
The State of Ransomware May 2025
In May there were 88 publicly reported ransomware attacks, marking a 35% rise compared to May 2024. The government sector was the most affected, with 13 incidents, followed by education, healthcare, and the services sectors, each experiencing 10 attacks. Despite 40% of the incidents going unclaimed, Qilin emerged as the most active ransomware group, responsible for seven attacks. Overall, 28 different ransomware gangs claimed victims during the month.
1. Fijian hardware retailer R.C. Manubhai fell victim to a ransomware attack by the Qilin group. The attackers claimed to have exfiltrated 148GB of sensitive data, which included senior employee passport scans, salary and loan information, and other confidential materials.
2. Luxury department store Harrods became the third major UK retailer targeted in a coordinated wave of cyberattacks. Harrods confirmed that threat actors attempted to hack into their systems, causing the company to restrict access to sites. During the disruption, all physical stores remained open. Cybersecurity experts suspect the involvement of the DragonForce ransomware group, which has claimed responsibility for similar attacks on other UK retailers.
3. South Arkansas University Tech notified an undisclosed number of people about an October 2024 data breach which was the result of a ransomware attack. The school has not stated what data was compromised or how many individuals were impacted. RansomHub claimed responsibility for the attack in February, claiming to have exfiltrated 252GB of data from SAU Tech.
4. Kalamazoo Public Schools experienced a “network security incident” that disrupted internet and email access for several days. In response, the district initiated an investigation and brought in an external IT firm to assist. Citing the ongoing nature of the inquiry, officials have withheld further details. Interlock has claimed responsibility, alleging that it exfiltrated 1.42TB of data.
5. In Oklahoma, Bartlesville Public Schools suffered a significant network security incident that disrupted its internet systems and rendered many computer systems inoperable, leading to the cancellation of state testing. The breach, confirmed on May 1, did not affect critical services such as phones, safety systems, or Chromebooks using hotspots. The district promptly initiated an investigation with the help of external cybersecurity experts to assess the scope and impact of the incident. It is not known who was responsible for the attack.
6. Singapore-based creative services firm Kingsmen Creatives Ltd. disclosed a ransomware incident. The company reported that neither its internal team nor external cybersecurity experts found evidence of data exfiltration, suggesting that the attack did not result in data theft. Kingsmen promptly activated its business continuity plan and collaborated with external experts to contain the incident. Embargo ransomware gang has since added the organization to its leak site, claiming to have stolen 80GB of data and providing screenshots as proof of claims.
7. Rhysida claimed responsibility for breaching Gob.pe, the official digital platform of the Peruvian government. The attackers reportedly exfiltrated sensitive documents and demanded a ransom of 5BTC (approx. $550,000), giving the government seven days to comply. Multiple screenshots of sensitive documents were posted by the ransomware group as proof of claims.
8. Fowler Elementary School District in Phoenix, Arizona, was targeted by the Interlock ransomware group. The attackers claimed to have exfiltrated approximately 400 gigabytes of sensitive data, including personal information of students and staff, such as names, dates of birth, addresses, Social Security numbers, medical records, and payroll data. Interlock published a 60,000-line file tree and other evidence on its dark web leak site to substantiate their claims. The school district has not publicly acknowledged the breach or provided updates regarding the incident.
9. In East Idaho, the American Falls School District disclosed that it suffered a ransomware attack in March of this year. The incident forced teachers and staff to temporarily return to using pen and paper due to the unavailability of online services. Fortunately, the district had offline backups in place, which enabled them to restore and rebuild the compromised systems.
10. Jefferson School District in Idaho was also hit by a ransomware attack early in the year, severely affecting all devices and systems and rendering them inoperable. Even three months later, the district continues to collaborate with a recovery team to rebuild and reformat the affected infrastructure, including nearly 5,000 student devices.
