Ransomware Report - 05/05/2026

Statistical Overview

Victim Totals

  • This month: 97
  • This quarter: 854
  • Year to date: 3472
  • Last 24h: 30

Quarterly Breakdown

  • Q1: 2622
  • Q2: 854
  • Q3: 0
  • Q4: 0

Q2 activity continues to add to the year-to-date total, with 854 victims this quarter and 3472 year to date, indicating a consistent threat level. For more on recent activity, see our latest ransomware victims report.

Introduction

In the past 24 hours, 30 new ransomware victims were reported across various leak sites. Qilin reported 8 new victims, SafePay 6, and INC_Ransom 3, leading the activity. The United States remained the primary geographic target. Financial services and professional services sectors were significantly targeted, along with retail.

Ransomware Summary Table

# | Group | Victims (24h) | Sample Victims | Geos | Sectors
1 | Qilin | 8 | Ahorramas, Cushman & wakefield, Foxstone financial (+5) | Spain, Ukraine | Financial Services, Legal
2 | SafePay | 6 | Bootstransport.ca, Dahlgrenscement.se, Fital-treppenlifte.de (+3) | Sweden, Japan | Professional Services, Government / Public Sector
3 | INC Ransom | 3 | EXPEDITOR, childplace.org, sanver.com.mx | United States, Mexico | Nonprofit, Retail & Ecommerce
4 | Akira | 2 | Pipestone, Punch & associates investment management | United States | Financial Services, Agriculture & Food
5 | Chaos | 2 | Vacaero.com, Www.cswindustrials.com | United States, Canada | Manufacturing
6 | SLSH | 2 | Adelante soluciones financieras (addi.com), Entire list of affected schools by instructure breach | United States, Colombia | Financial Services, Technology / Software
7 | Everest | 1 | Studio marchi - studio professionale associato | Italy | Professional Services
8 | Krybit | 1 | Foodsmart.com.do | Dominican Republic | Agriculture & Food
9 | Lamashtu | 1 | Grandhomemart.com | Thailand | Retail & Ecommerce
10 | MS13-089 | 1 | Brittanyresidential.com (usa, ohio) | United States | Nonprofit
11 | PEAR | 1 | Morning star tours | United States | Hospitality & Travel
12 | Securotop | 1 | Thompson builders corporation | United States | Construction & Engineering

Qilin was the most active group, primarily targeting financial services and legal sectors across Spain and Ukraine. SafePay was also active, affecting professional services and government entities in Sweden and Japan. The United States remains a focal point for groups like INC Ransom, Akira, and Chaos, showing a diverse range of targets. Qilin notably targeted the Standard-Examiner today, as reported in recent news, which may indicate a focus on media entities. The Everest Group's claims regarding Liberty Mutual data also point to ongoing pressure on large insurers, though Liberty Mutual attributes this to a third-party vendor incident. For more on active groups like Qilin, SafePay, Akira, and INC_Ransom, see our daily ransomware reports.

Victim Distribution

By Country

  • United States: 15
  • Canada: 2
  • Italy: 2
  • Ukraine: 1
  • Thailand: 1
  • Sweden: 1
  • Spain: 1
  • Portugal: 1
  • Mexico: 1
  • Japan: 1

By Industry

  • Law Firms & Legal Services: 2
  • Construction: 2
  • Home Improvement & Hardware Retail: 2
  • Automotive: 1
  • Specialty Industrial Machinery: 1
  • Social Services: 1
  • Religious Travel and Tourism: 1
  • Real Estate: 1
  • Non-Profit & Charitable Organizations: 1
  • Investment Management: 1

The United States remains the predominant target, accounting for half of the reported victims in the last 24 hours. Industry distribution is fragmented, with legal services, construction, and retail showing slightly higher victim counts. This suggests opportunistic targeting across various small to medium-sized enterprises.

