Multiple Ransomware Groups Claim Victims Across Globe in Early July Spree

Ransomware Frenzy: INC, ANUBIS, Qilin and Bashe Hit Raft of Global Firms

Severity: HIGH
July 4, 2026
Categories: Ransomware, Data Breach, Threat Actor

Related Entities

Threat Actors

INC_RANSOM, ANUBIS, Bashe, Qilin

Organizations

City of Acworth, Georgia; Oak Park, Michigan

Other

Carvalima Transportes; Estrutural Zortéa; Hamilton Eye Institute; Ferrum Group; Quest Healthcare Solutions; Northeast Pediatrics & Adolescent Medicine; Flazio; Rita Võ Group; Pennant Hills Golf Club

Full Report

Executive Summary

On July 3, 2026, breach monitoring services reported a surge in data breach disclosures, attributed to the activities of several prominent ransomware gangs. Threat actors including INC_RANSOM, ANUBIS, Bashe, and Qilin have publicly listed a diverse set of new victims on their data leak sites. The targets span multiple continents and a wide array of industries, including logistics, manufacturing, healthcare, government, and technology. This wave of attacks underscores the persistent and global nature of the ransomware-as-a-service (RaaS) ecosystem, where multiple syndicates operate in parallel to extort organizations of all sizes.

Threat Overview

The attacks represent classic double-extortion ransomware campaigns, where data is first stolen and then encrypted. The public listing of victims is a tactic to pressure them into paying the ransom.

INC_RANSOM

This group was highly active, claiming responsibility for breaches at:

  • Carvalima Transportes (Brazilian logistics firm)
  • Estrutural Zortéa (Brazilian industrial engineering company)
  • Hamilton Eye Institute (US healthcare provider)
  • City of Acworth, Georgia (US municipal government)
  • Oak Park, Michigan (US municipal government)

ANUBIS

This gang targeted organizations in Europe and the US:

  • Ferrum Group (Swiss industrial manufacturer)
  • Quest Healthcare Solutions (US healthcare staffing agency)
  • Northeast Pediatrics & Adolescent Medicine (US healthcare provider)

Bashe

This actor claimed victims in Europe and Asia:

  • Flazio (Italian SaaS website-building platform)
  • Rita Võ Group (Vietnamese business conglomerate)

Qilin

This well-known RaaS group added an Australian entity to its list:

  • Pennant Hills Golf Club (Australian private golf course)

Technical Analysis

While specific TTPs for each breach are not detailed, these ransomware groups generally follow a similar attack lifecycle:

  1. Initial Access: Often gained through phishing emails (T1566 - Phishing), exploitation of public-facing applications like VPNs or RDP (T1190 - Exploit Public-Facing Application), or through credentials purchased from initial access brokers.
  2. Execution and Persistence: Deploying tools like Cobalt Strike to maintain access and move laterally.
  3. Privilege Escalation: Exploiting local vulnerabilities or using tools like Mimikatz to gain administrative privileges.
  4. Data Exfiltration: Identifying and stealing large volumes of sensitive data before encryption (T1041 - Exfiltration Over C2 Channel).
  5. Impact: Encrypting systems across the network (T1486 - Data Encrypted for Impact) and deleting backups (T1490 - Inhibit System Recovery).

Impact Assessment

The impact on the victim organizations is severe, encompassing operational downtime, significant financial costs for recovery and potential ransom payments, regulatory fines for data breaches, and long-term reputational damage. The diversity of victims—from municipal governments and healthcare providers to manufacturing and logistics companies—demonstrates that no industry is safe. The global distribution of victims (Brazil, USA, Switzerland, Italy, Vietnam, Australia) highlights the international reach of these ransomware syndicates.

IOCs — Directly from Articles

No specific Indicators of Compromise (IOCs) were disclosed in the reports.

Cyber Observables — Hunting Hints

Security teams can hunt for common ransomware TTPs to detect these groups. The following patterns could indicate related activity:

  • Process Name: powershell.exe
    Look for PowerShell processes downloading Cobalt Strike beacons or running obfuscated commands.
  • Network Traffic Pattern: Large outbound transfers to cloud storage
    Ransomware groups often use legitimate services like Mega or Dropbox for data exfiltration.
  • Log Source: Windows Security Event Logs
    Monitor for Event ID 4625 (failed logins) for signs of password spraying, and Event ID 1102 (Audit log cleared) as a defense evasion technique.
  • Command Line Pattern: wmic.exe shadowcopy delete
    Command used to delete Volume Shadow Copies to prevent easy recovery.

Detection & Response

  1. EDR/XDR: Deploy advanced endpoint protection that uses behavioral analysis to detect and block ransomware activities like mass file encryption and backup deletion. This aligns with D3FEND's Process Analysis (D3-PA).
  2. SIEM Monitoring: Use a SIEM to correlate events from multiple sources (endpoints, firewalls, Active Directory) to detect the full attack chain, from initial access to lateral movement and impact.
  3. Deception Technology: Deploy honeypots and decoy accounts to detect lateral movement early. When a threat actor interacts with a decoy, it generates a high-fidelity alert.
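The hunting hints above and the SIEM correlation step in this list can be tried out as plain detection logic. The block below is an added example, not code from the article or from any vendor: it runs the four hints (4625 bursts from one source, Event ID 1102, the wmic shadow-copy command, encoded PowerShell, plus bulk uploads to cloud-storage domains) over a constructed batch of log records, then groups the hits per host so that a multi-stage chain on one machine stands out. Thresholds, field names and the sample records are assumptions made for the example.

```python
"""Added example, not from the article: run the hunting hints as detection
logic over a constructed batch of log records and correlate hits per host
the way the SIEM step in Detection & Response describes."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not captured data): a subset of Windows
# Security events (4625 failed logon, 4688 process creation with command
# line, 1102 audit log cleared) plus flow-style records tagged "netflow".
SAMPLE_EVENTS = [
    {"ts": "2026-07-03T01:00:01", "event_id": 4625, "host": "DC01", "user": "alice", "src_ip": "203.0.113.7"},
    {"ts": "2026-07-03T01:00:03", "event_id": 4625, "host": "DC01", "user": "bob", "src_ip": "203.0.113.7"},
    {"ts": "2026-07-03T01:00:04", "event_id": 4625, "host": "DC01", "user": "carol", "src_ip": "203.0.113.7"},
    {"ts": "2026-07-03T01:00:06", "event_id": 4625, "host": "DC01", "user": "dave", "src_ip": "203.0.113.7"},
    {"ts": "2026-07-03T01:00:08", "event_id": 4625, "host": "DC01", "user": "erin", "src_ip": "203.0.113.7"},
    # a single mistyped password from another address: must not alert
    {"ts": "2026-07-03T01:30:00", "event_id": 4625, "host": "DC01", "user": "alice", "src_ip": "198.51.100.2"},
    {"ts": "2026-07-03T02:10:00", "event_id": 4688, "host": "WS42", "user": "bob",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"ts": "2026-07-03T02:12:00", "event_id": 4688, "host": "WS42", "user": "bob",
     "cmdline": "powershell.exe Get-ChildItem C:\\Users"},  # benign admin use
    {"ts": "2026-07-03T02:30:00", "event_id": "netflow", "host": "FS01", "dst": "mega.nz", "bytes_out": 48 * 1024**3},
    {"ts": "2026-07-03T02:31:00", "event_id": "netflow", "host": "WS42", "dst": "dropbox.com", "bytes_out": 2 * 1024**2},
    {"ts": "2026-07-03T02:40:00", "event_id": 4688, "host": "FS01", "user": "SYSTEM", "cmdline": "wmic.exe shadowcopy delete"},
    {"ts": "2026-07-03T02:41:00", "event_id": 1102, "host": "FS01", "user": "admin"},
]

# Thresholds are illustrative assumptions; tune them to your environment.
SPRAY_WINDOW = timedelta(minutes=5)
SPRAY_MIN_ACCOUNTS = 5
CLOUD_UPLOAD_THRESHOLD = 5 * 1024**3                 # 5 GiB out to one destination
CLOUD_STORAGE_DOMAINS = {"mega.nz", "dropbox.com"}   # services named in the article

# -enc / -EncodedCommand is the usual carrier for obfuscated PowerShell.
ENCODED_PS = re.compile(r"powershell(?:\.exe)?\b.*\s-(?:encodedcommand|enc|ec|e)\s", re.IGNORECASE)
SHADOW_DELETE = re.compile(r"wmic(?:\.exe)?\s+shadowcopy\s+delete", re.IGNORECASE)


def detect_password_spray(events, window=SPRAY_WINDOW, min_accounts=SPRAY_MIN_ACCOUNTS):
    """One source address failing logons for many distinct accounts inside a short window."""
    failures = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625:
            failures[e["src_ip"]].append((datetime.fromisoformat(e["ts"]), e["user"]))
    alerts = []
    for src_ip, attempts in failures.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - start <= window}
            if len(users) >= min_accounts:
                alerts.append({"rule": "password_spray", "src_ip": src_ip, "accounts": sorted(users)})
                break  # one alert per source address is enough
    return alerts


def detect_process_events(events):
    """Encoded PowerShell, shadow-copy deletion and cleared audit logs, per host."""
    alerts = []
    for e in events:
        cmd = e.get("cmdline", "")
        if e["event_id"] == 4688 and ENCODED_PS.search(cmd):
            alerts.append({"rule": "encoded_powershell", "host": e["host"], "cmdline": cmd})
        if e["event_id"] == 4688 and SHADOW_DELETE.search(cmd):
            alerts.append({"rule": "shadow_copy_deletion", "host": e["host"], "cmdline": cmd})
        if e["event_id"] == 1102:
            alerts.append({"rule": "audit_log_cleared", "host": e["host"], "user": e["user"]})
    return alerts


def detect_bulk_cloud_upload(events, threshold=CLOUD_UPLOAD_THRESHOLD):
    """Sum outbound bytes per (host, destination) for known cloud-storage domains."""
    totals = defaultdict(int)
    for e in events:
        if e["event_id"] == "netflow" and e["dst"] in CLOUD_STORAGE_DOMAINS:
            totals[(e["host"], e["dst"])] += e["bytes_out"]
    return [{"rule": "bulk_cloud_upload", "host": h, "dst": d, "bytes_out": b}
            for (h, d), b in totals.items() if b >= threshold]


def run_hunt(events):
    return detect_password_spray(events) + detect_process_events(events) + detect_bulk_cloud_upload(events)


def correlate_by_host(alerts):
    """Hosts (or source addresses) with more than one rule firing. Exfiltration,
    shadow-copy deletion and log clearing on one box is the tail of the
    lifecycle described under Technical Analysis."""
    by_host = defaultdict(list)
    for a in alerts:
        by_host[a.get("host") or a.get("src_ip")].append(a["rule"])
    return {h: rules for h, rules in by_host.items() if len(rules) > 1}


if __name__ == "__main__":
    hits = run_hunt(SAMPLE_EVENTS)
    for a in hits:
        print(a)
    print("multi-stage:", correlate_by_host(hits))
```

On the sample data, the spray rule fires once for 203.0.113.7 and ignores the lone failure from 198.51.100.2, the benign Get-ChildItem invocation is not flagged, and FS01 is the only host where several rules fire together, which is the kind of correlation that separates a real incident from isolated noise.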

Mitigation

  1. Secure Remote Access: Harden all remote access points. Enforce MFA on all VPN and RDP connections, and regularly patch any vulnerabilities in these services (M1032 - Multi-factor Authentication).
  2. Immutable Backups: Maintain offline, air-gapped, or immutable backups of all critical data. Regularly test the restoration process to ensure you can recover without paying a ransom.
  3. Network Segmentation: Segment the network to contain a potential ransomware infection and prevent it from spreading from the IT network to OT systems or backup infrastructure (M1030 - Network Segmentation).
  4. User Training: Conduct regular phishing simulation and security awareness training to help employees spot and report initial access attempts (M1017 - User Training).

Timeline of Events

  1. July 3, 2026: Multiple ransomware groups list new victims on their data leak sites.
  2. July 4, 2026: This article was published.

MITRE ATT&CK Mitigations

Enforcing MFA on all remote access points is a critical defense against initial access via compromised credentials.

Offline and immutable backups are essential for recovery without paying a ransom.

Segmentation limits the blast radius of a ransomware infection.


Sources & References

Data Breaches in July 2026
Breachsense, July 3, 2026

Article Author

Jason Gomes, Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Areas of expertise: Threat Intelligence & Analysis; Security Orchestration (SOAR/XSOAR); Incident Response & Digital Forensics; Security Operations Center (SOC); SIEM & Security Analytics; Cyber Fusion & Threat Sharing; Security Automation & Integration; Managed Detection & Response (MDR)

Tags

Ransomware, INC_RANSOM, ANUBIS, Bashe, Qilin, Data Breach, Cybercrime