11. It was recently confirmed that 47,606 individuals were notified by Alvin Independent School District about a ransomware attack which took place in June 2024. The incident caused interruptions to certain internal computer systems. Compromised data includes PII, medical information and health insurance information. Fog claimed responsibility for the attack in July, allegedly stealing 60GB of data.
12. SAT testing was canceled at three high schools in the Coweta County School District after an unauthorized network intrusion was detected. The district enlisted cybersecurity experts and law enforcement to investigate, with early findings indicating no signs of data exfiltration. The Nitrogen ransomware group later claimed responsibility for the attack, though limited information has been disclosed about the nature of any potentially compromised data.
13. Cobb County has confirmed that a ransomware attack was behind the data breach reported in March. The investigation remains ongoing, and the specific types of data compromised have not yet been determined. Qilin ransomware group has claimed responsibility, alleging the theft of 150GB of data and publishing screenshots on the dark web to support their claim.
14. CBS affiliate WDEF-TV was targeted by a Lynx ransomware attack earlier this month. While limited information is available about the amount or type of data compromised, the ransomware group released several documents as evidence, including confidential agreements involving the station’s employees. WDEF-TV has not yet responded to the claims made by Lynx.
15. Kelly Benefits disclosed a data breach affecting 426,160 individuals, stemming from a vulnerability in the MOVEit Transfer software used by the company. The breach occurred when attackers exploited this flaw to access and exfiltrate sensitive information. The compromised data included names, Social Security numbers, and medical or health insurance details. Kelly Benefits became aware of the incident through its vendor and promptly launched an investigation. The company has since notified impacted individuals and is offering complimentary credit monitoring and identity protection services.
16. IT services company GeoLogics notified 11,948 individuals of a December 2023 data breach. The ransomware attack which caused the data breach went undetected for almost 11 months, with the company only discovering the intrusion in October 2024. DragonForce claimed responsibility for the attack, with a dark web post suggesting that 123GB of data was stolen. Compromised data includes names, SSNs, financial account information and state-issued ID numbers.
17. Interlock ransomware gang has leaked 3.3 million files stolen from West Lothian Council’s school network onto the dark web. During the attack, which exfiltrated 2.6TB of data, both staff and students were locked out of IT systems. A sample of the stolen data includes sensitive documents such as passports, spreadsheets, and driver’s licenses. A criminal investigation into the incident is currently underway.
18. Carlton County Public Health and Human Services has informed 3,502 individuals of a cybersecurity breach that occurred earlier this year. The incident involved unauthorized access to an employee’s email account, which was promptly secured upon discovery. However, a forensic investigation confirmed that the account had been accessed over a two-week period, exposing both personal and private health information. The identity of the attackers remains unknown.
19. Virginia-based Horizon Behavioral Health experienced a cyberattack that disrupted its computer systems. A forensic investigation was initiated to assess the scope of the breach, which was later found to have affected the protected health information (PHI) of 49,822 individuals. The compromised data also included Social Security numbers, addresses, ZIP codes, and other personal details.
20. The newly identified ransomware group J Group has claimed responsibility for an attack on The Distributors, an Australian confectionery and snack food wholesaler. The group alleges it stole 204GB of data, though the full amount of data has not been released. As evidence, the group posted a file listing containing over 120,000 files, primarily including distribution agreements, invoices, product allocation records, and banking documents. The company has not yet issued a public response to these claims.
21. Ransom House has named Oettinger Brewery as a victim of a ransomware attack that reportedly led to extensive data compromise. The group claims to have encrypted three years of internal files, including trade secrets, supplier contracts, employee information, and financial records. Oettinger Brewery is actively investigating both the incident and the claims made by the attackers.
22. South African Airways (SAA) experienced a significant cyberattack that temporarily disrupted its website, mobile application, and several internal operational systems. Despite the breach, the airline’s IT team swiftly activated disaster management and business continuity protocols, ensuring minimal disruption to core flight operations and maintaining the functionality of essential customer service channels such as contact centers and sales offices. Normal system functionality across all affected platforms was restored later the same day. SAA has initiated a comprehensive investigation, involving independent digital forensic experts, to determine the root cause and assess whether any sensitive information was compromised. INC ransomware gang claimed the incident.
