Ransomware summary week 17, 2026

Week 17 saw Qilin dominate globally with 30+ victims including Toyota supplier Denso and Canada’s Manulife Wealth, while two significant developments signalled an evolution in ransomware tradecraft: the Kyber group deployed the first confirmed production-grade post-quantum encryption in a ransomware attack, and Trigona resumed operations after nearly three years of dormancy with a custom data exfiltration tool.
ransomware
Published April 25, 2026

Executive Summary

The week of April 17–24, 2026, was marked above all by volume and by two developments that point toward where ransomware is heading. Qilin posted over 30 new victims on multiple continents in a seven-day period, claiming targets ranging from Denso, a global automotive components manufacturer supplying Toyota, to Manulife Wealth in Canada and the City of Napoleon in Ohio. That breadth of targeting, spanning critical manufacturing, financial services, municipal government, and healthcare in a single week, illustrates why Qilin has become the world’s most prolific ransomware operation.

The week’s most technically significant story came from a previously unknown group calling itself Kyber. BleepingComputer and Rapid7 reported on April 22 that Kyber had conducted a confirmed attack on a multi-billion-dollar US defence contractor and IT services provider using a Windows variant that properly implements post-quantum key establishment: the Kyber1024 key-encapsulation mechanism (the lattice-based scheme behind NIST’s ML-KEM-1024 standard) combined with classical X25519 key agreement, with the derived key used for AES-CTR file encryption. While the group’s ESXi variant falsely claims the same capability and in fact uses ChaCha8 with RSA-4096 key wrapping, the Windows implementation is technically credible. This represents the first confirmed production deployment of post-quantum cryptography in a ransomware campaign, raising the prospect that victims who retain encrypted data in the hope that future quantum computers will break the asymmetric key wrapping and allow recovery without paying may find that strategy foreclosed.

Trigona’s return was the week’s second notable tradecraft development. The group was effectively disabled in October 2023 when Ukrainian hacktivists seized its infrastructure, but Symantec’s analysis published April 23 confirmed that Trigona has been conducting fresh attacks since at least March 2026, now equipped with a custom exfiltration tool called uploader_client.exe that rotates TCP connections after every two gigabytes of transferred data and restricts uploads to authenticated sessions. The tool significantly complicates forensic reconstruction of what data was stolen.

Silent Ransom Group continued its focused campaign against US and UK law firms, posting four firms during the week — Jackson Lewis, Rutan & Tucker, Fagen Friedman & Fulfrost, and Chartwell Law — while CoinbaseCartel, which exfiltrates rather than encrypts, posted 13 victims in a single batch including French energy giant Engie, US telecommunications infrastructure company Commscope, and the Indonesian Ministry of Agriculture.

Key Statistics:

  • Global: 100+ victims posted across all groups in the April 17–24 window; Qilin alone accounts for approximately 30% of confirmed activity; active groups include Qilin, Akira, DragonForce, TheGentlemen, CoinbaseCartel, INC Ransom, Silent Ransom Group, and newly emerged Kyber
  • Europe: Double-digit victims across Germany, France, UK, Denmark, Ireland, Spain, Greece, Austria, Belgium, Switzerland, Sweden, and Poland; notable groups: Qilin, Akira, DragonForce, CoinbaseCartel, TheGentlemen
  • Asia: High-profile manufacturing and energy targets; Denso (Japan), Star Energy Geothermal Salak (Indonesia), Indonesian Ministry of Agriculture among victims; groups: Qilin, RansomHouse, CoinbaseCartel, TheGentlemen
  • US: Municipal government, healthcare, law, manufacturing, and telecom all targeted; Incyte Corporation (biopharma), Commscope (telecom), Rheem (manufacturing), TruGreen (services) among notable victims; Kyber claims unnamed defence contractor
  • Other: Canada, Colombia, Brazil, Peru, Australia, Saudi Arabia all affected; Manulife Wealth (Canada), Cooperativa de Hospitales de Antioquia (Colombia), Peru LNG among notable victims

1. EUROPE

1.1 Government

No ransomware incidents affecting European government agencies or ministries were confirmed during the week. The political and regulatory context from week 16 — the Dutch Parliament’s extraordinary hearing on ChipSoft and the Justice Minister’s warning that the Netherlands should “expect more big hacks” — continued to shape the policy debate, but no new government-sector incidents emerged.

1.2 Health, Municipalities & Non-commercial

European healthcare organisations sustained a concentrated wave of ransomware activity during the week. In Germany, medicalnetworks CJ GmbH & Co. KG — an integrated healthcare solutions provider — was claimed by DragonForce on April 17, while Pharmathek, a developer of automated pharmaceutical warehouse systems, was listed by Akira the same day. The near-simultaneous targeting of a healthcare IT integrator and a pharmacy automation specialist reflects the sector’s attractiveness to ransomware operators: both companies sit at the intersection of clinical workflows and digital infrastructure, giving attackers leverage across multiple downstream healthcare organisations.

In France, STERIMED — a manufacturer of medical packaging and sterilisation products used across hospital supply chains — was claimed by Qilin on April 21. The attack on a sterilisation supplier is operationally significant because disruption to packaging integrity or supply continuity can affect the safety of surgical instruments and single-use devices. In Denmark, Nordenta, a subsidiary of the Swedish listed company LIFCO that operates dental clinics, was claimed by the relatively new Kairos group on April 20.

1.3 Business

Qilin drove most of the week’s European business-sector activity. In Germany, the group posted Marc Cain — a premium fashion brand — on April 24, along with Huonker GmbH (manufacturing) and SEL Safety Engineering Lab on April 21 and April 20 respectively. Akira separately targeted Gumpp Kunststoffe, a technical textiles and plastics manufacturer, on April 23. France produced the week’s single most consequential European target: Engie, the multinational energy utility employing over 170,000 people across 70 countries, was listed by CoinbaseCartel on April 20. CoinbaseCartel conducts data exfiltration rather than encryption, but the implied access to internal data at one of Europe’s largest energy companies carries significant implications for critical infrastructure security.

In the United Kingdom, Qilin posted Clearview Intelligence and Point Four EPoS Solutions, while Silent Ransom Group claimed Chartwell Law, continuing its concentrated campaign against legal services firms. Atkinson Ritson Solicitors was also listed under Qilin. In Ireland, The Go Solution was listed by Qilin and SmartSystems by TheGentlemen, while Italian winery Marchesi di Barolo, one of the most historic producers in Piedmont, and Belgian manufacturer Anderlues were both posted by TheGentlemen in the group’s large April 19 batch. Spain’s Industrial Carrocera Arbuciense and Equatorial Coca-Cola Bottling were listed by Qilin and WorldLeaks respectively. Greece’s Primius Law Firm was claimed by DragonForce on April 22, while Austria’s Mag. Fünder Hausverwaltungs GmbH and Sweden’s Dorotea Sweden were both listed by INC Ransom.


2. ASIA

2.1 Government

The Indonesian Ministry of Agriculture — Kementerian Pertanian — was listed by CoinbaseCartel on April 23. Given CoinbaseCartel’s model of extended persistent access followed by data publication, the claim implies the group may have had access to the ministry’s systems for months before surfacing the listing. The ministry is responsible for agricultural policy and food security for a nation of 280 million people; exposure of internal communications, procurement data, and policy documents carries significant diplomatic and economic sensitivity.

2.2 Health, Municipalities & Non-commercial

No incidents reported this week.

2.3 Business

The most significant Asian victim of the week was Denso Corporation, the Japanese automotive components manufacturer that is Toyota’s largest supplier and ranks among the world’s biggest automotive parts producers. Qilin posted Denso on April 24. A leak-site listing does not by itself establish that production was disrupted, but an attack of this profile on a Tier 1 automotive supplier inevitably recalls the February 2022 ransomware attack on Kojima Industries, which forced Toyota to halt all domestic production for a day, and will prompt scrutiny of the automotive sector’s supply-chain resilience in Japan and globally.

Star Energy Geothermal Salak, an Indonesian geothermal power operator, was claimed by RansomHouse on April 24, the same group that listed Chinese battery manufacturer Jiangsu Zenergy Battery Technologies on April 21. In China, Uniview Technologies — a security camera and surveillance equipment manufacturer — was posted by TheGentlemen on April 23. Kolin Turkey, one of Turkey’s largest diversified industrial conglomerates operating across construction, tourism, and infrastructure, was claimed by Qilin on April 21. HBX Group in Singapore, a travel technology platform, was listed by Qilin on April 17. Playmates Toys in Hong Kong was posted by CoinbaseCartel on April 20. India’s Flipo Group was claimed by Qilin on April 24.


3. UNITED STATES

3.1 Government

Two US municipal governments appeared on ransomware leak sites during the week. The City of Napoleon, Ohio, was listed by Qilin on April 23. Rusk County, Wisconsin — whose county website ruskcountywi.us was specifically referenced in the Qilin posting on April 21 — became another example of the group’s willingness to target small county-level governments with limited cybersecurity resources. Both incidents follow the pattern established by Medusa/Storm-1175 in prior weeks, confirming that multiple ransomware operations are simultaneously pursuing local government targets as relatively accessible entry points.

3.2 Health, Municipalities & Non-commercial

Incyte Corporation, a NASDAQ-listed biopharmaceutical company with over $4 billion in annual revenue, was claimed by DragonForce on April 22. Incyte develops oncology and immunology therapeutics, and a compromise of its research systems, clinical trial data, or proprietary compound libraries would represent a significant theft of intellectual property. Virginia Health Services was listed by WorldLeaks on April 23. Salimetrics, a salivary bioscience research company supporting clinical diagnostics, was posted by Akira on April 21.

The nonprofit sector was also represented: Priests for Life, a US Catholic advocacy organisation, was listed by Qilin on April 24 — a reminder that Qilin affiliates show no preference for commercially significant targets over charitable or religious organisations when selecting victims.

3.3 Business

Silent Ransom Group posted three US law firms during the week — Jackson Lewis, one of the country’s largest employment law firms with over 900 attorneys; Rutan & Tucker, a prominent California business and real estate firm; and Fagen Friedman & Fulfrost, which specialises in legal services to US school districts and educational institutions. The concentration on legal services is a defining feature of Silent Ransom Group, which counts 95 of its 106 total known victims as US-based business and financial services organisations. The consistent targeting of law firms reflects the sector’s combination of sensitive client data, typically modest cybersecurity investment relative to the value of the information held, and strong financial incentive for clients to avoid public disclosure of a breach.

Among manufacturing and infrastructure targets, Rheem — one of the United States’ largest manufacturers of water heaters, boilers, and HVAC systems — was claimed by INC Ransom on April 20. Commscope, a major supplier of telecommunications network infrastructure including cabling, antennas, and connectivity systems used by carriers globally, was posted by CoinbaseCartel on April 20. Integer Holdings, which manufactures medical devices and is a major supplier to the cardiac rhythm management and neurostimulation markets, was listed by CoinbaseCartel on April 23. Aptim, a large US engineering and construction services firm with significant federal government contracts, was also posted by CoinbaseCartel on the same date. The clustering of CoinbaseCartel postings on April 20 and April 23 suggests a batch-publishing approach rather than newly initiated compromises.

TruGreen, the United States’ largest residential and commercial lawn care services company with millions of customer households, was listed by INC Ransom on April 22. Nanometrics, a semiconductor metrology company serving chip fabricators, was claimed by Qilin on April 19. Teamster Local 773 was listed by INC Ransom on April 22.


4. REST OF WORLD

4.1 Government

The Indonesian Ministry of Agriculture listing under CoinbaseCartel (described above in section 2.1) is the week’s primary government-sector incident outside Europe and the US.

4.2 Health, Municipalities & Non-commercial

Cooperativa de Hospitales de Antioquia, a Colombian hospital cooperative providing healthcare services across the Antioquia department, was listed by Qilin on April 20. Latin America’s healthcare sector has seen increasing ransomware attention in 2026, and the targeting of a cooperative that spans multiple hospital facilities amplifies the potential patient safety impact. In Brazil, TheGentlemen’s April 19 batch included Greenpharma — a pharmaceutical company — and Laboratório Santa Luzia, a clinical laboratory, alongside Americo Advogados. Lessard Dental in Edmonton, Canada, was listed by the Beast ransomware group with an estimated attack date of April 10.

The Roman Catholic Archdiocese of St. John in Canada was claimed by Qilin on April 21 — a religious institution with no obvious commercial leverage, reflecting the opportunistic breadth of Qilin’s targeting criteria.

4.3 Business

Canada produced several notable business-sector victims. Manulife Wealth — a subsidiary of Manulife Financial, one of Canada’s largest insurance and financial services groups — was listed by Qilin on April 23. Sea Air International Forwarders, a Canadian freight logistics company, was claimed by Qilin on April 21. Integra Architecture in Vancouver was listed by Akira on April 20.

Peru LNG, which operates Peru’s sole LNG export terminal and is a major source of national energy export revenue, was posted by CoinbaseCartel on April 23 alongside Peruvian technology company Sanna Web and Brazilian telecom Sea Telecom Br. Australia saw three Kairos and DragonForce victims: Champion Homes — a Sydney residential builder — was claimed by DragonForce on April 21; Gregory Jewellers and Strata Republic were both listed by Kairos on April 22 and April 17 respectively. Saudi Arabia’s Aluminum Products Company was claimed by INC Ransom on April 17. In South Africa, food ingredients supplier Sunspray Food was included in TheGentlemen’s April 19 batch. Venezuela’s meditron.com.ve, a medical equipment distributor, was claimed by Payload on April 23.


5. THREAT ACTOR ACTIVITY

Qilin was the dominant ransomware operation of the week by a substantial margin, posting over 30 victims across North America, Europe, Asia, Latin America, and Oceania. The group’s current infrastructure supports a high-tempo affiliate model that shows no geographic or sector preference — Denso and Manulife Wealth sit alongside Napoleon City Hall and Priests for Life in the same week’s victim list. Qilin has now claimed approximately 1,730 victims since October 2022. Its technical tradecraft continues to include Cobalt Strike deployment, Evilginx for credential harvesting, and BYOVD techniques to disable endpoint detection tools.

Kyber emerged as the week’s most technically significant new threat. BleepingComputer and Rapid7 reported on April 22 that a confirmed Kyber attack on a multi-billion-dollar US defence contractor and IT services provider used a Windows variant with genuine post-quantum key establishment: the Kyber1024 key-encapsulation mechanism (the lattice-based scheme on which NIST’s ML-KEM-1024 standard is based) combined with classical X25519 key agreement, with the derived key driving AES-CTR file encryption. Kyber1024 and X25519 are distinct primitives, one post-quantum and one conventional elliptic-curve; combining them means the file keys stay protected unless both are broken. This is the first confirmed production deployment of post-quantum cryptography in a ransomware campaign. The ESXi variant, by contrast, falsely claims post-quantum encryption but uses ChaCha8 with RSA-4096 key wrapping, leaving it in the conventional category. The practical implication for defenders is narrower than the headline but still real: the hope of recovering ransomed data with a future quantum computer only ever applied to the asymmetric wrapping of the file keys (RSA, X25519), since symmetric ciphers such as AES and ChaCha are not materially weakened by known quantum algorithms (Grover’s search at best halves the effective key length). Organisations that retain encrypted data on that basis must now treat at least some ransomware groups as having credibly foreclosed the option.

Trigona resumed active operations after nearly three years of dormancy, following the Ukrainian hacktivist seizure of its infrastructure in October 2023. Symantec’s analysis published April 23 documented attacks beginning as early as March 2026, showing the group has returned with enhanced capabilities including a custom exfiltration tool designated uploader_client.exe. The tool establishes up to five simultaneous file transfer connections, rotates TCP sessions after every two gigabytes of transferred data to complicate traffic analysis, restricts sessions with an authentication key to prevent interference, and selectively targets file types of high intelligence value. The group also deploys the Huorong/HRSword kernel driver via BYOVD to disable security software, uses AnyDesk for remote access persistence, and demands Monero — all of which have changed since the group’s earlier campaigns. Trigona’s reconstitution demonstrates the difficulty of permanently dismantling ransomware operations through infrastructure disruption alone.

Silent Ransom Group posted four law firms across the US and UK this week — Jackson Lewis, Rutan & Tucker, Fagen Friedman & Fulfrost (US), and Chartwell Law (UK). The group has now claimed 106 total victims, 95 of them US-based, with business and financial services representing its near-exclusive target sector. The consistent focus on legal firms suggests either specialised initial access capabilities tailored to legal IT environments, or a deliberate strategy exploiting the sector’s particular vulnerability to data-confidentiality exposure.

CoinbaseCartel posted 13 victims in concentrated batches on April 20 and April 23, with its characteristic data-exfiltration-only model — no encryption, pure leverage from the threat of publication. Its most significant targets this week included Engie (France), Commscope and Integer Holdings (US), and the Indonesian Ministry of Agriculture. The group’s average delay of 536 days between compromise and publication suggests it maintains long-term persistent access before surfacing claims, meaning its April 2026 postings likely reflect intrusions conducted in late 2024 or early 2025.

TheGentlemen published a large batch of approximately 23 victims on April 19 spanning a striking range of geographies: South Africa, Brazil, Venezuela, Colombia, Ecuador, Ireland, France, Poland, Italy, Sweden, Thailand, Indonesia, Singapore, Taiwan, Denmark, and Belgium. The batch-publication model and the breadth of geographies suggest a data-broker or reseller operating on behalf of multiple access brokers rather than a traditional ransomware affiliate team conducting individual intrusions.

Akira continued at sustained volume with at least 12 victims during the week, including Pharmathek (Germany), Salimetrics (US), Gumpp Kunststoffe (Germany), and Integra Architecture (Canada). The group is now approaching 1,500 total victims since March 2023 and continues to gain initial access through Cisco, Fortinet and SonicWall VPN appliances, via known vulnerabilities and VPN accounts lacking multi-factor authentication.

DragonForce posted across multiple continents, claiming Incyte Corporation (US), medicalnetworks (Germany), Primius Law Firm (Greece), and Champion Homes (Australia). The group operates a ransomware-as-a-service model and has been absorbing affiliates from disrupted operations.

INC Ransom listed Rheem, TruGreen, Dorotea Sweden, and Saudi Arabia’s Aluminum Products Company among others, with healthcare remaining its primary long-term focus.


6. KEY TAKEAWAYS

The defining theme of week 17 is the simultaneous maturation of ransomware across two dimensions: scale and technology. Qilin demonstrated that a single affiliate operation can achieve genuine global reach, with dozens of victims on multiple continents in seven days, while Kyber showed that ransomware groups are beginning to incorporate post-quantum cryptography ahead of the quantum computing threshold that the security community has long treated as a distant concern.

The concentration of Silent Ransom Group activity against legal services firms warrants a sector-specific response. Law firms hold client communications, litigation strategy, M&A due diligence materials, and privileged correspondence that is often more sensitive than the data held by the corporate clients themselves. The group’s focus on this sector suggests it has either built tailored initial access capability or is systematically exploiting known weaknesses in legal IT security posture.

Trigona’s return is a reminder that infrastructure seizures do not destroy criminal groups — they temporarily displace them. The group’s return after nearly three years, equipped with more capable tooling than it had before, follows the pattern of LockBit’s attempted reconstitution after Operation Cronos. Defenders should treat disrupted ransomware operations as dormant rather than destroyed, and monitor for resumed activity.

CoinbaseCartel’s long-dwell intrusion model — posting victims 536 days on average after the underlying compromise — creates a particular challenge for incident response and regulatory disclosure programmes. Organisations that appear in CoinbaseCartel’s postings this week may only now be learning of intrusions that occurred in late 2024. This underscores the value of continuous threat intelligence monitoring beyond the perimeter, including tracking leak sites and extortion announcements for mentions of the organisation or its subsidiaries.
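One way to run that monitoring, added here as an example that is not part of the original article and does not use any tracker’s real API: a watchlist of the organisation, its subsidiaries and its domains is matched against leak-site postings (constructed here; the field names are assumptions) by normalised name tokens and by domain suffix, so that a subsidiary posted under its own brand or a domain of the parent is caught either way.

```python
"""Match leak-site postings against a watchlist of an organisation, its subsidiaries
and its domains.  Added example: the postings and watchlist below are constructed for
illustration and the record shape is not that of any particular tracker's feed."""

import re
from dataclasses import dataclass, field

# Corporate-form suffixes that vary between a leak-site listing and the registered name.
LEGAL_SUFFIXES = {"inc", "corp", "corporation", "co", "company", "ltd", "limited",
                  "llc", "plc", "gmbh", "kg", "ag", "sa", "srl", "bv", "nv"}


def normalise(name):
    """Lower-case alphanumeric tokens with corporate suffixes removed."""
    return [t for t in re.findall(r"[a-z0-9]+", name.lower()) if t not in LEGAL_SUFFIXES]


def domain_matches(victim_domain, watched_domain):
    """Exact match or subdomain of a watched registrable domain."""
    v, w = victim_domain.lower().strip("."), watched_domain.lower().strip(".")
    return bool(v) and (v == w or v.endswith("." + w))


def name_matches(victim_name, watched_name):
    """True when the watched name's tokens occur as a contiguous run in the victim name,
    so 'Manulife Wealth Inc.' matches 'Manulife Wealth' but 'Manu Life Sciences' does not."""
    v, w = normalise(victim_name), normalise(watched_name)
    if not w or len(w) > len(v):
        return False
    return any(v[i:i + len(w)] == w for i in range(len(v) - len(w) + 1))


@dataclass
class Watch:
    organisation: str
    subsidiaries: list = field(default_factory=list)
    domains: list = field(default_factory=list)


@dataclass(frozen=True)
class Posting:
    group: str
    victim: str
    domain: str
    posted: str


def match_postings(postings, watch):
    """Return (posting, reasons) for every posting that touches the watched estate."""
    names = [watch.organisation, *watch.subsidiaries]
    hits = []
    for p in postings:
        reasons = [f"domain:{d}" for d in watch.domains if domain_matches(p.domain, d)]
        reasons += [f"name:{n}" for n in names if name_matches(p.victim, n)]
        if reasons:
            hits.append((p, reasons))
    return hits


SAMPLE_POSTINGS = [  # constructed, not a real feed
    Posting("Qilin", "Manulife Wealth", "manulifewealth.ca", "2026-04-23"),
    Posting("CoinbaseCartel", "Commscope", "commscope.com", "2026-04-20"),
    Posting("ExampleGroup", "Manu Life Sciences Ltd", "manulifesci.example", "2026-04-19"),
    Posting("ExampleGroup", "undisclosed", "portal.manulife.ca", "2026-04-22"),
]

SAMPLE_WATCH = Watch("Manulife Financial",  # constructed watchlist
                     subsidiaries=["Manulife Wealth"],
                     domains=["manulife.ca", "manulife.com"])

if __name__ == "__main__":
    for posting, reasons in match_postings(SAMPLE_POSTINGS, SAMPLE_WATCH):
        print(posting.posted, posting.group, posting.victim, reasons)
```

The subsidiary is caught by name even though its domain is not under the parent’s, and the parent’s domain is caught even when the victim name is withheld; the look-alike “Manu Life Sciences” is not matched because token runs, not substrings, are compared. The watchlist is the part that needs maintaining: acquisitions, brands and registrable domains change, and a posting that names only an unfamiliar subsidiary is exactly the long-dwell case this section describes.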


Sources

Primary Sources

  • BleepingComputer — Kyber post-quantum ransomware report (April 22, 2026): https://www.bleepingcomputer.com/news/security/kyber-ransomware-gang-toys-with-post-quantum-encryption-on-windows/
  • BleepingComputer / Symantec — Trigona resumed operations with custom exfiltration tool (April 23, 2026): https://www.bleepingcomputer.com/news/security/trigona-ransomware-attacks-use-custom-exfiltration-tool-to-steal-data/
  • ransomware.live victim tracker: https://ransomware.live
  • Dexpose.io — Qilin victim tracker and analysis
  • FalconFeeds.io — ransomware victim intelligence
  • SecurityWeek — Angelo Martino BlackCat insider plea
  • The Record by Recorded Future — weekly ransomware coverage
  • Bitdefender Threat Debrief April 2026

RSS Feed Sources

  • BleepingComputer Security (bleepingcomputer.com/news/security/)
  • The Record by Recorded Future (therecord.media)
  • SecurityWeek (securityweek.com)
  • The Hacker News (thehackernews.com)
  • Krebs on Security (krebsonsecurity.com)
  • Dark Reading (darkreading.com)
  • Cyble Blog
  • Rapid7 Research (rapid7.com/blog/)
  • CYFIRMA Research
  • Recorded Future Threat Intel