Ransomware Attacks and Operational Disruptions Tracker
88
May 2026
Security & Stability
Confirmed ransomware attacks and cyber incidents that caused operational disruptions, structured each month from cybersecurity publications, threat intelligence feeds, government advisories, and company disclosures. Each record covers the targeted organisation, industry sector, ransomware group or threat actor where identified, nature of the operational impact (system outages, service disruptions, data exfiltration), ransom demand or payment where disclosed, and the incident date. Events confirmed only by threat actor leak sites without corroborating news or official disclosure are categorised separately.
Ransomware attacks on companies causing operational disruption in May 2026
CISOs and security operations teams use it to track active ransomware groups and attack patterns across sectors. Cyber insurance underwriters assess frequency and severity of ransomware events by industry vertical through it. Incident response firms use it for situational awareness during active campaigns. Journalists and researchers covering cybercrime use it as a structured, sourced record of confirmed attacks.
3545
<table class="catchall-table"><thead><tr><th style="min-width:40px">#</th><th style="min-width:200px">Affected Company</th><th style="min-width:150px">Ransomware Family</th><th style="min-width:120px;white-space:nowrap">Ransom Amount</th><th style="min-width:300px">Disruption Description</th><th style="min-width:110px;white-space:nowrap">Attack Date</th><th style="min-width:100px;white-space:nowrap">Source</th></tr></thead><tbody><tr><td style="min-width:40px">1</td><td>OSG (Machining Tool Manufacturer)</td><td>LockBit 3.0</td><td>—</td><td>Core systems infected via overseas VPN vulnerability, operational disruption</td><td>2026-05-29</td><td>—</td></tr><tr><td style="min-width:40px">2</td><td>Austrian Manufacturing, Health & Logistics Firms</td><td>Ransomware</td><td>EUR 10M</td><td>Longest periods of operational unavailability caused by ransomware</td><td>2026-05-01</td><td>—</td></tr><tr><td style="min-width:40px">3</td><td>Hospitals & Healthcare Providers (US)</td><td>Ransomware-as-a-Service</td><td>—</td><td>System shutdowns, delayed surgeries, diverted ambulances, disrupted emergency care</td><td>2026-05-01</td><td>—</td></tr><tr><td style="min-width:40px">4</td><td>Large Commercial Structures</td><td>Trojan Ransomware</td><td>USD 1M</td><td>Data theft, encryption for ransom, access to workstations and state registers</td><td>2026-05-01</td><td>—</td></tr><tr><td style="min-width:40px">5</td><td>Transport & Retail Companies (South Africa)</td><td>LockBit 3.0</td><td>USD 1M</td><td>Systems offline, stock delays, cold chain disruption, order processing failures</td><td>2026-05-01</td><td>—</td></tr><tr class="catchall-blurred"><td>████████████</td><td>████████████</td><td>████████████</td><td>████████████</td><td>████████████</td><td>████████████</td></tr><tr class="catchall-blurred"><td>████████████</td><td>████████████</td><td>████████████</td><td>████████████</td><td>████████████</td><td>████████████</td></tr><tr class="catchall-blurred"><td>████████████</td><td>████████████</td><td>████████████</td><td>████████████</td><td>████████████</td><td>████████████</td></tr></tbody></table>
<h3>How does CatchAll confirm an incident is a ransomware attack rather than another type of cyber event?</h3><p>Inclusion requires at least one authoritative source – a company disclosure, government advisory, or credible threat intelligence report – confirming ransomware involvement. Incidents labelled only as 'cyber incidents' without confirmed ransomware attribution are categorised separately.</p><h3>Are attacks on critical infrastructure flagged separately?</h3><p>Yes. Events involving critical infrastructure sectors are tagged with a sector classification, making it straightforward to filter for healthcare, energy, water, or government targets.</p><h3>How does this differ from Ransomware.live?</h3><p>Ransomware.live focuses on victim listings from ransomware group leak sites. This Tracker covers operationally disruptive attacks reported through news and official disclosures, including attacks where the victim has not appeared on a leak site.</p><h3>What is the refresh rate of this dataset?</h3><p>We rerun this dataset once a month. You can create your own dataset that updates as frequently as every one hour on <a href="https://platform.newscatcherapi.com/catchall">platform.newscatcherapi.com/catchall</a></p>