23. Esse Health, an independent physician group in the St. Louis metropolitan area, suffered a cyberattack that disrupted its computer network, halting healthcare services for many patients. The breach rendered company and physician phones largely inoperable, and appointments and procedures were postponed due to inaccessible records. Esse Health engaged third-party specialists to investigate the matter and has not yet determined whether patient personal information was compromised.
24. NightSpire allegedly hacked into the systems of Future Microfinance Association, posting the non-profit organization on its dark web portal. The group claims to have stolen 8GB of data, including financial documents such as invoice details, transaction records, and order forms. The organization is yet to publicly acknowledge these claims.
25. The UK’s Legal Aid Agency (LAA) experienced a significant cyberattack, compromising sensitive personal data of individuals who applied for legal aid since 2010. The breach, which was detected on April 23, involved the unauthorized access and potential theft of information including names, addresses, dates of birth, national ID numbers, criminal records, employment status, and financial details such as debts and payments. Hackers claimed to have accessed approximately 2.1 million records, though this figure remains unverified by authorities.
26. Nova Scotia Power, a major Canadian utility provider, fell victim to a ransomware attack which went undetected for approximately five weeks. The breach compromised sensitive data including names, birthdates, Social Insurance Numbers, bank account details, and credit histories, affecting around 280,000 customers. In an immediate response to the incident, impacted servers were shut down and isolated to prevent further intrusion. Although no group has publicly claimed the attack, the organization’s CEO has a “good sense of who the threat actor is”. Details on these suspicions cannot be disclosed due to the ongoing nature of an investigation into the attack.
27. Victims of a data breach that occurred in November 2024 at the Westfield Fire District in Connecticut have been informed that their personal information was exposed. The department has not revealed the number of individuals affected or the specific nature of the compromised data. In December 2024, the Medusa ransomware group claimed responsibility for the attack and demanded a $100,000 ransom, giving the department a two-week deadline to comply.
28. In the Philippines, GMA Network confirmed that it suffered a cybersecurity incident, but downplayed the impact, stating that data accessed was of “low value.” The TV channel launched an investigation with the help of its technology partners to establish the nature and scope of the attack. Devman claimed responsibility for the attack, allegedly stealing 65GB of information. The threat actors posted a ransom demand of $2.5 million and added proof of claims to their dark web portal. They also claim to have encrypted files and used PowerShell tools during the attack.
29. AllTrust Insurance recently disclosed a data breach that exposed the personal information of 161,612 individuals. The incident was discovered in January 2024 and involved unauthorized access to sensitive data, including names, Social Security numbers, and medical information. AllTrust has notified affected individuals and is offering complimentary credit monitoring and identity protection services.
30. UK-based education company Pearson suffered a cyberattack which led to the theft of corporate data and customer information. It is believed that the data is mostly “legacy data.” Upon identifying the incident, steps were taken to limit the impact, and an investigation was launched to discover what happened and what data was affected. It was confirmed that no employee data was accessed.
31. Masimo Corporation, a California-based health technology and consumer electronics company, was targeted by a cyberattack that impacted its manufacturing facilities. Unauthorized access to the company’s network was detected in late April, with an immediate response taken to isolate affected systems. The investigation into the incident is ongoing and the organization has not mentioned whether sensitive data was stolen.
32. Medusa claimed responsibility for an attack on the Russell Child Development Center in Kansas. The threat actors claimed to have exfiltrated and encrypted around 215GB of sensitive data during the breach. The stolen information reportedly includes employee records, budgetary documents, medical files, and some data pertaining to children. A ransom of $120,000 was demanded, with a deadline of seven days to comply.
