Last Updated: May 6th, 2026 | 53 min read | Categories: The State Of Ransomware, 2026, Ransomware, Research

The State Of Ransomware April 2026

April marked a record-breaking month for ransomware activity, with 105 publicly disclosed attacks, the highest April total since tracking began in 2020. Organizations across 22 countries were impacted, with the United States accounting for 60% of all incidents. Healthcare was the most targeted sector, recording 25 attacks, followed by the services and government sectors with 16 each. In total, 32 ransomware groups were linked to publicly disclosed incidents, with ShinyHunters emerging as the most active, responsible for 15 attacks.

Find out who made ransomware headlines in April.

1. A cyberattack targeting St. Joseph County, Indiana, was revealed after the threat group Handala claimed responsibility for compromising county systems. The group alleged it had accessed and exfiltrated 2 TB of sensitive data, including records from law enforcement and other departments, and threatened to release the information publicly. County officials confirmed a breach had occurred but indicated it was linked to a third-party fax server rather than core government systems and said the incident had been contained. The full scope of the data exposure remains unclear.

2. Lapsus$ listed Mercor on its leak site, claiming to have obtained a wide range of company data. According to the group, the stolen information includes a 200GB database, a 3TB repository of video and identity verification data, and 939GB of source code. The AI recruiting startup confirmed it was affected by a supply chain attack linked to the compromised open-source LiteLLM.

3. In North Dakota, a ransomware attack on the Minot Water Treatment Plant forced operators to temporarily switch to manual gauge readings. The malware impacted the facility’s SCADA system, though the note left by the attackers did not include a ransom demand. City officials confirmed the water supply remained safe throughout the incident, and no ransomware group has publicly claimed responsibility.

4. Gem Terminal Industry stated that certain information was impacted by a cyberattack in early April. Key units including Suzhou Gem Opto-Electronics Terminal and Vietnam Gem Electronic and Metal were impacted by the incident. The organization activated its security response plan and restored affected systems in phases, with the support of external cybersecurity experts. An initial assessment indicated no material impact on its operations. The Gentlemen ransomware group claimed responsibility for the attack. 

5. A cyberattack disrupted operations at a municipal office in Náměšť nad Oslavou in the Třebíč region in the Czech Republic, forcing most systems offline and limiting public services. Around 70 computers had to be reinstalled as IT teams worked to restore servers and recover data from backups. LockBit took credit for the attack.

6. Check City Partnership confirmed it notified 322,687 people about a March 2025 data breach. Personal information including names, SSNs, government-issued IDs and financial information was compromised during the incident. Clop claimed responsibility for that attack in May 2025, adding the payday loan company to its leak site. To prove its claim, Clop posted sample images of alleged stolen documents from the company. 

7. Texas-based gun store Mister Guns notified 21,225 individuals of a data breach after unauthorized access to its systems in November 2025. The group Securotrop claimed responsibility, alleging it exfiltrated 290GB of data. The compromised information included personally identifiable information and various government-issued IDs. In its notification, the company stated there is no evidence that the stolen data has been misused as a result of the incident.

8. Toy manufacturer Hasbro disclosed a cyber incident involving unauthorized access to its systems, which led to disruptions across parts of its IT network. The company took affected systems offline as a precaution and initiated response and recovery efforts. While the full scope of the attack has not been confirmed, including whether data was exfiltrated, Hasbro stated that operations continued through contingency measures. No ransomware group has publicly claimed responsibility for the incident.

9. Brokk, a Swedish manufacturer of remote-controlled demolition machinery, reportedly had a 4GB dataset stolen from its systems by the Play ransomware group. The attackers threatened to release the data unless an undisclosed ransom was paid. The compromised information is said to include internal corporate data such as financial records, budgets, payroll details, identification documents, tax information, and client files.

10. Global law firm Jones Day confirmed a cyber incident after the Silent ransomware group gained access to its systems via a phishing attack. The group claimed responsibility and posted stolen data on its leak site, alleging extortion attempts against the firm. According to reports, the attackers accessed a limited number of older files tied to around 10 clients, all of whom were notified. Evidence shared by the group suggested a ransom demand of $13 million, with threats to publicly release all stolen data and further target the firm if its demands were not met.

11. Signature Healthcare, a Massachusetts-based healthcare provider, was hit by a cyberattack that significantly disrupted operations at its Brockton Hospital. The incident forced ambulance diversions, canceled some services, and impacted systems including electronic health records and pharmacy operations. Anubis ransomware group claimed responsibility, alleging it had exfiltrated over 2 TB of sensitive data and setting a deadline for a ransom payment, though the group later removed the listing from its leak site. 

12. New Jersey-based Shingle & Gibb Automation is notifying individuals of a cyberattack in November 2025 that resulted in the compromise of certain personal data. A forensic investigation found that an unauthorized third party gained access to the company’s network and obtained specific files. The Akira ransomware group claimed responsibility for the attack, alleging it exfiltrated 25GB of data.

13. Heart South Cardiovascular Group confirmed it notified 46,666 people of a November 2025 data breach that compromised their personal information. Heart South did not disclose what types of data were compromised. Rhysida took credit for the breach on November 10, 2025. The ransomware group demanded six bitcoins in ransom, worth about $630,000 at the time. To support its claims, the group published sample images on its leak site, including ID scans and medical records.

