Ransomware Report - 05/02/2026
Statistical Overview
Victim Totals
- This month: 47
- This quarter: 804
- Year to date: 3422
- Last 24h: 35
Quarterly Breakdown
Q1: 2622 | Q2: 804 | Q3: 0 | Q4: 0
Ransomware activity in Q2, while lower than the peak of Q1, continues to add to the year-to-date victim count. Activity increased over the past 24 hours, with 35 new victims reported.
Introduction
The past 24 hours saw a rise in ransomware activity, with 35 new victims added to public leak sites. The Fulcrum group was very active, responsible for most incidents, while CMD and Everest also attacked several targets. Geographically, the United States, United Kingdom, and Germany experienced the highest concentration of targeting. Financial Services, Healthcare, and Construction & Engineering sectors were most affected by attacks. For more information on recent trends, refer to our recent general ransomware activity update.
Ransomware Summary Table
| # | Group | Victims (24h) | Sample Victims | Geos | Sectors |
|---|---|---|---|---|---|
| 1 | Fulcrum | 22 | analog-prospector, avnet-leaks, bookblock (+19) | Japan, India | Financial Services, Transportation & Logistics |
| 2 | CMD | 3 | Cytek Biosciences, jg stewart construction, zampell | United States, United Kingdom | Pharmaceuticals & Biotech, Construction & Engineering |
| 3 | Everest | 3 | Epiq global, Symcor, Tsys | United States, Canada | Financial Services, Legal |
| 4 | SafePay | 2 | Energyaction.com.au, Hpk.hamburg | Australia, Germany | Energy & Utilities, Legal |
| 5 | AiLock | 1 | Site design group | United States | Construction & Engineering |
| 6 | Blackwater | 1 | Tuopu | China | Automotive |
| 7 | INC Ransom | 1 | northshoreenv.com | Canada | Professional Services |
| 8 | Krybit | 1 | Bomuhospital.org | Kenya | Healthcare |
| 9 | PEAR | 1 | Beyond measure & associates, inc. | United States | Construction & Engineering |
Today's ransomware activity saw Fulcrum as the primary actor, which posted 22 new victims across diverse geographies including Japan and India, primarily affecting Financial Services and Transportation & Logistics. Other groups like CMD and Everest targeted businesses in the United States, United Kingdom, and Canada, focused on Pharmaceuticals & Biotech, Construction & Engineering, and Financial Services. Our ongoing analysis, including previous reports on new ransomware victims and relevant industries, shows these key sectors remain under attack.
Notable targeting observed today includes Energyaction.com.au by SafePay, an attack on the Energy & Utilities sector in Australia, and Bomuhospital.org by Krybit, affecting the Healthcare sector in Kenya. The Everest group, which we have previously detailed in our reports on active ransomware groups, continues to target key financial service providers.
Victim Distribution
By Country
- United States: 15
- United Kingdom: 5
- Germany: 3
- Canada: 3
- Australia: 2
- None: 1
- Kenya: 1
- Japan: 1
- India: 1
- Denmark: 1
By Industry
- Software Development: 4
- Financial Services: 4
- Healthcare: 3
- Construction: 2
- Military and Government Procurement: 1
- Mining and Technology: 1
- Legal and Business Services: 1
- Landscape Architecture and Urban Design: 1
- Information and Analytics: 1
- Healthcare Technology: 1
The United States remains the primary target, with nearly half of the reported victims. However, the geographic spread across 10 countries shows ransomware operators use a broad, indiscriminate approach, with Financial Services and Healthcare consistently affected.
Ransomware News
Topline
Significant legal action against ransomware affiliates and ongoing operational disruptions from attacks show that the ransomware threat is persistent and evolving.
Campaigns & Operations
Two U.S. cybersecurity professionals, Ryan Goldberg and Kevin Martin, were sentenced to four years in prison for acting as affiliates for the ALPHV/BlackCat ransomware group in 2023. They used their incident response and negotiation skills in a ransomware-as-a-service model, extorting over 1,000 victims globally, taking a 20% developer cut and leaking patient data. Separately, Columbia Surgical Partners in Tennessee reported inaccessible electronic health records following a ransomware incident at its parent company, Advanced Diagnostic Imaging (ADI), which disrupted access to patient charts and surgical schedules across multiple offices.
Vulnerabilities & TTPs
While specific CVEs were not reported, the ALPHV affiliate case shows the insider threat vector and the abuse of legitimate cybersecurity expertise for ransomware operations. Frontier AI models like Mythos could give attackers faster, more capable extortion methods, possibly increasing average ransom payments. This requires strong defensive strategies such as real-time microsegmentation and continuous asset visibility.
Analyst Note
These events demonstrate two challenges: sophisticated human actors in ransomware operations and the emerging threat of AI orchestrating attacks. Both contribute to the persistent risk for critical sectors.
Technical Takeaways
- Fulcrum was the most active ransomware group in the past 24 hours, responsible for 22 out of 35 reported victims.
- The United States had the highest number of ransomware victims (15), followed by the United Kingdom (5) and Canada (3).
- Financial Services and Software Development were the most targeted industries, each with 4 reported victims.
- Critical infrastructure and healthcare entities, such as Energyaction.com.au (Energy & Utilities) and Bomuhospital.org (Healthcare), were among the high-value targets.
- Nine distinct ransomware groups claimed victims, which shows a fragmented but active threat environment.
FAQ
Q: Which ransomware groups were most active on May 2, 2026?
The Fulcrum ransomware group was the most active, responsible for 22 new victims in the last 24 hours. CMD and Everest were also active, each reporting 3 new victims.
Q: What industries did ransomware groups primarily target today?
Ransomware groups primarily targeted the Software Development and Financial Services industries, each of which had 4 new reported victims. Healthcare also had 3 new victims.
Q: Which countries experienced the most ransomware attacks in the last 24 hours?
The United States had the highest number of ransomware attacks with 15 victims in the last 24 hours. The United Kingdom followed with 5 victims, and Canada and Germany each reported 3 victims.
Q: Were there any notable high-value ransomware victims reported today?
Yes, high-value victims include Energyaction.com.au in Australia, in the Energy & Utilities sector, and Bomuhospital.org in Kenya, in the Healthcare sector. This shows continued targeting of critical infrastructure and services.
Q: What is the current cumulative ransomware victim count for the quarter?
As of May 2, 2026, the cumulative ransomware victim count for this quarter is 804. The year-to-date total is 3422 victims, showing ongoing high levels of ransomware activity.