33. An attack on Morocco’s National Social Security Fund, known as CNSS, is suspected to have compromised the personal data of nearly 2 million employees. CNSS confirmed that its information system was subjected to a series of cyberattacks and that the origins and scope of the incident are currently being assessed. It is not known who is responsible for the attack.
34. American media conglomerate iHeartMedia is facing a class action lawsuit following a cyberattack in December 2024 that compromised the personal information of an undisclosed number of individuals. Hackers infiltrated the organization’s systems to gain access to files stored by several local radio stations. A wide range of sensitive information was obtained, including SSNs, financial account details, and health insurance data.
35. A social engineering attack on Insight Partners resulted in the breach of confidential information related to its employees and partners. The venture capital firm reported discovering unauthorized access to its internal network in January, with a subsequent investigation confirming that sensitive personal data had been affected. The compromised information includes details pertaining to specific funds, the management company, portfolio companies, as well as banking, tax, and certain personal records. As of now, no hacker group has taken responsibility for the incident.
36. Kittrich Corporation fell victim to a cyberattack involving an attacker exfiltrating data from its network. It was recently disclosed that the attack took place in February and that the incident was reported to the FBI and other relevant law enforcement. An investigation determined that stolen information may include PII and employee data.
37. Illinois-based security firm Andy Frain Services experienced a cyberattack in October during which the personal information of over 100,000 individuals was stolen. The ransomware group Black Basta claimed responsibility for the incident, alleging it exfiltrated more than 750GB of data from the company. While the recent breach notification issued by the firm did not specify the nature of the attack or the types of compromised data, Black Basta stated that files from the company’s accounting, legal, and human resources departments were among those taken.
38. Alabama officials launched an investigation into a data breach that impacted several state government computer systems. The Office of Information Technology confirmed it was working with law enforcement and cybersecurity experts to assess the extent of the incident. While specific details about the breach, including which departments were affected or what data may have been compromised, were not disclosed, officials stated that some systems were taken offline as a precaution while the investigation continued.
39. Christian Dior has confirmed a data breach involving customer information in China after unauthorized access was gained to part of its database. The compromised data includes customer names, gender, phone numbers, email and mailing addresses, purchase amounts, and shopping preferences. The company assured customers that no financial information was affected by the breach. The total number of impacted individuals has not yet been revealed, and no group has claimed responsibility for the incident.
40. 34,249 people were notified of a cyberattack on Weiser Memorial Hospital which led to the compromise of personal information. Compromised data includes PII, medical diagnoses, and health insurance information. Ransomware group Embargo claimed responsibility for the breach late last year, claiming to have stolen 200GB of data from the hospital.
41. Central Point School District 6 in Oregon addressed a cybersecurity issue that impacted its digital systems. Unauthorized access was detected which led to the immediate activation of cybersecurity protocols and the isolation of affected systems. Cybersecurity experts and law enforcement are currently conducting an investigation, and no further information is available at this time.
42. BlackSuit claimed responsibility for a data breach that occurred in April involving Gloucester County, Virginia. County officials reported experiencing a network disruption during that time, which caused operational delays and connectivity problems for staff. The county confirmed it is actively investigating the cybersecurity incident and has acknowledged the claims made by BlackSuit.
43. Coinbase disclosed a ransomware attack that took place earlier this year, during which the attacker allegedly bribed Coinbase customer support agents to collect data on a small number of customers. The attacker, who remains unnamed, demanded $20 million to cover up the attack, but Coinbase did not pay the ransom. Stolen data includes PII, government-issued ID information, account data and limited corporate data.
44. One of the biggest steel manufacturers in the USA, Nucor, was forced to shut down parts of its operations to address a cyberattack. The organization observed an unauthorized third party accessing certain information technology systems. Upon discovering the activity, potentially affected systems were taken offline and an incident response plan activated. No threat actors have yet claimed responsibility.
45. Attackers breached Duo Broadband, a Kentucky-based communications company, stealing personal details of more than 42,500 individuals. The company identified the cybersecurity incident within its networks on Valentine’s Day 2025 and immediately acted to secure systems, terminate unauthorized access and notify law enforcement. Threat actors managed to access details including first and last names, addresses, dates of birth and SSNs.
