CyberXtron
Ransomware Report - May 2026

May 2026 Ransomware Report

Executive Summary

In May 2026, ransomware activity recorded a total of 789 victims globally, marking a 9.0% decline from the 867 victims reported in April 2026. This represents the first month-over-month reduction since Q4 2025.

The United States retained its position as the most impacted geography, accounting for 308 victims and representing approximately 39% of globally attributed incidents. Business Services remained the most heavily targeted confirmed sector with 160 victims, continuing the pattern established in April.

Qilin maintained its dominant position for a fifth consecutive month with 114 victims. TheGentlemen (90 victims) and DragonForce (55 victims) continued their high-volume trajectories. FulcrumSec emerged at scale for the first time with 23 victims, operating as a cloud-native data extortion actor without traditional encryption. Victim organizations were identified across 74 countries, sustaining the global reach established in recent months.

Introduction

This report provides an in-depth assessment of ransomware victim distribution by sector and geography during May 2026, including a comparative analysis with April 2026 to identify shifts in threat actor activity, sector targeting patterns, geographic impact, and overall victim volume. The findings are intended to support cybersecurity leaders and response teams in strengthening defensive posture and operational preparedness.

Key Points

  • A total of 789 ransomware victims were recorded globally in May 2026.

  • Ransomware activity declined by approximately 9.0% from April to May 2026 — the first month-over-month decrease in the current reporting cycle, though the absolute level remains historically elevated.

  • The United States accounted for 308 victims, representing approximately 39% of globally attributed incidents and remaining the dominant target geography.

  • "Not Found" sector classification accounted for 103 victims — the lowest in the current reporting cycle — indicating improved attribution coverage in underground reporting channels.

  • Among confirmed sectors, Business Services (160 victims), Manufacturing (102 victims), and Technology (70 victims) were the most heavily targeted.

  • Healthcare recorded 68 victims and Consumer Services 52, reflecting continued pressure on operationally sensitive and data-rich environments.

  • Agriculture and Food Production (39 victims) and Transportation/Logistics (35 victims) recorded meaningful volumes, reinforcing attackers' interest in supply-chain-dependent sectors.

  • The United Kingdom (49 victims), Germany (40 victims), and Canada (32 victims) were the most impacted countries outside the United States.

  • Spain (23 victims) re-emerged as a notable target, ranking fifth globally for the first time in the current reporting cycle.

  • Qilin led all threat groups with 114 victims, extending its dominance for a fifth consecutive month.

  • FulcrumSec emerged with 23 victims in its first month of significant activity — a cloud-native extortion actor operating entirely through data exfiltration without encryption.

  • Nova (25 victims) and SafePay (29 victims) both recorded strong surges from their April counts of 8 and 10 respectively.

  • 62 distinct threat groups were active during May 2026. Victim organizations were identified across 74 countries.

Ransomware Activity — May 2026

Ransomware activity in May 2026 demonstrated continued global reach and operational depth, with victim counts remaining concentrated in North America and Western Europe while showing sustained exposure across Asia-Pacific, Latin America, and the Middle East.

Qilin maintained its dominant position as the most active threat group with 114 recorded victims, extending its unbroken streak as the leading operator for a fifth consecutive month. The group continues to offer affiliates a high revenue share of up to 85% of ransom payments, making it an attractive platform for experienced threat actors who might otherwise operate independently, and its victim list spans hospitals, school systems, industrial manufacturers, and municipal governments. TheGentlemen (90 victims) followed as the second most active group, marginally expanding on its April count of 86 and sustaining its position as one of the defining high-volume operators of 2026. TheGentlemen is a Russian-speaking operation that rose from 40 victims in Q4 2025 to 166 in Q1 2026, becoming the breakout story of the first quarter.

DragonForce (55 victims) declined from its April count of 65, a moderate pullback consistent with affiliate-driven fluctuation rather than structural retreat. DragonForce rose to greater prominence in 2025 after a series of notable attacks and is defined by its aggressive, affiliate-driven model. Akira followed with 43 victims, maintaining steady mid-tier pressure after modestly declining from its April count of 49.

Incransom (31 victims) and SafePay (29 victims) held the fifth and sixth positions, with SafePay recording a particularly sharp expansion from just 10 victims in April — nearly tripling its monthly output and signaling significant affiliate scaling. Nova (25 victims), formerly known as RALord, continued its upward trajectory from 8 victims in April, consolidating its status as a fast-growing mid-tier operator. Nova is a ransomware-as-a-service group employing double-extortion tactics whose top targeted sectors include Manufacturing, Technology, and Healthcare, with the United States, France, and Brazil as primary victim geographies.

FulcrumSec (23 victims) represented one of the most structurally significant developments of the month, emerging at scale for the first time after recording zero victims in April. FulcrumSec is a data extortion group active since approximately September 2025, specializing in high-speed exfiltration of cloud-hosted databases by exploiting unrotated API keys and misconfigured cloud permissions rather than deploying encryption. The group targets cloud environments including AWS, Azure, Databricks, MongoDB, and GCP using standard platform tools, and employs an "Index of /Shame" campaign to target organizations with staging servers and cloud storage left publicly accessible, requiring no exploitation in some cases.

APT73, which had surged to 62 victims in April, fell sharply to 6 in May — consistent with a concentrated single-month campaign burst rather than a durable operational baseline. Numerous smaller collectives including Stormous (9), Payload (9), LeakBazaar (9), ThreeAM (9), Titan (9), Chaos (9), SpaceBears (8), and Lynx (8) sustained the ecosystem's broad lower tier. In total, 62 distinct groups were identified as active during May 2026, reflecting continued ecosystem density across both concentration at the top and broad-based distribution at mid and lower tiers.

Ransomware Activity — April 2026 vs. May 2026

Ransomware activity declined from 867 victims in April 2026 to 789 victims in May 2026, a 9.0% month-over-month decrease and the first downward movement in the current reporting cycle. While this moderation is notable, it does not signal a fundamental weakening of the threat landscape — victim numbers have stabilized at historically high levels rather than declining substantially, consistent with an elevated "new normal" established through the second half of 2025.

Qilin extended its lead from 108 victims in April to 114 in May, a marginal increase that reinforces its sustained dominance. TheGentlemen rose from 86 to 90, maintaining its trajectory as the second most active operator. DragonForce declined from 65 to 55, a moderate pullback. Akira moved from 49 to 43 victims, and Incransom from 39 to 31 — both reflecting modest tactical recalibration rather than significant operational change.

SafePay was the standout acceleration story of May, rising from 10 to 29 victims and demonstrating the sharpest proportional growth among established operators. Nova similarly expanded from 8 to 25 victims, marking a clear upward inflection. FulcrumSec moved from zero to 23 victims — a full first-month emergence at scale, confirming cloud-native extortion as a maturing and distinct threat category. Genesis surged from 2 to 21 victims, consistent with a batch-upload campaign or new affiliate cohort activation.

The overall decline in May may reflect a degree of natural oscillation after April's elevated output, combined with increased defensive resistance in previously targeted sectors.

Industry Impact in May 2026 — Ransomware Continues to Target Critical Sectors

In May 2026, ransomware attacks maintained concentrated pressure on high-value industries, with the sectoral targeting pattern broadly consistent with April but reflecting notable shifts in relative volume.

Business Services recorded the highest confirmed victim count at 160, retaining the top position it first claimed in April. This sustained dominance reflects continued attacker interest in professional services organizations — including law firms, consulting firms, managed service providers, and staffing agencies — whose client data, operational dependencies, and broad third-party access create acute extortion leverage. Ransomware targeting is increasingly shaped by access rather than intent, with industries such as manufacturing, healthcare, and business services remaining heavily impacted due to their operational complexity and downtime sensitivity.

Manufacturing followed with 102 victims, holding firm as the second most targeted confirmed sector. Manufacturing remains a top target because when a production line stops, costs spiral instantly — supply chains break, perishable goods spoil, and contracts are voided — creating acute payment pressure even when organizations maintain backups. Technology recorded 70 victims, maintaining its position as a primary target due to intellectual property exposure, cloud infrastructure vulnerabilities, and SaaS integration dependencies.

Healthcare recorded 68 victims, sustaining its pattern as a consistently high-priority target. Hospitals cannot afford to have life-saving systems offline, making healthcare organizations more likely to pay quickly and creating strong leverage for ransomware operators. Consumer Services (52 victims) and Agriculture and Food Production (39 victims) each recorded substantial volumes. Agriculture's 39 victims is a notable figure — reflecting a growing attacker preference for food and supply-chain sectors where operational disruption translates directly into perishable loss and regulatory pressure.

Geographical Distribution of Victims

The United States remained the most targeted country in May 2026 by a substantial margin, accounting for 308 victims and approximately 39% of globally attributed incidents. North America continued to represent the global epicenter of ransomware activity. North America's outsized share of activity is fueled by its large economy, ubiquitous internet connectivity, extensive IoT and OT networks, and the high concentration of enterprise targets.

The United Kingdom recorded 49 victims, maintaining its position as the second most impacted country outside North America and reflecting sustained pressure on British organizations across professional services, financial, and public-sector verticals. Germany followed with 40 victims, and Canada with 32 — an uptick from its April count of 22, indicating renewed targeting pressure on Canadian organizations. Spain emerged prominently with 23 victims, ranking fifth globally and representing one of the more notable geographic shifts of the month. Italy and Australia each recorded 20 victims.

Japan (17 victims), Mexico (16 victims), and France (16 victims) maintained consistent exposure. The Netherlands (12 victims) appeared as a notable presence, reflecting sustained pressure on Western European digital infrastructure. India (11 victims) retained its position as the primary Asia-Pacific emerging-market target.

Brazil (10 victims), Singapore (10 victims), Thailand (10 victims), and Turkey (10 victims) each recorded double-digit counts. Taiwan (7), Austria (7), Malaysia (7), and Argentina (7) sustained measurable exposure. The United Arab Emirates (6), Poland (6), and Egypt (6) each recorded meaningful activity.

In total, victim organizations were identified across 74 countries, with 42 incidents carrying incomplete or unconfirmed geographic attribution. APAC's share of global ransomware activity is rising as digital adoption grows, though many incidents in Asia-Pacific may go unreported or unmentioned in Western media, meaning the true regional exposure is likely understated. Threat actors continued prioritizing regions with advanced digital infrastructure and higher ransom payment capacity, while simultaneously demonstrating increased opportunistic targeting across emerging markets.

Major Ransomware Breaches Across Global Sectors — May 2026

During May 2026, ransomware and cyber-extortion activity produced a number of significant confirmed or claimed incidents across critical industries and regions.

Education and Technology — United States (Global Impact)

The month's most consequential and publicly visible incident involved ShinyHunters' extortion campaign against Instructure, the company behind the Canvas learning management system. Unauthorized actors accessed Canvas systems on April 25, with Instructure detecting the intrusion four days later. On May 1, Instructure disclosed the incident, and ShinyHunters claimed responsibility on May 3, asserting they had stolen 3.65 terabytes of data covering approximately 275 million users across nearly 9,000 educational institutions, including names, email addresses, student ID numbers, and private messages. Although the breach was assumed to be initially contained, a second wave of unauthorized activity was detected on May 7, defacing Canvas login portals with extortion messages at roughly 330 institutions and issuing a May 12 deadline to negotiate or face a public data leak.

Technology and Distribution — United States

FulcrumSec also claimed a breach against Avnet, a global electronic components distributor and technology solutions provider, with the claim discovered in early May 2026. The incident reflects continued attacker interest in technology distribution and supply chain organizations, whose downstream customer data and integration access create compounding extortion leverage beyond the primary victim.

Healthcare — Multi-region

Healthcare continued to face persistent targeting throughout May, with Qilin and TheGentlemen identified as the most active groups in the sector. Healthcare organizations remained a key target, with Qilin and NightSpire compromising entities in this sector, and observed attack methods including the use of file transfer tools for data exfiltration and attacker-controlled cloud storage. The ongoing concentration of ransomware activity against hospitals and healthcare providers reflects the sector's combination of patient data sensitivity, regulatory exposure, and the operational urgency created when clinical systems are disrupted.

These incidents collectively underscore ransomware groups' continued emphasis on data exfiltration as the primary extortion lever, the growing prominence of cloud-native extortion actors operating without encryption, and the broadening of target profiles to include educational platforms, engineering firms, and agricultural organizations alongside the traditionally dominant sectors.

Recommendations — May 2026 Ransomware Outlook

To mitigate the ongoing ransomware threat, organizations should continue strengthening defensive resilience through layered controls. The May 2026 incidents highlight several critical vectors requiring immediate attention, including cloud misconfiguration exploitation, educational platform vulnerabilities, and the growing threat of encryption-free data extortion that bypasses traditional ransomware defenses.

  • Deploy advanced EDR/XDR solutions and continuously monitor for indicators of compromise across endpoint, network, and cloud telemetry. Apply behavioral detection capabilities to identify abnormal data access patterns.

  • Enforce rigorous cloud security hygiene. The FulcrumSec incidents against Arup Group and Avnet illustrate how unrotated API keys, misconfigured cloud permissions, and publicly accessible staging environments can provide initial access without any exploitation of software vulnerabilities.

  • Implement phishing-resistant MFA across all remote access channels and review session-token lifecycles.

  • Enforce rapid patch management for VPNs, cloud services, exposed web applications, and third-party software dependencies.

  • Segment enterprise networks to limit lateral movement and reduce blast radius following initial compromise. Maintain offline, encrypted, and regularly tested backup systems.

  • Extend third-party and supply chain risk management to software dependencies, managed service providers, educational technology platforms, and vendor ecosystems. Conduct regular incident response exercises calibrated to current threat actor TTPs, with specific scenarios addressing cloud-native extortion, SaaS platform compromise, and encryption-free data theft.
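
One way to act on the cloud-hygiene recommendation about unrotated API keys, as an added example that is not part of the original report: a Python audit of an AWS IAM credential report CSV that flags active access keys which are overdue for rotation or have gone idle. The 90-day and 45-day thresholds, the function names, and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
from datetime import datetime, timezone

MAX_KEY_AGE_DAYS = 90  # assumed rotation policy; adjust to your own
MAX_IDLE_DAYS = 45     # assumed threshold for "active but not in use"

# Constructed sample rows using a subset of the credential report's columns.
SAMPLE_REPORT = """user,arn,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,false,true,2024-11-02T09:15:00+00:00,2026-05-30T21:04:00+00:00,false,N/A,N/A
etl-staging,arn:aws:iam::111122223333:user/etl-staging,false,true,2026-04-20T08:00:00+00:00,N/A,true,2025-06-01T12:00:00+00:00,2025-07-15T03:30:00+00:00
alice,arn:aws:iam::111122223333:user/alice,true,true,2026-05-01T10:00:00+00:00,2026-05-29T16:45:00+00:00,false,N/A,N/A
"""


def _parse_ts(value):
    """Return an aware datetime, or None for 'N/A' / 'no_information'."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def audit_access_keys(report_csv, now):
    """Return findings for active keys that are unrotated and/or idle."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        for slot in ("1", "2"):
            if row.get(f"access_key_{slot}_active") != "true":
                continue  # inactive or absent key: nothing to exploit
            rotated = _parse_ts(row[f"access_key_{slot}_last_rotated"])
            used = _parse_ts(row[f"access_key_{slot}_last_used_date"])
            if rotated is None:
                continue  # no creation/rotation timestamp to reason about
            age_days = (now - rotated).days
            # A never-used key counts as idle since its creation date.
            idle_days = (now - (used or rotated)).days
            reasons = []
            if age_days > MAX_KEY_AGE_DAYS:
                reasons.append("unrotated")
            if idle_days > MAX_IDLE_DAYS:
                reasons.append("idle")
            if reasons:
                findings.append({
                    "user": row["user"],
                    "key_slot": slot,
                    "age_days": age_days,
                    "reasons": reasons,
                })
    # Oldest keys first: they have had the longest window to leak.
    return sorted(findings, key=lambda f: f["age_days"], reverse=True)


if __name__ == "__main__":
    as_of = datetime(2026, 6, 1, tzinfo=timezone.utc)
    for finding in audit_access_keys(SAMPLE_REPORT, as_of):
        print(finding)
```

Keys flagged as both unrotated and idle are the first candidates for deactivation, since removing them costs nothing operationally.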

Conclusion

The ransomware landscape in May 2026 reflected a modest moderation in victim volume — the first month-over-month decline in the current reporting cycle — while sustaining the structurally elevated baseline that has defined the threat environment since Q4 2025. The 789 globally recorded victims, distributed across 74 countries and 62 active threat groups, confirm that the RaaS ecosystem remains deeply resilient despite a 9.0% reduction from April's 867.

The United States remained disproportionately affected, while the United Kingdom, Germany, Canada, and Spain each recorded significant activity. Business Services retained its position as the most targeted confirmed sector for the second consecutive month — a shift from prior cycles where Manufacturing and Technology alternated at the top — reflecting sustained attacker interest in professional services organizations whose client data and operational dependencies create compounding extortion leverage.

The emergence of FulcrumSec as a 23-victim cloud-native extortion actor operating entirely without encryption, alongside SafePay's near-tripling of its monthly count and Nova's continued expansion, signals that the ecosystem's diversification is continuing across both operational models and mid-tier actor counts. The ShinyHunters campaign against Instructure's Canvas platform — affecting an estimated 275 million users across 9,000 institutions — stands as one of the most disruptive single incidents of the current reporting cycle and underscores the acute risk posed by large-scale SaaS platform compromise.

Ransomware remains a persistent, adaptive, and strategically driven threat. The continued structural resilience of the RaaS ecosystem, the growing normalization of encryption-free data extortion, and the demonstrated willingness to target an expanding range of geographies, sectors, and access vectors underscore the need for sustained investment in cloud security, detection, response, and recovery capabilities across all industries and organizational sizes.
