Ransomware Activity Tracker
Qilin leads tracked ransomware groups by victim count with 226 cases, followed by Akira with 90 and Nova with 85 as of early July 2026. Recent activity spans established operations like Stormous (51 victims, pro-Russian orientation) and emerging threats including Prinz Eugen, plus infrastructure attacks on schools and manufacturing firms; credential theft campaigns linked to Lynx and INC ransomware suggest coordinated intrusion pipelines. Law enforcement disrupted the AudiA6 cryptocurrency laundering service in June, estimated to have moved over €336 million for ransomware actors and other criminal networks.
- qilin
Qilin ransomware was first observed in July of 2022. Qilin Ransomware is written in Golang and supports multiple encryption modes; all of which are controlled by the operator. Qilin actors practice double extortion – demanding payment for a decryptor, as well as for the non-relea…
- akira
The Akira ransomware group is said to have emerged in March 2023, and there's much speculation about its ties to the former CONTI ransomware group. It's worth noting that with the end of CONTI's operation, several affiliates migrated to independent campaigns such as Royal, BlackB…
- safepay
SafePay emerged in September 2024 as a rapidly growing ransomware operation that explicitly disavows the RaaS model and manages all operations internally, claiming over 300 victims worldwide by mid-2025 with a high-profile early attack against UK telematics firm Microlise stealin…
- nova
Nova (formerly RALord) is a ransomware-as-a-service (RaaS) group that encrypts victims’files and uses double-extortion tactics to pressure organizations into paying for decryption and data non-disclosure.
- Židlochovice city
…s: https://www.denik.cz/regiony/zidlochovice-hackeri-kyberneticky-utok-vykupne-data-software-ransomware-kldr.html https://www.irozhlas.cz/zpravy-domov/poslete-bitcoiny-nebo-vas-nepustime-k-datum-urad-v-zidlochovicich-zjistuje-skody_2603172012_bva https://www.zidlochovice.c
- New Prinz Eugen ransomware prioritizes recent files for encryption
A new ransomware operation named 'Prinz Eugen' prioritizes recently modified files for encryption and does not leave a ransom note on the system.
- Cybersecurity firm says it found 'the first documented case' of AI agentic ransomware
Sysdig researchers documented the first agentic AI ransomware attack, named 'Jade Puffer,' where an AI model orchestrated a complex ransomware campaign. The attack lowered the barrier to entry for ransomware by automating…
- New Avalon Malware Framework Packs CrownX Ransomware Capabilities
…Avalon integrates credential collection, lateral movement, remote access, recovery disruption, and ransomware execution, combining diverse functions under one framework.
- Authorities disrupt Evil Corp’s SocGholish botnet
Authorities disrupted Evil Corp’s SocGholish botnet, a malware framework used since 2017 to steal data and deploy ransomware. The multinational takedown involved seizing 106 servers, remediating 15,000 infected websites, and…
- JadePuffer ransomware used AI agent to automate entire attack
Researchers identified the first documented case of the JadePuffer ransomware operation, which was conducted entirely by a large language model (LLM) agent. The attack was automated using an AI agent, marking a…
- AI Agent Exploits Langflow RCE to Automate Database Ransomware Attack
Sysdig, a security firm, reports discovering the first ransomware attack fully executed by an AI agent named JADEPUFFER. The AI agent conducted a database ransomware attack by infiltrating systems, stealing credentials, moving…
- ETHS closes Monday, Tuesday after ransomware attack disrupts systems
Evanston Township High School will be closed on Monday and Tuesday following a ransomware attack that disrupted district systems, internet services, and computer infrastructure.
- Blackfield ransomware asks Nidec Corporation for $2 million ransom
The Blackfield ransomware gang is demanding a $2 million ransom from Nidec Corporation, a Japanese manufacturer of electronic components for automotive and computing applications.
- How current is the ransomware data?
- The Underground tracker ingests leak-site and threat-actor activity continuously; this page refreshes on a short cache cadence so the evidence list stays close to live.
- Does this confirm a victim was breached?
- No. Leak-site postings are claims made by threat actors. The Nexus surfaces them alongside reporting so you can assess corroboration yourself.