46. Qilin listed Australian accounting firm MKA Accountants as a victim on its darknet leak site. Qilin shared evidence of the attack, posting 12 documents as part of its leak post, including internal correspondence, financial statements, and insurance information. The ransomware gang did not share details of its ransom demand or a set deadline. MKA Accountants is aware of Qilin’s claims and is currently investigating the incident.
47. Stormous claimed responsibility for a cyberattack targeting the API infrastructure of HyperGuest, a technology platform widely used by hotels and resorts worldwide. The breach resulted in the unauthorized access to a large volume of sensitive data including over 30,000 payment cardholder records. Other sensitive information stolen includes customer data, CVs, bank card and internal hotel data. HyperGuest has yet to publicly acknowledge the claims made by the ransomware group.
48. Ransomware group Qilin has claimed responsibility for a cyberattack on the City of Abilene, Texas. The incident disrupted several city department networks and affected payment processing systems. Qilin alleges that it exfiltrated 477GB of data and issued an undisclosed ransom demand with a deadline of May 27th. The group also published a sample of the stolen files, which reportedly include tax returns and government documents. City officials have not yet confirmed the validity of Qilin’s claims, and the investigation into the breach is ongoing.
49. The City of Blaine in Minnesota experienced a network security incident that has since been claimed by the Qilin ransomware group. Qilin asserts that it exfiltrated 489GB of data and shared a proof pack containing various documents, including an internal police department investigation and files with personal information. The city has not released any further updates regarding the breach.
50. Hire Velocity has disclosed a data breach involving potential unauthorized access to sensitive personal information stored within its systems. While the company has not publicly released specific details about the incident, the compromised data is believed to include names, Social Security numbers, and financial account information. Lynx claimed responsibility for the breach, though it has not shared any additional information on its leak site.
51. Personal information of Broadcom employees has appeared on the dark web following a 2024 ransomware attack on its payroll service provider, Business Systems House (BSH). BlackLock ransomware group has claimed responsibility for the breach, which compromised BSH’s systems and resulted in the theft of unstructured employee data. ADP, who also worked with BSH, confirmed that a limited number of its clients in select Middle Eastern countries were impacted by the incident.
52. Peter Green Chilled, a Somerset-based logistics firm supplying major UK supermarkets such as Tesco, Sainsbury’s, and Aldi, fell victim to a ransomware attack on the evening of May 14. The incident forced the company to halt order processing temporarily, though transport operations continued unaffected. The attackers encrypted the company’s data and demanded a ransom, effectively locking Peter Green Chilled out of its critical computer systems.
53. Kettering Health, a major healthcare network operating 14 medical centers and over 120 outpatient facilities across Ohio, suffered a significant ransomware attack attributed to the Interlock group. The cyberattack, which occurred on May 20, led to a system-wide technology outage, forcing the cancellation of elective inpatient and outpatient procedures and disrupting the organization’s call center and patient care systems. Emergency rooms and clinics remained operational under contingency protocols.
54. In Kenya, the National Social Security Fund (NSSF) has denied allegations that its systems were hacked and its financial transaction database compromised. The organization assured the public that its core systems, which store critical data, remained secure. According to preliminary findings from the ongoing investigation, there is no evidence that any public member data has been breached. Despite this, the threat actor Devman claimed responsibility for infiltrating the NSSF’s systems, alleging the theft of 2.5TB of member data and demanding a $4.5 million ransom from the government.
55. Adidas disclosed a data breach resulting from unauthorized access to a third-party customer service provider’s system. The compromised data primarily included contact information, such as names, email addresses, and phone numbers, of individuals who had previously interacted with Adidas’s customer service help desk. Importantly, no passwords, credit card details, or other payment information were affected. Adidas promptly initiated a comprehensive investigation in collaboration with cybersecurity experts and began notifying potentially impacted customers, as well as informing relevant data protection and law enforcement authorities.
