MOXFIVE Monthly Insights - April 2026
In this newsletter, we share the latest ransomware and threat actor insights from the MOXFIVE team. Click the button below to subscribe if you are not already on the MOXFIVE mailing list.


Ransomware Highlights for April 2026

Established RaaS operations led ransomware activity in April, while extortion-only groups relying on IT help desk social engineering accounted for a growing share of the month's observed activity. Overall volume declined compared to earlier months in 2026, though activity across the year has stayed high compared to 2025.  

Qilin led for the fourth consecutive month among groups posting victims in the United States, with Inc, DragonForce, Akira, and ShinyHunters rounding out the top five. Critical unauthenticated remote code execution vulnerabilities in Fortinet FortiClient EMS and Palo Alto Networks PAN-OS saw active exploitation, with the PAN-OS flaw exploited as a zero-day weeks before public disclosure. Professional Services was the most impacted industry in April, followed by Retail and Hospitality, Healthcare, Manufacturing and Production, and Technology.

This month's Case Study examines the ShinyHunters playbook in detail, alongside Cordial Spider, Snarky Spider, and Silent Ransom Group, which are other groups deploying similar tactics. The Resilience Spotlight provides guidance on defending against this class of attack, covering phishing-resistant MFA, help desk identity verification, and SaaS monitoring.

Top Threats & Exploits

Phishing emails, VPN vulnerabilities, lack of Multifactor Authentication (MFA), software flaws, drive-by downloads, and social engineering remain the most frequently observed initial access points for ransomware attacks.

  • Fortinet FortiClient EMS SQL injection vulnerability (CVE-2026-21643): Disclosed on February 6, 2026, this vulnerability allows unauthenticated remote code execution on affected FortiClient EMS instances via specially crafted HTTP requests. The flaw affects version 7.4.4 and stems from the tenant identification header being passed directly into a database query without sanitization, before authentication checks occur.
  • Fortinet FortiClient EMS improper access control vulnerability (CVE-2026-35616): Disclosed on April 3, 2026, this vulnerability allows unauthenticated remote code execution on affected FortiClient EMS instances via crafted HTTP requests that bypass authentication and authorization controls entirely. The flaw affects versions 7.4.5 and 7.4.6 and was exploited as a zero-day at the time of disclosure, marking the second unauthenticated remote code execution flaw disclosed in FortiClient EMS within weeks.
  • Palo Alto Networks PAN-OS buffer overflow vulnerability (CVE-2026-0300): Disclosed on May 6, 2026, this vulnerability allows unauthenticated remote code execution with root privileges on PA-Series and VM-Series firewalls via a buffer overflow in the User-ID Authentication Portal when exposed to untrusted networks or the public internet. The vulnerability affects PAN-OS versions 10.2, 11.1, 11.2, and 12.1, and is believed to have been exploited as a zero-day beginning in early April, weeks before public disclosure. Exploitation activity has been linked to possible state-sponsored threat activity.

Active Threat Actors

Ransomware activity in April declined compared to earlier months in 2026, though overall volume across the year has remained elevated compared to 2025. RaaS operations continued to account for a large share of known ransomware attacks, with affiliates driving activity across most of the top-ranked operations. At MOXFIVE, we are seeing an uptick in cases involving extortion-only groups that rely on IT help desk social engineering for initial access. ShinyHunters has been the most visible operation in this space, with other groups such as Cordial Spider/BlackFile, Snarky Spider, and Silent Ransom Group adopting similar tactics. MOXFIVE has also recently engaged on cases involving FulcrumSec, another extortion-only group operating across cloud environments.

  • Qilin ranked as the most deployed ransomware in April, leading for the fourth consecutive month. The group's commission-based RaaS model, which offers affiliates up to 80-85% of ransom payments, has driven its adoption across the affiliate ecosystem. Qilin deployments include payloads for both Windows and Linux environments and rely on double extortion tactics.
  • Inc ranked second in April by victim count. First observed in 2023, Inc operates under a RaaS model with a codebase that shares significant overlap with Lynx, widely assessed as its successor. Affiliates deploying Inc rely on double extortion tactics.
  • DragonForce and Akira were among the most frequently deployed operations in April. DragonForce shifted from a RaaS model to a cartel structure in 2025, allowing affiliates to operate under their own brands while using shared infrastructure and tooling. Akira has been one of the top RaaS operations through 2025 and into 2026, with affiliates relying on credential-based access and remote-access methods for initial access.
  • ShinyHunters ranked fifth in April and has been among the most active data extortion operations in 2026, relying on IT help desk social engineering for initial access followed by large-scale data theft and extortion. A detailed look at the group's tactics is covered in this month's Case Study.

Figure 1: Top ransomware variants in April 2026 based on number of known victims.

The ransomware and industry rankings below are based on observed ransomware data leak site (DLS) activity for impacted organizations in the United States.

For a deeper look into these groups, MOXFIVE has published Threat Actor Spotlights on Qilin, Inc, Akira, ShinyHunters, and DragonForce.

Top Industries Impacted by Ransomware

Professional Services was the most impacted industry in April. Law firms, consulting groups, and other professional services organizations are consistent targets due to the sensitivity of client data and the intellectual property they hold. Retail and Hospitality ranked second. They are often targets because they process payment data, operate distributed physical locations, and maintain extensive customer records, exposing point-of-sale systems and customer data to compromise.

Healthcare, Manufacturing and Production, and Technology organizations also rank in the top five. Healthcare organizations continue to face risk due to the sensitivity of patient data and the impact of system downtime. Operational disruption in Manufacturing and Production can quickly affect revenue and supply chains, keeping the sector a frequent target. Service providers, software platforms, and managed IT firms in the Technology sector often maintain direct integration with client networks and cloud environments, increasing the potential impact of a single intrusion.

Figure 2: Top industries impacted by ransomware in April 2026.

Targeting across the mainstream RaaS groups was largely scattered in April, with no single operation responsible for a heavy share of activity in any one sector. Silent Ransom Group accounted for the highest concentration of victim postings in Professional Services, continuing a sustained focus on law firms using callback phishing and IT help desk social engineering for initial access. Coinbase Cartel drove much of the observed activity in Retail and Hospitality, operating as a data extortion group that relies on stolen credentials and infostealer logs to gain access without deploying encryption.

Case Study - IT Help Desk Vishing: ShinyHunters and the Rise of Extortion-Only Operations

Extortion-only operations have gained ground in 2026, and IT help desk social engineering has become the defining initial access vector for this class of threat actor. ShinyHunters is one of the most visible groups running this playbook. The model works for attackers because vishing requires no malware and systems stay online while data is exfiltrated in the background, limiting the visibility of traditional endpoint detection. Scattered Spider has been running this approach since at least 2022, and while activity directly attributed to Scattered Spider has declined since May 2025, the model has been carried forward by ShinyHunters and others operating within the Scattered LAPSUS$ Hunters collective.

The IT Help Desk Vishing Playbook

IT help desk vishing follows two distinct paths, each aimed at the same target: a valid identity inside the victim's environment. In one, attackers call employees at the target organization while impersonating internal IT help desk staff, directing them to a credential harvesting page hosted on a victim-branded subdomain, where adversary-in-the-middle infrastructure captures SSO credentials and MFA codes in real time. In the other, attackers call IT help desk staff while impersonating an employee or third-party vendor, using the interaction to obtain identity access through requested account changes or approvals.

From either entry point, the attacker moves laterally into connected SaaS environments such as Salesforce and SharePoint and exfiltrates data. Stolen data is then used to extort the victim, with threats of public exposure on a data leak site if payment is refused. ShinyHunters has built out its own internal vishing operation, which it refers to as the "SLH Operations Centre." Modeled on a call center, the operation recruits and pays contractors to run scripted vishing calls against targeted employees, enabling the group to run social engineering at scale.

Several other groups have built operations around the same approach:

Resilience Spotlight - Defending Against IT Help Desk Vishing

IT help desk vishing is a human-driven attack, and no single control will stop it on its own. A layered defense combines identity controls that make stolen credentials less useful, verification procedures that make impersonation harder, and visibility into what happens after a help desk interaction. The following are mitigations organizations can consider when assessing their exposure to this class of attack.

Outsourced or third-party IT support adds another layer of risk. When help desk operations sit outside the organization, verification standards and incident response expectations need to be enforced across the provider, not just internally. Organizations using MSPs or external IT support should confirm those partners apply the same procedures the internal team applies.
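One way to get the visibility into post-help-desk activity described above, as an added example that is not MOXFIVE's tooling or any vendor's API: it correlates a help desk-initiated identity change with a new-device SSO login and a bulk SaaS export in the same window. The event schema and the sample records are constructed assumptions for illustration.

```python
"""Correlate help desk identity changes with follow-on SaaS activity.

Constructed example (not MOXFIVE's tooling): the event schema and the
sample records below are assumptions chosen for illustration.
"""
from datetime import datetime, timedelta

# Constructed sample events: one user gets a help desk MFA reset, then a
# new-device SSO login and a large Salesforce export; another user gets a
# password reset followed only by a login from a known device.
SAMPLE_EVENTS = [
    {"ts": "2026-04-14T09:02:00", "user": "jdoe", "source": "helpdesk",
     "action": "mfa_reset", "actor": "hd-agent-7"},
    {"ts": "2026-04-14T09:11:00", "user": "jdoe", "source": "sso",
     "action": "login", "new_device": True},
    {"ts": "2026-04-14T09:40:00", "user": "jdoe", "source": "salesforce",
     "action": "report_export", "rows": 250000},
    {"ts": "2026-04-14T10:05:00", "user": "asmith", "source": "helpdesk",
     "action": "password_reset", "actor": "hd-agent-2"},
    {"ts": "2026-04-14T11:30:00", "user": "asmith", "source": "sso",
     "action": "login", "new_device": False},
]

IDENTITY_CHANGES = {"mfa_reset", "password_reset", "new_mfa_device"}
BULK_ACTIONS = {"report_export", "bulk_download"}


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def find_suspicious_chains(events, window_hours=24, bulk_rows=10000):
    """Return one alert per help desk identity change that is followed, within
    the window, by a new-device SSO login and a bulk SaaS export by that user."""
    alerts = []
    by_user = {}
    for event in sorted(events, key=_ts):
        by_user.setdefault(event["user"], []).append(event)
    for user, evs in by_user.items():
        for i, change in enumerate(evs):
            if change["source"] != "helpdesk" or change["action"] not in IDENTITY_CHANGES:
                continue
            deadline = _ts(change) + timedelta(hours=window_hours)
            later = [x for x in evs[i + 1:] if _ts(x) <= deadline]
            new_login = any(x["source"] == "sso" and x.get("new_device") for x in later)
            bulk = [x for x in later
                    if x["action"] in BULK_ACTIONS and x.get("rows", 0) >= bulk_rows]
            if new_login and bulk:
                alerts.append({"user": user, "change": change["action"],
                               "actor": change["actor"],
                               "exports": [(x["source"], x["rows"]) for x in bulk]})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_chains(SAMPLE_EVENTS):
        print(alert)
```

The help desk agent ID is carried into the alert so a reviewer can check the ticket and the verification steps that were applied to that request.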

How MOXFIVE Can Help

MOXGUARD: Strategic advisory including AD/identity assessments, CVE alerting prioritized to active ransomware exploitation, guidance on segmentation and backup hardening, tabletop exercises with response playbooks, and pre-positioned incident response.

Professional Services: Control validation through EDR coverage assessments, purple team exercises, network segmentation reviews, backup immutability and restoration testing, external attack surface reduction, and SIEM/XDR detection engineering.

Our team has handled hundreds of ransomware cases against the most advanced and active operations, aligning preventive, detective, and recovery controls to current threat actor TTPs. Contact us at 833-568-6695 or incident@moxfive.com.