14. ProxyCare LLC started to notify individuals impacted by an August 2025 cybersecurity incident. An investigation into the incident confirmed that certain computer systems had been accessed and that patient data had been exposed. At this time, it is not clear how many individuals were affected by the breach. 

15. Qilin has taken responsibility for a cyberattack targeting Germany’s political party Die Linke. The party reported that the breach occurred in late March, when unauthorized access to parts of its infrastructure led to the shutdown of key systems to limit the impact. Attackers were able to extract internal data, including some employees’ personal information. However, Die Linke stressed that its membership database was not accessed or affected.

16. Cybercriminals allegedly stole 7.7 TB of sensitive internal documents from the Los Angeles Police Department and leaked the data online. The stolen data included personnel files, internal affairs investigations, and discovery documents that include unredacted criminal complaints and personal information. LAPD stated that it is investigating the breach, which involved a digital storage system belonging to the police department. Those responsible have not been publicly named.

17. South Illinois Dermatology has notified individuals of a data security incident that took place in late November 2025. An investigation into the incident confirmed unauthorized access to part of its network where patient files were stored. Affected data includes names, addresses, DOBs, and medical record numbers. Insomnia ransomware group took credit for the attack, claiming to have obtained the data of more than 150,000 patients. Samples of stolen data were added to the group’s leak site as proof, with the full data leak taking place at a later date.

18. Sydney-based GC Dental has been named on Space Bears’ dark web leak site, where the group claims to have stolen patient information and a “database.” However, the attackers have not provided details about the incident or the data in question, and the links to the alleged leaks are non-functional. GC Dental has not publicly responded to these allegations.

19. Qilin has listed Australian technology company Seeing Machines on its dark web leak site, offering no details beyond the company’s name. Seeing Machines confirmed it is aware of the claim that some of its data had been accessed and said it is “investigating this claim as a matter of priority.”

20. Sumitomo Metal Mining disclosed that its Philippine subsidiary, Coral Bay Nickel Corporation, suffered a ransomware attack in which two servers were encrypted. The company immediately isolated the affected servers and launched an investigation into the scope of the breach alongside external specialists. Operations at the company’s production plant remained unaffected. It is not known who is responsible for the attack. 

21. The Dutch healthcare software provider ChipSoft was hit by a significant ransomware attack, disrupting systems used by a large proportion of hospitals across the Netherlands. The incident was confirmed by the sector’s cybersecurity authority, Z-CERT, after unauthorized access was detected, prompting ChipSoft to take key services, including patient portals and mobile applications, offline to contain the breach. The company’s software supports 70–80% of Dutch hospitals, meaning the attack had widespread impact, with multiple healthcare institutions disconnecting systems as a precaution and some experiencing service disruptions. Subsequent investigations confirmed that cybercriminals were able to steal sensitive personal and medical data, although ChipSoft later stated that the stolen information had been destroyed and not published, without clarifying whether a ransom was paid. Embargo ransomware group took credit for the attack, claiming to have stolen 100 GB of data.

22. In North Carolina, Atlantic Brain and Spine disclosed a January 2026 cybersecurity incident. Upon discovering suspicious activity in its computer network, the healthcare provider engaged third-party specialists to investigate the incident. It was confirmed that certain patient data had been accessed. The exposed data is still being reviewed but is said to include PII, PHI and financial information. 

23. Innovative Pharmacy Packaging Corp confirmed in a breach report that the protected health information of 133,862 patients had been exposed in a recent security incident. An investigation into the September 2025 attack confirmed that unauthorized access to its network had resulted in the exfiltration of files. IPPC conducted a review of affected files which confirmed that they contained a range of personal and protected health information. It is not clear who is responsible for the attack. 

24. Brooklands of Mornington in Victoria, Australia, was listed on the dark web leak site of Space Bears. The group claimed to have stolen personal data belonging to both guests and staff, financial information, and “other files.” While the ransomware group did not give specific details on the exfiltrated data, it did threaten to publish the allegedly stolen files five days after the post was written. The resort has not yet publicly addressed the group’s claims. 

25. Winona County, Minnesota experienced a significant ransomware attack in early April 2026, marking the second such incident to hit the county that year. The attack was detected on April 7, prompting officials to take parts of the county’s computer network offline as a precaution, which led to disruptions across public services, including vital records and DMV systems, while emergency services remained operational. Due to the scale and complexity of the incident, Minnesota Governor Tim Walz authorized the deployment of the National Guard to assist with response and recovery efforts, alongside federal and third-party cybersecurity experts. The county has gradually restored systems, though delays persisted as backlogs were addressed. Interlock claimed responsibility for the attack. 

26. Gunra ransomware group listed Eric Davis Dental on its leak site, adding a file tree of documents to the post as proof of its claims. The data was structured into three folders: HealthCoachData, Scans, and Scans2025, alongside a collection of more than 500 PDFs labelled with potential patient names. The folders contained various letters of referral, DNA results, tax invoices and receipts. Eric Davis Dental confirmed that it is aware of Gunra’s claims and has launched a comprehensive review of its systems. Initial investigations did not identify any evidence of a cybersecurity incident, system compromise, or data breach.

