Ransomware Report - 05/10/2026

Statistical Overview

Victim Totals

  • This month: 284
  • This quarter: 1062
  • Year to date: 3679
  • Last 24h: 24

Quarterly Breakdown

Q1: 2622Q2: 1062Q3: 0Q4: 0

Q2 ransomware activity tracks consistently with Q1, showing threat actors maintaining a high operational tempo. The 24 new victims in the last 24 hours reflect ongoing pressure across sectors, similar to trends discussed in our Q2 Ransomware Activity Report.

Introduction

In the past 24 hours, PurpleOps observed 24 new ransomware victims, which suggests consistent threat actor activity. Leak_Bazaar and Lynx were the most active groups, accounting for over two-thirds of reported breaches. These attacks primarily affected the Financial Services and Technology sectors, and were concentrated in North America and Europe, reflecting recent ransomware trends.

Ransomware Summary Table

#GroupVictims (24h)Sample VictimsGeosSectors
1Leak Bazaar9Disk precision group, E-jones associates lcc, Gastroenterology & hepatology (+6)India, United KingdomFinancial Services, Construction & Engineering
2Lynx8bayareaherbs.com, csb-battery.com, funkychunky.com (+5)Germany, United StatesEducation, Technology / Software
3INC Ransom2lopezlawfl.comUnited StatesFinancial Services, Legal
4Fulcrum1arupUnited KingdomProfessional Services
5Krybit1Eclagestio360.comSpainFinancial Services
6Lapsus1Axcera.ioUnited Arab EmiratesTechnology / Software
7PEAR1Langenberg, strubberg, arand & king, llcUnited StatesProfessional Services
8Stormous1Ams-group.co.uk full data dump 33gb newUnited KingdomMedia & Entertainment

Leak Bazaar and Lynx were the most active in ransomware activity over the last 24 hours, accounting for 17 of the 24 reported victims. Leak Bazaar focused heavily on Financial Services and Construction & Engineering firms in India and the United Kingdom. Lynx showed a broader reach, targeting Education and Technology sectors primarily in Germany and the United States. Other groups, including INC Ransom and Fulcrum, maintained a lower but persistent presence, with Fulcrum specifically affecting a UK-based professional services firm, a group whose activities we discussed in a previous report.

Victim Distribution

By Country

  • United States: 13
  • United Kingdom: 4
  • Spain: 2
  • Germany: 1
  • United Arab Emirates: 1
  • Taiwan: 1
  • Singapore: 1
  • India: 1

By Industry

  • Legal Services: 2
  • Financial Services: 2
  • Accounting: 1
  • Tourism and Hospitality: 1
  • Packaging Services: 1
  • Information Technology Services: 1
  • Individual and Family Services: 1
  • Healthcare: 1
  • Food and Beverage Services: 1
  • Food & Beverage: 1

The United States remains the primary target country, with over half of all victims reported today, showing a consistent focus on North American entities. While Financial Services and Legal Services had multiple incidents, the overall industry distribution points to a fragmented targeting approach, as various sectors experienced single breaches.

Ransomware News

Topline

The last 24 hours included two significant ransomware incidents affecting an Italian luxury goods manufacturer and Australian mining companies. These incidents show persistent threats to diverse industries.

Campaigns & Operations

Around May 9, 2026, Unoaerre, an Italian gold jewelry manufacturer, was hit by a ransomware attack that disrupted its operational systems. Threat actors demanded 3.8 million euros in Bitcoin for data restoration and to prevent data dissemination. Initial investigations suggest involvement from Eastern Europe and the Middle East. Around May 6, 2026, multiple Australian mining firms faced disruptions after Scope Systems, a cloud-based software provider, was breached. Northern Star Resources and Evolution Mining were among the reported targets, with the incident affecting core ERP and asset management SaaS services.

Vulnerabilities & TTPs

No new CVEs were identified in today's reporting; however, both incidents showed supply-chain risks. The Scope Systems breach revealed a cascade effect from credential theft and potential data exfiltration at a third-party provider, affecting client operations.

Analyst Note

These incidents emphasize the growing effectiveness of supply-chain targeting and the financial motivations behind current ransomware operations, particularly against established businesses.

Technical Takeaways

  • Dominant Activity: Leak Bazaar and Lynx were the most active ransomware groups, responsible for 70% of new victims in the last 24 hours. This shows their current high operational tempo.
  • Geographic Concentration: North America, specifically the United States, accounted for over 50% of the newly reported ransomware victims. It remains a primary target region.
  • Targeted Verticals: While Financial Services and Technology / Software had concentrated attacks, the overall distribution across industries remained broad. This suggests opportunistic rather than highly specialized targeting for most groups.
  • Supply Chain Exploitation: Recent news shows an ongoing focus on supply chain vulnerabilities. Ransomware groups use breaches in IT service providers to gain access to multiple downstream clients.