Skip to content
The Nexus
Topic · Cyber312 cited itemsLatest Jul 8, 2026

Ransomware Activity Tracker

Qilin leads tracked ransomware groups by victim count with 226 cases, followed by Akira with 90 and Nova with 85 as of early July 2026. Recent activity spans established operations like Stormous (51 victims, pro-Russian orientation) and emerging threats including Prinz Eugen, plus infrastructure attacks on schools and manufacturing firms; credential theft campaigns linked to Lynx and INC ransomware suggest coordinated intrusion pipelines. Law enforcement disrupted the AudiA6 cryptocurrency laundering service in June, estimated to have moved over €336 million for ransomware actors and other criminal networks.

Underground276 matches
  • Jul 8, 2026Group · 250 victims
    qilin

    Qilin ransomware was first observed in July of 2022. Qilin Ransomware is written in Golang and supports multiple encryption modes; all of which are controlled by the operator. Qilin actors practice double extortion – demanding payment for a decryptor, as well as for the non-relea…

  • Jul 8, 2026Group · 100 victims
    akira

    The Akira ransomware group is said to have emerged in March 2023, and there's much speculation about its ties to the former CONTI ransomware group. It's worth noting that with the end of CONTI's operation, several affiliates migrated to independent campaigns such as Royal, BlackB…

  • Jul 6, 2026Group · 76 victims
    safepay

    SafePay emerged in September 2024 as a rapidly growing ransomware operation that explicitly disavows the RaaS model and manages all operations internally, claiming over 300 victims worldwide by mid-2025 with a high-profile early attack against UK telematics firm Microlise stealin…

  • Jun 26, 2026Group · 85 victims
    nova

    Nova (formerly RALord) is a ransomware-as-a-service (RaaS) group that encrypts victims’files and uses double-extortion tactics to pressure organizations into paying for decryption and data non-disclosure.

  • Jun 15, 2026Victim
    Židlochovice city

    …s: https://www.denik.cz/regiony/zidlochovice-hackeri-kyberneticky-utok-vykupne-data-software-ransomware-kldr.html https://www.irozhlas.cz/zpravy-domov/poslete-bitcoiny-nebo-vas-nepustime-k-datum-urad-v-zidlochovicich-zjistuje-skody_2603172012_bva https://www.zidlochovice.c

Articles36 matches
Frequently asked
How current is the ransomware data?
The Underground tracker ingests leak-site and threat-actor activity continuously; this page refreshes on a short cache cadence so the evidence list stays close to live.
Does this confirm a victim was breached?
No. Leak-site postings are claims made by threat actors. The Nexus surfaces them alongside reporting so you can assess corroboration yourself.
More topics