27. Reports emerged indicating that the Silent ransomware group breached international law firm Orrick, Herrington & Sutcliffe. The attack occurred in January 2026, with the attackers maintaining access to the firm’s network for several days. During this time, they moved laterally across systems, locating valuable data repositories before exfiltrating sensitive information. The firm is reported to have entered negotiations with the group, but discussions collapsed after Silent deemed the offer inadequate, leading to the publication of the stolen data.

28. Rx Management has been listed on INC’s dark web leak site, with the group claiming to have exfiltrated more than 180 GB of data. While INC provided no further details about the alleged incident, it issued the pharmacy management company a two-day deadline to comply with unspecified demands. Rx Management has not publicly commented on these claims.

29. Siam Okamura International Co Ltd published a notice on its website stating that it had detected unauthorized access to certain servers within its network. In response, the company implemented containment measures and, with the support of external cybersecurity specialists, initiated a detailed investigation. Data believed to be linked to the company has appeared online, with the scope and nature of the information still under review. The ransomware group DragonForce has claimed responsibility for the incident, alleging it exfiltrated 368.7 GB of data.

30. Semiconductor manufacturer Grand Process Technology Co reported that it had been impacted by a ransomware attack. In response, the company isolated affected systems, initiated data recovery processes, and began investigating the incident and its potential impact. No known ransomware group has claimed responsibility.

31. Anubis ransomware group has claimed responsibility for a cyberattack targeting Western Australian operator Shine Aviation. The group added the company to its dark web leak site, alleging it exfiltrated more than 68,000 files amounting to 57 GB of data. According to Anubis, the stolen information includes a broad range of sensitive material, from aircraft and flight details to network access credentials and internal systems data. The post also included several sample files, such as images of employee security passes and login information.

32. Bendigo & District Aboriginal Co-operative (BDAC) has been listed on INC’s dark web leak site, although the group provided few details about the alleged incident. BDAC has since confirmed that it identified and contained a cybersecurity incident on the same day, helping to minimise the impact. The organization is continuing to investigate the matter in coordination with relevant authorities.

33. DermCare Management disclosed that it detected unauthorized access to its computer systems in late February 2026. The investigation found that over a twelve-day period, attackers were able to access and obtain patient information. The company engaged data review specialists, who determined that the compromised data includes names, government-issued identification, financial details, and medical records. While the total number of affected patients has not been specified, DermCare confirmed that 11 of its 70 clinics were impacted.

34. Healthdaq, a Dublin-based recruitment platform, was targeted in a ransomware attack by the relatively new group XP95. The company detected unauthorized access to its data in late March and stated that the incident was quickly contained. Potentially compromised information includes names, CVs, government-issued identification, and some health-related data. XP95 claims to have exfiltrated 431 GB of data.

35. Vilhelmina Municipality in Sweden was impacted by a ransomware attack, believed to be part of a broader IT campaign affecting several councils across the country. The incident disrupted the municipality’s websites, e-services, and telephone systems, while broadband services for network customers were gradually shut down as a precautionary measure. Social services were among the most affected, losing access to critical systems. It remains unclear who is responsible for the attack.

36. INC ransomware group has claimed responsibility for an attack on Dorotea Municipality in Sweden. The incident pushed the council into emergency mode after attackers encrypted municipal systems overnight. Despite the disruption, Dorotea prioritised maintaining essential services such as home care and childcare. It remains unclear whether any data was exfiltrated during the attack, and the council confirmed that no ransom was paid.

37. ShinyHunters has claimed to have breached GTA developer Rockstar Games, alleging it obtained valuable data and issuing a deadline for the company to meet unspecified demands before releasing it. Rockstar acknowledged that a limited amount of non-sensitive company information was accessed, stating that the incident had no impact on its operations or players.

38. In Minnesota, Spring Lake Park Schools suffered a cybersecurity incident that resulted in unauthorized access to some of the district’s systems. Affected systems were shut down to prevent further spread of the attack. All classes, including childcare, community education programs and afterschool activities, were cancelled. The district contacted state law enforcement and the FBI to assist with an investigation into the incident. 

39. Ralph Lauren is believed to have been impacted by a cyberattack originating through a third-party provider rather than its own infrastructure. At present, it is unclear what data, if any, may have been compromised, and the company has not publicly commented on the alleged unauthorized access. The group CoinbaseCartel has claimed responsibility for the incident, though it has not provided any specific details on its leak site.

40. Reports indicate that Mexico’s Ministry of the Navy (SEMAR) suffered a cyber incident resulting in data exfiltration from its Safe Smart Port (PIS) platform. A threat actor subsequently leaked 39.7 GB of data on a public forum. The breach is said to have impacted around 640,000 port operators. No additional details about the incident have been publicly disclosed.

41. Rocky Mountain Associated Physicians disclosed a security incident involving unauthorized access to the protected health information of up to 50,640 current and former patients. A forensic investigation found that attackers gained access to certain systems, including the patient database, which contained names, Social Security numbers, health information and insurance details. In some cases, financial account information was also exposed. The ransomware group PEAR claimed responsibility for the attack and published the stolen data after ransom demands were not met.

42. Education company McGraw-Hill confirmed that the ShinyHunters group exploited a Salesforce misconfiguration to access internal data. The company stated that the incident was limited in scope and involved only non-sensitive information. However, ShinyHunters claims to have obtained 45 million Salesforce records containing personal data and has threatened to release the information if its ransom demands are not met.

