Ransomware Report - 05/13/2026
Statistical Overview
Victim Totals
- This month: 364
- This quarter: 1142
- Year to date: 3759
- Last 24h: 30
Quarterly Breakdown
| Q1 | Q2 | Q3 | Q4 |
|---|---|---|---|
| 2622 | 1142 | 0 | 0 |
Q2 activity maintains a strong pace, accumulating 1142 victims to date. The 30 new victims in the last 24 hours show continued activity, contributing to a year-to-date total of 3759 incidents. For more on Q2 trends, refer to our Q2 Ransomware Threat Activity Update.
Introduction
Ransomware activity recorded 30 new victims in the last 24 hours, maintaining a consistent pace. The_Gentelman was the most active group, responsible for a third of today's breaches, followed closely by Play News. Targeting focused on the Construction & Engineering and Financial Services sectors, with the United States remaining the primary geographic target.
Ransomware Summary Table
| # | Group | Victims (24h) | Sample Victims | Geos | Sectors |
|---|---|---|---|---|---|
| 1 | The Gentelman | 10 | Amstel securities, Dodson & horrell, Electroban sae (+7) | United States, Singapore | Financial Services, Construction & Engineering |
| 2 | Play News | 7 | Acc construction, Ashcroft homes, Durand-wayland (+4) | Canada, United States | Construction & Engineering, Technology / Software |
| 3 | Akira | 2 | Allele diagnostics, Institute of private enterprise development | Guyana, United States | Pharmaceuticals & Biotech, Financial Services |
| 4 | LeakedData | 2 | Marshall dennehey, Porter wright | United States | Legal |
| 5 | Payload | 2 | Gorey community school, Inteceng.com.my (+ tsksynergy.com.my + amemanufacturing.com.my + woodnova.com.my) | Ireland, Malaysia | Education, Manufacturing |
| 6 | Qilin | 2 | Sheriff, The gravity group | Ukraine, United States | Professional Services, Manufacturing |
| 7 | Anubis | 1 | A.r.ge.co | France | Professional Services |
| 8 | CoinbaseCartel | 1 | Buenos aires software | Argentina | Technology / Software |
| 9 | Medusa Locker | 1 | Baraaai | Kenya | Technology / Software |
| 10 | PayoutsKing | 1 | Ntn bearing corporation of america | United States | Manufacturing |
| 11 | World Leaks | 1 | Bestat pharmaservices corp. | Taiwan | Pharmaceuticals & Biotech |
Today's activity shows The_Gentelman and Play News as the most prolific groups, collectively responsible for 17 of the 30 new incidents. Their targeting shows a strong emphasis on Financial Services and Construction & Engineering across North America and parts of Asia. Akira and LeakedData also contributed to the day's victim count, impacting pharmaceuticals and legal sectors respectively. The geographical spread remains diverse, with a concentration in the United States.
Q: Where were ransomware victims located geographically and by industry today?
The United States recorded the highest number of new ransomware victims, with activity distributed across various industries including Manufacturing and Financial Services.
By Country
- United States: 12
- Qatar: 2
- Tunisia: 1
- United Kingdom: 1
- Ukraine: 1
- Argentina: 1
- Thailand: 1
- Taiwan: 1
- Singapore: 1
- Paraguay: 1
By Industry
- Manufacturing: 2
- Financial Services: 2
- Automotive Manufacturing: 1
- Transportation: 1
- Retail Technology: 1
- Machinery Manufacturing: 1
- Legal Services: 1
- Law Practice: 1
- Food Service Distribution: 1
- Construction Management: 1
The United States continues to experience the most ransomware attacks, accounting for 40% of today's observed victims. While Manufacturing and Financial Services show a slight uptick, the overall distribution across industries remains fragmented, indicating opportunistic rather than highly specialized targeting in the last 24 hours.
Ransomware News
Topline
Ransomware operations continue to impact diverse sectors, with activity from established groups and new attacks on major corporations across technology and healthcare.
Campaigns & Operations
The_Gentelman ransomware group's operations use infostealer credential logs, mining OWA/M365 data and breach search engines for initial access. This aligns with trends of credential use observed with groups like Coinbase Cartel. A full overview of their tactics is available in our latest ransomware threat activity report.

In North America, Nitrogen ransomware claimed an attack on Foxconn, reportedly exfiltrating 8 TB of sensitive data from factories, marking another incident for the manufacturing giant. Separately, West Pharmaceutical Services disclosed a ransomware incident impacting critical systems, now under investigation by Palo Alto Networks Unit 42, showing ongoing risks to the healthcare industry. In the education sector, Instructure reached a deal with ShinyHunters following a Canvas platform breach that exposed user data, while Japan's Hokuyo Corporation reported a resolved ransomware infection from late March.
Vulnerabilities & TTPs
The emphasis that groups like The_Gentelman place on infostealer credential logs reflects a persistent initial access vector: compromised employee logins are prioritized as the way into the network.
Analyst Note
These incidents collectively show the persistent threat of data exfiltration and business disruption across critical sectors, often facilitated by credential-based initial access.
Technical Takeaways
- Credential-based Initial Access: The_Gentelman group's documented reliance on infostealer credential logs for initial access reflects a TTP that is pervasive in current ransomware operations.
- Data Exfiltration Focus: Multiple incidents, including Nitrogen's attack on Foxconn (8 TB exfiltrated) and West Pharmaceutical Services, confirm data exfiltration as a primary ransomware objective alongside encryption.
- Targeting Diversification: While the United States remains a primary target, the distribution across countries like Singapore, Ireland, Malaysia, and Ukraine indicates a broad, opportunistic targeting approach.
- Persistent Sectoral Risk: The observed breaches in Financial Services, Manufacturing, Education, and Pharmaceuticals show the continued vulnerability of diverse critical and enterprise sectors to ransomware.