Eyguières town hall paralyzed by ransomware
Eyguières town hall, a commune of about 7,000 inhabitants located in the Alpilles, was the victim of a ransomware cyberattack on Friday, May 22, 2026.
- Victim
- Eyguières town hall
Incidents by attack type:
Ransomware
Transitions Pro Centre-Val de Loire: tens of GB of data threatened after a ransomware attack
Transitions Pro Centre-Val de Loire, an organisation responsible for supporting employees in their professional retraining projects, is targeted by a
- Victim
- Transitions Pro Centre-Val de Loire
A.R.Ge.Co: accounting and financial data leaked after a cyberattack
The Anubis ransomware group claims to have compromised the systems of A.R.Ge.Co, a French company specializing in accounting services and
- Victim
- A.R.Ge.Co
Foxconn Nitrogen ransomware breach (2026)
The Nitrogen ransomware group claimed on its dark-web leak site that it had stolen over 11 million files from Foxconn's North American facilities, including confidential information belonging to customers Apple, Dell, Google, Intel, Nvidia, and Sony. Foxconn said affected factories were resuming normal production.
- Victim
- Foxconn (Hon Hai Precision Industry)
Le Domaine des Tournels targeted by a cyberattack
The Qilin ransomware group claims to have compromised the systems of Le Domaine des Tournels, an establishment located in the Gulf of Saint-Tropez. At this
- Victim
- Le Domaine des Tournels
Soprolux: banking documents and customer data released after a cyberattack
The ransomware group BravoX claims a cyberattack against Soprolux, a company specialising in food distribution for
- Victim
- Soprolux
Académie de Montpellier: sensitive document leak after a cyberattack
The MedusaLocker ransomware group claims to have compromised systems linked to the Académie de Montpellier / CSJM and is threatening to publish documents
- Victim
- Montpellier education authority
Erla Technologies: a data leak claimed by a ransomware group
The ransomware group SpaceBears claims to hold data from Erla Technologies SAS, a French company specialising in equipment related
- Victim
- Erla Technologies
Exclusive Networks: cyberattack at a key player in cybersecurity solutions
The ransomware group Qilin claims to have compromised the systems of Exclusive Networks, an international player specialised in the distribution of
- Victim
- Exclusive Networks
Engie: a cyberattack claimed by a ransomware group
The hacker group Coinbasecartel claims to have carried out a cyberattack against Engie, the French energy giant active in electricity, gas and
- Victim
- Engie
Gueguen Avocats: a claimed data leak with thousands of documents exposed
The Gueguen Avocats law firm is reportedly the victim of a cyberattack with a data leak claimed by the Qilin ransomware group, which says it has published a
- Victim
- Gueguen Avocats
Synergy: a key player in data and cloud in France hit by ransomware
Synergy France, a company specialising in data and cloud solutions, is reportedly currently being targeted by a ransomware-type cyberattack. The company
- Victim
- Synergy
Aircos Pascual (Anjac): ongoing ransomware attack by the TheGentlemen group after a cyberattack
French cosmetics manufacturer Aircos Pascual, a subsidiary of the Anjac group, is targeted by a ransomware attack claimed by the group
- Victim
- Aircos Pascual (Anjac)
Veuve Clicquot: visitor data compromised after a cyberattack on the ticketing system
Champagne house Veuve Clicquot was the victim of a ransomware-type cyberattack affecting the booking system for its tours, via a
- Victim
- Veuve Clicquot
Fountain: intrusion and data theft during a ransomware cyberattack
The Belgian company Fountain, specialized in coffee-related services and listed on the stock exchange, was the victim of a ransomware-type cyberattack.
