Ransomware Report - 05/07/2026

Statistical Overview

Victim Totals

  • This month: 201
  • This quarter: 980
  • Year to date: 3598
  • Last 24h: 34

Quarterly Breakdown

Q1: 2622 | Q2: 980 | Q3: 0 | Q4: 0

Ransomware victim counts continue to accumulate in Q2. Today's activity shows consistent pressure on various sectors globally. For more context on recent trends, see our Ransomware Victims Q2 May 06 report.

Introduction

The past 24 hours saw 34 new ransomware victims reported. This shows sustained activity across multiple threat groups. SafePay was the most active group with 9 new victims, closely followed by Qilin with 8. Targets included Legal Services, Professional Services, and Retail & Ecommerce sectors, with the United States experiencing the highest concentration of attacks.

Ransomware Summary Table

# | Group | Victims (24h) | Sample Victims | Geos | Sectors
1 | SafePay | 9 | Ettp.be, Gingerichtrucking.com, Globalmerchservices.com (+6) | Spain, Germany | Automotive, Media & Entertainment
2 | Qilin | 8 | Bmtp, Complastex.com, Inox market service spa (+5) | Switzerland, Paraguay | Education, Pharmaceuticals & Biotech
3 | LeakedData | 6 | Farella braun + martel llp, Farella braun + martel llp information, Ropers majeski pc (+3) | United States | Legal
4 | M3RXDLS | 4 | Alge-stop.dk, Datasavior.com, Kbtoys.com.au (+1) | United States, Denmark | Retail & Ecommerce, Professional Services
5 | Akira | 3 | Elia law firm, Grau gmbh, Jacobs doland beer | United States, Germany | Professional Services, Manufacturing
6 | CMD | 1 | penneastern architects | United States | Professional Services
7 | Everest | 1 | Rehab clinics group ltd | United Kingdom | Healthcare
8 | INC Ransom | 1 | lafj.org | United States | Legal
9 | Kairos | 1 | Houk air conditioning | United States | Professional Services

SafePay and Qilin demonstrated the highest activity over the last 24 hours, collectively accounting for 17 of the 34 new victims. LeakedData continued its focus on the Legal sector, while M3RXDLS targeted Retail & Ecommerce and Professional Services. This pattern is consistent with recent observations in our M3RXDLS ransomware threat activity report. Geographically, the United States remained the primary target, alongside scattered activity across Europe and South America. Further details on groups like Qilin and SafePay can be found in our ransomware victim summary from May 05.

Victim Distribution

By Country

  • United States: 16
  • Italy: 4
  • United Kingdom: 3
  • Germany: 3
  • Thailand: 1
  • Australia: 1
  • Switzerland: 1
  • Spain: 1
  • Paraguay: 1
  • Denmark: 1

By Industry

  • Legal Services: 6
  • Law Practice: 3
  • Transportation, Automotive & Logistics: 1
  • Pharmaceutical Manufacturing: 1
  • Local Trucking, Without Storage: 1
  • IT Services and Systems Integration: 1
  • General Engineering and Construction: 1
  • Foodservice Design and Consulting: 1
  • Facilities Services: 1
  • Construction Training and Apprenticeship: 1

The concentration of attacks on the United States and the Legal sector suggests a continued focus on economically significant regions and industries that handle sensitive data. This shows persistent targeting of professional services.

Ransomware News

Topline

Ransomware-related disclosures over the past 24 hours show ongoing supply chain vulnerabilities, targeted data exfiltration campaigns, and the deceptive use of ransomware branding by state-sponsored actors.

Campaigns & Operations

Multiple Japanese organizations, including Nambu Corporation, Nippon Telenet, and Hotel Okura Fukuoka, reported ransomware incidents in March and April 2026. These incidents involved compromises of outsourcing partners or cloud-based systems and led to potential exposure of personal and customer data. Separately, Australian car-parts importer Strategic Imports was breached by MedusaLocker, while energy management firm Energy Action was listed on SafePay's dark web leak site following a data exfiltration event. ASEC's Week 1 May 2026 report noted cross-border activity, including BlackWater targeting a Chinese auto parts manufacturer and Guatemalan government data sales.

Vulnerabilities & TTPs

MedusaLocker is known to exploit exposed RDP configurations and phishing campaigns for initial access. The Iranian APT MuddyWater was observed masquerading as Chaos ransomware activity. It employed high-touch social engineering via Microsoft Teams for credential harvesting and MFA manipulation, followed by data exfiltration and long-term persistence via DWAgent rather than encryption. The activity also showed MuddyWater-style certificates and infrastructure, along with a victimology shift towards the Middle East, North Africa, and Southeast Asia.

Analyst Note

These events collectively show the significant impact of supply chain compromises and the evolving tactics of threat actors who use ransomware as a cover for more sophisticated data exfiltration and intelligence-gathering operations.

Technical Takeaways

  • Geographic Focus: The United States remains a primary target, making up nearly half of all new victims in the last 24 hours.
  • Industry Preference: Legal Services and Professional Services are consistently important targets, likely due to access to sensitive client data.
  • Supply Chain Exploitation: Recent incidents in Japan show a recurring theme of threat actors compromising third-party vendors and cloud systems to reach primary targets.
  • APT Blurring: The use of ransomware branding by advanced persistent threat (APT) groups like MuddyWater shows a strategic shift towards using ransomware as a deceptive tactic for data exfiltration and long-term persistence.
  • Common TTPs: Initial access vectors continue to include common methods like exposed RDP and phishing campaigns, as observed with MedusaLocker activity.