Ransomware Report - 05/08/2026

Statistical Overview

Victim Totals

  • This month: 226
  • This quarter: 1005
  • Year to date: 3622
  • Last 24h: 26

Quarterly Breakdown

  • Q1: 2622
  • Q2: 1005
  • Q3: 0
  • Q4: 0

Q2 ransomware activity counts 1,005 victims, a decrease from Q1's 2,622. The year-to-date total is 3,622, with 26 new victims in the past 24 hours.

Introduction

PurpleOps recorded 26 new ransomware victims in the past 24 hours. This shows continued activity among various threat groups. LockBit was the most active group with five victims, followed by INC_Ransom (4), Akira (3), Play News (3), and Qilin (2). Attacks targeted diverse industries, affecting manufacturing, healthcare, and construction & engineering sectors, mostly in North America and parts of Asia. For more on recent trends, see our Ransomware Victims Update - May 07.

Ransomware Summary Table

# | Group | Victims (24h) | Sample Victims | Geos | Sectors
--- | --- | --- | --- | --- | ---
1 | LockBit | 5 | anser-coding.com, de.yangming.com, rhactushotel.com (+2) | Egypt, Germany | Media & Entertainment, Agriculture & Food
2 | INC Ransom | 4 | autorisk.org, cmswpc.com, earthsystems.com.au earthsystemseurope.com (+1) | United States, Australia | Construction & Engineering, Healthcare
3 | Akira | 3 | Greenwoods dental centre, Réseau radiologique romand, Zojirushi | Japan, Canada | Healthcare, Manufacturing
4 | Play News | 3 | Accessoires outillage ltee, Ema engineering & consulting, K & e distributing | United States, Canada | Construction & Engineering, Manufacturing
5 | Qilin | 2 | Exco technologies, Imex international | Thailand, Canada | Manufacturing
6 | 3AM | 1 | Jetmachprod.com | United States | Manufacturing
7 | Aur0ra | 1 | | United States | Real Estate
8 | Bravox | 1 | Soprolux ?? | France | Agriculture & Food
9 | CMD | 1 | Zampell | United States | Construction & Engineering
10 | Fulcrum | 1 | stuf | United States | Real Estate
11 | Medusa Locker | 1 | Bavacai | None | Professional Services
12 | Nova (RALord) | 1 | Desysweb | Peru | Telecommunications

LockBit remained the most active group in the last 24 hours, ahead of INC_Ransom and Akira. Manufacturing, construction, and healthcare were frequent targets, showing attacks across many industries by several threat groups. The United States and Canada reported the most incidents. More on LockBit and Qilin's activities is in our Ransomware Threat Activity Update - May 01. Detailed analysis of INC_Ransom and Akira is available in our CVE-2025-5777 Ransomware Breach report.

Victim Distribution

By Country

  • United States: 10
  • Canada: 3
  • None: 2
  • Taiwan: 1
  • Thailand: 1
  • Australia: 1
  • Switzerland: 1
  • Peru: 1
  • Japan: 1
  • Jamaica: 1

By Industry

  • Industrial Machinery & Equipment: 2
  • None: 2
  • Machinery Manufacturing: 1
  • Software Development: 1
  • Self-Storage: 1
  • Real Estate: 1
  • Precision Machining: 1
  • Insurance: 1
  • HVAC Distribution: 1
  • Healthcare: 1

The United States is the primary target for ransomware attacks, with 10 reported victims. Beyond the U.S., activity spread geographically, with several countries reporting single incidents and no single industry showing overwhelming concentration in this 24-hour period.

Ransomware News

Topline

The past 24 hours brought varied ransomware developments, including data extortion claims against cybersecurity firms, nation-state false-flag operations, and several incidents affecting Japanese organizations.

Campaigns & Operations

RansomHouse, a data-extortion group, claimed a breach of cybersecurity firm Trellix, alleging access to source code and appliance management systems. Trellix confirmed unauthorized access to a portion of its source code repository but found no evidence of compromised release processes. ShinyHunters defaced the Canvas LMS portal, claiming exfiltration of 3.65TB from nearly 9,000 institutions. This group uses an extortion and credential theft model instead of encryption. In Japan, several organizations reported ransomware incidents. These include Shin-Facom Co., Ltd., F1 Corporation's contractor (with potential PII exfiltration for 285 customers), and Medica Publishing. All these incidents occurred around mid-April, and investigations into data impact are ongoing.

Vulnerabilities & TTPs

Rapid7 researchers identified Iranian MOIS-backed MuddyWater using Chaos ransomware as a false-flag cover for espionage and data theft. This operation began with Microsoft Teams social engineering to obtain VPN credentials, followed by remote management tool deployment and data leak threats. It is significant because it lacks encryption and uses ransomware tooling to obscure state-driven objectives.

Analyst Note

The activity shows more complex motivations among threat actors. They combine traditional data encryption with data exfiltration and false-flag operations to achieve various strategic goals.

Technical Takeaways

  • Wider Geographic Targeting: The United States is still a primary target, but victims are spread across Canada, Japan, Australia, and parts of Europe and Latin America, showing ransomware groups target many regions.
  • Established Groups Remain Active: LockBit continues its high activity, with 5 new victims, showing it persists despite ongoing law enforcement operations.
  • Encryption and Extortion Threats: News items show data exfiltration and extortion (e.g., RansomHouse, ShinyHunters) are as common as traditional encryption-based ransomware, presenting substantial data breach risks.
  • False-Flag Operations: MuddyWater's use of Chaos ransomware as a false flag for espionage is an advanced tactic that hides attribution and blends cybercrime with state-sponsored activity.
  • Manufacturing Remains a Target: Manufacturing appears on multiple groups' victim lists (Akira, Play News, Qilin, 3AM), which suggests the industry continues to be vulnerable.