Ransomware summary week 19, 2026

Week 19 was dominated by ShinyHunters’ breach of Instructure’s Canvas LMS exposing data across 8,800 educational institutions during US finals week, while Qilin claimed Sysco and Everest ransomware targeted financial technology giant Fiserv, and Hungary’s pro-government Mediaworks suffered a 15-million-file data dump by the World Leaks extortion group.
Category: ransomware

Published: May 9, 2026

Executive Summary

The week of May 1 to 8, 2026 produced one of the year’s most consequential data breach events, as the ShinyHunters extortion group published claims against Instructure — the company behind Canvas LMS, the world’s most widely deployed learning management system — alleging the theft of approximately 275 million records spanning 8,809 schools, universities, and online learning platforms. The disclosure arrived during US college finals season, maximising its operational disruption, and Canvas services were affected at thousands of institutions before systems were restored by May 6. The Instructure breach sits within a sustained ShinyHunters campaign that also claimed Cushman & Wakefield, the global commercial real estate services firm, in the same week — a second major US target whose compromise was attributed to voice-phishing attacks against employees with access to Salesforce administrator credentials.

Beyond the ShinyHunters campaign, week 19 saw the Everest ransomware group claim a data exfiltration against Fiserv, one of the most systemically significant financial technology companies in the United States, which processes payments and core banking infrastructure for thousands of financial institutions. Qilin maintained its position as the highest-volume ransomware group by leak-site posting rate, adding Sysco — the world’s largest foodservice distributor — to its victim list, with a claimed extortion deadline of May 12. RansomHouse claimed a breach of Trellix, the US cybersecurity software vendor, alleging access to source code repositories and internal operational infrastructure — a particularly sensitive incident given Trellix’s role in defending enterprise and government networks. In Hungary, the publication of an 8.5 TB data dump against the pro-government media conglomerate Mediaworks by the World Leaks group triggered a government investigation after leaked documents allegedly showed editorial coordination with Moscow.

The week also produced two significant threat intelligence disclosures. Kaspersky published findings linking official DAEMON Tools Lite installers to a trojanised supply-chain campaign suspected to be the work of a Chinese-speaking threat actor, with hundreds of thousands of infections across more than 100 countries. Separately, researchers documented an Iranian MuddyWater campaign that used Chaos ransomware as a cover for an espionage operation conducted via Microsoft Teams social engineering — a false-flag technique that complicates attribution and post-incident response.

Key Statistics:

  • Global: At least 12 confirmed victims across seven threat groups during May 1–8; Qilin remains the highest-volume group by weekly posting frequency
  • Europe: 1 confirmed victim (Mediaworks, Hungary); World Leaks was the active group
  • Asia: 1 confirmed victim (East Inc., Japan); The Gentlemen was the active group
  • US: 8 confirmed victims — ShinyHunters, Everest, Qilin, RansomHouse, DragonForce, Akira, and Sinobi all active
  • Other: 2 confirmed victims in Canada and Argentina; Qilin active in both

1. EUROPE

1.1 Government

No ransomware incidents affecting European government agencies or ministries were confirmed during the May 1–8 window.

1.2 Health, Municipalities & Non-commercial

No new healthcare or municipal ransomware incidents were confirmed in Europe during this period. The sector remains under elevated threat following the wave of attacks documented in weeks 15 through 17, which produced record-breaking European healthcare victim counts in April, but no incident with a confirmed European health or municipal victim surfaced within the strict week 19 window.

1.3 Business

The week’s single confirmed European incident was also its most politically charged. Mediaworks — Hungary’s largest pro-government media conglomerate, which controls a network of newspapers, online outlets, and regional broadcasters aligned with the Orbán government — had 8.5 terabytes of data, comprising approximately 15 million files, published on the dark web by the World Leaks extortion group. The attack appears to have occurred in April 2026, with the data dump surfacing publicly around May 4. Published material included payroll records, financial statements, contracts, and internal editorial communications. Hungarian authorities opened an official investigation after reports emerged that the leaked documents allegedly contained plans to solicit Kremlin assistance in producing articles discrediting Ukrainian President Zelensky. Mediaworks urged its journalists not to report on the leaked material, a request that attracted significant criticism from press-freedom organisations. The incident marks the first confirmed World Leaks operation targeting a Hungarian organisation and underscores the degree to which ransomware and data extortion have become instruments of geopolitical destabilisation.

World Leaks is understood to be a rebranding of the Hunters International ransomware-as-a-service operation, which emerged in late 2023. The group has shifted toward pure data exfiltration rather than encryption-based ransomware, making recovery faster for victims while preserving or amplifying extortion leverage through the threat of politically or commercially damaging publication.


2. ASIA

2.1 Government

No ransomware incidents targeting Asian government agencies were confirmed during the week.

2.2 Health, Municipalities & Non-commercial

No healthcare or municipal incidents were confirmed in Asia during the May 1–8 period.

2.3 Business

The Gentlemen claimed an attack on East Inc., a Japanese outsourcing and commercial facility services provider, on May 6. Details of the exfiltrated data and operational impact remain limited, but the incident is consistent with The Gentlemen’s established pattern of targeting mid-to-large services-sector companies across multiple geographies simultaneously. The group has grown rapidly since its emergence in mid-2025, with Check Point Research analysis of a seized command-and-control server revealing over 1,570 actual victims — a figure that dwarfs the publicly visible count on the group’s leak site and suggests aggressive under-reporting of incidents across the affected industries.


3. UNITED STATES

3.1 Government

No US federal, state, or local government ransomware incidents were confirmed during the week.

3.2 Health, Municipalities & Non-commercial

Two US healthcare-adjacent organisations appeared as confirmed victims during the week. Excel Healthcare was claimed by Akira ransomware on May 8, with limited operational details made public. Neurotrials Research — a clinical research organisation specialising in neurological trials — was listed as a victim by the Sinobi ransomware group, with an estimated attack date of May 5. Sinobi is a relatively new group and this represents one of its first publicly confirmed attacks on a US healthcare target.

The Instructure breach, while rooted in a commercial company, had its greatest impact on educational institutions. Canvas LMS serves as the primary learning management platform for thousands of K–12 school districts, community colleges, and research universities across the United States. ShinyHunters posted their claim on May 3, citing 275 million records across 8,809 institutions and setting a May 12 extortion deadline. Instructure first acknowledged an incident on May 1; Canvas services were disrupted for students and faculty at affected institutions during a period of peak academic activity, with full restoration reported by May 6. The compromised data included names, email addresses, student ID numbers, and internal platform messages; Instructure stated that passwords and financial data were not confirmed as part of the theft. The scale — both in terms of record count and the number of institutions affected — makes the Instructure breach among the largest education-sector incidents ever recorded.

3.3 Business

The week’s most strategically concerning US business incident involved Fiserv, one of the world’s largest financial technology companies. Fiserv processes core banking transactions, card payments, and digital banking services for tens of thousands of financial institutions, including community banks, credit unions, and major national banks. The Everest ransomware group posted Fiserv to its leak site on approximately May 3, claiming data exfiltration. Fiserv had not publicly confirmed the incident by May 8. Everest operates primarily as a data theft and extortion group rather than an encryption-based ransomware operation, but its targeting of systemically important financial infrastructure — which underpins the payment and deposit systems of millions of retail banking customers — elevates the potential downstream exposure significantly beyond the initial corporate breach.

Qilin targeted Sysco, the world’s largest foodservice distributor, with a leak-site posting on May 5 and an extortion deadline of May 12. Qilin published what it described as internal documents as proof of access, with reported exposure including 45 compromised employee accounts, over 1,100 internal user credentials, and 38 third-party credentials. Sysco serves restaurants, hospitals, schools, and hotels across North America and internationally; a confirmed encryption event or extended operational disruption would carry supply-chain consequences across multiple critical sectors.

Cushman & Wakefield, the global commercial real estate and property management services firm, was struck twice in the same week. ShinyHunters claimed on approximately May 1 that a voice-phishing attack against an employee with Salesforce administrator access had yielded more than 500,000 records of client personally identifiable information. Qilin listed the same organisation on its leak site on May 4 in what appears to be an independent claim. Cushman & Wakefield confirmed that an incident had occurred but characterised it as limited in scope.

RansomHouse claimed a breach of Trellix on approximately May 7–8, asserting access to source code repositories and publishing screenshots suggesting broader access to internal dashboards and VMware virtualisation infrastructure. Trellix — formed from the merger of McAfee Enterprise and FireEye — provides endpoint detection, network security, and threat intelligence products to enterprise and government clients. A compromise of a security vendor’s own internal infrastructure carries reputational and operational consequences that extend beyond the data exposed: clients must assess whether their security configurations, telemetry, or operational procedures were accessible to the attacker.

DragonForce claimed CF Evans Construction, a US construction and civil engineering firm, on May 8. Akira separately claimed Excel Healthcare, noted above in the non-commercial section. The continued targeting of construction companies by DragonForce affiliates is consistent with the group’s exploitation of SimpleHelp remote monitoring and management software vulnerabilities, for which CISA added the underlying CVEs to its Known Exploited Vulnerabilities catalogue during this week with a May 8 federal remediation deadline.


4. REST OF WORLD

4.1 Government

No government incidents outside Europe, Asia, and the United States were confirmed during the week.

4.2 Health, Municipalities & Non-commercial

No healthcare or municipal incidents were confirmed outside the primary regions during this period.

4.3 Business

Qilin claimed Exco Technologies, a Canadian manufacturer of precision tooling, casting, and extrusion systems primarily serving the automotive industry, on May 8. Exco supplies tooling components to major North American and European automakers; the claimed exfiltration of technical and commercial data could expose proprietary manufacturing specifications and client contractual details.

A ransomware attack against an Argentinian shipping and logistics services company was also attributed to Qilin during the week, though the specific organisation name and detailed impact assessment had not been confirmed by major threat intelligence outlets by May 8. If confirmed, it would represent Qilin’s continued geographic expansion into South American logistics infrastructure, a sector the group has not historically concentrated on.


5. THREAT ACTOR ACTIVITY

Qilin closed the week as the single most prolific ransomware operation by public victim count, posting at least eight new victims across multiple geographies in a single 24-hour window at one point during the period. Intelligence reporting during the week confirmed a formal operational alliance between Qilin, LockBit, and DragonForce — three of the most active RaaS operations in the current landscape. The alliance reportedly involves pooled infrastructure, shared malware tooling, and coordinated negotiation resources, representing a structural consolidation that analysts describe as unprecedented in the recent history of ransomware-as-a-service operations.

The week produced two major supply-chain and nation-state disclosures with ransomware dimensions. Kaspersky published detailed technical findings documenting a trojanised supply-chain campaign in which official DAEMON Tools Lite installers, distributed from the legitimate vendor website from April 8 onward, contained a sophisticated backdoor attributed with moderate confidence to a Chinese-speaking threat actor. The implant supported multiple command-and-control protocols including HTTP, UDP, TCP, WebSocket Secure, QUIC, DNS over HTTPS, and HTTP/3, and could inject payloads into notepad.exe and conhost.exe. Estimated infections numbered in the hundreds of thousands across more than 100 countries, with secondary high-value payloads delivered selectively to government agencies, manufacturing firms, scientific research institutions, and retail organisations. A clean installer was released as version 12.6 on May 5.

Separately, researchers published attribution linking Iran’s MuddyWater advanced persistent threat group — also tracked as Mango Sandstorm and associated with Iran’s Ministry of Intelligence and Security — to a campaign designated Operation Olalampo that used Chaos ransomware as a deliberate false flag. The attack vector involved interactive Microsoft Teams sessions in which threat actors posed as technical support personnel, used screen-sharing to harvest credentials, and manipulated multi-factor authentication prompts. The actual objectives were espionage — credential theft, reconnaissance, and data exfiltration — rather than monetised ransomware deployment. The use of a ransomware variant as cover for an intelligence collection operation complicates both attribution and incident response: organisations that assume a ransomware event conclude with payment or recovery may fail to fully scope the espionage component.

On the law enforcement front, two US cybersecurity professionals were sentenced on May 1 in a case involving insider ransomware attacks. Ryan Goldberg, an incident responder, and Kevin Martin, a ransomware negotiation specialist, received four-year prison sentences after pleading guilty to conducting ALPHV (BlackCat) ransomware attacks against clients they were ostensibly hired to assist, between April and December 2023. The case highlights the persistent insider threat dimension within the ransomware response ecosystem.


6. KEY TAKEAWAYS

The Instructure breach is the defining incident of week 19 and warrants particular attention from any organisation using third-party platforms to process data at scale for educational or other regulated-sector clients. The attack surface was a single corporate vendor, but the downstream exposure touched hundreds of millions of records across nearly nine thousand institutions — a leverage ratio that will not be lost on other extortion groups evaluating future targeting strategies. The ShinyHunters pattern across April and early May is consistent: phishing or voice-phishing to obtain Salesforce or cloud-platform administrative credentials, followed by bulk API-level data extraction with minimal operational footprint. Organisations running cloud CRM and LMS platforms should treat privileged administrator accounts as critical infrastructure requiring hardware token authentication, session anomaly detection, and aggressive API rate-limit monitoring.
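The bulk-extraction pattern described above is detectable from a cloud platform's API audit trail. The following is an added illustration, not code from this report or from any vendor: it assumes a hypothetical space-separated audit log format (timestamp, account, API operation, records returned) and flags any account whose record volume or call count inside a sliding window exceeds a baseline, which is the "aggressive API rate-limit monitoring" the takeaway recommends.

```python
"""Flag bulk API-level data extraction in a cloud CRM/LMS audit log.

Added example. The log format below is hypothetical; adapt parse_line()
to the real export/audit events of the platform you operate.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: one admin account suddenly runs back-to-back
# bulk exports, while a normal user issues small queries all day.
SAMPLE_LOG = """\
2026-05-01T09:00:05Z jsmith@example.com query 200
2026-05-01T09:00:20Z jsmith@example.com query 200
2026-05-01T09:01:10Z admin-ops@example.com query 50
2026-05-01T13:30:00Z admin-ops@example.com bulk_export 50000
2026-05-01T13:30:15Z admin-ops@example.com bulk_export 50000
2026-05-01T13:30:40Z admin-ops@example.com bulk_export 50000
2026-05-01T13:31:02Z admin-ops@example.com bulk_export 50000
2026-05-01T13:31:30Z admin-ops@example.com bulk_export 50000
2026-05-01T13:32:00Z admin-ops@example.com bulk_export 50000
2026-05-01T13:32:30Z admin-ops@example.com bulk_export 50000
2026-05-01T13:33:00Z admin-ops@example.com bulk_export 50000
2026-05-01T13:33:30Z admin-ops@example.com bulk_export 50000
2026-05-01T13:34:00Z admin-ops@example.com bulk_export 50000
2026-05-01T13:34:30Z admin-ops@example.com bulk_export 50000
2026-05-01T14:00:00Z jsmith@example.com query 200
"""


def parse_line(line):
    """Parse 'timestamp account operation records' into a tuple."""
    ts, user, op, records = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, op, int(records)


def find_bulk_extraction(log_text, window=timedelta(minutes=10),
                         max_records=100_000, max_calls=10):
    """Return {account: (records, calls, window_start)} for every account
    whose activity inside any sliding window crosses either threshold.
    Only the first crossing per account is recorded."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    per_user = defaultdict(deque)          # account -> deque of (ts, records)
    alerts = {}
    for ts, user, _op, records in events:
        q = per_user[user]
        q.append((ts, records))
        while q and ts - q[0][0] > window:  # evict events outside the window
            q.popleft()
        total = sum(r for _, r in q)
        if (total > max_records or len(q) > max_calls) and user not in alerts:
            alerts[user] = (total, len(q), q[0][0])
    return alerts


if __name__ == "__main__":
    for account, (records, calls, start) in find_bulk_extraction(SAMPLE_LOG).items():
        print(f"ALERT {account}: {records} records in {calls} calls since {start}")
```

Thresholds here are illustrative; in practice derive them from each account's historical baseline so that a privileged account's first-ever bulk export stands out.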

The confirmed Qilin-LockBit-DragonForce operational alliance is the week’s most consequential structural development. Shared infrastructure and malware tooling across three major RaaS operations effectively pools their combined affiliate networks and access-broker relationships, increasing the velocity and geographic breadth of their combined campaign. Defenders should expect that initial access obtained by any single affiliate across these three brands may rapidly be monetised or exploited by the broader alliance.

The DragonForce SimpleHelp exploitation campaign, for which CISA issued a Known Exploited Vulnerabilities catalogue entry with an accelerated May 8 federal deadline, represents an active, confirmed attack chain. Any organisation running SimpleHelp RMM software that has not yet applied patches for CVE-2024-57726 and CVE-2024-57728 should treat this as an emergency remediation priority.


Sources

Primary Sources

  • Bleeping Computer: Instructure Canvas LMS breach — ShinyHunters claim (May 3, 2026)
  • Bleeping Computer: Trellix source code breach claimed by RansomHouse (May 7–8, 2026)
  • Bleeping Computer: MuddyWater uses Chaos ransomware as decoy in Microsoft Teams attacks (May 6, 2026)
  • The Record by Recorded Future: World Leaks claims breach of pro-Orbán Hungarian media firm Mediaworks (May 4, 2026)
  • The Record by Recorded Future: CISA warns of SimpleHelp exploitation by ransomware groups (May 2026)
  • The Record by Recorded Future: Two US cybersecurity professionals sentenced for ransomware attacks on clients (May 1, 2026)
  • The Hacker News: MuddyWater uses Microsoft Teams to conduct false-flag Chaos ransomware campaign (May 6, 2026)
  • The Hacker News: DAEMON Tools supply chain attack attributed to suspected Chinese threat actor (May 5–6, 2026)
  • SecurityWeek: Iranian APT intrusion masquerades as Chaos ransomware attack (May 2026)
  • SecurityWeek: Ransomware group takes credit for Trellix hack (May 2026)
  • CyberNews: Sysco claimed by Qilin ransomware (May 5, 2026)
  • CyberNews: Cushman & Wakefield ShinyHunters Salesforce breach claim (May 2026)
  • GRC Report: Hungary opens investigation after Mediaworks data leak surfaces on dark web (May 2026)
  • HappierIT / dexpose.io: Fiserv data breach — Everest ransomware claim (May 3, 2026)
  • dexpose.io: The Gentlemen ransomware attack on East Inc., Japan (May 6, 2026)
  • RedPacket Security: DragonForce victim — CF Evans Construction (May 8, 2026)
  • RedPacket Security: Qilin victim — Exco Technologies (May 8, 2026)

RSS Feed Sources

Bleeping Computer, The Hacker News, SecurityWeek, The Record by Recorded Future, Kaspersky Securelist, Cisco Talos Intelligence, Check Point Research, CISA Cybersecurity Advisories, Dark Reading, Help Net Security