Ransomware Report - 05/09/2026
Statistical Overview
Victim Totals
- This month: 260
- This quarter: 1039
- Year to date: 3656
- Last 24h: 36
Quarterly Breakdown
| Q1 | Q2 | Q3 | Q4 |
|---|---|---|---|
| 2622 | 1039 | 0 | 0 |
Ransomware activity remains consistent, with Q2 already reflecting a significant portion of Q1's total victims despite being an incomplete quarter. The past 24 hours saw 36 new victims. For more details on current trends, see our latest Q2 ransomware activity report.
Introduction
The past 24 hours recorded 36 new ransomware victims, showing consistent activity. "The Gentelman" and Qilin were the most active groups, collectively accounting for over half of the new compromises. While targeting was geographically diverse, the United States was the primary victim country, and Construction and Technology / Software were frequently impacted sectors.
Ransomware Summary Table
| # | Group | Victims (24h) | Sample Victims | Geos | Sectors |
|---|---|---|---|---|---|
| 1 | The Gentelman | 10 | Arizona professional painting, Chx express, Dermapharm (+7) | Netherlands, Egypt | Transportation & Logistics, Real Estate |
| 2 | Qilin | 9 | Advanced laundry systems, Cad-it uk, Calidra (+6) | Mexico, Spain | Financial Services, Transportation & Logistics |
| 3 | Genesis | 5 | Carepoint health, Prescott & holden, Rain makers solutions (+2) | United States, Canada | Construction & Engineering, Healthcare |
| 4 | DragonForce | 2 | Cf evans construction, Cmc expertise comptable | France, United States | Construction & Engineering, Professional Services |
| 5 | Lamashtu | 2 | Acros-components.com, Ashinfo.com | India, Germany | Technology / Software, Manufacturing |
| 6 | INC Ransom | 1 | Calsoft Inc | United States | Technology / Software |
| 7 | Kill Security | 1 | Mrs holdings | Nigeria | Energy & Utilities |
| 8 | Lapsus | 1 | None | | Professional Services |
| 9 | LockBit | 1 | dentoncalvary.org | United States | Education |
| 10 | Medusa Locker | 1 | Bavadai | India | Construction & Engineering |
| 11 | PEAR | 1 | Office furniture group | United States | Professional Services |
| 12 | SLSH | 1 | Houghton mifflin harcourt company | United States | Education |
The latest 24-hour period showed continued high activity from "The Gentelman" and Qilin, with 10 and 9 victims respectively. Genesis also showed moderate activity with 5 new victims, primarily in the United States and Canada. Key sectors targeted include Construction & Engineering, Transportation & Logistics, and Technology / Software. These ransomware operators used a broad-spectrum approach. For more information on active groups like "The Gentelman" and Qilin, see our recent report on new ransomware victims. No government, military, or critical infrastructure entities were identified among the sample victims listed today.
Victim Distribution
By Country
- United States: 19
- India: 2
- Germany: 2
- Venezuela: 1
- Argentina: 1
- United Kingdom: 1
- Spain: 1
- Poland: 1
- None: 1
- Nigeria: 1
By Industry
- Construction: 5
- Machinery Manufacturing: 2
- Chemical Manufacturing: 2
- Financial Services: 1
- Civil Engineering and Land Surveying: 1
- Clinical Research: 1
- Construction and Building Materials: 1
- Consulting: 1
- Design Services: 1
- Education: 1
The United States was the primary target of ransomware attacks, accounting for over half of all victims today. The concentration in Construction and related industries suggests either opportunistic targeting or a focused campaign against this sector.
Ransomware News
Topline
Recent intelligence reveals a re-compromise of a major educational platform and the release of important security patches for widely used web hosting software.
Campaigns & Operations
ShinyHunters has claimed a second successful breach against Instructure's Canvas LMS, alleging theft of approximately 3.65 TB of data, affecting around 275 million individuals from nearly 9,000 institutions. This re-exploitation happened despite Instructure's earlier claims of containment. The group has pushed a new leak deadline. Instructure has temporarily shut down Free-For-Teacher accounts to address issues. This persistent targeting of an educational platform shows the significant data breach risks the sector faces.
Vulnerabilities & TTPs
cPanel and WHM have released fixes for three vulnerabilities: CVE-2026-29201 (CVSS 4.3), CVE-2026-29202 (CVSS 8.8), and CVE-2026-29203 (CVSS 8.8). The flaws range from arbitrary file reads to arbitrary Perl code execution and unsafe symlink handling, and could lead to denial-of-service or privilege escalation. While no public exploitation is confirmed, these patches follow recent CVE-2026-41940 zero-day activity involving Mirai and ransomware, showing the importance of timely patching for web infrastructure.
Analyst Note
These developments show a dual threat: persistent re-exploitation of enterprise applications and the continuous discovery and patching of important vulnerabilities in widely deployed software.
Technical Takeaways
- "The Gentelman" and Qilin groups maintained high activity, accounting for over half of new compromises.
- The Construction sector and related industries (Civil Engineering, Building Materials) were consistently targeted, reporting 5 victims.
- The United States accounted for 19 out of 36 new victims, making it the primary target geography.
- Vulnerabilities (CVE-2026-29201, CVE-2026-29202, CVE-2026-29203) in cPanel/WHM show ongoing risks to web infrastructure.
- ShinyHunters' re-exploitation of Instructure shows persistent threat actor capabilities and challenges in incident response.