Ransomware victim disclosure
← All victimsGrupo Ruiz
Claimed by Lynx · listed 6 months ago
Status timeline
- ListedJan 9, 2026
- Data leakeddate unknown
At a glance
- Group
- Lynx
- Status
- Data leaked
- Country
- Spain
- Sector
- Transportation/Logistics
- Listed on leak site
- Jan 9, 2026
About the victim
AI dossier — public-source company profileGrupo Ruiz is a Spanish transportation company with over a century of experience, specializing in sustainable and innovative mobility. The company operates urban, metropolitan, and interurban bus services, with 50% of its national fleet running on compressed natural gas and 28% fully electric, making it the largest private electric fleet operator in Spain. It also provides personnel transport in Morocco and has a dedicated AI-driven technology division.
- Industry
- Sustainable Public & Urban Transportation
Attack summary
Severity: high — Data has been confirmed as published by the threat actor, indicating successful exfiltration and public release of company data. A transportation company of this scale operating public services likely holds employee PII, operational contracts, and potentially user data, making the disclosure significant.The Lynx ransomware group claims a data disclosure (status: data_published) against Grupo Ruiz, indicating that exfiltrated data has been published. No specific ransom amount or data volume was stated in the post.
Data the group says was taken
AI dossier — extracted from the leak post- Company operational data
- Transportation fleet records
- Business process information
What the group claims
Grupo Ruiz is a leading firm in sustainable and innovative mobility with over a century of experience in transforming transportation responsibly and efficiently. The company operates a significant proportion of its fleet using compressed natural gas and electricity, making it a pioneer in sustainable transport solutions in Spain. They also focus on technological innovation through AI to optimize processes and enhance user experience.
Sources
Source
Indexed 6 months agoThis page surfaces a public ransomware disclosure indexed by Darkfield. Original posts come from the operator's own leak site; we cross-check against ransomware.live, RansomLook and RansomWatch where applicable. Share this URL freely.
Is this your supplier? Your competitor? You?
Pro plans monitor your domain, corporate emails, and crypto wallets across every new ransomware leak-site post, breach dump and Telegram callout — alerts within 5 minutes.