43. INC listed Mastercom, an Australian communications company, on its leak site. The hackers claim that compromised data includes customer information, HR data and financial information. Soon after the initial post, the ransomware group leaked the full dataset, which includes information from a company called Queensland Communications, which was acquired by Mastercom in 2013. The organization has stated that it is aware of the incident but refused to comment further. 

44. Franziskusschule in Wilhelmshaven was targeted in a cyberattack, which has been confirmed by the relevant authorities, with a report filed to local police. Officials indicated that no lasting damage is expected and that school operations have not been disrupted. The school noted on its website that its “IServ” network was temporarily unavailable but is being addressed. The ransomware group Payload has claimed responsibility, alleging it exfiltrated 13 GB of data.

45. Autovista confirmed that it called in outside support to help with the fallout of a ransomware attack that affected systems in Europe and Australia. Applications experienced disruption as part of the incident and the organization worked to resolve these issues as quickly as possible. Given the early-stage nature of the attack, Autovista was not aware of how the cybercriminals were able to breach its systems.

46. Krybit ransomware group has listed Dencom New Zealand on its leak site, giving the company ten days to comply with unspecified demands. As proof of the breach, the group released a number of documents, including personal data, family correspondence linked to a Dencom employee, tax invoices, and medical records. The total volume of data allegedly stolen has not been disclosed. Dencom’s website was temporarily unavailable, and the company has not publicly responded to the group’s claims.

47. Data reportedly stolen from Hallmark Cards Inc has been released on cybercrime forums after ShinyHunters threatened to publish millions of records linked to the company. The group claims to have obtained nearly eight million records, which have now been made public. The leaked data is said to include both customer information and internal company data.

48. The National Railroad Passenger Corporation (Amtrak) has been listed by ShinyHunters as a victim, with the group claiming to have exfiltrated 9.4 million Salesforce records. According to the attackers, the dataset contains personally identifiable information as well as internal corporate data. However, no sample data has been released to substantiate these claims.

49. Shun Hing Group reported that it identified unauthorized access and damage to its computer systems as a result of a cyberattack. The company has filed a police report, notified relevant authorities, and engaged independent cybersecurity experts to investigate the incident. A review of the affected data is ongoing, but it has been confirmed that compromised information includes names and other contact details. LockBit ransomware group has claimed responsibility for the attack.

50. 1,758 people were notified of a data breach involving the Phoenix Art Museum which led to the compromise of their names and Social Security numbers. The museum stated that it identified unauthorized access to its systems in early December 2025 and immediately launched an investigation. Rhysida took credit for the attack, stating that it had stolen data from the museum and demanded 10 BTC in ransom, worth about $667,000 at the time.

51. Japan-based Cota Co Ltd confirmed that the system disruption it disclosed in late March was caused by a ransomware attack. The company isolated potentially infected internal systems and disconnected its network as a precaution, while withholding technical details of the ransomware to prevent further damage. The company reported that, as of now, there is no confirmed leakage of personal or other sensitive information.

52. FriendlyCare Pharmacies has been listed on Kairos’ leak site, with the group claiming to have exfiltrated 113 GB of data. A sample of the alleged data included medical information such as prescriptions, an incident report, employment-related correspondence, and a licence, all seemingly tied to the company’s Booval location. FriendlyCare has not publicly responded to these claims.

53. Threat actors have publicly released data stolen from Standard Bank of South Africa. In late March, the bank disclosed that it had identified an incident involving unauthorized access to certain data, followed by two further updates to clients in April. The breach exposed a subset of client records, including account numbers, business names, and some identification details. The bank reiterated that its transactional banking services and core operating systems were neither accessed nor compromised.

54. Windward Life Care has begun notifying individuals of a data security incident that occurred in December 2025. A forensic investigation determined that unauthorized access to its network led to the compromise of personal and protected health information. Sinobi ransomware group claimed responsibility, alleging that it both encrypted files and exfiltrated 25 GB of data. The group later published the stolen data after ransom demands were not met.

55. ShinyHunters has listed Alert 360, the fifth-largest home and business security provider in the US, on its victim blog, providing a download link to a purported 10 GB dataset containing 2.5 million records. The exposed data is said to include personally identifiable information as well as internal corporate data. Alert 360 has not publicly responded to these claims.

56. Another victim attributed to ShinyHunters this month is US retailer 7-Eleven. The group reportedly gained access through Salesforce and claims to have exfiltrated more than 600,000 records, including personal and internal corporate data.

57. Carnival Corporation was targeted in a cyberattack claimed by ShinyHunters, which listed the cruise giant on its leak site this month. The group alleges it exfiltrated more than 8.7 million records containing personally identifiable information and internal corporate data, issuing a deadline for ransom payment before threatening to publish the data. Subsequent reports indicate that the data, linked to a loyalty program operated by a Carnival subsidiary, may include names, dates of birth, and other personal details, with millions of unique email addresses exposed. Carnival has acknowledged a security incident, stating it stemmed from a phishing attack on a single user account and that containment measures were quickly implemented, though the full scope and validity of the attackers’ claims remain under investigation.

