We analysed 16,699 ransomware leak-site posts from 200 groups over 24 months. The data shows ransomware now runs on a workweek calendar: 84% of leaks land Monday to Friday, half of all activity happens in 8 UTC hours, October is open season, and the ecosystem is growing not consolidating. Here is the full timing picture.

Lithuania’s Centre of Registers (Registrų centras) disclosed a May 2026 breach exposing roughly 600,000 records. Attackers reused credentials of authorised institutions, queried from abroad. Alerts.bar data shows 117 stealer-log accounts tied to the agency and 60+ live infected staff endpoints across the wider Lithuanian institutional ecosystem.

A 5-year census of 65,907 exposed databases found 30,515 carry a ransom or wipe marker. Of 512 attacker wallets we traced on-chain, 318 received nothing. The 9.78 BTC ($753K) that did move concentrates into the top 10 wallets, which captured 43% of receipts. Mass database extortion is industrial, automated, and mostly failing.