Interlock Hits DC Housing Authority; Play, Nova Post New Victims

Interlock ransomware targeted DC's public housing agency; Play posted five victims across four countries; Nova added three more in a multi-group batch.
Table of Contents
    Add a header to begin generating the table of contents

    Interlock ransomware listed the District of Columbia Housing Authority on its dark web leak site while Play ransomware posted five victims across four countries, and Nova ransomware added three organizations in a victim batch that also included new postings from INC Ransom, Gunra, Chaos, RansomHouse, Krybit, and M3RX across the July 16–17, 2026 window.

    Interlock Claims the District of Columbia Housing Authority

    Interlock ransomware group listed the District of Columbia Housing Authority on its leak site. DCHA is Washington D.C.’s principal public housing agency, administering housing assistance for approximately 44,000 low-income households and managing public housing properties across the District. No ransom amount was disclosed, and DCHA had not publicly confirmed the breach at time of brief compilation.

    A ransomware attack against a municipal housing authority carries specific consequences beyond typical enterprise incidents. Public housing agencies maintain personally identifiable information on tens of thousands of low-income residents — including Social Security numbers, income records, and housing assistance payment histories. These data categories carry high value for identity fraud and represent significant harm potential for residents who depend on DCHA for housing stability if their records are exposed or disrupted by a ransomware operation.

    Play Ransomware Posts Five Victims Across Four Countries in a Single Day

    Play ransomware posted five victims spanning four countries in a 24-hour window: Boston Electric and Telephone Company, a U.S. regional telecommunications and electrical contractor; Wring Group, a UK logistics and distribution company; AG Scholtes, a Dutch manufacturing firm; Andorra Life, an Andorran financial services provider; and Svensk Direktreklam, a Swedish direct marketing company. The cross-continental scope — U.S., UK, Netherlands, Andorra, and Sweden — in a single day of postings reflects the operational reach of large ransomware-as-a-service platforms that enable affiliates to run simultaneous campaigns across jurisdictions. Play has maintained consistently high victim-posting volume throughout 2026 across North America and Europe.

    Nova, INC Ransom, and Smaller Groups Add Victims Across Japan, Canada, Vietnam, and Beyond

    Nova ransomware posted three victims: Phi, a Canadian engineering and professional services firm; Digipro, a Vietnamese technology services company; and Integrated Marketing Services, a U.S. marketing and analytics company.

    INC Ransom listed Kyokuto Kaihatsu Kogyo — a Japanese industrial machinery manufacturer producing specialty vehicles and hydraulic equipment for construction and logistics applications — in its latest victim batch.

    Additional postings from smaller ransomware groups completed the 48-hour window: Gunra listed Dissinger and Dissinger Law Firm in the U.S.; Chaos listed Radiax; RansomHouse listed Megawork of Brazil; Krybit listed four organizations across Israel, Mexico, Malaysia, and the Czech Republic, including Eitz Chaim, Formas Universales, Rehab Malaysia, and LAGUS; and M3RX listed Supp Center SA of South Africa and Arambol of the UK. Ransomware.live confirmed all listings via direct dark web source monitoring. No victim organization had publicly confirmed their inclusion at time of batch compilation.

    What the Multi-Group Batch Reveals About Ransomware Affiliate Targeting in 2026

    The Interlock breach of the DC Housing Authority is the highest-consequence victim in this batch. Municipal housing authorities hold personally identifiable information on tens of thousands of low-income residents — data categories with direct financial fraud utility and significant downstream harm to vulnerable populations who rely on housing assistance programs for stability. An attack that disrupts housing authority operations can interrupt benefit administration, lease management, and maintenance workflows that residents depend on.

    The Play batch’s cross-continental scope illustrates how large RaaS platforms have removed geographic coordination barriers for affiliates. A single affiliate or affiliate team can claim victims on multiple continents within a 24-hour posting window without any per-country coordination overhead. The inclusion of Andorra — a small jurisdiction not frequently associated with ransomware targeting — alongside the U.S., UK, Netherlands, and Sweden in a single day’s postings reflects indiscriminate targeting by geography as well as by sector.

    Nine distinct ransomware groups active in the same 48-hour window — Interlock, Play, Nova, INC Ransom, Krybit, M3RX, Gunra, Chaos, and RansomHouse — illustrates the fragmented and competitive state of the current ransomware ecosystem. The market has not consolidated around a small number of dominant groups; instead, multiple independent RaaS operations and independent groups are simultaneously active, each with their own affiliate networks and victim pipelines. The July 16–17 batch spans public housing administration, telecommunications, manufacturing, financial services, logistics, engineering, technology services, legal services, and marketing — a sector distribution that reflects the absence of any meaningful target discrimination among current ransomware affiliates.

    Related Posts