Ransomware Report - 05/17/2026

Statistical Overview

Victim Totals

  • This month: 440
  • This quarter: 1218
  • Year to date: 3835
  • Last 24h: 17

Quarterly Breakdown

Q1: 2622 | Q2: 1218 | Q3: 0 | Q4: 0

Ransomware activity in Q2, while still early, has already reached over 46% of Q1's total victim count, suggesting a sustained or potentially increased operational tempo from ransomware groups as the quarter progresses.

Introduction

The past 24 hours saw 17 new ransomware victims added to leak sites, showing continued pressure across various sectors. The most active groups included M3RXDLS with four reported victims, followed by Nova (RALord) and Qilin, each claiming three. Geographically, attacks were broadly distributed, with the United States and Spain registering the highest number of reported incidents, while industries such as Technology/Software and Healthcare continued to experience significant targeting.

Ransomware Summary Table

#GroupVictims (24h)Sample VictimsGeosSectors
1M3RXDLS4Dosocho.es, Grupo55.com, Psbsementi.it (+1)Italy, SpainAgriculture & Food, Technology / Software
2Nova (RALord)3Baum games, Don bosco technical institute of makati, Urg oemPhilippines, South KoreaHospitality & Travel, Education
3Qilin3Clinica avellaneda medical center, Comercial echave turri limitada, Pnsb insurance brokers sdn bhdMalaysia, ChileHealthcare, Insurance
4DragonForce2Ingelan, PlanSpain, Isle of ManTechnology / Software, Telecommunications
5Beast1TrivantageUnited StatesRetail & Ecommerce
6CMD1holy name of jesusUnited StatesNonprofit
7INC Ransom1metaval.com.auAustraliaProfessional Services
8Lamashtu1Parleagro.comIndiaAgriculture & Food
9Termite1Https://www.ramarfoods.com/United StatesHospitality & Travel

Today's ransomware activity saw M3RXDLS leading the reported victim count, showing its persistent operations primarily in Europe. Nova (RALord) and Qilin also showed significant activity, with Qilin impacting organizations across Asia and South America. DragonForce maintained its presence with targets in Europe, while other groups such as Beast, INC Ransom, and Lamashtu each claimed single victims, showing a fragmented but active threat picture. For more details into specific threat actors, review our recent analysis of M3RXDLS ransomware activity and a detailed look at Qilin ransomware activity.

Targeting today included Clinica Avellaneda Medical Center in Chile by Qilin, showing ongoing ransomware pressure on the healthcare sector in Latin America.

Victim Distribution

By Country

  • United States: 4
  • Spain: 3
  • Romania: 1
  • South Korea: 1
  • Argentina: 1
  • Philippines: 1
  • Malaysia: 1
  • Italy: 1
  • Isle of Man: 1
  • India: 1

By Industry

  • Information Technology and Services: 2
  • Gambling: 1
  • Wholesale: 1
  • Religious Organization: 1
  • Food and Beverage Services: 1
  • Insurance Brokerage: 1
  • Automotive Parts Retail and E-commerce: 1
  • Cosmetics Manufacturing: 1
  • Healthcare: 1
  • Education: 1

The concentration of attacks indicates continued targeting of the United States and European nations, with a spread across various industries. This suggests threat actors are employing opportunistic tactics rather than focusing on a single high-value sector or region, reflecting the diverse nature of recent ransomware victim updates.

Ransomware News

Topline

Grafana Labs disclosed a breach involving source code theft but rejected the associated ransom demand.

Campaigns & Operations

An attacker gained access to a portion of Grafana's GitHub environment via a compromised token, leading to the download of source code. Grafana reported no exposure of customer data or impact on customer environments and publicly refused the ransom demand, aligning with FBI guidance against payments. Remediation included revoking compromised credentials and implementing additional safeguards, with a post-incident review planned to describe further technical findings.

Vulnerabilities & TTPs

The incident was facilitated by a compromised token. Credential compromise remains a persistent initial access vector. Investigators found no evidence of customer data exposure or impact to customer environments.

Analyst Note

This incident shows the ongoing threat of data exfiltration and supply-chain risk, even when encryption is not deployed, and the complexities of managing developer environment security.

Technical Takeaways

  • M3RXDLS, Nova (RALord), and Qilin collectively accounted for 10 out of 17 new victims, which shows their continued significant activity.
  • Geographic targeting remains diverse, with the United States, Spain, and APAC countries (Philippines, South Korea, Malaysia, India) seeing prominent activity, as shown in the latest ransomware victims update.
  • The healthcare sector, exemplified by Qilin's targeting of Clinica Avellaneda Medical Center, remains a persistent focus for ransomware groups.
  • The Grafana incident shows data exfiltration without encryption as a distinct threat model, where intellectual property theft is the primary objective rather than system disruption.
  • Credential compromise, as seen in the Grafana breach, continues to be a prevalent initial access vector for sophisticated threat actors.