Ransomware Report - 05/03/2026
Statistical Overview
Victim Totals
- This month: 60
- This quarter: 817
- Year to date: 3435
- Last 24h: 13
Quarterly Breakdown
| Q1 | Q2 | Q3 | Q4 |
|---|---|---|---|
| 2622 | 817 | 0 | 0 |
Ransomware activity continues with 13 new victims in the last 24 hours, bringing the total to 60 victims this month. Q2 figures currently trail Q1's high volume, but sustained daily operations show that threat actors continue to apply pressure across various sectors, as detailed in our Breach Detection Report for May 3rd.
Introduction
In the past 24 hours, ransomware activity saw 13 new victims posted to leak sites. The Qilin group was active, accounting for six of these incidents, followed by M3RXDLS and SLSH. Targeting primarily concentrated on the United States, with Canada and Germany also affected. The technology and financial technology sectors bore the brunt of these attacks, alongside other industries.
Ransomware Summary Table
| # | Group | Victims (24h) | Sample Victims | Geos | Sectors |
|---|---|---|---|---|---|
| 1 | Qilin | 6 | Admins, Armstrong George Cohen Will Ophthalmology, Lsm Lee (+3) | United States, Canada | Media & Entertainment, Technology / Software |
| 2 | M3RXDLS | 3 | emtco.com, it-freitag.de, manateeair.com | United States, Germany | Construction & Engineering, Technology / Software |
| 3 | SLSH | 2 | Cushman & Wakefield Inc., Instructure Holdings, Inc. (canva lms, instructure.com) | United States | Technology / Software, Real Estate |
| 4 | Everest | 1 | Fiserv | United States | Technology / Software |
| 5 | MNT6 | 1 | Photonic | Canada | Technology / Software |
Today's activity was led by Qilin, responsible for nearly half of all reported incidents. Previous analyses, such as our Ransomware Threat Activity Update on May 1st, show Qilin continues to target broadly across North America. M3RXDLS also showed activity, impacting technology and construction firms, aligning with previous observations detailed in our M3RXDLS Ransomware Threat Activity report from April 26th. The Everest group attacked Fiserv, a major financial technology corporation in the United States, an incident that shows persistent pressure on critical financial infrastructure.
Victim Distribution
By Country
- United States: 10
- Canada: 2
- Germany: 1
By Industry
- Construction: 1
- Quantum Computing: 1
- Information Technology: 1
- Architectural Signage Design and Fabrication: 1
- Educational Technology: 1
- Financial Technology: 1
- Healthcare: 1
- HVAC Services: 1
- Manufacturing - Custom Machinery: 1
- Newspaper Publishing: 1
The United States remains the primary target, accounting for most of today's ransomware victims. While a range of industries were impacted, the concentration of attacks within various technology sub-sectors (Information Technology, Educational Technology, Financial Technology, Quantum Computing) shows these entities hold continued high value for ransomware operators.
Ransomware News
Topline
A critical cPanel/WHM authentication bypass vulnerability, CVE-2026-41940, has been under mass exploitation in the wild, leading to widespread "Sorry" ransomware attacks.
Campaigns & Operations
The "Sorry" ransomware campaign has actively used a critical cPanel/WHM flaw, CVE-2026-41940, for mass exploitation since February. Attackers breached servers and deployed a Go-based Linux encryptor, appending the .sorry extension to encrypted files. Victims are directed to a Tox-based chat for negotiation, with Shadowserver identifying approximately 44,000 affected IP addresses.
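For responders checking a host against this campaign, the following added example (not part of the original report) walks a directory tree, counts files carrying the `.sorry` extension per top-level directory, and derives the earliest and latest modification times among them as a starting window for log review. It assumes account data sits in top-level directories under the scanned root; the sample tree and its timestamps are constructed, and file mtimes can be altered, so treat the window as a lead rather than proof.

```python
import os
import stat
import tempfile
from datetime import datetime, timezone

SUFFIX = ".sorry"  # extension the report says the encryptor appends


def triage(root):
    """Per top-level directory under root: count regular files and .sorry
    files, and track the earliest/latest mtime among the .sorry files."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):  # symlinked dirs are not followed
        rel = os.path.relpath(dirpath, root)
        bucket = "." if rel == "." else rel.split(os.sep)[0]
        for name in files:
            try:
                st = os.lstat(os.path.join(dirpath, name))
            except OSError:
                continue  # file vanished or is unreadable; skip it
            if not stat.S_ISREG(st.st_mode):
                continue  # ignore symlinks, sockets, devices
            rec = out.setdefault(bucket, {"total": 0, "hit": 0, "first": None, "last": None})
            rec["total"] += 1
            if name.endswith(SUFFIX):
                rec["hit"] += 1
                rec["first"] = st.st_mtime if rec["first"] is None else min(rec["first"], st.st_mtime)
                rec["last"] = st.st_mtime if rec["last"] is None else max(rec["last"], st.st_mtime)
    return out


def window(summary):
    """Overall (first, last) .sorry mtime as UTC ISO strings, or None if clean."""
    hits = [r for r in summary.values() if r["hit"]]
    if not hits:
        return None
    iso = lambda t: datetime.fromtimestamp(t, timezone.utc).isoformat()
    return iso(min(r["first"] for r in hits)), iso(max(r["last"] for r in hits))


def demo():
    """Constructed sample: two account directories, one of them encrypted."""
    sample = {"alice/index.php.sorry": 1_700_000_000, "alice/db/dump.sql.sorry": 1_700_000_090,
              "alice/.htaccess": 1_650_000_000, "bob/index.php": 1_600_000_000}
    with tempfile.TemporaryDirectory() as root:
        for rel, mtime in sample.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "wb").close()
            os.utime(path, (mtime, mtime))
        summary = triage(root)
        return summary, window(summary)
```

A directory where `hit` is close to `total` was encrypted almost entirely; one with a low ratio may have been interrupted mid-run or only partially reachable by the encryptor.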
Vulnerabilities & TTPs
The campaign exploits CVE-2026-41940, an authentication bypass vulnerability within cPanel/WHM. The flaw gives attackers initial access to the server, which they then use to deploy the encryptor and extort the victim.
Analyst Note
This incident shows a persistent threat actor strategy involving the mass exploitation of critical vulnerabilities in widely adopted enterprise software for initial access.
Technical Takeaways
- Qilin continues to be a very active ransomware group, diversifying its targeting across sectors like Media & Entertainment and Technology/Software in North America.
- The exploitation of CVE-2026-41940 in cPanel/WHM by the "Sorry" ransomware campaign shows a focus on mass exploitation of critical, widely used software for initial access.
- The targeting of Fiserv by Everest shows ongoing threats specifically directed at the financial technology sector, which handles sensitive data and critical infrastructure.
- Technology-related industries, broadly defined, consistently remain the most frequent targets, showing their perceived value and potential vulnerability.
- Activity includes both very active, established groups (Qilin) and emerging or less frequently observed groups (M3RXDLS, SLSH), which shows dynamic threat actor activity.
FAQ
Q: Which ransomware groups were most active in the last 24 hours?
The Qilin ransomware group was the most active in the past 24 hours, publicly claiming six new victims. Following Qilin, M3RXDLS announced three new victims, and SLSH listed two.
Q: What industries were most affected by ransomware today?
The technology sector, encompassing information technology, educational technology, financial technology, and quantum computing, was most affected today. Other affected industries included construction, healthcare, real estate, and manufacturing.
Q: What countries saw the highest ransomware victim count on 05/03/2026?
The United States recorded the highest number of ransomware victims in the last 24 hours, with 10 incidents. Canada followed with two victims, and Germany reported one.
Q: Was any new vulnerability exploited by ransomware in the last 24 hours?
Yes, a critical cPanel/WHM authentication bypass flaw, identified as CVE-2026-41940, has been mass-exploited by the "Sorry" ransomware group since February. This vulnerability allowed attackers to breach servers and deploy their Linux encryptor.
Q: Were there any high-profile ransomware victims today?
Yes, Fiserv, a major financial technology provider in the United States, was listed as a victim by the Everest ransomware group. This is a high-value target due to its critical role in financial infrastructure.