Ransomware summary week 21, 2026

Week 21 brought a surge in cartel-coordinated ransomware activity with Qilin, APT73, and affiliated groups posting nearly 100 victims across 25 countries, while the disclosure of a 1.8-million-person breach at NYC Health + Hospitals — including stolen biometric fingerprint data — marked the week’s most consequential single incident.
Published: May 23, 2026

Executive Summary

The week of May 15–22, 2026 was defined by both volume and severity. Ransomware trackers logged approximately 95 victim postings across more than 25 countries, with the cartel cluster of Qilin, LockBit, and DragonForce — which together claimed 41 percent of all Q1 2026 victims — remaining hyperactive alongside a fresh wave of postings from APT73 and TheGentlemen across multiple continents simultaneously. The week’s most consequential disclosure came from New York, where NYC Health + Hospitals revealed that attackers had stolen medical records, Social Security numbers, and biometric fingerprint and palm print data belonging to at least 1.8 million people in a breach traced to a compromised third-party vendor active since November 2025. In Europe, the Rhysida group claimed to have exfiltrated data from Stuttgart’s city government and set a demand of 27 Bitcoin — though city officials denied any confirmed incident. The week also saw mass exploitation of a critical cPanel vulnerability carrying a CVSS score of 9.8, with a Go-based encryptor called “Sorry” ransomware deployed across tens of thousands of compromised hosting servers globally.

Key Statistics:

  • Global: ~95 tracker-confirmed victim postings across 25+ countries; most active groups were Qilin (10+), APT73 (6+), Nova (6+), TheGentlemen (6+), Safepay (6+), Payload (6+), and Akira (6+)
  • Europe: ~35 postings; Germany and Austria most heavily targeted; Stuttgart city government the prominent public-sector claim
  • Asia: ~14 postings across 8 countries; Singapore saw a cluster of five victims; APT73 hit government agencies in Turkey and Thailand
  • US: ~34 postings; healthcare the most impactful sector; ShinyHunters alleged 42 million Charter Communications customer records
  • Other: ~15 postings; APT73 active across Latin America; Canada, Australia, and Tunisia also affected


1. EUROPE

1.1 Government

The week’s most prominent European government claim came from Rhysida, which on May 19 asserted it had stolen data from Stuttgart’s city administration — the Landeshauptstadt Stuttgart. The group posted downscaled samples including scanned invoices and internal faxes on its dark web leak site and set a demand of 27 Bitcoin, roughly 2.07 million US dollars. Stuttgart officials responded by stating they had no indications of a cyber incident and that no systems had been encrypted. Whether Rhysida exfiltrated data through a peripheral system without triggering detectable encryption remains under investigation. The group has a documented history of targeting European public-sector and healthcare organizations.

1.2 Health, Municipalities & Non-commercial

Healthcare and education were both touched in this week’s European postings. In Germany, a dermatology practice listed as hautarzt-budihardja.de was claimed by Safepay, making it one of the few direct healthcare-provider targets in the region. In Central Europe, the University of Finance and Administration in the Czech Republic appeared on TheGentlemen’s leak site, and Poland’s Wyższa Szkoła Biznesu — National Louis University was posted by Nova. The targeting of two universities within the same week reflects a broader pattern of ransomware groups viewing academic institutions as high-value targets holding sensitive personal and financial records but often operating with underfunded security programs.

1.3 Business

European business bore the heaviest posting volume this week, with Germany, Austria, and the United Kingdom each seeing clusters of victims across multiple groups.

Germany’s private sector was struck from several directions. Ungerer & Company, a family-owned flavoring manufacturer founded in 1893, was claimed by APT73. G Theodor Freese, another long-standing family business, appeared on the Payload group’s site. Play posted Zuther Hautmann, while Safepay added the charter transport firm Berlinmobil.de and the media company mediafrance.de to its list.

Austria proved similarly exposed. Qilin posted two Austrian targets — ROTO Immobilien and Gartengestaltung Muller — in rapid succession. DragonForce claimed ZFG ALTHERM Engineering, a technical building equipment firm. The lesser-known group Lamashtu posted ROTH-TECHNIK AUSTRIA, a metal pipe fittings manufacturer, while TheGentlemen added E-Control Systems to its roster. Across the border, Switzerland’s DEVO-Tech — a family-owned engineering firm — was also claimed by TheGentlemen.

In the United Kingdom, Qilin claimed Hamer Childs and Porter W Yett, both business services firms. Akira posted Acton Electrical. Safepay added two long-established businesses — printroom.co.uk, founded in 1977, and Ashley Timber, founded in 1988. TheGentlemen claimed Polyrack, an electronics group, and Nova posted Asian Lite International, an independent media outlet serving the British-Asian community.

Elsewhere across Europe, France saw Groupe CRIT SA — a staffing and recruitment conglomerate — claimed by Titan, alongside smaller targets in private security and IT services. Spain’s olipes.com, an independent lubricants distributor, appeared on Safepay’s site. In North Macedonia, Alkaloid — the country’s oldest pharmaceutical company, founded in 1936 — was posted by APT73, a particularly notable targeting given the firm’s role in regional pharmaceutical supply. Italy’s Abp Autoricambi appeared on Titan’s list, Norway’s Nordfjord Hotell was posted by Nova, and in Cyprus, DragonForce claimed the global real estate investment firm Taurus Investment Holdings, established in 1976. Even Russia was not exempt: Akira posted Gitis, a rubber components manufacturer.


2. ASIA

2.1 Government

APT73 demonstrated a particular appetite for government targets in Asia this week, posting two national agencies within a 24-hour window. Thailand’s National Astronomical Research Institute — NARIT — appeared on APT73’s leak site on May 21, followed on May 22 by Turkey’s TKGM, the General Directorate of Land Registry and Cadastre. The Turkish agency holds land and property registry data for the entire country, making the potential scope of any exfiltration significant. TKGM had not publicly confirmed the claim as of this writing.

2.2 Health, Municipalities & Non-commercial

No confirmed healthcare or municipal incidents were reported in the Asia-Pacific region during this period.

2.3 Business

Asia’s business sector faced a geographically diverse set of postings, with Singapore emerging as the most frequently targeted single location in the region. The Payload group claimed three Singaporean firms in rapid succession — Robinsons, the historic department store founded in 1858; Tang Seng Nitrogen & Pump Systems, an engineering company; and Elohim Law Corporation, a law firm established in 2014. Krybit separately listed the enterprise operations platform mindmastersg.com, and Titan posted business services firm Quahe Woo & Palmer. Japan’s Kabushiki Gaisha Hodozuka Setsubi also appeared in Payload’s listings.

India saw two separate incidents. The most significant was the cybersecurity disclosure by HDFC Asset Management Company on May 18, when the firm notified the Bombay and National Stock Exchanges of unauthorized access to parts of its IT infrastructure, flagged two days earlier via an anonymous tip. Shares fell 2.3 percent on the news, and a forensic investigation was ongoing as of the disclosure date. No ransomware group claimed responsibility. Separately, Hotelogix — an Indian hospitality technology provider — was posted by a group calling itself Shadowbyt3$.

Elsewhere in the region, Nightspire claimed TAKOSAN Otomobil in Turkey. Nova posted AMACCAO, a Vietnamese multi-industry corporation. WorldLeaks — identified as a rebrand of Hunters International — claimed BMJ Paperpack in Indonesia. Incransom listed Nothing, the consumer technology brand headquartered in Taiwan. Krybit posted a corporate administrative services firm in Hong Kong.


3. UNITED STATES

3.1 Government

Two government-adjacent infrastructure targets appeared in US listings this week. Safepay claimed Harrison County, West Virginia’s county commission. More significantly, the Pear ransomware group posted the Indian Creek Valley Water Authority — a public water utility — marking another instance of ransomware actors probing critical water infrastructure, an area that CISA has repeatedly identified as dangerously underprotected.

3.2 Health, Municipalities & Non-commercial

The most consequential US incident of the week — and arguably of the entire global reporting period — was the public disclosure by NYC Health + Hospitals of a breach affecting at least 1.8 million people. The attack, traced to unauthorized access via a third-party vendor, began in November 2025 and went undetected until February 2026. The scope of stolen data was exceptional: in addition to medical records and health insurance details, attackers obtained Social Security numbers, passport information, driver’s license numbers, precise geolocation data, and biometric fingerprint and palm print scans. The breach was reported to the US Department of Health and Human Services on May 19. No ransomware group has been publicly linked to the intrusion, and the involvement of a vendor as the initial access point underscores the systemic vulnerability of healthcare supply chains.

Beyond NYC Health + Hospitals, DentaQuest — a dental healthcare benefits administrator — was claimed by ShinyHunters. Internal Medicine and Pediatrics of Cullman in Alabama appeared on Payload’s list, and a medical practice listed as “Internal Medicine” was posted by TheGentlemen. The YMCA of Columbia — a non-profit community services organization founded in 1854 — was also claimed by TheGentlemen.

3.3 Business

The US business sector saw the highest volume of postings of any geography this week, with Qilin, Akira, ShinyHunters, and DragonForce among the most active groups.

The week’s most headline-generating US data claims came from ShinyHunters, which posted what it described as over 42 million records containing personal information allegedly taken from Charter Communications, the second-largest cable operator in the United States. The group also claimed over 260,000 Salesforce records from Baker Distributing Company, a national HVAC and refrigeration distributor. The scale of the Charter claim, if verified, would rank among the larger telecommunications breaches of recent years.

RansomHouse drew attention for targeting Trellix, a prominent cybersecurity company, posting what it alleged were source code repositories, internal management dashboards, and access to internal services. Trellix confirmed unauthorized access to “a portion” of its source code but stated that no release or distribution processes were affected. A cybersecurity vendor being breached carries particular significance, as it raises questions about the security of tooling used by downstream enterprise customers.

Qilin was prolific in the US this week, posting Vernon & Ginsburg, Snyder Packaging, CJ Architects, WNS Lowery, Air Conditioning Florida, and Semgrep — the open-source static analysis tool widely used in software development pipelines. Akira continued its high pace, claiming Karlin Foods, Buffalo Niagara Convention Center, Function Enterprises, Sid Harvey’s, and TSG Enterprises. DragonForce posted the US operations of bakery chain Le Pain Quotidien and the environmental consulting firm Vega. Nightspire claimed Vantage Energy, an oil and gas operator, and Huse Incorporated, a hospitality business. The Pear group posted Pro Farm Group and Fana Jewelry alongside its water utility target. Nova claimed Hoy Construction and Veda Consulting. SilentRansomGroup posted Barclay Damon, a large regional law firm. Titan listed DFI America and ETM-Electromatic, while TheGentlemen added MBM Corp and Modern Display.


4. REST OF WORLD

4.1 Government

No confirmed government ransomware incidents were reported outside Europe, Asia, and the United States during this period.

4.2 Health, Municipalities & Non-commercial

No confirmed healthcare or municipal incidents were reported in the rest-of-world category this week.

4.3 Business

Latin America, Canada, Australia, and Africa all saw postings during the week, with APT73 proving especially active south of the US border.

In Hungary, WorldLeaks published approximately 8.5 terabytes of stolen data from Mediaworks, the country’s largest pro-government media conglomerate. The leaked files reportedly included payroll records, contracts, financial statements, and internal editorial communications — among them notes from a January 2025 meeting allegedly referencing plans to consult Moscow for framing coverage of the war in Ukraine. It was the first confirmed WorldLeaks operation in Hungary and attracted significant political attention given the organization’s alignment with the Orbán government.

APT73 demonstrated an aggressive Latin American footprint, posting Grupo Petersen in Argentina — a major financial and industrial conglomerate — alongside minsa.com.mx in Mexico, a corn masa producer, and tvnmedia.com in Panama, a national broadcaster. Titan listed Mezta Corporativo in Mexico. Qilin claimed Vial Agro in Argentina. TheGentlemen posted Ecuador’s Grupo Pasquel, an agri-food producer. In Brazil, Nova claimed both Softseba, a software provider, and Neubox, a technology services company.

Canada saw three postings: Incransom claimed threadinnovations, Safepay posted adlan.com — an IT infrastructure and cybersecurity company — and Pear listed the Exchange Group, an accounting and consulting firm. In Australia, Qilin claimed RCR Industrial Flooring and Braincipher posted a business advisory firm. Tunisia’s CRIT Tunisie, a human resources subsidiary of the French Groupe CRIT staffing conglomerate, was listed by Titan.


5. THREAT ACTOR ACTIVITY

The week’s most consequential infrastructure campaign was the mass exploitation of CVE-2026-41940, a critical pre-authentication bypass in cPanel and WHM with a CVSS score of 9.8. Disclosed on April 29, the vulnerability was weaponized at scale during this reporting period, with at least 44,000 internet-facing cPanel instances compromised. Attackers deployed a Go-based Linux encryptor called “Sorry” ransomware — appending a .sorry extension to encrypted files — primarily against managed service providers, web hosting companies, and government entities in South-East Asia, the Philippines, Laos, Canada, South Africa, and the United States. The campaign illustrates how quickly ransomware operators can operationalize publicly disclosed vulnerabilities in widely deployed management software.
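Because the encryptor described above renames files with a fixed `.sorry` suffix, a burst of such renames on one host is a cheap, high-confidence detection signal for defenders who already collect file-event audit logs. The script below is an added example written for this summary, not code from the report or from any of the vendors it cites. The log line format (`timestamp host=… op=rename src=… dst=…`) and the sample events are constructed for the demonstration; only the `.sorry` extension is taken from the report. It keeps a sliding window per host and raises an alert the first time the number of renames adding the watched extension reaches the threshold within the window.

```python
"""Flag hosts that rename many files to a ransomware extension within a short window.

Added example for the "Sorry" campaign summarised above. The audit log format is an
assumption made for this demonstration; adapt parse_line() to your own file-event
source (auditd, EDR telemetry, SIEM export).
"""
from collections import defaultdict, deque
from datetime import datetime, timezone
import re

# Constructed log format (assumption): one file operation per line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) op=rename src=(?P<src>\S+) dst=(?P<dst>\S+)$"
)


def parse_line(line):
    """Return (timestamp, host, src, dst) for a rename event, or None otherwise."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["host"], m["src"], m["dst"]


def detect_mass_rename(lines, extension=".sorry", threshold=5, window_seconds=60):
    """Return {host: (first_event_ts, count)} for hosts where at least `threshold`
    files gained `extension` within any `window_seconds` span.

    A per-host deque holds only the timestamps still inside the window, so memory
    stays bounded however long the log is. A host is reported once, at the moment
    it first crosses the threshold.
    """
    windows = defaultdict(deque)
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, host, src, dst = rec
        # Count only renames that add the extension; ordinary renames are noise.
        if not dst.endswith(extension) or src.endswith(extension):
            continue
        q = windows[host]
        q.append(ts)
        # Drop events that have aged out of the window.
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and host not in alerts:
            alerts[host] = (q[0].strftime("%Y-%m-%dT%H:%M:%SZ"), len(q))
    return alerts


# Constructed sample events: web07 shows a burst, web12 shows isolated renames.
SAMPLE_LOG = [
    "2026-05-20T03:12:44Z host=web07 op=rename src=/home/u1/public_html/index.php dst=/home/u1/public_html/index.php.sorry",
    "2026-05-20T03:12:45Z host=web07 op=rename src=/home/u1/public_html/config.php dst=/home/u1/public_html/config.php.sorry",
    "2026-05-20T03:12:45Z host=web07 op=rename src=/home/u1/docs/a.pdf dst=/home/u1/docs/a.pdf.sorry",
    "2026-05-20T03:12:46Z host=web07 op=rename src=/home/u1/docs/b.pdf dst=/home/u1/docs/b.pdf.sorry",
    "2026-05-20T03:12:47Z host=web07 op=rename src=/home/u1/docs/c.pdf dst=/home/u1/docs/c.pdf.sorry",
    "2026-05-20T03:13:01Z host=web12 op=rename src=/home/u2/tmp/build.log dst=/home/u2/tmp/build.log.sorry",
    "2026-05-20T03:13:02Z host=web12 op=rename src=/home/u2/tmp/old.txt dst=/home/u2/tmp/old.bak",
    "2026-05-20T03:20:00Z host=web12 op=chmod path=/home/u2/tmp/x",
    "2026-05-20T03:40:15Z host=web12 op=rename src=/home/u2/tmp/notes.md dst=/home/u2/tmp/notes.md.sorry",
]

if __name__ == "__main__":
    for host, (first_ts, count) in detect_mass_rename(SAMPLE_LOG).items():
        print(f"ALERT {host}: {count} files renamed to .sorry starting {first_ts}")
```

The threshold and window should be tuned against a baseline of legitimate rename activity on each host class; a shared-hosting node that runs nightly log rotation will tolerate a higher threshold than a file server. Because the extension list is a parameter, the same detector can watch several known suffixes at once by calling it per extension.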

Qilin continued to cement its position as the most prolific individual group in 2026, with over ten new victim postings across four geographies in a single week. Combined with LockBit and DragonForce, this cartel bloc accounted for 41 percent of all Q1 2026 ransomware victims globally — a concentration that the pace of week 21 shows no signs of diminishing.

APT73 emerged as one of the week’s most notable actors, posting simultaneously across Europe, Asia, and Latin America in a pattern more consistent with a large affiliate network than a single threat actor. Its targeting of a government agency in Turkey, a research institute in Thailand, a pharmaceutical company in North Macedonia, and media organizations in Panama within days of each other suggests either extensive pre-positioned access or a distributed affiliate structure operating under a single brand.

WorldLeaks — confirmed as a rebrand of Hunters International — made its most politically visible move yet with the Mediaworks publication in Hungary, apparently prioritizing reputational and political impact over straightforward extortion.

ShinyHunters returned with large-scale data theft claims against Charter Communications and Baker Distributing. The Charter claim of 42 million records would, if verified, rank among the most volumetrically significant database thefts alleged by any group in 2026.

Nightspire continued expanding its victim list across the US and Europe, claiming targets in energy, hospitality, and manufacturing — consistent with its profile as an opportunistic actor targeting smaller enterprises with limited security resources.


6. KEY TAKEAWAYS

Healthcare data remains the most sensitive ransomware target. The NYC Health + Hospitals breach — affecting 1.8 million people and including biometric fingerprint and palm print data — reinforces that healthcare organizations must treat third-party vendor access as a primary attack surface. Biometric data is irreplaceable: unlike passwords or payment card numbers, fingerprints cannot be changed after compromise.

The cPanel CVE-2026-41940 exploitation campaign demonstrates that patch latency for internet-exposed management software is still measured in weeks, not hours — and ransomware operators exploit that gap at machine speed. Organizations running shared hosting stacks, and particularly managed service providers, must treat critical vulnerabilities in externally reachable administration software as emergency-tier events requiring same-day action.

The consolidation of Qilin, LockBit, and DragonForce into a coordinated cartel — combined with the rapid rise of APT73 as a high-volume multi-geography actor — signals that the ransomware ecosystem is re-concentrating after the law enforcement disruptions of 2024 and 2025. Manufacturing, logistics, and professional services firms, which account for the majority of this week’s victims, should calibrate their threat models to reflect that they are now primary targets rather than collateral ones.

The Trellix breach serves as a reminder that security vendors are themselves high-value targets. Organizations should inventory which security tools hold privileged access to their environments and maintain contingency plans for the scenario in which a security vendor is compromised.


Sources

Primary Sources

  • TechCrunch — NYC Health + Hospitals breach (May 18, 2026): https://techcrunch.com/2026/05/18/nyc-health-and-hospitals-says-hackers-stole-medical-data-and-fingerprints-during-breach-affecting-at-least-1-8-million-people/
  • Heise Online — Rhysida / Stuttgart city government (May 19, 2026): https://www.heise.de/en/news/Cyber-gang-Rhysida-claims-data-theft-from-Stuttgart-city-11301876.html
  • The Record by Recorded Future — Mediaworks / WorldLeaks / Hungary: https://therecord.media/ransomware-group-claims-breach-of-pro-orban-media-firm
  • SecurityWeek — Trellix / RansomHouse: https://www.securityweek.com/ransomware-group-takes-credit-for-trellix-hack/
  • BleepingComputer — cPanel CVE-2026-41940 / “Sorry” ransomware: https://www.bleepingcomputer.com/news/security/critrical-cpanel-flaw-mass-exploited-in-sorry-ransomware-attacks/
  • Business Standard — HDFC AMC cybersecurity incident (May 18, 2026): https://www.business-standard.com/markets/capital-market-news/hdfc-amc-drops-after-cyber-security-incident-disclosure-126051800216_1.html
  • Check Point Research — State of Ransomware Q1 2026: https://research.checkpoint.com/2026/the-state-of-ransomware-q1-2026/
  • Industrial Cyber — Ransomware cartel Q1 2026: https://industrialcyber.co/ransomware/ransomware-sector-reconsolidating-as-qilin-lockbit-and-the-gentlemen-expand-influence-in-q1-2026/
  • Barracuda — Nightspire group profile (May 1, 2026): https://blog.barracuda.com/2026/05/01/nightspire-wannabe-warlords-in-ransomwares-shadow-realm
  • Help Net Security — cPanel vulnerability exploitation: https://www.helpnetsecurity.com/2026/05/04/multiple-threat-actors-actively-exploit-cpanel-vulnerability-cve-2026-41940/
  • Ransomware.live — victim tracker (primary source for postings): https://www.ransomware.live/

RSS Feed Sources

  • BleepingComputer Security
  • The Hacker News
  • The Record by Recorded Future
  • SecurityWeek
  • Help Net Security
  • Dark Reading
  • Krebs on Security
  • Kaspersky Securelist
  • Check Point Research