58. Zara was another high-profile organization targeted by ShinyHunters, after being listed on the group’s dark web leak site alongside other major brands. The attackers claimed to have gained access to sensitive data, reportedly via a third-party connection linked to broader cloud and analytics compromises, and issued a “pay or leak” ultimatum, threatening to publish the stolen information if ransom demands were not met. Subsequent reports suggest that data tied to Zara was later released following failed negotiations, with the breach believed to involve customer and internal corporate data, although the full scope and impact have not been publicly confirmed by the company.

59. Blackwater ransomware group took credit for a cybersecurity incident at Minidoka Memorial Hospital in Idaho. The incident itself took place on Easter morning and temporarily impacted certain systems within the healthcare provider. The ransomware group claimed to have stolen 577 GB of data from the hospital and demanded that an undisclosed ransom be paid within a week of the initial post. 

60. Glendale Obstetrics & Gynecology has begun notifying individuals of a security incident that occurred in October 2025. Initially described as a network disruption impacting part of its digital environment, it was later confirmed that unauthorized access had taken place, resulting in the compromise of sensitive data. The exposed information includes both personally identifiable information (PII) and protected health information (PHI). The SafePay ransomware group claimed responsibility for the attack and subsequently released the stolen data.

61. Lymphedema Therapy Specialists disclosed a data breach stemming from unauthorized access to its systems in February 2026. A subsequent review determined that the compromised data includes names, Social Security numbers, government-issued identification, medical information, and health insurance details. INC ransomware group has claimed responsibility for the attack.

62. City Health notified certain patients of a hacking incident that was identified at the end of March 2026. An unauthorized party gained access to its network for a nine-day period and viewed or acquired files containing sensitive information. Data accessed includes names, insurance details, and procedure codes. It was reported that the incident impacted around 65,000 individuals. 

63. Canada Life announced that it had identified a cyber incident involving access to certain applications through an employee account. The incident was quickly contained and regular operations and services continue. An investigation was immediately launched with support from third-party cybersecurity experts. ShinyHunters added Canada Life to its leak site, claiming to have stolen 5.6 million Salesforce records. 

64. Strata management firm Strata Republic was listed on Kairos’ victim portal, with the group claiming to have exfiltrated 441 GB of data. The group published several files as evidence of the hack, including employee documents, an income tax report and a driver’s licence of an employee. Strata Republic has not yet publicly acknowledged these claims. 

65. Adaptavist Group initiated an investigation into a security incident after a threat actor gained access using stolen credentials. The company stated that the affected systems contained standard business data. The Gentlemen ransomware group has claimed responsibility, alleging a “complete infrastructure compromise” and significant data exfiltration. According to the group’s dark web post, the stolen data includes hundreds of thousands of purported customer records, product source code, credentials, and elements of production systems.

66. Citizens Financial Group stated that it is dealing with a data security incident tied to a third-party provider. The company acknowledged that data had been exfiltrated but stated that most of it was masked test data, with a limited set of information for a small number of customers. Everest ransomware group claimed responsibility for the attack, adding sample data and a deadline to its dark web leak site listing. 

67. In Vermont, Springfield Hospital started notifying patients that some of their personal and protected health information had been exposed during a cybersecurity incident late last year. A forensic examination determined that an unauthorized individual had accessed information. Data exposed includes names, DOBs and SSNs, alongside information such as medical record numbers, physicians’ names and reasons for visits. A file review confirmed that 5,892 individuals were affected by the breach.

68. Chicago’s Saint Anthony Hospital started notifying patients about the theft of some of their personal and protected health information. The breach notification does not state when the unauthorized access was detected, only that an unauthorized third party accessed and/or acquired files and folders of unstructured information. Electronic medical records were not impacted by the breach. It is reported that 146,108 individuals were impacted by the incident.

69. 285,086 patients have been impacted by a cyberattack on North Texas Behavioral Health Authority. NTBHA identified unauthorized activity within its computer systems in mid-October 2025, with an investigation determining that patient information was accessed during a two-day intrusion period. The types of data involved have not been made public, although for some individuals, Social Security numbers have been exposed.

70. Architectural firm Grace Design Studios LLC is facing a proposed class action alleging that its failure to safeguard sensitive data led to a ransomware attack. According to the lawsuit, an unauthorized party accessed the company’s network in mid-April and stole private information involving customers and employees. Payouts King was responsible for the attack and claimed to have exfiltrated 2.5 TB of data from the organization. 

71. Malaysian heavy crane manufacturer Favelle Favco has been listed as a victim on SafePay’s dark web leak site, with the group claiming to have published a 237 GB dataset. The leaked data reportedly includes around 140,000 files related to the company’s Australian operations and Sydney production facilities. Exposed information is said to include government-issued IDs of Australian employees, internal and customer communications, financial records, and technical documents. Favelle Favco has not publicly commented on these claims.

72. Frost Bank was reportedly targeted by the Everest ransomware group, which threatened to release large volumes of stolen data if its demands were not met. The group claims the breach includes data relating to nearly 250,000 customers. Sample files shared as proof appear to contain Social Security numbers, tax identification numbers, mortgage interest rates, and other sensitive information.