Ransomware News

Ransomware activity today includes new attacks, significant data leaks, exploitation of a critical vulnerability, and law enforcement action against an extortion group. Rootboy conducted a three-week assault on Standard Bank (South Africa) and Liberty, exfiltrating 1.2 TB of data and over 154 million SQL rows. In Germany, 4SELLERS, an e-commerce solutions provider, experienced a targeted ransomware attack. Champion Homes (Sydney) confirmed a cyber event linked to the DragonForce ransomware operation, resulting in a 44-gigabyte dataset published to the dark web. The Everest Group began leaking what it claims is 108 GB of Liberty Mutual data, following an alleged failure to meet demands, though Liberty Mutual attributes this to a third-party vendor incident. The Qilin ransomware group listed STANDARD-EXAMINER on its leak site after the paper reported production difficulties. Separately, the VENOMOUS#HELPER phishing campaign impacted over 80 organizations, mainly in the U.S., deploying SimpleHelp RMM via compromised domains. On the law enforcement side, Latvian national Deniss Zolotarjovs, a Karakurt extortion negotiator, was sentenced to 8.5 years for conspiracy to commit wire fraud and money laundering, marking the first U.S. sentencing of a Karakurt member.

A critical authentication-bypass flaw, CVE-2026-41940 in cPanel/WHM/WP Squared, was weaponized within hours of disclosure, leading to botnet deployment and ransomware encrypting files with a .sorry extension. Progress Software patched two critical vulnerabilities in MOVEit Automation: CVE-2026-4670 (authentication bypass) and CVE-2026-5174 (privilege escalation). New intelligence details how infostealers act as a major initial attack vector that fuels ransomware campaigns. For more details on Qilin activity and cPanel vulnerabilities, see our report from May 3rd.

Technical Takeaways

  • Broadened Initial Access: The VENOMOUS#HELPER phishing campaign's use of dual-channel RMM tools (SimpleHelp and ScreenConnect) reflects initial access broker tactics designed for redundancy and evasion.
  • Rapid CVE Exploitation: The weaponization of CVE-2026-41940 in cPanel/WHM/WP Squared within hours of disclosure underlines the urgency of patch deployment, especially for critical authentication bypass flaws.
  • Infostealer Nexus: New intelligence confirms infostealers as a significant initial attack vector for ransomware, underlining the importance of credential intelligence in preventing attacks.
  • Diverse Sector Targeting by Top Groups: Qilin and SafePay showed broad targeting across financial services, legal, professional services, and government sectors, indicating a non-discriminatory approach to victim selection.
  • Third-Party Risk: Multiple incidents, including the alleged Liberty Mutual data leak linked to a third-party vendor, emphasize the challenge of managing supply chain risk.

FAQ

Q: Which ransomware groups were most active in the last 24 hours?

Qilin was the most active group with 8 new victims, followed by SafePay with 6 victims, and INC_Ransom with 3 victims. Akira and Chaos each reported 2 new victims.

Q: What geographic regions experienced the most ransomware attacks today?

The United States was the most targeted country, accounting for 15 of the 30 new victims. Canada, Italy, Ukraine, Thailand, Sweden, Spain, Portugal, Mexico, and Japan each saw 1 to 2 reported incidents.

Q: Which industries were most frequently targeted by ransomware in this period?

Industry targeting was diverse, with Law Firms & Legal Services, Construction, and Home Improvement & Hardware Retail each reporting 2 victims. Other industries such as Automotive, Financial Services, and Non-Profit Organizations also experienced attacks.

Q: Were any new critical vulnerabilities exploited by ransomware operators today?

Yes, the critical authentication-bypass flaw CVE-2026-41940 in cPanel/WHM/WP Squared was weaponized within hours of its disclosure, leading to ransomware deployments. Progress Software also patched critical authentication bypass (CVE-2026-4670) and privilege escalation (CVE-2026-5174) vulnerabilities in MOVEit Automation.