- Victim
- Fountain
Serap: ransomware with 50 GB of data threatened
The French industrial group Serap, a world leader in milk tanks, is being targeted by a cyberattack claimed by the Akira ransomware. The attack,
- Victim
- Serap
Notre-Dame du Grandchamp: thousands of pupils exposed after a cyberattack
The Catholic school Notre-Dame du Grandchamp is being targeted by a cyberattack claimed by the Nightspire ransomware group, with a database already
- Victim
- Notre-Dame du Grandchamp
Data leak at Vivaticket following a ransomware attack
Vivaticket customers are affected by an announced data leak following a notification from the company. On 2 March 2026, Vivaticket informed its customers that a ransomware attack had…
- Victim
- Vivaticket
Data leak at Tactis
Ransomware
- Victim
- Tactis
Claimed leak at OSAC (Civil Aviation) - Ransomware - see details
People whose ID documents or other documents are held by OSAC may be affected by a claimed leak. According to the claim, the LAPSUS$ group allegedly extracted around 420…
- Victim
- OSAC (Civil Aviation)
Claimed leak at Valgo - internal and customer data (ransomware)
Valgo customers are potentially affected by a data leak, according to the claim by an actor presenting itself as a ransomware-type group. According to this claim, 279 GB…
- Victim
- Valgo
CNRS data leak - ransomware targeting agents before 2007
Permanent and non-permanent staff who worked at CNRS before 31 December 2006 are affected by a data leak confirmed by CNRS. The exact volume of exposed information has not…
- Victim
- CNRS
Claimed data leak at Voyages Robin
Voyages Robin customers could see sensitive information exposed, according to the claim dated 7 February 2026. The claim indicates a ransomware attack with…
- Victim
- Voyages Robin
Claimed data leak at Delko - Ransomware
Delko customers are affected by a claimed leak tied to an incident dated 07/12/2025, communicated to customers and publicly relayed on 20/01/2026. According to the claim, Delko reports…
- Victim
- Delko
Leak at Commune de Lens
probable ransomware
- Victim
- Commune de Lens
Leak at Résidence du Parc (Champdeniers-Saint-Denis)
ransomware
- Victim
- Résidence du Parc (Champdeniers-Saint-Denis)
Leak at Michelin
ransomware, corporate data
- Victim
- Michelin
Leak at Poltronesofa
Ransomware
- Victim
- Poltronesofa
Leak at Haute-Comté intercommunal hospital centre
Ransomware
- Victim
- Haute-Comté intercommunal hospital centre
Asahi Group Holdings Qilin ransomware (2025)
Qilin ransomware operators encrypted servers across Asahi's Japanese data centres, halting ordering, shipment, and production at 30 factories, leaking 27 GB of internal data, and exposing personal information of approximately 1.5 million customers, employees, and contacts.
- Victim
- Asahi Group Holdings
- Loss
- $31.4M
- Records
- 1.5M
Jaguar Land Rover global production halt (Scattered Lapsus$ Hunters, 2025)
A cyberattack on Britain's biggest carmaker forced JLR to shut down its global IT network and halted vehicle production in the UK, China, Slovakia, India, and Brazil for five weeks — now considered the most economically damaging cyber incident in UK history.
- Victim
- Jaguar Land Rover
- Loss
- $2.40B
Leak at France Link Interactive
20GB ransomware
- Victim
- France Link Interactive
Leak at Partner Immo
ransomware
- Victim
- Partner Immo
Marks & Spencer DragonForce ransomware (Scattered Spider, 2025)
Social-engineering of a third-party service desk gave Scattered Spider a domain administrator, which they used to deploy DragonForce ransomware on M&S's VMware ESXi estate at Easter 2025 — knocking out contactless payments, Click & Collect, and online ordering for over six weeks.
- Victim
- Marks & Spencer
- Loss
- $550.0M
Halliburton RansomHub attack (2024)
RansomHub gained access to Halliburton's systems, prompting the oil-services giant to take infrastructure offline. The incident delayed invoicing and purchase orders, and Halliburton booked a $35 million loss in its SEC filings.
- Victim
- Halliburton
- Loss
- $35.0M
Indonesia PDNS Brain Cipher (LockBit 3.0) ransomware (2024)
Brain Cipher — a Lockbit 3.0–derived ransomware — encrypted Indonesia's Temporary National Data Center (PDNS), paralysing 282 government digital services from immigration to passport issuance for weeks. Attackers demanded $8M; the government refused. Brain Cipher subsequently released a decryptor free of charge, with an apology.