73. Murray Medical Center in Minnesota announced a data security incident that affected current and former patients. The incident was first detected in August 2025, when suspicious activity was observed in its IT systems. With the help of external cybersecurity experts, it took until the end of January 2026 to determine that patient and employee data had been compromised during the incident. Exposed information includes both PII and PHI. The breach impacted approximately 5,073 individuals. 

74. A major data breach was announced by Hospital Caribbean Medical Center in Puerto Rico. An intrusion was detected by its monitoring systems in early February, with steps immediately taken to contain the incident. It is believed that the incident has impacted 92,000 individuals. The Gentlemen took responsibility for the attack, claiming to have exfiltrated sensitive data including patient information. 

75. The Town of Orange, Virginia was reportedly targeted in a ransomware attack claimed by the LockBit group, which listed the municipality on its dark web leak site. The claim followed a February technology outage that forced the closure of Town Hall and several municipal offices for parts of three days, disrupting local services and limiting payment methods while systems were restored. LockBit alleged it had compromised the town’s network and threatened to release sensitive government data unless negotiations were initiated. Officials have not publicly confirmed any link between the outage and the ransomware claim or disclosed whether data was accessed or exfiltrated.

76. Yamaichi Electronics disclosed that its Philippine subsidiary, Pricon Microelectronics, was impacted by a ransomware attack affecting certain servers, confirmed on April 17, 2026. In response, the company engaged external cybersecurity experts to secure and restore affected systems while investigating the cause and scope of the incident. Yamaichi apologized to customers and stakeholders for the disruption and concern caused. The company is still assessing the potential impact on its consolidated business performance and has not yet determined any financial or operational effects, noting that further updates will be provided if disclosure requirements are triggered.

77. France’s National Agency for Secure Titles (ANTS), the government body responsible for issuing identity documents, confirmed a data breach following a cyber incident detected in mid-April. The breach is believed to have exposed data from both individual and professional accounts on its portal, including names, contact details, dates of birth, and other account-related information. A threat actor known as “breach3d” claimed to have stolen and attempted to sell up to 19 million records on cybercrime forums, though the full scale of the incident remains under investigation. Authorities have stated that while personal data was accessed, there is no evidence that user accounts or the platform itself were compromised, and the agency is working with law enforcement and cybersecurity experts as the investigation continues.

78. Yau Yat Chuen Garden City Club, a private club in Hong Kong, was impacted by a ransomware attack that compromised the personal data of more than 9,000 individuals, including current and former members. The breach stemmed from the club’s customer management system, which was rendered inoperable after attackers encrypted files on a server. Exposed data included names, ID and passport numbers, dates of birth, contact details, and addresses. Investigations found the incident was linked to multiple security weaknesses, including outdated software, poor authentication controls, and inadequate cybersecurity measures. While there is no evidence the data has been publicly leaked, authorities determined the club had failed to adequately protect personal data and issued enforcement actions, prompting remedial security improvements.

79. A South Australia-based genealogical research organization, Genealogy SA, confirmed it experienced a cyber incident after being listed by the SafePay ransomware group on its dark web leak site. The organization detected the breach earlier in the year and engaged external cybersecurity experts to contain and investigate the incident, later notifying affected members. SafePay claimed to have exfiltrated a range of sensitive data, including business and financial documents, insurance records, historical genealogical data, personal correspondence, and internal materials, and subsequently leaked the information after ransom demands were not met.

80. Real estate investment firm JRK Property Holdings Inc. was reportedly impacted by a ransomware attack in early April 2026, with claims from the group The Gentlemen that it compromised data relating to approximately 111,000 individuals. According to a newly filed class action lawsuit, the breach exposed sensitive personal information, including names and Social Security numbers. The incident was first identified via a ransomware monitoring site that published alleged ransom notes, suggesting that attackers were able to access and exfiltrate data, raising concerns around identity theft and financial fraud.

81. The City of Suffolk, Virginia is investigating an attempted ransomware attack after a threat actor gained unauthorized access to its network and tried to deploy ransomware. The intrusion was identified after a federal alert flagged suspicious activity, allowing IT staff to respond quickly and prevent full encryption of systems. However, officials acknowledged that data may have been accessed or exfiltrated during the window of unauthorized access, with potentially sensitive personal information at risk. The incident prompted an ongoing investigation, with authorities working to determine the scope of any data exposure while implementing additional security measures to strengthen defenses.

82. Online learning platform Udemy was recently listed as a victim by ShinyHunters, which alleged it had exfiltrated more than 1.4 million user records containing personally identifiable information and internal corporate data. The group issued a “pay or leak” ultimatum, threatening to publish the stolen data if its demands were not met. Subsequent reports indicate that the dataset, linked to both users and instructors, was later released on cybercrime forums, with exposed information including email addresses, names, contact details, and additional account-related data. Udemy has not publicly confirmed the breach.

83. The University of Warsaw disclosed a cyber incident involving unauthorized access to its IT systems, where attackers used compromised credentials to infiltrate the network and move laterally across systems. During the intrusion, large volumes of data were copied and later published online, including tens of thousands of files containing personal data such as identification details, contact information, financial records, and health-related data. Interlock ransomware group has claimed responsibility, alleging it exfiltrated approximately 850 GB of data and sharing sample images on its leak site as proof.

