Ransomware Report - 05/17/2026
Statistical Overview
Victim Totals
- This month: 440
- This quarter: 1218
- Year to date: 3835
- Last 24h: 17
Quarterly Breakdown
Q1: 2622 | Q2: 1218 | Q3: 0 | Q4: 0
Ransomware activity in Q2, while still early, has already reached over 46% of Q1's total victim count, suggesting a sustained or potentially increased operational tempo from ransomware groups as the quarter progresses.
Introduction
The past 24 hours saw 17 new ransomware victims added to leak sites, showing continued pressure across various sectors. The most active groups included M3RXDLS with four reported victims, followed by Nova (RALord) and Qilin, each claiming three. Geographically, attacks were broadly distributed, with the United States and Spain registering the highest number of reported incidents, while industries such as Technology/Software and Healthcare continued to experience significant targeting.
Ransomware Summary Table
| # | Group | Victims (24h) | Sample Victims | Geos | Sectors |
|---|---|---|---|---|---|
| 1 | M3RXDLS | 4 | Dosocho.es, Grupo55.com, Psbsementi.it (+1) | Italy, Spain | Agriculture & Food, Technology / Software |
| 2 | Nova (RALord) | 3 | Baum games, Don bosco technical institute of makati, Urg oem | Philippines, South Korea | Hospitality & Travel, Education |
| 3 | Qilin | 3 | Clinica avellaneda medical center, Comercial echave turri limitada, Pnsb insurance brokers sdn bhd | Malaysia, Chile | Healthcare, Insurance |
| 4 | DragonForce | 2 | Ingelan, Plan | Spain, Isle of Man | Technology / Software, Telecommunications |
| 5 | Beast | 1 | Trivantage | United States | Retail & Ecommerce |
| 6 | CMD | 1 | holy name of jesus | United States | Nonprofit |
| 7 | INC Ransom | 1 | metaval.com.au | Australia | Professional Services |
| 8 | Lamashtu | 1 | Parleagro.com | India | Agriculture & Food |
| 9 | Termite | 1 | Https://www.ramarfoods.com/ | United States | Hospitality & Travel |
Today's ransomware activity saw M3RXDLS leading the reported victim count, showing its persistent operations primarily in Europe. Nova (RALord) and Qilin also showed significant activity, with Qilin impacting organizations across Asia and South America. DragonForce maintained its presence with targets in Europe, while other groups such as Beast, INC Ransom, and Lamashtu each claimed single victims, showing a fragmented but active threat picture. For more details into specific threat actors, review our recent analysis of M3RXDLS ransomware activity and a detailed look at Qilin ransomware activity.
Targeting today included Clinica Avellaneda Medical Center in Chile by Qilin, showing ongoing ransomware pressure on the healthcare sector in Latin America.
Victim Distribution
By Country
- United States: 4
- Spain: 3
- Romania: 1
- South Korea: 1
- Argentina: 1
- Philippines: 1
- Malaysia: 1
- Italy: 1
- Isle of Man: 1
- India: 1
By Industry
- Information Technology and Services: 2
- Gambling: 1
- Wholesale: 1
- Religious Organization: 1
- Food and Beverage Services: 1
- Insurance Brokerage: 1
- Automotive Parts Retail and E-commerce: 1
- Cosmetics Manufacturing: 1
- Healthcare: 1
- Education: 1
The concentration of attacks indicates continued targeting of the United States and European nations, with a spread across various industries. This suggests threat actors are employing opportunistic tactics rather than focusing on a single high-value sector or region, reflecting the diverse nature of recent ransomware victim updates.
Ransomware News
Topline
Grafana Labs disclosed a breach involving source code theft but rejected the associated ransom demand.
Campaigns & Operations
An attacker gained access to a portion of Grafana's GitHub environment via a compromised token, leading to the download of source code. Grafana reported no exposure of customer data or impact on customer environments and publicly refused the ransom demand, aligning with FBI guidance against payments. Remediation included revoking compromised credentials and implementing additional safeguards, with a post-incident review planned to describe further technical findings.
Vulnerabilities & TTPs
The incident was facilitated by a compromised token. Credential compromise remains a persistent initial access vector. Investigators found no evidence of customer data exposure or impact to customer environments.
Analyst Note
This incident shows the ongoing threat of data exfiltration and supply-chain risk, even when encryption is not deployed, and the complexities of managing developer environment security.
Technical Takeaways
- M3RXDLS, Nova (RALord), and Qilin collectively accounted for 10 out of 17 new victims, which shows their continued significant activity.
- Geographic targeting remains diverse, with the United States, Spain, and APAC countries (Philippines, South Korea, Malaysia, India) seeing prominent activity, as shown in the latest ransomware victims update.
- The healthcare sector, exemplified by Qilin's targeting of Clinica Avellaneda Medical Center, remains a persistent focus for ransomware groups.
- The Grafana incident shows data exfiltration without encryption as a distinct threat model, where intellectual property theft is the primary objective rather than system disruption.
- Credential compromise, as seen in the Grafana breach, continues to be a prevalent initial access vector for sophisticated threat actors.