Ransomware Report - 05/10/2026
Statistical Overview
Victim Totals
- This month: 284
- This quarter: 1062
- Year to date: 3679
- Last 24h: 24
Quarterly Breakdown
| Q1: 2622 | Q2: 1062 | Q3: 0 | Q4: 0 |
|---|
Q2 ransomware activity tracks consistently with Q1, showing threat actors maintaining a high operational tempo. The 24 new victims in the last 24 hours reflect ongoing pressure across sectors, similar to trends discussed in our Q2 Ransomware Activity Report.
Introduction
In the past 24 hours, PurpleOps observed 24 new ransomware victims, which suggests consistent threat actor activity. Leak_Bazaar and Lynx were the most active groups, accounting for over two-thirds of reported breaches. These attacks primarily affected the Financial Services and Technology sectors, and were concentrated in North America and Europe, reflecting recent ransomware trends.
Ransomware Summary Table
| # | Group | Victims (24h) | Sample Victims | Geos | Sectors |
|---|---|---|---|---|---|
| 1 | Leak Bazaar | 9 | Disk precision group, E-jones associates lcc, Gastroenterology & hepatology (+6) | India, United Kingdom | Financial Services, Construction & Engineering |
| 2 | Lynx | 8 | bayareaherbs.com, csb-battery.com, funkychunky.com (+5) | Germany, United States | Education, Technology / Software |
| 3 | INC Ransom | 2 | lopezlawfl.com | United States | Financial Services, Legal |
| 4 | Fulcrum | 1 | arup | United Kingdom | Professional Services |
| 5 | Krybit | 1 | Eclagestio360.com | Spain | Financial Services |
| 6 | Lapsus | 1 | Axcera.io | United Arab Emirates | Technology / Software |
| 7 | PEAR | 1 | Langenberg, strubberg, arand & king, llc | United States | Professional Services |
| 8 | Stormous | 1 | Ams-group.co.uk full data dump 33gb new | United Kingdom | Media & Entertainment |
Leak Bazaar and Lynx were the most active in ransomware activity over the last 24 hours, accounting for 17 of the 24 reported victims. Leak Bazaar focused heavily on Financial Services and Construction & Engineering firms in India and the United Kingdom. Lynx showed a broader reach, targeting Education and Technology sectors primarily in Germany and the United States. Other groups, including INC Ransom and Fulcrum, maintained a lower but persistent presence, with Fulcrum specifically affecting a UK-based professional services firm, a group whose activities we discussed in a previous report.
Victim Distribution
By Country
- United States: 13
- United Kingdom: 4
- Spain: 2
- Germany: 1
- United Arab Emirates: 1
- Taiwan: 1
- Singapore: 1
- India: 1
By Industry
- Legal Services: 2
- Financial Services: 2
- Accounting: 1
- Tourism and Hospitality: 1
- Packaging Services: 1
- Information Technology Services: 1
- Individual and Family Services: 1
- Healthcare: 1
- Food and Beverage Services: 1
- Food & Beverage: 1
The United States remains the primary target country, with over half of all victims reported today, showing a consistent focus on North American entities. While Financial Services and Legal Services had multiple incidents, the overall industry distribution points to a fragmented targeting approach, as various sectors experienced single breaches.
Ransomware News
Topline
The last 24 hours included two significant ransomware incidents affecting an Italian luxury goods manufacturer and Australian mining companies. These incidents show persistent threats to diverse industries.
Campaigns & Operations
Around May 9, 2026, Unoaerre, an Italian gold jewelry manufacturer, was hit by a ransomware attack that disrupted its operational systems. Threat actors demanded 3.8 million euros in Bitcoin for data restoration and to prevent data dissemination. Initial investigations suggest involvement from Eastern Europe and the Middle East. Around May 6, 2026, multiple Australian mining firms faced disruptions after Scope Systems, a cloud-based software provider, was breached. Northern Star Resources and Evolution Mining were among the reported targets, with the incident affecting core ERP and asset management SaaS services.
Vulnerabilities & TTPs
No new CVEs were identified in today's reporting; however, both incidents showed supply-chain risks. The Scope Systems breach revealed a cascade effect from credential theft and potential data exfiltration at a third-party provider, affecting client operations.
Analyst Note
These incidents emphasize the growing effectiveness of supply-chain targeting and the financial motivations behind current ransomware operations, particularly against established businesses.
Technical Takeaways
- Dominant Activity: Leak Bazaar and Lynx were the most active ransomware groups, responsible for 70% of new victims in the last 24 hours. This shows their current high operational tempo.
- Geographic Concentration: North America, specifically the United States, accounted for over 50% of the newly reported ransomware victims. It remains a primary target region.
- Targeted Verticals: While Financial Services and Technology / Software had concentrated attacks, the overall distribution across industries remained broad. This suggests opportunistic rather than highly specialized targeting for most groups.
- Supply Chain Exploitation: Recent news shows an ongoing focus on supply chain vulnerabilities. Ransomware groups use breaches in IT service providers to gain access to multiple downstream clients.