84. ViaQuest, a U.S.-based healthcare and social services provider, was listed as a victim of a ransomware attack claimed by the Anubis group, which alleged it had compromised company systems and exfiltrated a substantial volume of sensitive data. According to the group, approximately 4.1 TB of data, comprising over one million files, was stolen during the intrusion, potentially impacting more than 37,500 patients and 3,900 employees. The reportedly exposed data includes extensive personal and medical information, alongside employee records and internal administrative documents. At the time of reporting, the full scope of the incident had not been independently verified, and ViaQuest had not publicly commented on the claims.

85. Florida Physician Specialists, a Jacksonville-based multi-specialty practice, began notifying patients about a data breach stemming from a November 2025 cyber incident. An investigation confirmed that an unauthorized third party accessed its network over a two-day period, with a subsequent data review determining that a limited amount of patient information may have been exfiltrated. Potentially compromised data includes names combined with sensitive details such as Social Security numbers, government-issued IDs, financial information, and medical and health insurance data.

86. ADT confirmed it experienced a data breach after detecting unauthorized access to customer and prospective customer data, prompting an immediate response to contain the intrusion and launch an investigation. The company determined that exposed information primarily included names, phone numbers, and physical addresses, with a smaller subset of records also containing dates of birth and partial Social Security or tax identification numbers. No payment information or home security systems were impacted. ShinyHunters claimed responsibility, alleging it stole millions of records by exploiting an employee account through a vishing attack to access ADT’s Salesforce environment.

87. Mile Bluff Medical Center in Mauston, Wisconsin, responded to a cyberattack that resulted in the encryption of files across parts of its network. Upon discovery, the organization implemented security protocols and engaged third-party experts to assist with the investigation and recovery efforts. The incident caused limited, temporary disruptions to certain systems, including its phone services, with clinical teams operating under downtime procedures to ensure continuity of patient care. While restoration efforts are ongoing, it remains unclear whether any patient data was impacted. No ransomware group has claimed responsibility for the attack at this stage.

88. Rodenburg Law Firm has begun notifying 81,307 individuals of a data breach linked to an August 2025 cyber incident, following the completion of its internal investigation. The firm confirmed that sensitive data, including Social Security numbers, payment card details, and medical information, was compromised. Akira ransomware group claimed responsibility for the attack, alleging it exfiltrated around 144 GB of data from the firm’s systems, including employee records, confidential legal files, court documents, and client information.

89. Video platform Vimeo confirmed a data breach after an attack linked to its third-party analytics provider, Anodot, which allowed unauthorized access to user and customer data. The ShinyHunters extortion group claimed responsibility, alleging it had extracted large volumes of data and issuing a “pay or leak” ultimatum. The compromised information primarily included technical data, video metadata, and some customer email addresses, while Vimeo stated that login credentials, payment information, and video content were not affected.

90. The Massachusetts Development Finance Agency (MassDevelopment) was reportedly targeted in a March 2026 cyberattack, with the ransomware group DragonForce claiming responsibility. According to breach notifications, unauthorized access to the agency’s network led to files being copied on the same day the intrusion was identified. The group alleges it stole approximately 1.56 TB of data, including personal information such as names, Social Security numbers, driver’s license details, and financial account data. MassDevelopment has not confirmed the group’s claims, and the full scope of the breach, including the number of individuals affected, remains unclear.

91. BELFOR Asia confirmed it was impacted by a cyberattack affecting its regional operations, prompting the shutdown of IT systems and disconnection of network access to contain the incident. The company later disclosed that data had been exfiltrated and subsequently leaked online. INC ransomware group has claimed responsibility, alleging it stole approximately 430 GB of data and publishing sample files as proof on its leak site. The compromised information is understood to include project-related, corporate, and personal data such as case details, damage reports, and contact information. BELFOR has engaged external cybersecurity experts and continues to investigate the full scope of the breach.

92. The Rural Municipality of Gimli in Manitoba was recently impacted by a cyberattack that disrupted municipal operations and led to systems being taken offline while the incident was investigated. Officials engaged external cybersecurity experts to assist with containment and recovery, and residents were advised to use alternative methods for payments during the outage. The ransomware group Payload has claimed responsibility, alleging it encrypted systems and exfiltrated 69 GB of data, and has threatened to release the information if its demands are not met.

93. Application security firm Checkmarx confirmed that a recent supply chain attack led to the theft and public release of internal data from its GitHub environment. The breach stemmed from a compromise of third-party tooling, allowing attackers to inject malicious code into development workflows and gain access to repositories. As a result, source code, employee databases, API keys, and MongoDB and MySQL credentials were exfiltrated before being leaked online. The incident is part of a broader campaign targeting software supply chains, with the Lapsus$ group claiming responsibility for the attack.

94. Sandhills Medical Foundation has begun notifying 169,017 individuals of a data breach stemming from a May 2025 ransomware attack, following the completion of a lengthy forensic investigation into the incident. Notification letters were issued in late April 2026, nearly a year after the breach was first identified, confirming that sensitive personal and health information, including Social Security numbers, financial data, and medical records, had been accessed by an unauthorized third party. INC ransomware group claimed responsibility, alleging it exfiltrated the data and later published it after ransom demands were not met, though the organization has not publicly verified these claims.

