Ransomware Report - 05/16/2026
Statistical Overview
Victim Totals
- This month: 424
- This quarter: 1202
- Year to date: 3819
- Last 24h: 24
Quarterly Breakdown
| Q1: 2622 | Q2: 1202 | Q3: 0 | Q4: 0 |
|---|
Quarter 2 activity continues, with 1202 victims recorded to date. This follows an active Q1. The last 24 hours saw 24 new entities impacted, showing ongoing pressure across various sectors.
Introduction
In the last 24 hours, PurpleOps recorded 24 new ransomware victims, showing persistent threat actor activity. The most active groups included Qilin (8 victims), LockBit (6 victims), and DragonForce (4 victims). Targeting remained geographically diverse, though concentrated in the United States. Sectors such as Healthcare and Education experienced significant impact.
Ransomware Summary Table
| # | Group | Victims (24h) | Sample Victims | Geos | Sectors |
|---|---|---|---|---|---|
| 1 | Qilin | 8 | Australian college of business intelligence, B.care medical center, Common part groupings (+5) | Thailand, United States | Financial Services, Education |
| 2 | LockBit | 6 | centralromana.com.do, jec.co.id, lbreng.com.br (+3) | Dominican Republic, Netherlands | Education, Healthcare |
| 3 | DragonForce | 4 | Advanced medical consultants, Advancedhealth, Advancedhealth. (+1) | United States | Construction & Engineering, Healthcare |
| 4 | CoinbaseCartel | 2 | Grafana, Zywave | United States | Technology / Software |
| 5 | Exitium | 1 | Gastroenterology & hepatology of cny[full_leak] | United States | Healthcare |
| 6 | Medusa Locker | 1 | Estrela industrial demo | Brazil | Manufacturing |
| 7 | Rhysida | 1 | Tower view primary school | United Kingdom | Education |
| 8 | The Gentelman | 1 | Ross yerger insurance | United States | Insurance |
Today's ransomware activity was primarily led by Qilin, which accounted for a third of all new victims. The group's targets included financial services and education entities across Thailand and the United States. LockBit and DragonForce were also active, contributing to pressure on the healthcare sector. No specific high-value government or critical infrastructure targets were identified among the new victims in the last 24 hours. PurpleOps continues to monitor these groups, providing real-time ransomware threat activity updates.
Victim Distribution
By Country
- United States: 11
- Australia: 3
- Brazil: 3
- Thailand: 2
- United Kingdom: 1
- Peru: 1
- Netherlands: 1
- Indonesia: 1
- Dominican Republic: 1
By Industry
- Healthcare: 4
- Education: 3
- Healthcare Services: 1
- Software Development: 1
- Software: 1
- Retail: 1
- Pain Management Medicine: 1
- Insurance: 1
- Industrial Machinery & Equipment: 1
- Industrial Distribution: 1
The United States remains the primary target for ransomware attacks, accounting for nearly half of the new victims. Industrially, the healthcare and education sectors show a concentration of attacks because attackers continue to exploit their sensitive data and critical operations.
Ransomware News
Topline
Recent activity shows ongoing ransomware threats, with Qilin allegedly breaching an Australian IT provider and ShinyHunters causing data leaks by exfiltrating data from cloud environments.
Campaigns & Operations
Qilin listed Australian hospitality IT provider Bluize on its dark web leak site. Details about the incident or sample data are unconfirmed, reflecting the group's sporadic posting and potential for extortion based on exposed databases. Separately, ShinyHunters has increased its extortion tactics, using persistent social engineering and voice-based pretexts to exfiltrate multi-terabyte datasets from cloud environments, especially Salesforce and other SaaS storage. Security researchers use AI for data classification to map exposed fields and estimate risk per breach.
Vulnerabilities & TTPs
ShinyHunters' operations show a reliance on social engineering and data exfiltration from cloud environments, resulting in public dumps of extensive personal and health-related data. The broader discussion around ransomware payments shows that promises to delete data often prove unreliable, which increases long-term risks for victims. Panels also warn that AI-assisted threats and non-human identities are increasing attacks, making AI for detection and rapid microsegmentation necessary.
Analyst Note
These developments show the expanding attack surface of cloud environments and the continued effectiveness of social engineering as a primary vector, alongside the unreliability of ransomware actors post-payment. Our recent intelligence covers the ransomware intelligence update and specific Qilin ransomware threat activity.
Technical Takeaways
- Qilin showed high activity, becoming the most active group in the last 24 hours with 8 new victims, and maintained its activity level.
- The healthcare and education sectors are often targeted, making up 7 out of 24 new victims, which shows their vulnerability to ransomware campaigns.
- The United States continues to be the geographic focus for ransomware operators, with 11 organizations listed as victims today.
- ShinyHunters' activities show a heavy reliance on data exfiltration from cloud environments and social engineering, leading to large-scale data leaks.
- Observations suggest Qilin uses extortion tactics, possibly listing exposed databases to pressure victims without confirming full data exfiltration.