- Victim
- Pusat Data Nasional Sementara (PDNS), Indonesia
CDK Global BlackSuit ransomware (2024)
BlackSuit operators encrypted CDK Global's dealer-management platform, knocking ~15,000 North American car dealerships offline for nearly two weeks. A second attack hit on day two of recovery. Industry losses estimated at over $1 billion; CDK reportedly paid a $25 million ransom.
- Victim
- CDK Global
- Loss
- $1.00B
KADOKAWA / Niconico BlackSuit ransomware (2024)
Phishing access let BlackSuit (Russian-linked) encrypt KADOKAWA's infrastructure and the Niconico video-sharing platform, taking services offline for two months. KADOKAWA paid ~$2.9M in cryptocurrency — and BlackSuit leaked the stolen 1.5 TB anyway.
- Victim
- KADOKAWA Corporation
- Loss
- $2.9M
- Records
- 254.2K
Change Healthcare ransomware (ALPHV/BlackCat)
ALPHV/BlackCat compromised Change Healthcare via Citrix portal lacking MFA, paralyzed U.S. prescription claims for weeks, and exfiltrated data on an estimated 100 million people.
- Victim
- Change Healthcare (UnitedHealth Group)
- Loss
- $2.87B
- Records
- 100.0M
Schneider Electric Sustainability Business Cactus ransomware (2024)
Cactus ransomware operators hit Schneider Electric's Sustainability Business division, taking the Resource Advisor consulting platform offline and exfiltrating approximately 1.5 TB of data — including passport scans and signed NDAs from customers like Hilton, PepsiCo, and Walmart.
- Victim
- Schneider Electric — Sustainability Business division
Westpole LockBit ransomware — Italian PA outage (2023)
LockBit 3.0 encrypted the data centres of Italian cloud provider Westpole, taking down PA Digitale's Urbi platform — which serves 1,300 Italian public administrations including 540 municipalities, the Quirinale presidency, ISTAT, the Bank of Italy, and the Ministry of Environment. Payroll, citizen services, and local-government workflows were degraded for weeks.
- Victim
- Westpole / PA Digitale (Urbi platform)
ICBC Financial Services LockBit ransomware (2023)
LockBit ransomware disrupted the U.S. broker-dealer arm of the world's largest bank, ICBC, jamming settlement of over $9 billion in U.S. Treasury trades. Bank staff sent critical settlement details by USB stick via a messenger across Manhattan. $62 billion of Treasuries failed to deliver in one day.
- Victim
- ICBC Financial Services (U.S. broker-dealer of Industrial and Commercial Bank of China)
- Loss
- $9.00B
British Library Rhysida ransomware (2023)
Rhysida ransomware operators destroyed servers, demanded ~£600,000, and leaked 600 GB of internal data when the British Library refused to pay. The main catalogue did not return online — read-only — until January 2024. Recovery is consuming 40% of the Library's financial reserves.
- Victim
- British Library
- Loss
- $8.5M
Boeing LockBit ransomware via Citrix Bleed (2023)
LockBit operators exploited the Citrix Bleed vulnerability (CVE-2023-4966) to enter Boeing's parts and distribution business. Boeing did not pay; LockBit leaked roughly 45 GB of data, including Citrix logs, email backups, supplier lists, and 2020 pricing data.
- Victim
- Boeing — Parts and Distribution business
MGM Resorts ransomware (Scattered Spider + ALPHV)
Scattered Spider vished an MGM IT-desk agent, gained Okta admin, and let ALPHV detonate ransomware. Casinos went offline for ten days; the loss to MGM exceeded $100 million.
- Victim
- MGM Resorts International
- Loss
- $100.0M
Caesars Entertainment Scattered Spider ransom payment (2023)
Scattered Spider impersonated a Caesars employee on a call to a third-party IT support vendor and convinced the vendor to grant Okta credentials, then exfiltrated customer loyalty data including SSNs and driver's licences. Caesars paid roughly $15 million ransom; the FBI later froze a substantial portion of the funds with Chainalysis assistance.
