On July 3, 2026, breach monitoring services reported a surge in data breach disclosures, attributed to the activities of several prominent ransomware gangs. Threat actors including INC_RANSOM, ANUBIS, Bashe, and Qilin have publicly listed a diverse set of new victims on their data leak sites. The targets span multiple continents and a wide array of industries, including logistics, manufacturing, healthcare, government, and technology. This wave of attacks underscores the persistent and global nature of the ransomware-as-a-service (RaaS) ecosystem, where multiple syndicates operate in parallel to extort organizations of all sizes.
The attacks represent classic double-extortion ransomware campaigns, where data is first stolen and then encrypted. The public listing of victims is a tactic to pressure them into paying the ransom.
This group was highly active, claiming responsibility for breaches at:
This gang targeted organizations in Europe and the US:
This actor claimed victims in Europe and Asia:
This well-known RaaS group added an Australian entity to its list:
While specific TTPs for each breach are not detailed, these ransomware groups generally follow a similar attack lifecycle:
T1566 - Phishing), exploitation of public-facing applications like VPNs or RDP (T1190 - Exploit Public-Facing Application), or through credentials purchased from initial access brokers.
T1041 - Exfiltration Over C2 Channel).
T1486 - Data Encrypted for Impact) and deleting backups (T1490 - Inhibit System Recovery).
The impact on the victim organizations is severe, encompassing operational downtime, significant financial costs for recovery and potential ransom payments, regulatory fines for data breaches, and long-term reputational damage. The diversity of victims—from municipal governments and healthcare providers to manufacturing and logistics companies—demonstrates that no industry is safe. The global distribution of victims (Brazil, USA, Switzerland, Italy, Vietnam, Australia) highlights the international reach of these ransomware syndicates.
No specific Indicators of Compromise (IOCs) were disclosed in the reports.
Security teams can hunt for common ransomware TTPs to detect these groups. The following patterns could indicate related activity:
powershell.exe
Windows Security Event Logs
wmic.exe shadowcopy delete
M1032 - Multi-factor Authentication).
M1030 - Network Segmentation).
M1017 - User Training).
Enforcing MFA on all remote access points is a critical defense against initial access via compromised credentials.
Offline and immutable backups are essential for recovery without paying a ransom.
Segmentation limits the blast radius of a ransomware infection.
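The shadow-copy deletion pattern from the hunting guidance above (T1490), as an added example that is not part of the original report: a small Python hunt over constructed process-creation records. The flattened `host|parent|image|command line` record layout, the function names, and the `vssadmin delete shadows` rule are assumptions; the second rule goes beyond the `wmic.exe shadowcopy delete` pattern the report names.

```python
import re

# Constructed sample records in the style of Windows Security Event ID 4688
# (process creation), flattened to "host|parent|image|command line".
# The layout is an assumption for this example, not a real export format.
SAMPLE_EVENTS = [
    r"WS01|explorer.exe|C:\Windows\System32\notepad.exe|notepad.exe report.txt",
    r"FS02|cmd.exe|C:\Windows\System32\wbem\WMIC.exe|wmic.exe shadowcopy delete",
    r"FS02|powershell.exe|C:\Windows\System32\wbem\WMIC.exe|WMIC  ShadowCopy  Delete",
    r"DC01|powershell.exe|C:\Windows\System32\vssadmin.exe|vssadmin.exe delete shadows /all /quiet",
    r"WS03|cmd.exe|C:\Windows\System32\vssadmin.exe|vssadmin list shadows",
]

# Command-line patterns for shadow copy deletion (T1490 - Inhibit System Recovery).
# Matching is case-insensitive and tolerant of extra whitespace and the .exe suffix.
RULES = [
    ("wmic shadowcopy delete",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("vssadmin delete shadows",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
]

def parse_event(line):
    """Split one flattened record into its four fields."""
    host, parent, image, cmdline = line.split("|", 3)
    return {"host": host, "parent": parent.lower(), "image": image, "cmdline": cmdline}

def hunt(lines):
    """Return one hit per record whose command line matches a T1490 rule."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        for name, pattern in RULES:
            if pattern.search(ev["cmdline"]):
                hits.append({
                    "host": ev["host"],
                    "rule": name,
                    "technique": "T1490",
                    # A PowerShell parent suggests the deletion was scripted.
                    "powershell_parent": ev["parent"] == "powershell.exe",
                    "cmdline": ev["cmdline"],
                })
                break  # one hit per record is enough
    return hits

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```

Read-only use of the same tools, such as `vssadmin list shadows`, does not match, which keeps routine backup administration out of the results.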
Multiple ransomware groups list new victims on their data leak sites.

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.