Ransomware Weekly: Top Groups and Trends, Week of May 4, 2026
By ScruteX Team
April closed with 772 claimed victims across 70 groups. As May opens, the most immediate concern isn't a single ransomware group; it's the mass exploitation of CVE-2026-41940 (cPanel authentication bypass, CVSS 9.8), which was added to CISA's Known Exploited Vulnerabilities catalog on April 30 and creates an industrialised entry point for ransomware deployment.
Here's what defenders need to know from the week of May 4.
This Week at a Glance
| Metric | Value |
|---|---|
| Total Victims Claimed | ~155-170 (estimated) |
| Active Groups | 30+ |
| Most Targeted Sector | Financial Services, Healthcare |
| Most Targeted Country | United States |
| Notable Event | cPanel CVE-2026-41940 exploitation enabling mass ransomware deployment |
| Week-over-Week Trend | Steady with April average; infrastructure exploitation increasing |
Group Activity Highlights
| Group | Activity | Notable |
|---|---|---|
| Qilin | Sustained high volume | Continues leveraging Fortinet device exploits |
| Everest | Aggressive week | Multiple financial services targets: Symcor, TSYS, Epiq Global, Liberty Mutual |
| Incransom | Steady | Environmental consultancy, IT services targets |
| Ailock | Emerging | Site Design Group (landscape architecture); new group gaining visibility |
| DragonForce | Active | Cross-sector targeting; maintaining top-5 position |
| LockBit | Active | Deploying via compromised Bomgar RMM instances (CVE-2026-1731) |
Key Developments
cPanel Mass Exploitation Creates Ransomware Opportunity
The cPanel authentication bypass (CVE-2026-41940) disclosed on April 28 represents the week's most significant development for ransomware risk. With 1.5 million cPanel instances exposed to the internet -- serving an estimated 70 million domains -- this vulnerability creates an unprecedented scale of potential entry points.
Attackers exploited the flaw for approximately two months before the patch. cPanel controls 94% of the control-panel market, and compromise at this layer gives attackers full root access to the server and every website hosted on it.
For ransomware operators, mass cPanel compromise is particularly valuable: it provides high-privilege access to servers hosting multiple customer environments, with data from dozens or hundreds of organisations accessible from a single compromised instance.
Defender action: Verify cPanel patch status immediately. Run the detection script. Treat any compromise indicator as an active incident. See this week's CVE Radar for detailed remediation guidance.
Everest Intensifies Financial Services Campaign
Everest continued its concentrated push into financial services this week, adding Symcor (Canadian payment processing), TSYS (US payment solutions), and Epiq Global (legal services for financial institutions) to its leak site alongside last week's Liberty Mutual Insurance claim.
This clustering is notable. Four major financial services organisations being claimed within a seven-day window suggests either a coordinated campaign or multiple affiliates independently targeting the sector using shared intelligence.
Supply-Chain Attack Fallout Continues
The Checkmarx/Bitwarden supply-chain compromise from last week continues to generate downstream impact. Vercel confirmed expanding fallout affecting more customers and third-party systems. The Lapsus$ and TeamPCP groups behind the attacks have explicitly stated intent to chain supply-chain compromises into ransomware campaigns.
Data-Extortion-Only Operations Expand
ShinyHunters continues operating without encryption, claiming multiple major victims through pure data theft and extortion. This model eliminates the need for ransomware deployment infrastructure while maintaining profitable extortion leverage.
Trend Analysis
April Final Numbers
April 2026 closed with clear patterns that carry into May:
- 772 total victims, 70 active groups -- steady activity slightly below March's 808 but 27% above 2025 averages
- Healthcare at #1 (64 victims), Technology at #2 (56), Manufacturing declining (50)
- US share dropping from 50% to 39% as geographic spread widens to 79 countries
- Group ecosystem fragmenting -- more groups with fewer victims each, making single-group tracking insufficient
What to Watch in May
- cPanel-related compromises. Expect ransomware groups to leverage the two-month exploitation window. Victims who were compromised before the April 28 patch may not know it yet.
- Supply-chain cascading. The Checkmarx incident's full blast radius isn't yet known. Downstream compromises will continue surfacing.
- VPN credential exploitation. 70% of ransomware intrusions use VPN as the initial access vector. The infostealer-to-IAB-to-ransomware pipeline shows no signs of slowing.
- Financial services targeting. Everest's concentrated campaign and broader industry trends suggest financial services will remain a top-3 target through Q2.
Key Takeaways
- cPanel CVE-2026-41940 is the week's top ransomware risk. 1.5 million exposed instances, two months of pre-patch exploitation, and full root access on compromise. Verify your patch status now.
- Everest is running a financial services campaign. Four major targets in seven days. Financial sector organisations should audit external exposure immediately.
- Supply-chain attacks are the new initial access vector. Checkmarx/Bitwarden fallout continues expanding. Audit CI/CD dependencies.
- 2026 is on pace for 8,800+ ransomware victims. The elevated baseline from Q1 is holding steady into Q2.
Track ransomware threats, leaked credentials, and external exposures with Scrutex. Free tier available.
Frequently Asked Questions
How many ransomware attacks happen per week in 2026?
Approximately 150-200 victims are claimed per week across 30-40 active ransomware groups. April 2026 averaged about 193 per week (772 total). The actual number is higher as many victims pay before being publicly listed.
What is the biggest ransomware threat this week?
CVE-2026-41940 (cPanel authentication bypass). The vulnerability affects infrastructure serving 70 million domains and was exploited for two months before patching. Ransomware groups can leverage compromised cPanel instances for mass deployment.