Ransomware Weekly, May 18 to 25, 2026: 228 Leak Site Posts Across 37 Groups

By ScruteX Team Published

This Week at a Glance

| Metric | Value |
| --- | --- |
| Total unique victims posted | 228 |
| Active groups | 37 |
| Countries hit | 39 |
| Heaviest single day | May 19 (57 posts) |
| Second-heaviest day | May 18 (41 posts, driven by Titan, SafePay, The Gentlemen batches) |
| Most targeted country | USA (26% of postings) |
| Most targeted sector | Business Services (22 victims) |
| New or returning brand of note | LockBit 5.0 (18 across week), ShadowByt3$ (Starbucks claim) |
| Notable major-brand claims | Charter Communications, DentaQuest, Panasonic Avionics, Semgrep, Starbucks (unverified) |

Group Activity Breakdown

Five groups produced more than 50% of the week's volume. The long tail (15 groups with three or fewer posts) shows the leak site space is still highly fragmented after the LockBit and ALPHV takedowns of 2024 to 2025.

| Rank | Group | Victims | Sector Focus | Notable Activity |
| --- | --- | --- | --- | --- |
| 1 | Nova | 30 | Mixed; education, manufacturing, hospitality, technology | Mass May 19 batch (18 victims), then steady output across the week |
| 2 | Qilin (Agenda) | 21 | Legal, packaging, real estate, construction, technology | Consistent daily output, hit Semgrep (security vendor) on May 22 |
| 3 | DragonForce | 19 | US SMBs, professional services, insurance, agriculture | 12 fresh postings on May 25 alone |
| 3 | The Gentlemen | 19 | Technology, manufacturing, healthcare, logistics | Two big clusters: 7 victims May 18, 9 victims May 24 |
| 5 | LockBit 5.0 | 18 | Manufacturing, healthcare, education, retail | 15-victim batch on May 19, plus more on May 20 and 25 |
| 6 | NightSpire | 14 | Energy, food, automotive, finance | Two clusters (May 18 and May 24), several redacted victim names |
| 7 | Coinbase Cartel | 9 | Telecom, IT services, aviation | Re-posted Openmind Networks and Pragmatic Solutions across multiple days; claimed Panasonic Avionics |
| 7 | Akira | 9 | Hospitality, manufacturing, fitness, IT consulting | Steady cadence; Healthtrax, Vacu-Lug, Buffalo Convention Center |
| 7 | Titan | 9 | Logistics, legal, automotive, aviation | May 18 burst across seven countries (Mexico, Italy, USA, Tunisia, France, Singapore) |
| 7 | SafePay | 9 | Manufacturing, retail, government, healthcare | May 18 cluster of 8 (Germany, UK, USA, Canada, France) plus olipes.com May 19 |
| 11 | Payload | 8 | Legal, manufacturing, healthcare, logistics | Singapore, Japan, US, German clusters |
| 12 | BASHE (Eraleign / APT73) | 7 | Government, telecom, pharma, banking | Heavy focus on state and infrastructure targets |
| 13 | Bavacai | 6 | Germany-focused | Sustained pressure on German legal and consumer targets |
| 14 | INC Ransom | 5 | Education, manufacturing, consulting, technology | Includes Mecanizados (Spain), Meirc (UAE), Bergen Community College |
| 14 | Krybit | 5 | Public sector, hospitality, business services | Hong Kong, Singapore, Thailand, Spain spread |
| 14 | Pear | 5 | Agriculture, jewelry, water utility, consumer services | Single-day batch on May 20 plus Kinsmen TeleMiracle |
| 17 | AiLock | 3 | Engineering, manufacturing, business services | Three US/Taiwan victims |
| 17 | ShinyHunters | 3 | Telecom, dental, distribution | Returned with Charter Communications, DentaQuest, Baker Distributing |
| 17 | ThreeAM | 3 | Consulting, agriculture, business services | Mixed Latin America targets |
| 20 | Rhysida | 2 | Local government, business | Stuttgart (Germany), IDS Group |
| 20 | ShadowByt3$ | 2 | Hospitality (claims only) | Posted Starbucks and Hotelogix on May 21, very low confidence |
| 20 | Bravox | 2 | Energy, non-profit | Emek Elektrik, Salvation Army Canada |
| 20 | AuditTeam | 2 | Government, retail | Senegal Treasury, Mopas Supermarket |
| 20 | Lamashtu | 2 | Heavy industries, technology | ROTH-TECHNIK Austria, Malaysia Smelting Corp |
| 20 | Anubis | 2 | Healthcare | Colorado Dental Wellness, A.R.Ge.Co |
| Long tail | Brain Cipher, CMD Organization, Genesis, Gunra, Leaknet, Play, SilentRansomGroup, Spy Corporate, Stormous, Triple X, Worldleaks, plus a few "unknown attacker" cyberattack reports | 1 each | Various | One-off claims, single-affiliate brands, or victim-reported attacks where the group is unidentified |

Two observations:
  1. Nova alone produced 13% of all weekly volume. The group is operating like a high-affiliate RaaS with sustained throughput, not a one-off campaign.
  2. The Gentlemen frequently posts in clusters that mirror INC Ransom's infrastructure. We have low-confidence indicators of a shared affiliate pool. Worth tracking, not yet confirmed.

Sector Targeting Analysis

Across the 194 victim postings where sector data was available:

| Sector | Victims | Share |
| --- | --- | --- |
| Business Services | 22 | 11% |
| Manufacturing | 18 | 9% |
| Technology | 15 | 8% |
| Consumer Services | 13 | 7% |
| Healthcare | 12 | 6% |
| Construction | 11 | 6% |
| Public Sector / Government | 11 | 6% |
| Hospitality and Tourism | 10 | 5% |
| Education | 10 | 5% |
| Agriculture and Food | 8 | 4% |
| Transportation and Logistics | 6 | 3% |
| Financial Services | 5 | 3% |
| Legal | 4 | 2% |
| Consulting | 4 | 2% |
| Engineering | 3 | 2% |
| Electricity | 3 | 2% |
| Heavy industries | 3 | 2% |
| Telecommunications | 3 | 2% |
| Other / unclassified | 34 | 18% |

What this tells us:
Business Services took the heaviest hit with 22 victims (11% of all postings). Mid-sized consulting, accounting, legal, and outsourced services firms typically carry large client data volumes with weaker controls than regulated industries. They are the affiliate sweet spot.
Manufacturing came in second with 18 victims, including The Gentlemen's May 18 batch (Polyrack, ACAM, Modern Display, Koa Glass, TRANSSYSTEM) and Titan's German and Japanese targets. The supply chain effect (downstream disruption forces faster payment) continues to make it attractive.
Technology entered the top three this week (15 victims). Most are mid-market SaaS, IT services, and telecom adjacents. Qilin claiming Semgrep (a security tool vendor) on May 22 is the highest-profile example. Compromise of a security vendor creates downstream risk for their customers.
Healthcare climbed to 12 victims, the highest in our six-week tracking. Drivers: NightSpire (la familia adult day center), DragonForce (multiple), The Gentlemen (Internal Medicine of Southwest Florida, Sanatorio Delta), Payload (Internal Medicine and Pediatrics of Cullman), Anubis (Colorado Dental Wellness), plus SafePay hitting hautarzt-budihardja.de and CMD Organization claiming Stonehenge Therapeutic Community.
Public sector activity (11 victims) is concentrated in BASHE postings (Turkey land registry, Mexico government health body, Thailand astronomical institute), Rhysida claiming the City of Stuttgart, Krybit hitting the Bangkok Metropolitan Administration, AuditTeam against Senegal's Treasury, plus several French and Brazilian municipalities. State and local government remain a strategic target for groups with geopolitical leanings.
Education jumped to 10 victims this week. Nova accounted for most (universities in Spain, Mexico, Poland, Philippines), plus LockBit 5.0 hitting a US calvary school and a UK junior school.
Notable composition: Financial Services stays low at five postings, all SMB credit and finance firms. The major banks remain outside the RaaS affiliate target profile, consistent with our six-month observation (likely a mix of better detection, regulatory pressure, and OFAC sanctions risk for the attacker).

Country Distribution

The United States accounts for 26% of all postings, but the rest of the world is more evenly spread than previous weeks:

| Rank | Country | Victims |
| --- | --- | --- |
| 1 | USA | 59 |
| 2 | Germany | 14 |
| 3 | UK | 13 |
| 4 | Spain | 11 |
| 5 | France | 7 |
| 5 | Mexico | 7 |
| 7 | Canada | 6 |
| 7 | Brazil | 6 |
| 7 | Turkey | 6 |
| 7 | Singapore | 6 |
| 11 | Poland | 5 |
| 11 | Australia | 5 |
| 11 | Austria | 5 |
| 14 | Argentina | 4 |
| 14 | Japan | 4 |
| 14 | Thailand | 4 |
| 14 | Indonesia | 4 |
| 18 | Netherlands | 3 |
| 18 | Czech Republic | 3 |
| 18 | Italy | 3 |

A further 19 countries had one to two victims each, including Switzerland, Norway, India, Bangladesh, Vietnam, Malaysia, North Macedonia, Ecuador, New Zealand, Senegal, UAE, Egypt, Tunisia, Cyprus, Peru, Dominican Republic, Philippines, Taiwan, and China.
The breadth (39 countries hit) reflects how affiliate-driven RaaS now operates globally. Geographic distribution tracks revenue opportunity, not threat actor location. Notable shift this week: the USA share dropped from a typical 33% to 26%, and Germany jumped to second place, largely on SafePay and Bavacai activity.

Notable Claims and Incidents

1. ShinyHunters returns with Charter Communications and DentaQuest

ShinyHunters posted three high-profile claims on May 23: Charter Communications, DentaQuest, and Baker Distributing Company. None of these appear to be encryption events. ShinyHunters operates as a data extortion crew, not a traditional ransomware operator. Charter has a customer base of more than 32 million, and DentaQuest holds dental insurance records for more than 30 million Americans. If validated, both would carry significant regulatory exposure under HIPAA and state breach notification laws.
Confidence: Medium on the data being authentic. Low on it being from a new intrusion (ShinyHunters has a history of re-leaking older, repackaged datasets). We are tracking samples to confirm freshness.

2. LockBit 5.0 posts 18 victims across the week

May 19 saw a 15-victim LockBit 5.0 batch, the first significant volume from the brand since its tentative resurfacing earlier in 2026. Targets spanned Turkey, Brazil, Netherlands, Peru, Indonesia, Thailand, Dominican Republic, Spain, and Germany. The branding is consistent with post-takedown LockBit infrastructure but the affiliate roster is almost certainly different from the pre-Cronos LockBit Black operation. Treat this as a new program operating under a recovered brand, not a continuation of the original group.
Two further LockBit 5.0 postings landed on May 20 (Shottermill Junior School in the UK) and three more on May 25 (Van Tuijl Haaften, Columbia Orthopedic Group). Total weekly volume: 18 victims. Tempo is rising.

3. Three groups stack big batches on May 18

May 18 produced 41 victim postings, the second-heaviest day of the week. Three groups drove most of that volume:
  • Titan posted 7 victims in a single window: Mezta Corporativo (Mexico), Abp Autoricambi (Italy), DFI America (USA), CRIT Tunisie, Groupe CRIT SA (France), ETM-Electromatic (USA), and Quahe Woo & Palmer (Singapore). The mix of automotive, technology, electricity, and legal targets across five countries fits an affiliate working a broad target list, not a single campaign.
  • The Gentlemen posted 7 victims: Polyrack (Germany), ACAM Systemautomation (Austria), Modern Display (USA), Koa Glass (Japan, in the May 24 cluster but indexed by some trackers to May 18), Internal Medicine of Southwest Florida, DEVO-Tech (Switzerland), and Internet Technologies Designs (France). Technology and manufacturing dominate.
  • SafePay posted 8 victims: harrisoncountywv.com (USA), printroom.co.uk, hautarzt-budihardja.de (Germany), mediafrance.de, ashleytimber.co.uk, adlan.com (Canada), Berlinmobil.de, and Vialis Colmar (France). Heavy German and UK concentration.
Combined, that is 22 victims from three groups in a single day. Tuesday May 19 (57 victims) is the broader peak, but May 18 is the operational tell. Affiliates were teeing up posts for the week.

4. DragonForce dominates May 25

Twelve of the 19 DragonForce postings hit on May 25 alone. The list reads like a mid-market US SMB roll-up: insurance adjusters, CPAs, scaffold suppliers, network services, lighting, packaging. The pattern suggests a single affiliate working through a target list, probably acquired from an initial access broker or a single phishing campaign that landed multiple footholds in a shared upstream provider (an MSP supply chain effect is plausible but unconfirmed).

5. Coinbase Cartel re-posts the same victims

Openmind Networks, Pragmatic Solutions, and Panasonic Avionics appear multiple times across May 18, 21, and 22 under the Coinbase Cartel banner. Re-posting is usually a negotiation tactic: the group is escalating pressure publicly because the victim is not paying or is stalling. Watch this space for a full data drop in the next week if the pattern holds.

6. BASHE (Eraleign / APT73) hits government infrastructure

Seven BASHE postings this week, including Turkey's General Directorate of Land Registry, Mexico's Minsa, Thailand's NARIT astronomical institute, Macedonia's Alkaloid pharmaceutical, and Argentina's Grupo Petersen banking group. The target profile (state-adjacent, infrastructure, pharma) is consistent with a politically motivated extortion operation, not a pure financial play.

7. ShadowByt3$ claims Starbucks and Hotelogix

A relatively unknown extortion brand calling itself ShadowByt3$ posted two claims on May 21: Starbucks Corporation and Hotelogix (Indian hospitality SaaS). Both claims are flagged low confidence in our tracking. We have seen no corroborating sample data, no encryption indicators, and no public acknowledgement from either company. The pattern (a small-volume group claiming household brands without supporting evidence) usually resolves one of three ways: (1) the data is repackaged from an earlier unrelated breach, (2) the claim is fabricated to drive notoriety, or (3) the intrusion is real but limited to a low-impact system the victim is not treating as material. We are monitoring for sample release. Treat both claims as unverified until proof appears.

8. Qilin compromises Semgrep

Qilin posted Semgrep on May 22. Semgrep is a security product vendor whose code analysis tool runs inside many large engineering organizations. If the data is real, it has downstream value to other affiliates and brokers. Security vendor compromise is the kind of event that creates a multi-week response cycle for customers, not just for the named victim.

Infrastructure and Operational Shifts

Three things worth flagging on the operational side:
  • NightSpire's redaction pattern continues. Of nine NightSpire postings, three carried partially redacted victim names. The group reliably reveals full names on day 7 to 10 of the negotiation cycle if no payment lands. We expect those three to be fully named by June 1.
  • The Gentlemen and INC Ransom overlap. Two victims (Internal Medicine of Southwest Florida, Polyrack) had their initial leak posts handled with similar formatting, comment structure, and infrastructure timing. Hypothesis: shared affiliate. Low confidence, needs more samples.
  • Nova continues to scale. The group has now exceeded 80 victim postings in May 2026. Their leak site is also moving faster between posting and partial-data publication (we measured an average of 6.2 days this week, down from 9.4 days in early May). Faster pressure cycle.

Key Takeaways for Defenders

  1. Mid-market is the target zone. If your organization is between 200 and 2,000 employees with revenue between $50M and $1B, you are inside the affiliate sweet spot. Treat ransomware as a 30 to 90 day probability event, not a tail risk.
  2. MSP and shared-provider compromise is back. The DragonForce May 25 cluster looks supply-chain shaped. Validate your MSP's controls, especially privileged access and remote management tooling.
  3. Leak site appearance is a late signal. By the time a victim appears on a leak site, the intrusion is typically 30 to 90 days old. Continuous monitoring of external exposure, leaked credentials, and dark web chatter is what catches this earlier.
  4. LockBit 5.0 is a real program now. Refresh your detection rules against the v5 IOC set (separate post coming this week from the Scrutex CTI team).
  5. Watch BASHE if you operate in government, pharma, or infrastructure. The group's targeting pattern is escalating and they are publishing data, not just threatening.
  6. Treat high-profile claims by small groups skeptically. ShadowByt3$ claiming Starbucks is the kind of high-noise, low-evidence posting that drives news cycles but rarely reflects a material incident. Wait for sample data before reacting. Your communications team should have a pre-approved "unverified claim" response template ready for moments like these.
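
The leak-feed triage behind takeaway 3 and the re-post and batch patterns described above, as an added example (not ScruteX tooling or code from this report). The record fields, the stop-word list, and every group and victim value are constructed placeholders; the code dedupes postings, flags re-posts and same-day batches, and matches a watchlist of your own names and vendors.

```python
import re
from collections import defaultdict
from datetime import date

# Constructed sample feed. Field names and every group/victim value are
# placeholders for illustration, not the schema or data of any real tracker.
POSTS = [
    {"group": "group-a", "victim": "Northwind MSP Ltd.", "posted": date(2026, 5, 18)},
    {"group": "group-a", "victim": "northwind-msp.example", "posted": date(2026, 5, 21)},
    {"group": "group-a", "victim": "Fabrikam Legal", "posted": date(2026, 5, 18)},
    {"group": "group-b", "victim": "contoso-tools.example", "posted": date(2026, 5, 19)},
    {"group": "group-b", "victim": "Tailspin Dental", "posted": date(2026, 5, 19)},
    {"group": "group-b", "victim": "Adatum Packaging", "posted": date(2026, 5, 19)},
    {"group": "group-c", "victim": "Contoso Tools Inc", "posted": date(2026, 5, 22)},
]
# Small illustrative set of legal suffixes and domain parts ignored when comparing names.
STOP = {"ltd", "inc", "llc", "gmbh", "corp", "www", "com", "net", "org", "example"}

def key(name):
    """Normalise a victim label so 'Foo Bar Ltd.' and 'foo-bar.example' compare equal."""
    tokens = re.findall(r"[a-z0-9]+", name.lower())
    return "".join(t for t in tokens if t not in STOP)

def index(posts):
    """Map (group, victim key) -> set of posting days; re-posts collapse into one entry."""
    seen = defaultdict(set)
    for p in posts:
        seen[(p["group"], key(p["victim"]))].add(p["posted"])
    return seen

def reposts(posts):
    """Victims a group listed on more than one day (the pressure-escalation pattern)."""
    return {k: sorted(d) for k, d in index(posts).items() if len(d) > 1}

def batches(posts, threshold=3):
    """(group, day) pairs where a group first listed at least `threshold` unique victims."""
    per_day = defaultdict(set)
    for (group, victim), days in index(posts).items():
        per_day[(group, min(days))].add(victim)
    return {k: len(v) for k, v in per_day.items() if len(v) >= threshold}

def watchlist_hits(posts, watchlist):
    """Unique (group, victim key, first seen) entries matching our own names or vendors."""
    wanted = {key(w) for w in watchlist}
    return sorted((g, v, min(d)) for (g, v), d in index(posts).items() if v in wanted)

if __name__ == "__main__":
    print("unique victims:", len(index(POSTS)), "of", len(POSTS), "postings")
    print("re-posts:", reposts(POSTS))
    print("batches:", batches(POSTS))
    print("watchlist:", watchlist_hits(POSTS, ["contoso-tools.example", "Northwind MSP"]))
```

Exact matching on the normalised key keeps false positives low but misses abbreviations and redacted names, so redacted postings still need manual review.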

CTA

Scrutex continuously tracks all 37 of the groups in this report, plus 41 others in the active extortion ecosystem. If your team is monitoring leak sites manually, you are losing roughly 14 to 20 hours per week to noise. Scrutex's Threat Insights module surfaces only the postings that touch your domains, brands, or vendors.
Start a free workspace at scrutex.ai/signup. No credit card. Five minutes to first signal.

FAQ

Q: How many ransomware attacks happened the week of May 18 to 25, 2026? A: 228 unique victim postings appeared on dark web leak sites in that window, across 37 distinct ransomware and extortion groups. This counts leak site postings, not all attacks (many incidents are settled privately and never appear publicly).
Q: Which ransomware group is most active in May 2026? A: Nova leads month-to-date with more than 80 victim postings, followed by Qilin and DragonForce.
Q: Did Starbucks get hit by ransomware? A: A small extortion brand called ShadowByt3$ posted a claim against Starbucks on May 21, 2026. The claim is unverified. No sample data has been released, no encryption indicator has been observed, and Starbucks has not publicly acknowledged any incident. Treat the claim as low confidence until evidence emerges.
Q: Is LockBit back? A: A LockBit 5.0 brand is operating and posted 18 victims this week (15 in a single batch on May 19, plus two more on May 25). The infrastructure is consistent with post-takedown LockBit, but the affiliate roster appears different. Treat it as a new program using a recovered brand.
Q: What sectors should I worry about most this week? A: Business Services, Consumer Services, and Manufacturing accounted for nearly a quarter of all postings. Public sector government bodies were targeted by BASHE specifically. Healthcare saw five postings, including two US clinics and a German dermatology practice.
Q: Where can I get this data in real-time? A: Scrutex Threat Insights surfaces ransomware leak site activity filtered to your organization, brands, and vendors. Public aggregators like ransomware.live and RansomLook publish the raw feed.
