The LockBit ransomware operation added 26 new victims to its dark web leak site in roughly 48 hours, according to IntelFusions incident tracking data, the loudest burst of activity from the rebuilt brand since its comeback gathered pace this year.
All 26 entries were posted on June 11 and span 16 countries, from the United States, Brazil, and Germany to Singapore, Indonesia, and Bolivia. In the same 48 hour window our tracker logged 75 leak site claims across 18 different ransomware groups, meaning LockBit alone accounted for more than a third of global claim volume. The data is drawn from leak site monitoring fed by ransomware.live and is browsable on the IntelFusions incident tracker.
What the data shows
The victims read like a cross section of the global economy rather than a targeted campaign: five manufacturers (including steel producer Shougang Hierro Peru and German toolmaker Stahlwille), seven business services firms, two US healthcare providers (Columbia Orthopaedic Group and Sierra Vista Hospital), three education sector victims (among them a junior school in England and a Minnesota school district), and food and agriculture companies including Central Romana, one of the Dominican Republic's largest employers.
One entry stands out: a Russian factoring company. LockBit's affiliate rules long forbade attacks inside Russia and the CIS, a line the original operation treated as existential. Whether the listing reflects a genuine break with that rule, a careless affiliate, or simple mislabeling cannot be determined from the leak site alone, but its presence on the list is notable.
A brand rebuilt after a takedown
LockBit was the world's most prolific ransomware operation until February 2024, when the international Operation Cronos seized its infrastructure and the UK's National Crime Agency later unmasked and sanctioned its alleged leader. The brand limped along before launching LockBit 5.0 on the RAMP crime forum in September 2025, with encryptors for Windows, Linux, and VMware ESXi. Researchers at Check Point counted 163 LockBit victims in the first quarter of 2026, a 106 percent jump over the prior quarter that put the group back in fourth place globally, as detailed in Check Point's quarterly ransomware report.
Read the numbers with care
Leak site listings are criminal claims, not confirmed breaches. That caution applies doubly to LockBit: Trend Micro found that the large majority of entries posted to the group's rebuilt leak site in the period after the takedown were recycled from old attacks or lifted from other groups' victims. A high volume burst is exactly what a brand trying to project strength would publish. Even so, the spread of fresh, mostly small and mid sized victims across LockBit's current list is consistent with a functioning affiliate base, and the same 48 hour window saw heavy posting from Qilin and from ShinyHunters, whose education sector extortion campaign accounts for another seven claims.
What you should do
A resurgent, high volume LockBit means commodity intrusion vectors are once again feeding a mass extortion pipeline: exposed remote access services, stolen credentials, and unpatched edge devices. Organizations that find themselves named on a leak site should bring in incident response and verify the claim independently before engaging, since recycled listings are common. Everyone else should treat the burst as a reminder to patch edge infrastructure, enforce multi factor authentication on remote access, and keep tested offline backups.
This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.