56. The Community Hospital of Anaconda recently confirmed it notified 21,243 people of an August 2024 data breach that compromised personal information. The information includes PII, financial information, medical data and health insurance info. Meow claimed the attack, saying it stole 540GB and demanding a $120,000 ransom payment. The group also posted images of stolen files as proof of claims. The healthcare provider has not verified Meow’s claims.
57. The Gehenna hacking group claimed to have breached Coca-Cola Europacific Partners’ (CCEP) Salesforce dashboard in early May. The group allegedly exfiltrated more than 23 million records containing sensitive customer relationship management data. Gehenna shared samples of the stolen data on a public breach forum and stated that it was “open to offers” in exchange for the data.
58. Coca-Cola was added to Everest’s dark web leak site, with the group sharing screenshots that suggest access to internal documents and personal information of approximately 959 employees. Everest released samples of stolen data that contain employee identification details and documents and gave the organization five days to make contact to negotiate. The group posted the full stolen dataset online on May 27th.
59. BlackLock ransomware gang claimed to have breached world-renowned Japanese entertainment company Toho. However, the sample links shared by the group lacked specific details to validate their claims. As of now, Toho has not issued a response regarding the alleged cyberattack.
60. 1.2TB of data has allegedly been stolen from the systems of major U.S. student housing developer Landmark Properties. Morpheus ransomware group alleged that the stolen information included financial records, confidential agreements, and client data. Landmark Properties has not yet issued a public statement in response to these claims.
61. Marlboro-Chesterfield Pathology (MCP) in North Carolina was targeted by a ransomware attack that resulted in personal information being stolen. It discovered unauthorized activity on some internal IT systems in January, with a subsequent investigation revealing that hackers had stolen files. Compromised data included personal information, medical treatment information and health insurance data. Safepay claimed the attack, which is now believed to have impacted 235,911 individuals.
62. RISE Racing posted a notice on its website addressing a recent cybersecurity incident that had temporarily disrupted access to one of its platforms. Upon discovering unauthorized access to the system, immediate response measures were enacted. Preliminary analysis indicated that a limited subset of system data was accessed, but that there was no evidence that core participant or transaction records were impacted. Sarcoma ransomware gang claimed the incident.
63. INC ransomware claimed responsibility for an April 2025 cyberattack that disrupted libraries in Pierce County, Washington. Pierce County Library System was added to the group’s leak site along with claims that personal data was stolen. To support their claims, the group posted images of files, including scans of driver’s licenses, and passports. The attack itself crippled many library services, with some services still not fully operational.
64. Choski Laboratories Limited became aware of a ransomware attack when the company’s IT head discovered that the entire system had been locked and all data rendered inaccessible. A ransom note was displayed on the server screen. The organization has reported the incident to the appropriate authorities, who are currently conducting an investigation. The identity of the attackers remains unknown at this time.
65. U.S.-based telecommunications company Cellcom experienced a significant cyberattack that disrupted its voice and text messaging services. While data services remained operational, customers reported widespread issues with making calls and sending texts. The company confirmed the outage was caused by a cyberattack and assured that it was working diligently to restore full service. At the time of reporting, no further details had been disclosed regarding the nature of the attack or who was responsible.
66. Carrera Chevrolet, one of Brazil’s largest car dealerships, was targeted in a ransomware attack carried out by Rhysida. The attackers listed the company on their dark web leak site and issued a seven-day ultimatum to pay a $1 million ransom. Although the exact extent of the breach was not disclosed, the threat actors shared two images appearing to show stolen data, including copies of passports, identification documents, and contracts.
67. Qilin added Elit Avia, a European private jet operator, to its leak site, claiming to have stolen data from the company. The dark web post features several screenshots that appear to show air crew information but does not include any data related to the company’s clients. Elit Avia has not yet issued a public response to the allegations.
