Ransomware Report - 05/11/2026
Statistical Overview
Victim Totals
- This month: 296
- This quarter: 1074
- Year to date: 3691
- Last 24h: 12
Quarterly Breakdown
| Q1 | Q2 | Q3 | Q4 |
|---|---|---|---|
| 2622 | 1074 | 0 | 0 |
The second quarter shows consistent ransomware activity, with 12 new victims reported in the last 24 hours. While Q2's cumulative total remains lower than Q1, the daily pace suggests pressure across various sectors.
Introduction
In the past 24 hours, PurpleOps observed 12 new ransomware victims, showing persistent threat activity. Akira and Interlock were the most active groups, each claiming three victims, followed by Medusa Locker with two. Attacks primarily impacted the United States, with sectors like Construction & Engineering, Hospitality & Travel, and Manufacturing experiencing incidents.
Ransomware Summary Table
| # | Group | Victims (24h) | Sample Victims | Geos | Sectors |
|---|---|---|---|---|---|
| 1 | Akira | 3 | Circle u foods, Clarkson walsh & coulter, Nijborg staal | United States, Netherlands | Construction & Engineering, Hospitality & Travel |
| 2 | Interlock | 3 | Kent district library, Park dental research, Waterford hotel group | United States | Hospitality & Travel, Government / Public Sector |
| 3 | Medusa Locker | 2 | Bapamai, Bauarai | United States, China | Technology / Software, Manufacturing |
| 4 | 3AM | 1 | Jastrebarsko.hr | Croatia | Professional Services |
| 5 | AiLock | 1 | Accretech america inc. | United States | Technology / Software |
| 6 | Nitrogen | 1 | FOXCONN | Taiwan | Manufacturing |
| 7 | SLSH | 1 | Notification | None | Professional Services |
Akira and Interlock were the most active groups over the last 24 hours, each claiming three victims, predominantly in the United States. Akira focused on Construction & Engineering and Hospitality, while Interlock impacted the Kent District Library, showing continued targeting of the Government / Public Sector. Medusa Locker, which has a distinct RaaS model and specific TTPs detailed in our analysis of Medusa Locker's exploitation tactics, added two victims in Technology/Software and Manufacturing. Nitrogen targeting FOXCONN in Taiwan was another high-value breach, showing pressure on critical manufacturing and electronics supply chains.
Victim Distribution
By Country
- United States: 7
- China: 1
- Croatia: 1
- Netherlands: 1
- None: 1
- Taiwan: 1
By Industry
- None: 2
- Machinery Manufacturing: 1
- Steel Construction: 1
- Electronics Manufacturing: 1
- Food and Beverage Services: 1
- Hospitality Management: 1
- Legal Services: 1
- Medical Equipment Manufacturing: 1
- Public Library System: 1
- Semiconductor Manufacturing Equipment: 1
The United States remains the primary target, accounting for most new ransomware victims. Industry targeting is diversified, but a concentration is observed in Manufacturing, particularly Electronics and Semiconductor sectors, alongside Hospitality and Government/Public Services.
Ransomware News
Topline
The past 24 hours included several ransomware-related developments, such as critical application exploitation, new social engineering tactics, and the emergence of new threat groups.
Campaigns & Operations
Instructure confirmed the exploitation of multiple cross-site scripting (XSS) flaws in its Canvas platform. This led to admin session hijacking, portal defacement, and significant data exfiltration, impacting over 8,800 institutions. Separately, the MuddyWater APT group used Microsoft Teams external chat requests for credential theft and MFA bypass, often masquerading as "Chaos ransomware" to hide its espionage objectives. In Japan, JR Tokai Takashimaya and pharmaceutical wholesaler Marutake Co., Ltd. reported separate ransomware incidents on May 1 and April 28, respectively. Both involved unauthorized access, system encryption, and likely double-extortion tactics; Marutake's incident is expected to require substantial restoration time. The newly identified M3rx ransomware group claimed Australian toy distributor KB Toys, exfiltrating 140 GB of data and listing 15 victims in total. An interview with MedusaLocker further detailed its long-running RaaS model, financially motivated targeting, and use of distinct victim-identifying extensions such as BAGAJAI and BARADAI.
Vulnerabilities & TTPs
Exploitation of multiple XSS flaws in the Canvas platform enabled initial access and data exfiltration in the Instructure breach. MuddyWater APT used advanced social engineering via Microsoft Teams to trick victims into sharing credentials and enabling MFA bypass, employing a multi-stage payload and dual remote access tools. The M3rx ransomware payload is identified as a PE32+ x64 Go binary, using X25519 for key exchange, AES-CTR for file content, and AES-GCM for per-file key wrapping. These varied tactics show that organizations need to address critical vulnerabilities as well as ransomware breaches.
Analyst Note
These events show the persistent prevalence of double-extortion tactics and a diversified threat environment marked by opportunistic exploitation of application flaws, sophisticated social engineering, and the continued emergence of new ransomware groups.
Technical Takeaways
- The United States remains the primary geographic target for ransomware attacks.
- Critical manufacturing sectors, including Electronics and Semiconductors (e.g., FOXCONN), are under sustained pressure.
- Adversaries are actively exploiting web application vulnerabilities, such as XSS flaws in enterprise platforms like Canvas, for initial access and data exfiltration.
- Social engineering via collaboration platforms like Microsoft Teams is an evolving tactic for credential theft and MFA bypass, sometimes used to mask espionage.
- New ransomware groups, such as M3rx, continue to emerge, introducing new tooling (Go binaries) and crypto implementations (X25519, AES-CTR, AES-GCM).
- The Akira ransomware group remains active; a detailed analysis of Akira's TTPs is available.