Ransomware summary week 20, 2026

Week 20 saw Nitrogen ransomware strike Foxconn’s North American manufacturing plants, claiming 8 TB including confidential data tied to Apple, Nvidia, and Google, while West Pharmaceutical Services suffered a silent encryption attack and Australian gold miners were disrupted through a supply-chain breach of IT provider Scope Systems.
Published May 16, 2026

Executive Summary

The week of May 8 to 15, 2026 produced three high-profile incidents that together underscore ransomware’s escalating reach into global manufacturing and supply-chain sectors. The most prominent was the Nitrogen ransomware group’s attack on Foxconn’s North American operations, affecting facilities in Mount Pleasant, Wisconsin and Houston, Texas. Nitrogen claimed 8 TB of data and approximately 11 million files, publishing evidence of access to confidential project documentation tied to Apple, Nvidia, Google, Dell, and Intel. Foxconn confirmed the attack on May 12, noting that some staff were reduced to working with pen and paper during the disruption, while factory production began recovering by May 13. The incident marks Nitrogen’s largest and most publicly consequential attack since its emergence as an independent operation in 2024.

West Pharmaceutical Services — the world’s leading manufacturer of drug-delivery components including injectable-drug stoppers, vials, and containment systems — disclosed a ransomware incident that disrupted global manufacturing and logistics operations from approximately May 4. Palo Alto Networks Unit 42 led the incident response, and law enforcement was notified. Notably, no ransomware group publicly claimed the attack by May 15 — a pattern that analysts associate strongly with a paid ransom and the attacker’s fulfilment of a non-disclosure term. West Pharmaceutical’s systems serve pharmaceutical manufacturers and regulators worldwide; the disruption of receiving, manufacturing, and shipping systems at multiple global facilities carries direct implications for drug-supply continuity.

In the Asia-Pacific region, a supply-chain attack on Scope Systems — a Western Australia-based cloud software deployment specialist serving the resources and mining sector — cascaded into confirmed disruptions at Northern Star Resources and Evolution Mining, two of Australia’s largest gold producers. The attack exploited Scope Systems’ privileged access to its mining clients’ IT environments, a pattern that security researchers have flagged as increasingly common in the resources sector. Scope Systems stated no data loss occurred, but both mining companies initiated recovery procedures during the week.

The week also saw the final chapter of the Instructure-Canvas crisis that began in week 19. ShinyHunters conducted a second breach of Canvas on May 7 — replacing the platform’s login page with a ransom note in a dramatic public escalation — before Instructure announced on May 11 that it had reached a settlement with the attacker and received technical confirmation of data destruction. A class-action lawsuit was filed on May 13 in San Diego federal court. The saga remains the largest confirmed educational data breach on record and is likely to reshape vendor liability standards for cloud learning platforms across the United States.

Key Statistics:

  • Global: At least 18 confirmed victims across eight threat groups during May 8–15; Qilin, DragonForce, and Nitrogen were the most active
  • Europe: 2 confirmed victims; DragonForce active in Sweden; unattributed attack in Italy
  • Asia: 3 confirmed victims across Japan, India, and Thailand; Qilin and DragonForce active
  • US: 9 confirmed victims; Nitrogen, ShinyHunters, Qilin, and DragonForce all active; West Pharmaceutical unattributed
  • Other: 4 confirmed victims across Australia and the UAE; Qilin and Inc Ransom active; supply-chain attack affecting Australian gold miners


1. EUROPE

1.1 Government

No ransomware incidents affecting European government agencies or ministries were confirmed during the May 8–15 window.

1.2 Health, Municipalities & Non-commercial

No new healthcare or municipal ransomware incidents were confirmed in Europe during this period.

1.3 Business

Two European businesses were confirmed or claimed as ransomware victims during week 20. In Italy, Unoaerre — a major gold jewelry manufacturer founded in 1926 and headquartered in Arezzo — suffered a ransomware attack that disrupted operational IT systems on approximately May 10. Management evacuated the manufacturing plant and isolated systems following anomaly detection. Initial forensic analysis found no irreversible infrastructure damage, and no ransomware group had publicly claimed the attack by May 15, raising the possibility of a private negotiation or ransom payment. The incident is significant given Unoaerre’s position as one of Europe’s largest gold jewelry producers, with supply relationships across European and international retail chains.

In Sweden, DragonForce claimed Pamil Modulsystem on May 13, posting the modular-building construction company on its dark web leak site. Pamil Modulsystem designs and manufactures prefabricated modular structures primarily for commercial and residential construction markets in Scandinavia. Detailed impact data and the volume of any exfiltrated data had not been confirmed by major threat intelligence outlets by the end of the week. The attack is consistent with DragonForce’s established pattern of claiming victims across multiple geographies in single-day posting bursts — on May 13 alone, DragonForce posted victims on three continents.


2. ASIA

2.1 Government

No ransomware incidents targeting Asian government agencies were confirmed during the week.

2.2 Health, Municipalities & Non-commercial

Qilin claimed B.Care Medical Center — a healthcare provider in the Asia-Pacific region — on May 15. Detailed operational impact and the scope of any data exfiltration had not been confirmed by major reporting outlets by the close of the week. The attack continues Qilin’s pattern of targeting healthcare institutions across multiple geographies simultaneously, a sector the group has struck repeatedly throughout 2026.

2.3 Business

Three Asian business victims were confirmed or claimed during the week. Qilin claimed NR Engineering, a Japanese engineering and manufacturing company, on May 15. Limited public detail was available at the time of publication. DragonForce posted Tricon Infotech, an Indian IT services firm, on May 13. No detailed exfiltration volume or operational impact was confirmed, though the attack is consistent with DragonForce’s targeting of mid-market managed-service and IT-services providers, which offer attractive access to multiple downstream client environments.

The most systemically significant Asia-Pacific incident of the week was the supply-chain attack affecting Scope Systems in Western Australia. Scope Systems provides cloud-based software deployment and infrastructure management services to mining and resources sector clients. Attackers exploited the company’s privileged access to breach the IT environments of Northern Star Resources and Evolution Mining, two of Australia’s largest ASX-listed gold producers. Both companies reported operational disruptions during recovery, though Scope Systems stated publicly that no data loss had been confirmed on its own systems. The attack reflects a well-documented risk pattern in the resources sector, where IT and operational technology service providers hold persistent privileged access to geographically distributed mining infrastructure, creating an attractive lateral-movement pathway for attackers seeking both financial leverage and operational disruption.


3. UNITED STATES

3.1 Government

No US federal, state, or local government ransomware incidents were confirmed during the May 8–15 window.

3.2 Health, Municipalities & Non-commercial

The most consequential story in this category during week 20 was the conclusion of the Instructure-Canvas crisis. ShinyHunters conducted a second breach of Canvas on May 7, replacing the platform’s login page with a ransom note, a highly public escalation that disrupted access for students and faculty at thousands of US colleges and universities during the final examination period. Instructure announced on May 11 that it had reached a settlement with the attacker and received technical confirmation that stolen data had been destroyed. A class-action lawsuit was filed on May 13 in San Diego federal court. The full incident, spanning May 1 through May 13, affected 8,809 institutions, with ShinyHunters claiming 275 million records stolen including names, email addresses, student identifiers, and platform messages. It is regarded as the largest educational data breach on record and is expected to drive regulatory scrutiny of cloud learning platform security standards across the United States.

WholeHealth Chicago — an integrative and functional medicine practice — and the Louisiana Association for Justice, a state bar association, both appeared as new victims in ransomware tracking databases on May 15. No threat group had publicly claimed either organisation, and detailed impact assessments had not been confirmed by major reporting outlets by the end of the week.

3.3 Business

West Pharmaceutical Services, headquartered in Exton, Pennsylvania, is the world’s leading manufacturer of drug-delivery containment components — stoppers, seals, vials, and closure systems for injectable drugs used by pharmaceutical manufacturers globally to meet regulatory packaging requirements. The company disclosed on approximately May 8 that it had suffered a ransomware attack beginning around May 4, which disrupted manufacturing, receiving, and shipping operations at multiple global facilities. Palo Alto Networks Unit 42 led the incident response engagement, and law enforcement was notified. West Pharmaceutical began restoring systems by mid-May. Crucially, no ransomware group publicly claimed the attack by May 15 — analysts noted that the absence of a public claim is strongly associated with a paid ransom accompanied by an attacker commitment not to disclose the victim publicly. The targeting of a company whose output is mandated by pharmaceutical regulatory agencies for injectable drug packaging creates a potential downstream risk for drug-supply chains if manufacturing disruptions persist.

Foxconn confirmed on May 12 that ransomware had struck its North American manufacturing operations, affecting facilities in Wisconsin and Texas. The Nitrogen ransomware group claimed the attack on May 11, asserting that 8 TB of data had been exfiltrated — approximately 11 million files — and publishing what it described as confidential project documentation tied to Apple, Nvidia, Google, Dell, and Intel. Staff at affected facilities were reduced to paper-based workflows during the disruption, with factory production beginning to recover by May 13. Foxconn acknowledged the incident but declined to confirm which customer data had been accessed. Nitrogen has operated since approximately 2024 and previously gained attention for its use of malicious advertising to distribute initial-access payloads through search engine results, though it has since diversified its access techniques.

Qilin claimed Keller Williams Realty Group on May 11, targeting one of the largest real estate franchise networks in the United States. Generation Life, a financial services and insurance company, and Foot Solutions, a specialty footwear and orthotics retail chain, were both listed as Qilin victims on May 15. DragonForce claimed MicroMarketing, a US provider of specialised library cataloguing and book collection services, on May 13. Impact details for these four victims had not been confirmed by major reporting outlets by the end of the week, but the breadth of Qilin and DragonForce targeting — spanning financial services, retail, real estate, and library services in a single week — reflects the indiscriminate, volume-driven posture both groups maintain.


4. REST OF WORLD

4.1 Government

No government ransomware incidents were confirmed outside Europe, Asia, and the United States during the week.

4.2 Health, Municipalities & Non-commercial

The Australian College of Business Intelligence, a private registered training organisation operating in the Australian vocational education sector, was claimed by Qilin on May 15. No detailed reporting had been confirmed by major outlets by the end of the week.

4.3 Business

Qilin claimed Menzies Group — a major aviation ground handling and services company with operations at airports across Australia and internationally — on May 15. The claim noted 31 compromised employee accounts and three third-party credentials among the exfiltrated data. Aviation ground services companies handle time-sensitive logistics across passenger and cargo operations at major airports; the exposure of employee access credentials carries direct operational security implications for the airports and airlines Menzies serves.

Inc Ransom claimed Lals Group, a UAE-based family business conglomerate, on approximately May 11, attributing the breach to May 10. Lals Group operates retail chains including Homes r Us, a Daiso Japan franchise, Carter’s, and several other consumer brands across the UAE, Qatar, Bahrain, Oman, Kuwait, and Saudi Arabia. Inc Ransom reported approximately 400 GB of data stolen, with nine compromised employee accounts and four third-party credentials identified. The attack represents one of Inc Ransom’s highest-profile Middle Eastern targets to date and reflects the group’s growing geographic reach beyond North America and Europe.


5. THREAT ACTOR ACTIVITY

Nitrogen dominated the week’s threat actor headlines with its claim against Foxconn North American facilities — the group’s largest and most publicised attack. Nitrogen first attracted wide attention in 2024 for its malvertising-based initial-access technique, in which sponsored search-engine results for commonly searched IT and administration tools were replaced with lookalike pages hosting trojanised installers. The Foxconn claim suggests a continuing evolution in both targeting ambition and access sophistication, with the group now operating against large-scale manufacturing targets rather than opportunistic enterprise victims.

Qilin maintained its position as the highest-volume ransomware group by public victim posting rate, with at least eight new victims claimed across four geographic regions during the May 8–15 window. The operational alliance between Qilin, LockBit, and DragonForce — confirmed in week 19 reporting — appears to be functioning as intended. DragonForce claimed victims on three continents in a single day on May 13, a pattern consistent with pooled affiliate capacity and shared access-broker relationships under the cartel model.

ShinyHunters concluded its Instructure-Canvas extortion campaign with a reported settlement on May 11, representing one of the few confirmed cases in recent years where an extortion group publicly acknowledged the outcome of negotiations and provided a technical commitment regarding data destruction. Whether the data was actually destroyed as claimed cannot be independently verified, and law enforcement has not confirmed independent evidence of deletion.

Kaspersky published its International Anti-Ransomware Day report on May 12, which highlighted two structural trends dominating the 2026 ransomware landscape. The first is the continued rise of encryption-less extortion — attacks in which data theft and the threat of publication serve as the sole leverage mechanism — which reduces attacker operational complexity while preserving financial leverage. The second is the early adoption by ransomware groups of post-quantum cryptography implementations in their encryption schemes, a pre-positioning for a future in which classical decryption attacks against standard RSA or elliptic-curve-based ransomware may become feasible.


6. KEY TAKEAWAYS

The Foxconn and West Pharmaceutical incidents together constitute the most significant week for ransomware against manufacturing in 2026 to date. Both attacks hit companies whose outputs are embedded in global supply chains serving multiple downstream industries — consumer electronics and pharmaceutical packaging, respectively. The absence of a public claim in the West Pharmaceutical case is itself significant: it suggests the attacker received a payment, possibly a substantial one given the strategic importance of the target. Pharmaceutical manufacturers and medical device companies should treat the absence of a ransomware claim after an incident as evidence of payment rather than exoneration, and should disclose to regulators accordingly rather than assuming a non-public resolution precludes disclosure obligations.

The Scope Systems supply-chain attack against Australian gold miners is a textbook illustration of the IT-as-attack-vector pattern that has dominated the most consequential supply-chain breaches over recent years. Any managed-service or cloud-software provider with privileged access to client operational technology environments should be treated as a critical-path risk by those clients. Network segmentation between the managed service provider’s management plane and business-critical or operational technology systems is the primary control that would have limited the blast radius of the Scope Systems breach.

The Nitrogen-Foxconn attack reinforces a pattern of ransomware groups — previously associated primarily with phishing or malvertising campaigns — now demonstrating the capability to operate against large-scale manufacturing environments with the operational discipline required to exfiltrate terabytes of data before triggering visible disruption. If 8 TB was staged and exfiltrated before Foxconn detected the attack, that data was likely staged over days or weeks — a window in which network anomaly detection, egress monitoring, and privileged-account behaviour analytics should have generated alerts. Organisations in electronics manufacturing, defence contracting, and precision manufacturing should revisit their assumptions about attacker dwell time and data-exfiltration detection capability.
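The egress-monitoring point above can be made concrete with a per-host baseline. The following is an added example, not taken from any of the reports cited here: it compares a fixed fleet-wide byte limit with a median/MAD baseline per host, over constructed daily flow totals in which one file server leaks roughly 8 TB across 14 days. Host names, the record shape (day, host, bytes_out) and all thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict
from statistics import median

GB = 10**9

def daily_totals(flows):
    """Sum outbound bytes per host per day from (day, host, bytes_out) records."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, host, bytes_out in flows:
        totals[host][day] += bytes_out
    return totals

def static_alerts(flows, limit):
    """Hosts with any single day above one fixed, fleet-wide byte limit."""
    return {h for h, days in daily_totals(flows).items()
            if any(v > limit for v in days.values())}

def sustained_egress(flows, baseline_days=14, k=6.0, floor=5 * GB, min_run=3):
    """Flag hosts that exceed their own baseline on >= min_run consecutive days.

    Threshold per host = median + max(k * MAD, floor) over its first
    baseline_days days. Returns {host: (first_day, run_days, excess_bytes)}.
    """
    findings = {}
    for host, per_day in daily_totals(flows).items():
        first, last = min(per_day), max(per_day)
        base = [per_day.get(d, 0) for d in range(first, first + baseline_days)]
        med = median(base)
        mad = median(abs(v - med) for v in base)
        threshold = med + max(k * mad, floor)
        start, run, excess = None, 0, 0
        for d in range(first + baseline_days, last + 1):
            sent = per_day.get(d, 0)  # a day with no flows breaks the run
            if sent > threshold:
                start = d if run == 0 else start
                run += 1
                excess += sent - med
                if run >= min_run:
                    findings[host] = (start, run, int(excess))
            else:
                start, run, excess = None, 0, 0
    return findings

def sample_flows():
    """Constructed 28-day sample: three hypothetical hosts, day index 0..27."""
    flows = []
    for d in range(28):
        flows.append((d, "backup01", (900 + 10 * (d % 3)) * GB))  # nightly offsite backup
        flows.append((d, "eng-fs01", (20 + d % 5) * GB))           # normal file-server egress
        flows.append((d, "ws-117", (2 + d % 2) * GB))              # ordinary workstation
        if d >= 14:
            flows.append((d, "eng-fs01", 571 * GB))  # ~8 TB spread over 14 days
    flows.append((20, "ws-117", 57 * GB))            # one-off large upload
    return flows

if __name__ == "__main__":
    flows = sample_flows()
    print("static 1 TB/day:  ", sorted(static_alerts(flows, 1000 * GB)))
    print("static 500 GB/day:", sorted(static_alerts(flows, 500 * GB)))
    for host, (start, run, excess) in sustained_egress(flows).items():
        print(f"{host}: above baseline from day {start} for {run} days, "
              f"~{excess / 1000 / GB:.1f} TB over baseline")
```

In this sample a 1 TB/day limit never fires and a 500 GB/day limit also fires on the legitimate backup host, while the per-host baseline flags only the file server and estimates the volume sent above normal.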


Sources

Primary Sources

  • BleepingComputer: Foxconn confirms cyberattack on North American factories (May 12, 2026)
  • BleepingComputer: West Pharmaceutical says hackers stole data and encrypted systems (May 8–12, 2026)
  • BleepingComputer: Instructure Canvas hacker claims data theft from 8,800 schools and universities (May 2026)
  • The Record by Recorded Future: West Pharmaceutical warns of ransomware attack impacting operations (May 2026)
  • SecurityWeek: West Pharmaceutical Services hit by disruptive ransomware attack (May 2026)
  • Cybersecurity Dive: Foxconn confirms cyberattack affecting North American facilities (May 2026)
  • Cybersecurity Dive: West Pharmaceutical restoring operations after ransomware attack (May 2026)
  • TechCrunch: Ransomware hackers claim breach at Foxconn, major electronics manufacturer for Apple, Google, and Nvidia (May 13, 2026)
  • The Register: Foxconn confirms cyberattack after Nitrogen claims Apple and Nvidia data theft (May 12, 2026)
  • TechNadu: Unoaerre ransomware attack disrupts manufacturing operations (May 10, 2026)
  • Dark Reading: Gold mining company struck by ransomware attack — Scope Systems and Australian gold miners (May 2026)
  • Kaspersky Securelist: International Anti-Ransomware Day report 2026 (May 12, 2026)
  • ransomware.live: Qilin victim listings — Menzies Group, Keller Williams Realty Group, B.Care Medical Center, Australian College of Business Intelligence, Generation Life, Foot Solutions (May 15, 2026)
  • ransomware.live: Inc Ransom victim listing — Lals Group (May 11, 2026)
  • dexpose.io: DragonForce ransomware attack on Pamil Modulsystem, Sweden (May 13, 2026)
  • dexpose.io: DragonForce targets Tricon Infotech, India (May 13, 2026)
  • dexpose.io: DragonForce ransomware attack on MicroMarketing, US (May 13, 2026)
  • Halcyon ransomware tracker: Keller Williams Realty faces major ransomware breach (May 11, 2026)
  • Industrial Cyber: Ransomware attacks on West Pharmaceutical and Foxconn highlight growing cyber risks to manufacturing sector (May 2026)
  • CYFIRMA Weekly Intelligence Report: May 15, 2026
  • CYFIRMA Weekly Intelligence Report: May 8, 2026

RSS Feed Sources

Bleeping Computer, The Hacker News, SecurityWeek, The Record by Recorded Future, Dark Reading, Kaspersky Securelist, CYFIRMA Research, Cisco Talos Intelligence, Help Net Security