Ransomware Report - 05/05/2026
Statistical Overview
Victim Totals
- This month: 97
- This quarter: 854
- Year to date: 3472
- Last 24h: 30
Quarterly Breakdown
| Q1 | Q2 | Q3 | Q4 |
|---|---|---|---|
| 2622 | 854 | 0 | 0 |
Q2 activity continues to add to the year-to-date total, with 854 victims this quarter and 3472 year to date, indicating a consistent threat level. For more on recent activity, see our latest ransomware victims report.
Introduction
In the past 24 hours, 30 new ransomware victims were reported across various leak sites. Qilin reported 8 new victims, SafePay 6, and INC_Ransom 3, leading the activity. The United States remained the primary geographic target. Financial services and professional services sectors were significantly targeted, along with retail.
Ransomware Summary Table
| # | Group | Victims (24h) | Sample Victims | Geos | Sectors |
|---|---|---|---|---|---|
| 1 | Qilin | 8 | Ahorramas, Cushman & wakefield, Foxstone financial (+5) | Spain, Ukraine | Financial Services, Legal |
| 2 | SafePay | 6 | Bootstransport.ca, Dahlgrenscement.se, Fital-treppenlifte.de (+3) | Sweden, Japan | Professional Services, Government / Public Sector |
| 3 | INC Ransom | 3 | EXPEDITOR, childplace.org, sanver.com.mx | United States, Mexico | Nonprofit, Retail & Ecommerce |
| 4 | Akira | 2 | Pipestone, Punch & associates investment management | United States | Financial Services, Agriculture & Food |
| 5 | Chaos | 2 | Vacaero.com, Www.cswindustrials.com | United States, Canada | Manufacturing |
| 6 | SLSH | 2 | Adelante soluciones financieras (addi.com), Entire list of affected schools by instructure breach | United States, Colombia | Financial Services, Technology / Software |
| 7 | Everest | 1 | Studio marchi - studio professionale associato | Italy | Professional Services |
| 8 | Krybit | 1 | Foodsmart.com.do | Dominican Republic | Agriculture & Food |
| 9 | Lamashtu | 1 | Grandhomemart.com | Thailand | Retail & Ecommerce |
| 10 | MS13-089 | 1 | Brittanyresidential.com (usa, ohio) | United States | Nonprofit |
| 11 | PEAR | 1 | Morning star tours | United States | Hospitality & Travel |
| 12 | Securotop | 1 | Thompson builders corporation | United States | Construction & Engineering |
Qilin was the most active group, primarily targeting financial services and legal sectors across Spain and Ukraine. SafePay was also active, affecting professional services and government entities in Sweden and Japan. The United States remains a focal point for groups like INC Ransom, Akira, and Chaos, which hit a diverse range of targets. Qilin also listed the Standard-Examiner today, as reported in recent news, which may indicate a focus on media entities. The Everest Group's claims regarding Liberty Mutual data also point to ongoing pressure on large insurers, though Liberty Mutual attributes this to a third-party vendor incident. For more on active groups like Qilin, SafePay, Akira, and INC Ransom, see our daily ransomware reports.
Victim Distribution
By Country
- United States: 15
- Canada: 2
- Italy: 2
- Ukraine: 1
- Thailand: 1
- Sweden: 1
- Spain: 1
- Portugal: 1
- Mexico: 1
- Japan: 1
By Industry
- Law Firms & Legal Services: 2
- Construction: 2
- Home Improvement & Hardware Retail: 2
- Automotive: 1
- Specialty Industrial Machinery: 1
- Social Services: 1
- Religious Travel and Tourism: 1
- Real Estate: 1
- Non-Profit & Charitable Organizations: 1
- Investment Management: 1
The United States remains the predominant target, accounting for half of the reported victims in the last 24 hours. Industry distribution is fragmented, with legal services, construction, and retail showing slightly higher victim counts. This suggests opportunistic targeting across various small to medium-sized enterprises.