- Victim
- Caesars Entertainment
- Loss
- $15.0M
Xplain Play ransomware and Swiss federal documents leak (2023)
Play ransomware breached Swiss IT services provider Xplain, exfiltrating 1.3 million files. Approximately 65,000 documents belonging to the Swiss Federal Administration — including classified content, personal data, and readable passwords — were published on Play's dark-web leak site in June 2023.
- Victim
- Xplain (Swiss IT services provider to the Federal Administration)
- Records
- 1.3M
Indigo Books LockBit ransomware
LockBit affiliates encrypted Canada's largest bookseller, taking the website and in-store payment systems offline for weeks. Indigo publicly refused the ransom; LockBit published employee personal data.
- Victim
- Indigo Books & Music Inc.
- Loss
- $40.0M
- Records
- 5.0K
Royal Mail LockBit ransomware
LockBit affiliates encrypted Royal Mail's international export systems, halting all overseas postal services from the U.K. for six weeks. Royal Mail publicly refused the £65.7M ransom demand; LockBit progressively leaked exfiltrated data.
- Victim
- Royal Mail International
- Loss
- $60.0M
AIIMS Delhi ransomware
Ransomware encrypted the All India Institute of Medical Sciences in New Delhi — India's most prestigious public hospital — taking patient registration and clinical records offline for two weeks during peak winter patient load.
- Victim
- All India Institute of Medical Sciences (AIIMS) New Delhi
- Loss
- $15.0M
Medibank ransomware (REvil-affiliated)
Russian-speaking attackers exfiltrated full health-claim records on 9.7 million current and former Medibank customers, then released them in tranches on the dark web after the Australian insurer refused to pay.
- Victim
- Medibank Private
- Loss
- $250.0M
- Records
- 9.7M
Continental AG LockBit ransomware (Germany, 2022)
LockBit operators infiltrated parts of German auto-parts giant Continental AG's IT systems in August 2022. Containment was initially declared, but in November the group put 40 terabytes of stolen Continental data on its dark-web leak site, offered for sale or destruction for $50 million.
- Victim
- Continental AG
Conti ransomware attack on the Government of Costa Rica
Conti encrypted 27 Costa Rican government institutions including the Ministry of Finance, paralyzing tax collection and customs for months. President Chaves declared a national emergency — the first cyber-incident state of emergency in history.
- Victim
- Government of Costa Rica (27 institutions incl. Ministry of Finance, Customs, Social Security)
- Loss
- $130.0M
Toyota Kojima Industries supply-chain cyberattack (2022)
An attack on Toyota plastics-and-electronics supplier Kojima Industries paralysed one server enough to halt production at all 14 of Toyota's Japanese plants — about 13,000 vehicles of daily output — making the case the canonical example of just-in-time manufacturing's cyber-fragility.
- Victim
- Kojima Industries (Toyota supplier)
Hillel Yaffe Medical Center DeepBlueMagic ransomware (Israel, 2021)
DeepBlueMagic ransomware — attributed by Israeli officials to a Chinese criminal group — hit Hillel Yaffe Medical Center in Hadera, becoming the first known successful ransomware attack on an Israeli healthcare entity. Recovery extended for months. Israeli authorities subsequently reported a wave of follow-on attempts against nine more hospitals.
- Victim
- Hillel Yaffe Medical Center
Transnet 'Death Kitty' ransomware (South Africa, 2021)
A ransomware attack on South Africa's state-owned logistics firm Transnet shut down operations at Durban, Ngqura, Port Elizabeth and Cape Town container terminals, forcing the operator to declare force majeure. Durban — 60% of Southern Africa's containerised trade — reverted to paper-based clearance for cargo for a week.
- Victim
- Transnet SOC (state-owned freight & port operator)
JBS Foods REvil ransomware
REvil affiliates encrypted the world's largest meat processor, shutting down beef and pork plants across the U.S., Canada, and Australia. JBS paid an $11 million ransom — one of the largest publicly-confirmed ransomware payments at the time.
