Ransomware Report - 05/02/2026

Statistical Overview

Victim Totals

  • This month: 47
  • This quarter: 804
  • Year to date: 3422
  • Last 24h: 35

Quarterly Breakdown

Q1: 2622 | Q2: 804 | Q3: 0 | Q4: 0

Ransomware activity in Q2, while lower than the peak of Q1, continues to add to the year-to-date victim count. The past 24 hours saw an increase, with 35 new victims reported.

Introduction

The past 24 hours saw a rise in ransomware activity, with 35 new victims added to public leak sites. The Fulcrum group was very active, responsible for most incidents, while CMD and Everest also attacked several targets. Geographically, the United States, United Kingdom, and Germany experienced the highest concentration of targeting. Financial Services, Healthcare, and Construction & Engineering sectors were most affected by attacks. For more information on recent trends, refer to our recent general ransomware activity update.

Ransomware Summary Table

# | Group | Victims (24h) | Sample Victims | Geos | Sectors
1 | Fulcrum | 22 | analog-prospector, avnet-leaks, bookblock (+19) | Japan, India | Financial Services, Transportation & Logistics
2 | CMD | 3 | Cytek Biosciences, jg stewart construction, zampell | United States, United Kingdom | Pharmaceuticals & Biotech, Construction & Engineering
3 | Everest | 3 | Epiq global, Symcor, Tsys | United States, Canada | Financial Services, Legal
4 | SafePay | 2 | Energyaction.com.au, Hpk.hamburg | Australia, Germany | Energy & Utilities, Legal
5 | AiLock | 1 | Site design group | United States | Construction & Engineering
6 | Blackwater | 1 | Tuopu | China | Automotive
7 | INC Ransom | 1 | northshoreenv.com | Canada | Professional Services
8 | Krybit | 1 | Bomuhospital.org | Kenya | Healthcare
9 | PEAR | 1 | Beyond measure & associates, inc. | United States | Construction & Engineering

Today's ransomware activity saw Fulcrum as the primary actor, which posted 22 new victims across diverse geographies including Japan and India, primarily affecting Financial Services and Transportation & Logistics. Other groups like CMD and Everest targeted businesses in the United States, United Kingdom, and Canada, focused on Pharmaceuticals & Biotech, Construction & Engineering, and Financial Services. Our ongoing analysis, including previous reports on new ransomware victims and relevant industries, shows these key sectors remain under attack.

Notable targeting observed today includes Energyaction.com.au by SafePay, an attack on the Energy & Utilities sector in Australia, and Bomuhospital.org by Krybit, affecting the Healthcare sector in Kenya. The Everest group, which we have previously detailed in our reports on active ransomware groups, continues to target key financial service providers.

Victim Distribution

By Country

  • United States: 15
  • United Kingdom: 5
  • Germany: 3
  • Canada: 3
  • Australia: 2
  • None: 1
  • Kenya: 1
  • Japan: 1
  • India: 1
  • Denmark: 1

By Industry

  • Software Development: 4
  • Financial Services: 4
  • Healthcare: 3
  • Construction: 2
  • Military and Government Procurement: 1
  • Mining and Technology: 1
  • Legal and Business Services: 1
  • Landscape Architecture and Urban Design: 1
  • Information and Analytics: 1
  • Healthcare Technology: 1

The United States remains the primary target, with nearly half of the reported victims. However, the geographic spread across 10 countries shows ransomware operators use a broad, indiscriminate approach, with Financial Services and Healthcare consistently affected.

Ransomware News

Topline

Significant legal action against ransomware affiliates and ongoing operational disruptions from attacks show that the ransomware threat is persistent and evolving.

Campaigns & Operations

Two U.S. cybersecurity professionals, Ryan Goldberg and Kevin Martin, were sentenced to four years in prison for acting as affiliates for the ALPHV/BlackCat ransomware group in 2023. They used their incident response and negotiation skills in a ransomware-as-a-service model, extorting over 1,000 victims globally, taking a 20% developer cut and leaking patient data. Separately, Columbia Surgical Partners in Tennessee reported inaccessible electronic health records following a ransomware incident at its parent company, Advanced Diagnostic Imaging (ADI), which disrupted access to patient charts and surgical schedules across multiple offices.

Vulnerabilities & TTPs

While specific CVEs were not reported, the ALPHV affiliate case shows the insider threat vector and the abuse of legitimate cybersecurity expertise for ransomware operations. Frontier AI models like Mythos could give attackers faster, more capable extortion methods, possibly increasing average ransom payments. This requires strong defensive strategies such as real-time microsegmentation and continuous asset visibility.

Analyst Note

These events demonstrate two challenges: sophisticated human actors in ransomware operations and the emerging threat of AI orchestrating attacks. Both contribute to the persistent risk for critical sectors.

Technical Takeaways

  • Fulcrum was the most active ransomware group in the past 24 hours, responsible for 22 out of 35 reported victims.
  • The United States had the highest number of ransomware victims (15), followed by the United Kingdom (5) and Canada (3).
  • Financial Services and Software Development were the most targeted industries, each with 4 reported victims.
  • Critical infrastructure and healthcare entities, such as Energyaction.com.au (Energy & Utilities) and Bomuhospital.org (Healthcare), were among the high-value targets.
  • Nine distinct ransomware groups claimed victims, which shows a fragmented but active threat environment.

FAQ

Q: Which ransomware groups were most active on May 2, 2026?

The Fulcrum ransomware group was the most active, responsible for 22 new victims in the last 24 hours. CMD and Everest were also active, each reporting 3 new victims.

Q: What industries did ransomware groups primarily target today?

Ransomware groups primarily targeted the Software Development and Financial Services industries, each with 4 newly reported victims. Healthcare also had 3 new victims.

Q: Which countries experienced the most ransomware attacks in the last 24 hours?

The United States had the highest number of ransomware attacks with 15 victims in the last 24 hours. The United Kingdom followed with 5 victims, and Canada and Germany each reported 3 victims.

Q: Were there any notable high-value ransomware victims reported today?

Yes, high-value victims include Energyaction.com.au in Australia, in the Energy & Utilities sector, and Bomuhospital.org in Kenya, in the Healthcare sector. This shows continued targeting of critical infrastructure and services.

Q: What is the current cumulative ransomware victim count for the quarter?

As of May 2, 2026, the cumulative ransomware victim count for this quarter is 804. The year-to-date total is 3422 victims, showing ongoing high levels of ransomware activity.