Ransomware Report - 05/12/2026
Statistical Overview
Victim Totals
- This month: 336
- This quarter: 1114
- Year to date: 3731
- Last 24h: 40
Quarterly Breakdown
| Q1 | Q2 | Q3 | Q4 |
|---|---|---|---|
| 2622 | 1114 | 0 | 0 |
With 40 new victims identified in the last 24 hours, Q2 activity shows sustained ransomware operations across multiple threat groups.
Introduction
The past 24 hours added 40 new ransomware victims to dedicated leak sites, indicating ongoing pressure on various sectors globally. Genesis led activity with 7 victims, followed by Qilin, Akira, CoinbaseCartel, and Lamashtu, each claiming 4 or 5 new targets. Geographic targeting remained concentrated in the United States. Industries such as Technology, Professional Services, Manufacturing, and Healthcare continued to experience impact.
Ransomware Summary Table
| # | Group | Victims (24h) | Sample Victims | Geos | Sectors |
|---|---|---|---|---|---|
| 1 | Genesis | 7 | Ben f. barcus and associates pllc, Casino gaming commission, Fargo moorhead west fargo chamber (+4) | India, United Kingdom | Technology / Software, Nonprofit |
| 2 | Qilin | 5 | Appdirect, International customer care services, Keller williams real estate - exton (+2) | Canada, United Kingdom | Manufacturing, Technology / Software |
| 3 | Akira | 4 | Kaplan companies, Manhattan broadcasting, Taylor clay products (+1) | United States | Media & Entertainment, Professional Services |
| 4 | CoinbaseCartel | 4 | Alpinion, Cass information systems, Jozef stefan institute (ijs) (+1) | Slovenia, South Korea | Professional Services, Manufacturing |
| 5 | Lamashtu | 4 | Ddu.mx, Naraya.com, Saharuang.com (+1) | Thailand, Mexico | Energy & Utilities, Healthcare |
| 6 | Aur0ra | 3 | Avanti windows & doors, Northwest handling systems, Startec group of companies | Canada, United States | Manufacturing |
| 7 | INC Ransom | 3 | Bideawee, lalsgroup.com, rbh aerospace inc | United Arab Emirates, United States | Retail & Ecommerce, Nonprofit |
| 8 | Kairos | 2 | Arwini, Ayuntamiento de valdemoro | Germany, Spain | Healthcare, Government / Public Sector |
| 9 | Brain Cipher | 1 | Ice.org.uk | United Kingdom | Nonprofit |
| 10 | Bravox | 1 | Rivadeneyra treviño ?? | Mexico | Legal |
| 11 | CMD | 1 | advanced software products group | United States | Technology / Software |
| 12 | Fulcrum | 1 | avnet | United States | Retail & Ecommerce |
Analysis of today's ransomware activity shows Genesis as the most active group, adding 7 new victims. Qilin and Akira continue to add victims, alongside CoinbaseCartel. Sector targeting is diverse, including Technology, Professional Services, and Manufacturing. Geographically, attacks were distributed across North America, Europe, and Asia.
Targets included a Casino gaming commission (listed by Genesis), the Jozef Stefan Institute (IJS), a research institute (listed by CoinbaseCartel), and the Ayuntamiento de Valdemoro, a local government (listed by Kairos). These incidents show persistent targeting of public sector and research institutions.
Victim Distribution
By Country
- United States: 22
- Mexico: 3
- United Kingdom: 3
- Spain: 2
- Canada: 2
- Thailand: 2
- Germany: 1
- India: 1
- Jamaica: 1
- Slovenia: 1
By Industry
- Real Estate: 2
- Manufacturing: 2
- Legal Services: 2
- IT Services and IT Consulting: 1
- Aviation and Aerospace Component Manufacturing: 1
- Business Process Outsourcing: 1
- Chamber of Commerce: 1
- Educational Technology: 1
- Electronics Distribution: 1
- Healthcare: 1
The United States remains the main target for ransomware operators, accounting for over half of all new victims in the last 24 hours. While industry targeting is broad, Real Estate, Manufacturing, and Legal Services experienced multiple incidents, which suggests a focus on sectors with high-value data or critical operational dependencies.
Ransomware News
Topline
A major education provider paid extortion demands, and a ransomware group's internal operations were exposed through a data leak.
Campaigns & Operations
Instructure reached a ransom agreement with ShinyHunters to prevent a 3.65TB Canvas data leak after attackers exploited a vulnerability in a support-ticket flow, siphoning 275 million records. Ahmed Al-Kadi Private Hospital in South Africa confirmed a ransomware breach encrypting a portion of its network. West Pharmaceutical Services experienced a cyberattack on May 4 that exfiltrated data and encrypted core systems, disrupting global operations. INC Ransom listed Earth Systems, an Australian environmental firm, claiming 600 GB of stolen data. Spain's Notin, an IT provider for notaries, was hit by Crypto24 ransomware, which deployed LockBit 5.0 to encrypt files and disrupt client services. The April 2026 Threat Trend Report showed broad global targeting across Manufacturing, Healthcare, and financial sectors, noting the emergence of new groups alongside active groups like Qilin and INC Ransom.
Vulnerabilities & TTPs
The Instructure incident involved exploiting a vulnerability within a free-for-teacher support-ticket flow. A data leak from The Gentlemen ransomware group exposed internal chats detailing RaaS operations, including access via compromised Fortinet edge gear, OpenConnect VPNs, extensive reconnaissance, EDR evasion, and mapping of critical infrastructure. South Staffordshire Water was fined after a nearly two-year intrusion that began with phishing and exploited weak monitoring, inadequate privileged access management, and unpatched legacy systems. The Crypto24 attack on Notin used LockBit 5.0, with access gained through stolen credentials, phishing, or exposed RDP, followed by lateral movement and data exfiltration. Overall trends in 2026 indicate a shift toward encryptionless extortion, post-quantum ransomware, and industrialized initial access via Access-as-a-Service, often using RDWeb/RDP abuse.
Analyst Note
These events show persistent reliance on known attack vectors like phishing and compromised credentials. They also demonstrate the increasing sophistication of data extortion tactics and the changing post-exploitation tradecraft documented in internal leaks.
Technical Takeaways
- The United States consistently experiences the highest volume of ransomware attacks. This shows a continued focus on the region by threat groups.
- Threat groups like INC Ransom, Genesis, and Crypto24 (LockBit 5.0) frequently use double-extortion tactics, combining data exfiltration with encryption to maximize pressure on victims.
- Recent analysis shows a shift toward encryptionless extortion and the industrialization of initial access through Access-as-a-Service models, often using RDWeb/RDP abuse.
- Internal leaks from ransomware groups, such as The Gentlemen, provide critical insights into their operational methods, including reconnaissance, EDR evasion, and how they structure affiliates.
- Critical infrastructure and public sector organizations remain high-value targets, as shown by incidents affecting a Casino gaming commission and local government organizations.