- Victim
- JBS S.A. / JBS USA
- Loss
- $100.0M
HSE Ireland ransomware (Conti)
Conti ransomware paralysed Ireland's Health Service Executive, forcing cancellation of outpatient appointments nationwide for weeks. Conti released the decryptor for free; recovery still cost an estimated €100M+.
- Victim
- Health Service Executive (HSE) of Ireland
- Loss
- $130.0M
- Records
- 700.0K
HSE Ireland Conti ransomware national healthcare shutdown (2021)
Conti operators tricked an HSE user into downloading a booby-trapped Excel attachment; the resulting ransomware forced the Health Service Executive to shut down all of Ireland's healthcare IT systems and exfiltrated 700 GB including COVID-19 vaccination PHI. Recovery cost exceeded €100 million.
- Victim
- Health Service Executive (HSE) of Ireland
- Loss
- $110.0M
Colonial Pipeline ransomware (DarkSide)
A reused VPN password let DarkSide encrypt Colonial Pipeline's billing systems. The operator shut down 5,500 miles of fuel pipeline for six days, paid $4.4M, and triggered a federal emergency.
- Victim
- Colonial Pipeline Company
- Loss
- $4.4M
CD Projekt Red HelloKitty ransomware and source-code theft (2021)
HelloKitty ransomware encrypted CD Projekt Red devices and exfiltrated source code for Cyberpunk 2077, The Witcher 3, Gwent, and an unreleased version of The Witcher 3. CDPR refused to pay; the data was auctioned and reportedly sold to a private buyer.
- Victim
- CD Projekt Red
Garmin WastedLocker ransomware (Evil Corp)
Evil Corp deployed the WastedLocker ransomware against Garmin, taking flyGarmin aviation services, Garmin Connect, and inReach satellite messaging offline for five days. Garmin paid an estimated $10M ransom despite OFAC sanctions on Evil Corp.
- Victim
- Garmin Ltd.
- Loss
- $30.0M
Picanol Group ransomware production halt (Belgium, 2020)
A ransomware attack paralysed weaving-machine manufacturer Picanol's plants in Ieper (Belgium), Romania, and China, halting production for ~2,300 employees for over a week. Trading in Picanol shares was suspended during the disruption.
- Victim
- Picanol Group
Travelex Sodinokibi ransomware and collapse (2019–2020)
REvil/Sodinokibi operators detonated against Travelex on New Year's Eve 2019 after dwelling in the network for six months via an unpatched Pulse Secure VPN. Travelex paid $2.3 million; parent Finablr failed; PwC put Travelex into administration with the loss of over 1,300 jobs.
- Victim
- Travelex
- Loss
- $2.3M
Maastricht University Clop ransomware (Netherlands, 2019)
TA505 used Clop ransomware to encrypt 267 Maastricht University servers over Christmas 2019 after two phishing emails on 15–16 October had compromised the network. The university paid 30 BTC (~$220,000). The ransom Bitcoin — later seized from a money mule — was returned and had appreciated, leaving the university ahead by ~$300,000.
- Victim
- Maastricht University
- Loss
- $220.0K
Pemex DoppelPaymer ransomware (Mexico, 2019)
DoppelPaymer ransomware paralysed corporate IT systems at Mexican state oil company Pemex, freezing payments and communications for weeks. Attackers demanded 565 BTC (~$5M). Pemex refused to pay; total recovery cost reached approximately $71 million.
- Victim
- Petróleos Mexicanos (Pemex)
- Loss
- $71.0M
Norsk Hydro LockerGoga ransomware
Aluminium producer Norsk Hydro lost most of its global IT estate to the LockerGoga ransomware. Hydro publicly refused to pay, ran operations on paper for weeks, and set the editorial standard for transparent incident communication.
- Victim
- Norsk Hydro
- Loss
- $75.0M
WannaCry ransomware worm
A North Korean ransomware worm that exploited the EternalBlue SMB vulnerability to spread to ~200,000 systems across 150 countries in 24 hours. Paralysed the U.K.'s NHS and crippled manufacturing globally.
- Victim
- ~200,000 organizations worldwide (UK NHS, Telefónica, Renault, Deutsche Bahn, Honda et al.)
- Loss
- $6.00B