Ransomware Report - 05/06/2026
Statistical Overview
Victim Totals
- This month: 167
- This quarter: 947
- Year to date: 3565
- Last 24h: 70
Quarterly Breakdown
| Q1 | Q2 | Q3 | Q4 |
|---|---|---|---|
| 2622 | 947 | 0 | 0 |
Ransomware victim counts for Q2 currently stand at 947, showing sustained activity after Q1's 2622 recorded incidents. The past 24 hours alone contributed 70 new victims, indicating continued operations.
Introduction
The past 24 hours saw 70 new ransomware victims added to leak sites, maintaining a consistent threat environment. The_Gentelman was the most active group, claiming 27 victims, followed by Medusa Locker with 18. Other active groups included Meduza, Sinobi, and Akira. Geographically, the United States, Japan, and India were impacted, and the Education and Automotive sectors saw significant targeting.
Ransomware Summary Table
| # | Group | Victims (24h) | Sample Victims | Geos | Sectors |
|---|---|---|---|---|---|
| 1 | The Gentelman | 27 | Arcelik, C2o architects, Clark fixture technologies (+24) | Japan, India | Education, Pharmaceuticals & Biotech |
| 2 | Medusa Locker | 18 | Académie de montpellier / csjm demo, Actionaid / tacosa demo, Atencio engineering (+15) | Brazil, Costa Rica | Automotive, Education |
| 3 | Meduza | 7 | Gsgroup.co, Kelseyschooldivision.ca, Powerscourt.com (+4) | Taiwan, Canada | Automotive, Education |
| 4 | Sinobi | 5 | Bay State Land Services, Celeris Networks, Positiwise Infotech Pvt (+2) | India, United States | Construction & Engineering, Professional Services |
| 5 | Akira | 4 | Abi and ideal tape, Clinical registry solutions, Moorman harting (+1) | United States, United Kingdom | Financial Services, Healthcare |
| 6 | Qilin | 3 | Asphalt specialists, Le maire de quiberon, Sysco | France, United States | Construction & Engineering, Government / Public Sector |
| 7 | INC Ransom | 1 | Aerodiagnostics | United States | Healthcare |
| 8 | Icarus | 1 | Cazh.id | Indonesia | Technology / Software |
| 9 | Krybit | 1 | Ovextech.com | Pakistan | Professional Services |
| 10 | Lamashtu | 1 | Woha.net | Singapore | Construction & Engineering |
| 11 | LeakedData | 1 | Ropers majeski | United States | Legal |
| 12 | Stormous | 1 | Ttt.vn ttt corporation new | Vietnam | Construction & Engineering |
The_Gentelman led ransomware activity in the last 24 hours, responsible for 27 new victim postings in sectors like Education and Pharmaceuticals & Biotech, focusing on Japan and India. For more details on groups such as The_Gentelman and Sinobi, refer to our daily ransomware report from January 12, 2026. Medusa Locker followed with 18 victims, mainly impacting Automotive and Education entities in Brazil and Costa Rica; more information about active groups like Medusa Locker can be found in our previous reports. Other groups included Meduza (7 victims), Sinobi (5 victims, in India and the United States), and Akira (4 victims, targeting Financial Services and Healthcare). Qilin claimed "Le maire de quiberon" (The Mayor of Quiberon) in France, showing persistent targeting of the Government/Public Sector.
Victim Distribution
Which countries were most affected by ransomware today?
- United States: 22
- Italy: 5
- United Kingdom: 4
- Canada: 4
- Taiwan: 3
- United Arab Emirates: 2
- India: 2
- France: 2
- Brazil: 2
- Australia: 2
What industries did ransomware groups target?
- Manufacturing: 5
- Education: 5
- Software Development: 4
- Pharmaceutical Manufacturing: 2
- Healthcare: 2
- Architecture, Engineering & Design: 1
- Accounting and Financial Services: 1
- Public Relations and Communications Services: 1
- Line marking and surface coating: 1
- Environmental Services: 1
The United States was the most frequently targeted nation, accounting for 22 victims. Italy, the United Kingdom, and Canada also saw activity. Manufacturing and Education were the most impacted industries, each registering 5 victims. This shows broad and diverse targeting by ransomware groups.
Ransomware News
Topline
Today's ransomware-relevant developments include significant breach disclosures, changes in attack methods by state-sponsored actors, and continued legal action against cybercriminals.
Campaigns & Operations
Rapid7 researchers reported that MuddyWater is disguising its intrusions as Chaos ransomware operations, using Microsoft Teams for social engineering and deploying decoys in support of broader cyber-espionage. ShinyHunters reportedly breached Instructure's Canvas LMS, exfiltrating approximately 275 million student, teacher, and staff records across 8,809 affected institutions. A production halt at Foxconn's Mount Pleasant, Wisconsin facility, attributed to abnormal network issues, is suspected to be a cybersecurity incident consistent with an OT/ICS disruption.
Vulnerabilities & TTPs
Reports state that ransomware attacks often succeed not just because backups are absent, but because attackers deliberately expose, access, and destroy them. Threat Activity Enablers (TAEs), infrastructure providers operating through shell entities, continue to sustain various ransomware and state-sponsored campaigns. Insider threats also contribute to data broker breaches, as seen with National Public Data's 2.9 billion record exposure and an IT administrator holding systems for ransom. Ransomware incidents in 2024, while fewer, saw more severe breaches with increased ransom payments. Small organizations were primary targets, and email/phishing was a primary vector.
Analyst Note
These developments show the connection between state-sponsored and financially motivated actors, the pervasive data supply chain threat, and ongoing efforts to prosecute ransomware affiliates globally, as evidenced by the sentencing of a Latvian national involved in Conti-led operations.
Technical Takeaways
- New Groups Led Activity: The_Gentelman was the most active group in the last 24 hours with 27 victims, outnumbering the established groups.
- Education Sector Still Targeted: Education continued to be a primary target, appearing among the top sectors for victim counts (5 victims), with examples from The_Gentelman and Medusa Locker.
- Geographic Spread Across APAC and Americas: Ransomware activity showed a wide geographic spread, impacting countries like Japan, India, Brazil, and Canada, alongside persistent targeting in the United States.
- Government Sector Targeted: Qilin's targeting of "Le maire de quiberon" (Government/Public Sector, France) shows ongoing threat actor interest in public institutions.
- Backup Destruction Tactics Change: Recent intelligence shows attackers deliberately compromising and destroying backups, which demonstrates the need for advanced data resilience.