95. Australian gelato chain Gelatissimo confirmed it is investigating a cyber incident after being listed by DragonForce ransomware group on its dark web leak site. The group claims to have exfiltrated approximately 352 GB of data from the company’s systems and has shared sample files as proof, including employee records, financial information, and internal documents. Gelatissimo stated it is working with cybersecurity experts to assess the scope and impact of the incident, while the threat actors have issued a deadline and threatened to publish the full dataset if their demands are not met.

96. The City of Ardmore, Oklahoma has begun notifying residents following a ransomware attack on its internal computer servers. The incident, identified in early April, involved unauthorized access to systems containing information related to individuals involved in criminal complaints and investigations. The exposed data is understood to include personal details such as names, addresses, and phone numbers, though officials stated that financial systems were not affected as they are housed separately. The notification was issued out of an abundance of caution as the city continues to assess the scope of the incident and any potential impact on affected individuals.

97. Adams County, Mississippi was impacted by a ransomware attack that significantly disrupted government operations, with the incident effectively locking staff out of critical systems for over a week. The attack began after threat actors gained access through an outdated computer, allowing the malware to spread across the county’s network and restrict access to services including court records, public documents, and payment systems. County offices were forced to halt online services and accept only cash payments while recovery efforts were underway. Authorities confirmed the FBI is investigating the incident, though no ransomware group has publicly claimed responsibility and the full scope of any data exposure remains unclear.

98. STELIA Aerospace North America confirmed it was impacted by a ransomware attack affecting its North American IT environment, prompting the company to activate incident response protocols and isolate affected systems to contain the breach. Rhysida claimed responsibility, alleging it exfiltrated approximately 10 TB of data and issued a ransom demand of 27 BTC (around $2.07 million), alongside a deadline before the data would be released. The group also published sample files as proof of the intrusion, including identity documents, employee records, and technical drawings, suggesting a significant compromise of sensitive corporate and partner-related information.

99. Starr Insurance disclosed a data security incident after identifying unauthorized access to its systems, where a threat actor was able to copy files containing sensitive information. The compromised data is believed to include names, Social Security numbers, government-issued IDs, financial details, medical information, and health insurance data. Akira ransomware group claimed responsibility, alleging it exfiltrated approximately 15 GB of corporate and personal data.

100. The Asian Football Confederation (AFC) was reportedly impacted by a large-scale cyberattack, with threat actors claiming to have accessed and leaked a database containing sensitive information on more than 150,000 players and staff. The exposed data is said to include passport scans, contracts, email addresses, and detailed personal and registration information tied to both the AFC and affiliated clubs. The dataset was advertised and partially released on a cybercrime forum, with sample files shared to validate the breach. The incident has been described as one of the most significant data exposures in football, raising concerns around identity theft, fraud, and targeted attacks against high-profile individuals. ShinyHunters referenced the breach, though it remains unclear whether the group was directly responsible or if its name was used to bolster credibility.

101. Kent District Library in Michigan was impacted by a ransomware attack that forced the closure of all its branches and disrupted core services across its network. The incident began as a reported “network outage” before being confirmed as a ransomware event affecting system operability, including public access to computers and library services. In response, the library shut down systems, engaged third-party cybersecurity and forensic experts, and launched an investigation to determine the scope of the attack. While some branches have since reopened with limited services, the full extent of the disruption and any potential data exposure remains under investigation.

102. Kreis Kassel in Germany continues to investigate a cyberattack that impacted parts of its IT infrastructure, particularly within its waste management and youth services entities. Authorities confirmed that data from the affected systems has since been published on the dark web, indicating that information was exfiltrated during the incident. SafePay ransomware group has claimed responsibility for the attack. Investigations are ongoing to determine the scope of any compromised personal data, with officials working alongside data protection authorities and law enforcement. 

103. Medtronic confirmed it was impacted by a cyberattack involving unauthorized access to data within certain corporate IT systems. The incident was detected and contained, with the company activating incident response measures and engaging external cybersecurity experts to investigate the scope of the intrusion. ShinyHunters claimed responsibility, alleging it exfiltrated more than 9 million records containing personally identifiable information, along with terabytes of internal corporate data, and issued a deadline for ransom payment under threat of a leak. Medtronic stated that the breach did not affect its products, patient safety, or core operations, and that customer and hospital networks remain separate, while investigations continue to determine whether sensitive data was accessed.

104. Denso confirmed that a cyber incident involving unauthorized access affected parts of its group network, specifically systems linked to subsidiaries in Italy and Morocco. The intrusion was identified after a third party gained access to internal networks, prompting the company to activate emergency response measures, isolate affected systems, and engage external cybersecurity experts to investigate and contain the breach. Ongoing investigations have indicated that some internal and third party-related information may have been exfiltrated, although no significant impact on production or product delivery has been reported. Qilin ransomware group claimed responsibility, listing Denso on its leak site and threatening to release stolen data if demands are not met, though the extent of any data compromise remains unconfirmed.

105. U.S. logistics technology firm Pitney Bowes was listed as a victim by ShinyHunters, which claimed to have stolen and subsequently leaked company data. The exposed dataset reportedly includes around 8.2 million unique email addresses, along with names, phone numbers, and physical addresses, as well as a subset of employee-related information such as job titles. The data was published after alleged ransom negotiations failed, though Pitney Bowes has not publicly confirmed the incident or the extent of any compromise.
