Ransomware Report - 05/08/2026
Statistical Overview
Victim Totals
- This month: 226
- This quarter: 1005
- Year to date: 3622
- Last 24h: 26
Quarterly Breakdown
| Q1 | Q2 | Q3 | Q4 |
|---|---|---|---|
| 2622 | 1005 | 0 | 0 |
Q2 ransomware activity counts 1,005 victims, a decrease from Q1's 2,622. The year-to-date total is 3,622, with 26 new victims in the past 24 hours.
Introduction
PurpleOps recorded 26 new ransomware victims in the past 24 hours. This shows continued activity among various threat groups. LockBit was the most active group with five victims, followed by INC_Ransom (4), Akira (3), Play News (3), and Qilin (2). Attacks targeted diverse industries, affecting manufacturing, healthcare, and construction & engineering sectors, mostly in North America and parts of Asia. For more on recent trends, see our Ransomware Victims Update - May 07.
Ransomware Summary Table
| # | Group | Victims (24h) | Sample Victims | Geos | Sectors |
|---|---|---|---|---|---|
| 1 | LockBit | 5 | anser-coding.com, de.yangming.com, rhactushotel.com (+2) | Egypt, Germany | Media & Entertainment, Agriculture & Food |
| 2 | INC Ransom | 4 | autorisk.org, cmswpc.com, earthsystems.com.au earthsystemseurope.com (+1) | United States, Australia | Construction & Engineering, Healthcare |
| 3 | Akira | 3 | Greenwoods dental centre, Réseau radiologique romand, Zojirushi | Japan, Canada | Healthcare, Manufacturing |
| 4 | Play News | 3 | Accessoires outillage ltee, Ema engineering & consulting, K & e distributing | United States, Canada | Construction & Engineering, Manufacturing |
| 5 | Qilin | 2 | Exco technologies, Imex international | Thailand, Canada | Manufacturing |
| 6 | 3AM | 1 | Jetmachprod.com | United States | Manufacturing |
| 7 | Aur0ra | 1 | | United States | Real Estate |
| 8 | Bravox | 1 | Soprolux | France | Agriculture & Food |
| 9 | CMD | 1 | Zampell | United States | Construction & Engineering |
| 10 | Fulcrum | 1 | stuf | United States | Real Estate |
| 11 | Medusa Locker | 1 | Bavacai | None | Professional Services |
| 12 | Nova (RALord) | 1 | Desysweb | Peru | Telecommunications |
LockBit remained the most active group in the last 24 hours, ahead of INC_Ransom and Akira. Manufacturing, construction, and healthcare were frequent targets, showing attacks across many industries by several threat groups. The United States and Canada reported the most incidents. More on LockBit and Qilin's activities is in our Ransomware Threat Activity Update - May 01. Detailed analysis of INC_Ransom and Akira is available in our CVE-2025-5777 Ransomware Breach report.
Victim Distribution
By Country
- United States: 10
- Canada: 3
- None: 2
- Taiwan: 1
- Thailand: 1
- Australia: 1
- Switzerland: 1
- Peru: 1
- Japan: 1
- Jamaica: 1
By Industry
- Industrial Machinery & Equipment: 2
- None: 2
- Machinery Manufacturing: 1
- Software Development: 1
- Self-Storage: 1
- Real Estate: 1
- Precision Machining: 1
- Insurance: 1
- HVAC Distribution: 1
- Healthcare: 1
The United States is the primary target for ransomware attacks, with 10 reported victims. Beyond the U.S., activity spread geographically, with several countries reporting single incidents and no single industry showing overwhelming concentration in this 24-hour period.
Ransomware News
Topline
The past 24 hours brought varied ransomware developments, including data extortion claims against cybersecurity firms, nation-state false-flag operations, and several incidents affecting Japanese organizations.
Campaigns & Operations
RansomHouse, a data-extortion group, claimed a breach of cybersecurity firm Trellix, alleging access to source code and appliance management systems. Trellix confirmed unauthorized access to a portion of its source code repository but found no evidence of compromised release processes. ShinyHunters defaced the Canvas LMS portal, claiming exfiltration of 3.65TB from nearly 9,000 institutions. This group uses an extortion and credential theft model instead of encryption. In Japan, several organizations reported ransomware incidents. These include Shin-Facom Co., Ltd., F1 Corporation's contractor (with potential PII exfiltration for 285 customers), and Medica Publishing. All these incidents occurred around mid-April, and investigations into data impact are ongoing.
Vulnerabilities & TTPs
Rapid7 researchers identified Iranian MOIS-backed MuddyWater using Chaos ransomware as a false-flag cover for espionage and data theft. This operation began with Microsoft Teams social engineering to obtain VPN credentials, followed by remote management tool deployment and data leak threats. It is significant because it lacks encryption and uses ransomware tooling to obscure state-driven objectives.
Analyst Note
The activity shows more complex motivations among threat actors. They combine traditional data encryption with data exfiltration and false-flag operations to achieve various strategic goals.
Technical Takeaways
- Wider Geographic Targeting: The United States is still a primary target, but victims are spread across Canada, Japan, Australia, and parts of Europe and Latin America, showing ransomware groups target many regions.
- Established Groups Remain Active: LockBit continues its high activity, with 5 new victims, showing it persists despite ongoing law enforcement operations.
- Encryption and Extortion Threats: News items show data exfiltration and extortion (e.g., RansomHouse, ShinyHunters) are as common as traditional encryption-based ransomware, presenting substantial data breach risks.
- False-Flag Operations: MuddyWater's use of Chaos ransomware as a false flag for espionage shows advanced tactics to hide attribution and a blending of cybercrime with state-sponsored activity.
- Manufacturing Remains a Target: Manufacturing appears on multiple groups' victim lists (Akira, Play News, Qilin, 3AM), which suggests the industry continues to be vulnerable.