa/Storm-1175, Akira, SafePay, Anubis
  • Europe: ChipSoft patient data theft confirmed (Netherlands); Autovista ransomware disrupts automotive sector (Europe/Australia); Qilin claims Herth+Buss (Germany); ~5+ incidents
  • Asia: Gunra claims Nok Air and Thai Petroleum & Trading (Thailand); APT73/Bashe claims Philippines DPWH; ~4+ incidents
  • US: Brockton Hospital services restored; Medusa claims University of Mississippi Medical Center and Passaic County; Spring Lake Park schools closed; Clearwater Marine Aquarium data exfiltrated; ~10+ incidents
  • Other: Limited new confirmed incidents

1. EUROPE

1.1 Government

No new government-sector ransomware incidents were confirmed in Europe this week. The Dutch Parliament convened an extraordinary hearing on April 14 focused on the ChipSoft attack’s implications for national healthcare cybersecurity, with the Justice Minister issuing a public warning that society should prepare for further large-scale hacks targeting critical infrastructure.

1.2 Health, Municipalities & Non-commercial

The most significant European development of the week was not a new attack but the confirmation of theft. On April 17, ChipSoft officially acknowledged that patient data had been stolen during the April 7 ransomware attack that disrupted its HiX electronic health record platform. The Dutch Data Protection Authority reported receiving 66 separate breach notifications from affected healthcare organisations, including general practitioners, the Rotterdam Eye Hospital, and the rehabilitation centres Rijndam and Basalt. Dutch News reported that the medical data stolen in the attack included personally identifiable health information. Justice Minister Kilian gave the parliamentary committee a sobering assessment on April 14: the Netherlands must expect more incidents of this magnitude. No ransomware group has claimed the ChipSoft attack as of publication, and the investigation continues.

The ChipSoft confirmation crystallises the supply-chain dimension that makes vendor-level attacks so damaging. By compromising a single software provider, attackers compromised the data confidentiality of patients across dozens of organisations that never suffered a direct breach — demonstrating that healthcare institutions face material risk from every third-party technology partner in their supply chain.

1.3 Business

Qilin claimed Herth+Buss, a German mid-market manufacturer of automotive spare parts and accessories, on April 13. Herth+Buss supplies aftermarket parts to dealers and workshops across Europe, and the attack follows a sustained pattern of Qilin targeting German industrial companies. FalconFeeds noted the claim alongside a simultaneous posting for Desprès Mécanique Mobile, a Canadian automotive repair company, suggesting coordinated sector-focused targeting within the automotive aftermarket industry.

The more operationally disruptive European business incident was the ransomware attack on Autovista, a pan-European automotive data and analytics company whose vehicle valuation and residual value tools are used daily by insurers, manufacturers, and dealers across the continent. The Register reported the incident on April 15, with Autovista confirming that systems in both Europe and Australia were affected and customer-facing platforms had been taken offline. The Cyber Signal described the impact as a “European automotive data blackout,” reflecting how deeply embedded Autovista’s data feeds are in insurance claims processing and vehicle pricing workflows. No group has claimed the attack.


2. ASIA

2.1 Government

APT73 — also tracked as Bashe — claimed the Philippine Department of Public Works and Highways (DPWH) during the week, alleging the exfiltration of approximately 50 GB of internal documents, email records, financial data, and personal information of government employees. The Philippines’ Department of Information and Communications Technology (DICT) launched an investigation. APT73 operates a double-extortion model with countdown timers on its leak site, creating public pressure for payment. The compromise of a national infrastructure ministry responsible for roads, bridges, and public works carries significant implications for the confidentiality of government contracting data and civil engineering project documentation.

2.2 Health, Municipalities & Non-commercial

No incidents reported this week.

2.3 Business

The emerging Gunra ransomware group made a notable debut by claiming two Thai organisations on approximately April 8 — just at the boundary of the week — in what appeared to be a coordinated campaign against Thailand’s economy. Nok Air Public Company Limited, a major Thai low-cost airline, and Thai Petroleum & Trading Co., Ltd. were both listed on Gunra’s leak site. Targeting an airline and an energy trading company simultaneously suggests Gunra is pursuing high-profile, economically significant organisations in the region rather than opportunistic targeting of soft targets. CYFIRMA’s Weekly Intelligence Report of April 17 highlighted Gunra as a notable emerging threat worth tracking.


3. UNITED STATES

3.1 Government

Passaic County, New Jersey, was listed as a victim of Medusa ransomware (deployed by Storm-1175) during the week, according to Bitdefender’s Threat Debrief for April 2026. The incident adds to a growing list of US county-level governments struck by Storm-1175’s high-velocity Medusa campaigns, following Microsoft’s detailed public disclosure of the group’s tactics in week 15. Passaic County provides municipal services to roughly 530,000 residents in northern New Jersey.

Spring Lake Park School District in Minnesota suffered what officials described as a suspected ransomware attack, discovered on April 12–13. The district cancelled all classes on April 13 and remained closed the following day while law enforcement and external cybersecurity experts worked to contain the incident. Officials hoped to resume classes by April 15. No ransomware group had claimed the attack by the end of the week.

3.2 Health, Municipalities & Non-commercial

The most positive healthcare development of the week was also a direct consequence of the prior week’s worst incident. Signature Healthcare’s Brockton Hospital — which had been diverting ambulances, cancelling chemotherapy, and reverting to paper records since April 6 after the Anubis ransomware group’s attack — restored normal services on April 15, including resuming full ambulance service. The Boston Globe reported that Anubis’s one-week ransom deadline had passed; Signature Healthcare was subsequently removed from the group’s leak site, though the hospital has not confirmed whether a payment was made or the outcome of negotiations. Anubis had claimed 2 TB of patient data.

The University of Mississippi Medical Center was claimed by Medusa ransomware during the week, according to Bitdefender’s April 2026 threat debrief. UMMC is the state’s only academic medical centre and Level I trauma centre, serving Mississippi’s most critically ill and injured patients. The compromise of a regional trauma hub carries particular patient safety implications.

ACN Healthcare was listed by the Lynx ransomware group on April 10. The scope of the breach and data exfiltration claims had not been publicly detailed by the end of the week.

3.3 Business

Clearwater Marine Aquarium in Florida — known for housing Winter the dolphin, subject of the Dolphin Tale films — was listed on Qilin’s leak site on approximately April 15–16, with 84 GB of alleged exfiltrated data. BreachSense confirmed the posting. The aquarium operates as a non-profit marine life hospital and tourist attraction; the targeting of a non-profit conservation facility illustrates that Qilin’s affiliates make no operational distinction between charitable organisations and commercial enterprises when selecting victims.

Wright-Ryan Construction, a regional contractor, was claimed by the Incransom ransomware group on April 10. Netgain Networks was listed by Akira on the same day. Campbell University in North Carolina was also claimed by Incransom on April 11, marking one of the week’s few attacks on a US higher education institution.

A notable extortion incident at the boundary of ransomware and cybercrime involved McGraw-Hill Education, where a threat actor exploited a Salesforce misconfiguration to access and threaten to publish company data. While not a traditional ransomware deployment, the incident reflects the growing prevalence of data-extortion operations that dispense with encryption entirely in favour of pure theft-and-publication leverage.


4. REST OF WORLD

4.1 Government

No new government-sector incidents were confirmed in Africa, South America, Oceania, or the Middle East during the week, beyond the Philippines DPWH claim described under Asia.

4.2 Health, Municipalities & Non-commercial

No incidents reported this week.

4.3 Business

Desprès Mécanique Mobile Inc., a Canadian automotive repair company, was listed by Qilin alongside the German Herth+Buss claim — appearing to be part of the same coordinated automotive-sector campaign on April 13.


5. THREAT ACTOR ACTIVITY

Qilin remained the world’s most prolific ransomware operation by confirmed victim count, extending its run of dominance into week 16. New victims included Herth+Buss (Germany, automotive manufacturing), Clearwater Marine Aquarium (US, 84 GB), Desprès Mécanique Mobile (Canada), and Limkon (April 17). Together with DragonForce, Qilin accounted for 39 of the approximately 185 victims tracked in the April 8–15 window — roughly 21% of global activity. The group continues to use bring-your-own-vulnerable-driver (BYOVD) tooling to disable over 300 EDR products, a technique documented alongside the Warlock group in week 15, which makes Qilin intrusions substantially harder to detect for security operations teams that rely on endpoint detection alone.

Medusa / Storm-1175 had an operationally significant week. On April 13, CISA added CVE-2023-21529 — a Microsoft Exchange vulnerability — to its Known Exploited Vulnerabilities catalog, directly tied to Storm-1175’s Medusa deployment chain. The addition came alongside five other flaws, including a Windows CLFS privilege escalation bug and a 14-year-old VBA remote code execution vulnerability that is still being actively exploited. Federal agencies were given an April 27 remediation deadline. Confirmed Medusa victims during the week included the University of Mississippi Medical Center and Passaic County, New Jersey — consistent with Microsoft’s disclosure in week 15 that Storm-1175 often moves from initial Exchange access to full Medusa deployment within 24 hours.

APT73 / Bashe claimed the Philippines DPWH using its characteristic double-extortion countdown approach. The group has been expanding its focus toward government and public-sector targets in Southeast Asia, where cybersecurity capabilities in national ministries often lag behind those of private-sector organisations.

Gunra emerged as a group to watch after claiming two high-profile Thai targets on approximately April 8. CYFIRMA highlighted the group in its April 17 intelligence report as a newly active threat with apparent geographic focus on Southeast Asian energy and transport sectors.

DragonForce continued posting at high volume, with Ransom-DB’s daily digest recording 12 DragonForce victims in a single day during the week. The group has now surpassed 438 claimed organisations. DragonForce is believed to be absorbing former RansomHub affiliates following law enforcement disruptions to that operation.

NightSpire had 74 confirmed victims in Q1 2026 and 175 in total across 28 industries. AttackIQ published a detailed emulation profile for NightSpire on April 14, enabling defenders to test their controls against the group’s specific tactics, techniques, and procedures. Huntress also released an indicator-of-compromise analysis during the week.

Microsoft Patch Tuesday (April 14) patched 167 vulnerabilities, the largest single-month release of 2026 to date. The most significant was CVE-2026-32201, a SharePoint Server spoofing vulnerability actively exploited in the wild that can be chained with ransomware delivery post-exploitation. Defenders should treat SharePoint Server patching as a time-sensitive priority.

The FBI IC3 2025 Annual Report, released April 6 and receiving major coverage throughout week 16, quantified what incident reports have long suggested: healthcare was the single most targeted sector for ransomware in 2025, with 460 attacks and 182 data breaches — 642 cyber events in total. The top ransomware variants by FBI complaint volume were Akira, Qilin, INC/Lynx/Sinobi, BianLian, Play, RansomHub, LockBit, DragonForce, SafePay, and Medusa — a list that maps closely to the groups active in week 16.


6. KEY TAKEAWAYS

The ChipSoft patient data confirmation should be read alongside the FBI’s healthcare statistics as a coherent warning: healthcare data theft is no longer a risk to be theorised about; it is a routine operational outcome of ransomware attacks on the sector. When a healthcare software vendor is compromised, the resulting data exposure cascades across every connected institution. The 66 breach notifications filed with the Dutch regulator — all arising from a single vendor compromise — illustrate the multiplicative damage that supply-chain attacks inflict on sectors with high interconnectivity and concentrated technology dependencies.

Storm-1175’s confirmed targeting of the University of Mississippi Medical Center, combined with CISA’s KEV addition of the Exchange vulnerability used for initial access, presents defenders with a narrow remediation window. The group’s documented progression from initial access to Medusa deployment, often within 24 hours, means that unpatched Exchange instances facing the internet should be treated as actively compromised until proven otherwise. Organisations in healthcare, education, and local government — Storm-1175’s preferred sectors — should validate their Exchange patching posture immediately.
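One way to turn the KEV addition above and the "validate your Exchange patching posture" recommendation into a repeatable check is to cross-reference an asset inventory against the CISA KEV feed and rank the gaps by due date and ransomware linkage. The following is an added example, not code from the report or from CISA; the KEV fragment and the host inventory are constructed, and CVE-0000-00000 and CVE-1111-11111 are placeholder identifiers.

```python
import json
from datetime import date

# Constructed KEV-style fragment (same field names as CISA's real feed). The Exchange
# entry mirrors the report: added April 13, federal due date April 27, ransomware use known.
# CVE-0000-00000 is a placeholder standing in for any other catalog entry.
KEV_JSON = """{"vulnerabilities": [
 {"cveID": "CVE-2023-21529", "vendorProject": "Microsoft", "product": "Exchange Server",
  "dateAdded": "2026-04-13", "dueDate": "2026-04-27", "knownRansomwareCampaignUse": "Known"},
 {"cveID": "CVE-0000-00000", "vendorProject": "Example", "product": "Example Product",
  "dateAdded": "2026-04-14", "dueDate": "2026-04-28", "knownRansomwareCampaignUse": "Unknown"}
]}"""

# Constructed inventory: each host lists the CVEs its installed build still lacks a fix for.
INVENTORY = [
    {"host": "mail01.example.internal", "internet_facing": True,
     "missing_cves": ["CVE-2023-21529"]},
    {"host": "mail02.example.internal", "internet_facing": False,
     "missing_cves": []},
    {"host": "app01.example.internal", "internet_facing": True,
     "missing_cves": ["CVE-0000-00000", "CVE-1111-11111"]},  # second id is not in KEV
]


def load_kev(raw: str) -> dict:
    """Index KEV entries by CVE id."""
    return {v["cveID"]: v for v in json.loads(raw)["vulnerabilities"]}


def triage(inventory: list, kev: dict, today_iso: str) -> list:
    """Cross-reference missing patches with KEV and rank the findings.

    Ranking: internet-facing hosts missing a fix with known ransomware use come first
    (treat as compromised until proven otherwise), then other ransomware-linked entries,
    then the rest by days left. days_left goes negative once the due date has passed.
    """
    today = date.fromisoformat(today_iso)
    findings = []
    for host in inventory:
        for cve in host["missing_cves"]:
            entry = kev.get(cve)
            if entry is None:
                continue  # unpatched, but not in the known-exploited catalog
            ransomware = entry["knownRansomwareCampaignUse"] == "Known"
            findings.append({
                "host": host["host"],
                "cve": cve,
                "days_left": (date.fromisoformat(entry["dueDate"]) - today).days,
                "ransomware": ransomware,
                "assume_compromised": ransomware and host["internet_facing"],
            })
    findings.sort(key=lambda f: (not f["assume_compromised"], not f["ransomware"], f["days_left"]))
    return findings
```

Run against the live feed by replacing KEV_JSON with the downloaded catalog and INVENTORY with the output of your own patch-state query; an "assume_compromised" finding should open an incident, not a ticket.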

The Spring Lake Park school closure and the Passaic County municipal compromise, occurring in the same week, reinforce a pattern that has persisted throughout 2026: local governments and school districts continue to be harvested as soft targets. These organisations face a structural disadvantage — underfunded IT departments, aging infrastructure, and limited access to enterprise-class security tooling — that ransomware operators exploit systematically. The national-level response required for Winona County in week 15 and the school closures in week 16 suggest that meaningful improvement requires policy intervention, not just organisational investment.

Gunra’s simultaneous targeting of a Thai airline and petroleum trading company is consistent with a deliberate strategy of maximising economic leverage through sector disruption rather than opportunistic soft-target selection. Defenders in Southeast Asian critical infrastructure — aviation, energy, maritime logistics — should treat the Gunra emergence as an indicator that the region faces increasing attention from ransomware operators who have already exhausted low-hanging fruit in Western markets.


Sources

Primary sources (RSS feeds)

  • BleepingComputer
  • The Hacker News
  • SecurityWeek
  • The Record by Recorded Future
  • Help Net Security
  • Dark Reading
  • CISA Cybersecurity Advisories
  • Microsoft Security Blog
  • Cisco Talos Intelligence
  • Check Point Research
  • Trend Micro Research
  • Sophos News
  • Huntress
  • CYFIRMA Research
  • Ransomware.live
  • RedPacket Security
  • DeXpose
  • Ransom-DB
  • PurpleOps