Ransomware News
Ransomware activity today includes new attacks, significant data leaks, critical vulnerability exploitation, and law enforcement action against an extortion group. Rootboy conducted a three-week assault on Standard Bank (South Africa) and Liberty, exfiltrating 1.2 TB of data and over 154 million SQL rows. In Germany, 4SELLERS, an e-commerce solutions provider, experienced a targeted ransomware attack. Champion Homes (Sydney) confirmed a cyber event linked to the DragonForce ransomware operation, resulting in a 44-gigabyte dataset published to the dark web. The Everest Group began leaking what it claims is 108 GB of Liberty Mutual data, following an alleged failure to meet demands, though Liberty Mutual attributes this to a third-party vendor incident. The Qilin ransomware group listed the Standard-Examiner on its leak site after the paper reported production difficulties. Separately, the VENOMOUS#HELPER phishing campaign impacted over 80 organizations, mainly in the U.S., deploying SimpleHelp RMM via compromised domains. On the law enforcement side, Latvian national Deniss Zolotarjovs, a Karakurt extortion negotiator, was sentenced to 8.5 years for conspiracy to commit wire fraud and money laundering, marking the first U.S. sentencing of a Karakurt member.
A critical authentication-bypass flaw, CVE-2026-41940 in cPanel/WHM/WP Squared, was weaponized within hours of disclosure, leading to botnet deployment and ransomware encrypting files with a .sorry extension. Progress Software patched two critical MOVEit Automation vulnerabilities, CVE-2026-4670 (authentication bypass) and CVE-2026-5174 (privilege escalation). New intelligence details how infostealers act as a major initial attack vector that fuels ransomware campaigns. For more details on Qilin activity and cPanel vulnerabilities, see our report from May 3rd.
Technical Takeaways
- Broadened Initial Access: The VENOMOUS#HELPER phishing campaign's use of dual-channel RMM tools (SimpleHelp and ScreenConnect) reflects complex initial access broker tactics designed for redundancy and evasion.
- Rapid CVE Exploitation: The weaponization of CVE-2026-41940 in cPanel/WHM/WP Squared within hours of disclosure underscores the urgency of patch deployment, especially for critical authentication bypass flaws.
- Infostealer Nexus: New intelligence confirms infostealers as a significant initial attack vector for ransomware, highlighting the importance of credential intelligence in preventing attacks.
- Diverse Sector Targeting by Top Groups: Qilin and SafePay targeted financial services, legal, professional services, and government sectors, indicating a non-discriminatory approach to victim selection.
- Third-Party Risk: Multiple incidents, including the alleged Liberty Mutual data leak linked to a third-party vendor, emphasize how difficult supply chain risk is for organizations to manage.
FAQ
Q: Which ransomware groups were most active in the last 24 hours?
Qilin was the most active group with 8 new victims, followed by SafePay with 6 victims and INC Ransom with 3 victims. Akira and Chaos each reported 2 new victims.
Q: What geographic regions experienced the most ransomware attacks today?
The United States was the most targeted country, accounting for 15 of the 30 new victims. Canada, Italy, Ukraine, Thailand, Sweden, Spain, Portugal, Mexico, and Japan each saw 1 to 2 reported incidents.
Q: Which industries were most frequently targeted by ransomware in this period?
Industry targeting was diverse, with Law Firms & Legal Services, Construction, and Home Improvement & Hardware Retail each reporting 2 victims. Other industries such as Automotive, Financial Services, and Non-Profit Organizations also experienced attacks.
Q: Were any new critical vulnerabilities exploited by ransomware operators today?
Yes, the critical authentication-bypass flaw CVE-2026-41940 in cPanel/WHM/WP Squared was weaponized within hours of its disclosure, leading to ransomware deployments. Progress Software also patched critical authentication bypass (CVE-2026-4670) and privilege escalation (CVE-2026-5174) vulnerabilities in MOVEit Automation.