68. Tiffany & Co. confirmed a data breach affecting its South Korean customers, marking the second incident involving an LVMH Moët Hennessy Louis Vuitton brand after a similar case at Dior. The breach occurred in April but was not discovered until May 9. It involved unauthorized access to a third-party vendor platform used for managing customer data. The compromised information included customers’ names, addresses, phone numbers, email addresses, internal customer ID numbers, and purchase histories. Tiffany Korea notified affected customers via email on May 26, 2025. The company stated that no financial information, such as payment card data, was compromised.
69. Cooper Health System disclosed a data breach affecting nearly 60,000 individuals, resulting from a cyberattack on its file transfer vendor, Fortra. The incident, which occurred in late January 2023, involved unauthorized access to sensitive information. Exposed data included names, dates of birth, medical record numbers, treatment details, and billing information. Cooper Health System notified affected individuals, offering complimentary credit monitoring and identity theft protection services.
70. Mediclinic, a global private healthcare provider operating in South Africa, Switzerland, the UAE, and Namibia, fell victim to a ransomware attack orchestrated by the Everest group. The cybercriminals claimed to have exfiltrated 4GB of internal documents and personal data belonging to approximately 1,000 employees. They issued a five-day ultimatum, threatening to publicly release the stolen information unless their ransom demands were met. The breach led to temporary disruptions in patient-facing platforms and internal communication systems, though core clinical services remained operational. Mediclinic has launched an investigation with cybersecurity experts and legal advisors, while regulatory authorities have been notified.
71. Leading developer of mathematical computing software MathWorks revealed that a recent ransomware attack is behind an ongoing service outage. The incident affected access to some customer-facing online applications as well as certain internal systems used by employees. MathWorks has not provided further details about the breach, and no ransomware group has claimed responsibility for the attack.
72. The Legal Practice Board of Western Australia fell victim to a ransomware attack carried out by the cybercriminal group Dire Wolf. The breach led to the unauthorized access and subsequent leak of sensitive data, including bank account details and contact information of legal practitioners, some of which were posted on the dark web. The compromised data also encompassed internal correspondence and operational information. In response, the Board obtained a court injunction to prevent further dissemination of the stolen data and temporarily took certain IT systems offline. Manual processes were implemented to maintain essential services, such as the renewal of practising certificates. The Board has engaged external cybersecurity experts and is collaborating with relevant authorities to investigate the incident and mitigate its impact.
73. Akira claimed responsibility for a major data breach involving Laboratorios Belloch, a prominent Spanish manufacturer of hair and beauty products. According to the group, they exfiltrated 25GB of highly sensitive corporate data. The stolen information reportedly includes project documents, detailed financial records, client data, and other confidential materials. Laboratorios Belloch has not released a public statement confirming the breach.
74. Flagship Bank became a victim of an Akira ransomware attack, resulting in the exfiltration of 40GB of data. This information includes highly sensitive client details such as dates of birth, Social Security Numbers (SSNs), passport numbers, addresses, driver’s licenses (DLs), phone numbers, detailed financial data, contracts, agreements, and various certificates. Flagship Bank has not publicly addressed the claims made by Akira.
75. Fujipoly Ltd has allegedly fallen victim to a cyberattack orchestrated by Space Bears. The ransomware group claims to have accessed a significant cache of sensitive information from the company’s systems. Exfiltrated data includes databases, SQL files, financial documents, and the personal information of both employees and clients. The group gave the organization seven days to negotiate with them.
76. The City Council of Níjar was hit by a ransomware attack that disrupted several of its systems. An investigation is currently underway, though specific details about the incident remain limited. Devman has claimed responsibility for the attack but has not disclosed what data, if any, was compromised.
77. Safepay listed Ruddy, Tomlins and Baxter (RTB Legal) on its dark web site, allegedly exfiltrating 200GB of data. The ransomware group did not provide any details of the breach on the listing, but did post a sample that contains a file tree of stolen data which allegedly includes court documents, specific case documents, client data, emails, permits, client information, police documents, and more. RTB Legal is aware of the claims and is currently investigating the incident.
78. The Salvation Army has appeared on Chaos ransomware group’s dark web leak site, accompanied by claims of data exfiltration. However, the post provides no specifics about the nature of the incident or the data allegedly stolen. A link titled “Show leaked data” merely redirects to the original listing, offering no additional evidence. The Salvation Army has not yet issued a statement regarding the claims.
79. Ransomware gang Medusa allegedly breached RE/MAX, an international real estate network with over 9000 offices worldwide. The group, which claimed to have exfiltrated 150GB of data, issued an 18-day deadline for the payment of an undisclosed ransom to prevent public disclosure. To support their claims, they uploaded screenshots of what appears to be confidential information to their dark web listing.
80. Victoria’s Secret experienced a significant cybersecurity incident that led to the temporary shutdown of its U.S. website and disruption of some in-store services. The company promptly enacted its incident response protocols, engaging third-party cybersecurity experts to investigate and mitigate the issue. Despite the digital setbacks, Victoria’s Secret and PINK physical stores remained open, and the company has since restored its online operations.
81. Qilin took credit for a cyberattack on Botetourt County Public Schools which disrupted some of the district’s IT systems. The ransomware gang stated that it stole 315GB of data and is demanding an undisclosed ransom from BCPS by June 12. Stolen information is said to include contracts, payroll, documents, employee information, and private correspondence from the district.
82. In Sri Lanka, the Department of Pensions announced that its information systems have been fully restored following a cyberattack in April. A statement assured the public that no data was lost or compromised during the incident. Swift action ensured that operations returned to normal with no lasting impact. However, Cloak has claimed responsibility for the attack and is claiming to have stolen 617GB of confidential information from the government body.
83. Singapore-based data handling company DataPost is in the early stages of investigating a ransomware attack which led to personal information of at least 146 Income Insurance policy holders being compromised. The compromised data included information such as names, postal addresses, policy numbers and plans, and annual bonuses for the year 2024. The threat actor Dire Wolf has claimed the attack.
84. Space Bears ransomware group added Curewell Specialty Pharmacy & Surgicals to its leak site, claiming to have exfiltrated personal information belonging to employees and patients. Curewell has not yet publicly addressed these claims.
85. Mercy Surgical Dressing Group, Inc., operating as Mercy Supply Collaborative, recently disclosed a data breach affecting 4,159 individuals. The incident was detected on December 25, 2024, when suspicious activity was identified within its computer network. An investigation, supported by third-party cybersecurity experts, revealed that a threat actor had accessed and downloaded data between December 18 and December 25, 2024. The compromised information was limited to customer names and medical supply order details.
86. Bradford Health Services in Birmingham, Alabama, disclosed a data breach that was originally detected on December 8, 2023. An investigation revealed that an unauthorized third party accessed its network and potentially acquired sensitive patient data, including names, medical and financial information, and Social Security numbers. Hunters International ransomware group claimed responsibility, alleging it managed to exfiltrate 760GB of data. While the full scope remains unclear, affected individuals have been notified.
87. OmniRide confirmed that it notified victims of a December 2024 data breach that compromised their personal information. Potomac & Rappahannock Transportation Commission, which provides the OmniRide public bus service in the Washington, D.C. suburban area, has not yet disclosed what data was compromised or how many people were affected. Fog claimed responsibility for the attack and allegedly exfiltrated 7.2GB of data.
88. Melbourne-based packaging and supply chain solutions provider 3P Corporation was targeted in a ransomware attack by the Space Bears group. The cybercriminals claimed to have exfiltrated approximately 500GB of sensitive data, including financial records, corporate documents, and client information. They posted 20 files on their leak site as proof, setting a ransom deadline of May 31. As of now, 3P Corporation has not publicly acknowledged the breach or issued any comment regarding the incident.