Ransomware Attacks in May 2026: Monthly Report

Ransomware Attacks in May 2026: Monthly Report

Josh Amishav · Last updated Jun 1, 2026 · 8 min read

Which ransomware groups claimed the most victims in May 2026, which industries got hit hardest, and why every metric pulled back this month.

• There were 646 victims in May, down 16% from April’s 772 and the lowest month of 2026. Still 6% above the 2025 monthly average of 609, but that gap is narrowing fast.
• Qilin held the #1 threat actor spot for the fifth straight month with 101 victims. DragonForce broke its growth streak, falling from 63 victims to 41. SafePay and Bavaqai both debuted in the top seven with 25 victims each.
• Manufacturing reclaimed the #1 targeted industry spot with 58 victims. Technology fell from 56 victims to 31. Healthcare remained high at 54 victims.
• The US stayed the most targeted country, making up 39% of all victims (254 of 646), though the count fell from 304 last month. Active threat actor groups dropped from 70 to 61 and targeted countries from 79 to 73. Overall, May numbers dropped across the board.

For four straight months, 2026 outpaced every month of 2025. May was the first time that trend reversed.

We compiled this data from ransomware groups’ own leak sites where they publicly list victims. The numbers reflect claimed victims, not confirmed breaches. Some claims are exaggerated or duplicated across groups.

61 distinct ransomware groups were active in May, down from 70 in April. It’s the first contraction in active groups we’ve tracked this year.

Here’s what the May 2026 numbers tell us.

May 2026 ransomware numbers at a glance

April pulled back from March’s high. The May numbers dropped even further. Here’s what changed.

Ransomware leak sites are dark web pages where ransomware operators publish stolen data from victims who refuse to pay. Many groups steal data and threaten to leak it; some also encrypt files. A growing share (ShinyHunters, WorldLeaks, Cl0p) skip encryption entirely and run pure data-extortion operations.

  • 646 victim companies claimed across ransomware leak sites
  • 61 active ransomware groups (down from 70 in April)
  • 73 countries affected (down from 79 in April)
  • 59 industries represented (down from 72)
  • 16% decrease from April’s 772 victims
  • 6% above the 2025 monthly average of 609

Five months in, the 2026 total is 3,583 victims. That annualizes to roughly 8,600, an 18% increase over 2025’s total of 7,307. The year is still tracking up, but May narrowed this year’s lead.

Most active ransomware groups: May 2026

Qilin held the top spot again. DragonForce dropped for the first time this year, and three new names broke into the top eight.

RankGroupVictimsChange from Apr
1Qilin101-2
2TheGentlemen70-12
3Akira52+4
4DragonForce41-22
5INC_RANSOM30-11
6SafePay25new to top 10
7Bavaqai25new to top 10
8Nova23new to top 10
9LockBit18-21
10LAMASHTU14-3

The top 10 groups accounted for 399 victims (61.8%). The remaining 51 groups split the other 247 victims. That’s almost identical to April’s 61.4% concentration, so the long tail held even as the total number of victims fell.

Qilin posted 101 victims, down just 2 from April. Five months in a row above 100 victims, and five months in a row as the most active threat actor. Other groups jump around from month to month. Qilin posts roughly the same number every time.

TheGentlemen held second with 70 victims, down from 82. They’re still firmly in the top three most active threat actors and are still well above their 41-victim January start. They’ve stabilized as a reliable second.

Akira climbed to third with 52 victims, up from 48. Akira’s monthly count is all over the place: Jan 71, Feb 39, Mar 84, Apr 48, May 52. No clear direction, just volatility.

DragonForce posted 41 victims, down from 63. This breaks their streak. They had grown every single month in 2026 (30, 54, 63) before May’s drop. One down month doesn’t undo the trend, but it ends the clean climb.

LockBit fell to 18 victims from 39. That’s their lowest month of the year and a sharp reversal of their slow comeback. One slow month isn’t a trend, so it’s worth watching whether the drop continues next month.

SafePay, Bavaqai, and Nova are all new to the top 10. SafePay and Bavaqai each posted 25 victims, Nova posted 23. Three new groups breaking into the top eight in a single month is a lot. The ecosystem keeps splintering instead of settling around a few big players.

Just outside the top 10: Everest (13), KRYBIT (12), Genesis (12), Payload (12) all posted double-digit counts. KRYBIT dropped from 20 in April, and FulcrumSec, April’s strong debut at 22, fell to 3.

Countries most targeted by ransomware

The US share of victims held steady near 39%, but the absolute count dropped again. The spread keeps shifting.

RankCountryVictims% of Total
1United States25439.3%
2United Kingdom365.6%
3Canada314.8%
4Germany294.5%
5Spain213.3%
6Italy192.9%
7Australia172.6%
8Mexico172.6%
9France162.5%
10India111.7%

The US held 1st place at 39% of all victims, almost exactly April’s share. But the count fell from 304 to 254, a 50-victim drop. The US share has now sat near 39% for two straight months after the bigger swing from March’s 50%.

The UK rose to second place with 36 victims, up from 34. The UK has ranged between 24 and 44 victims a month all year.

Canada climbed to third with 31 victims, up from 28. Canada has risen for two months running now.

Germany slipped to fourth place with 29 victims, down from 37. After rising steadily all year, that’s Germany’s first monthly drop of 2026.

Mexico broke into the top 10 with 17 victims, a new entry. Latin America is showing up more often in the rankings.

France fell again to 16 victims, down from 27 in April and 36 in March. That’s two straight months of decline, well off its March high.

73 countries were hit in total, down from 79 in April. Fewer countries, fewer groups, fewer victims.

Industries hit hardest

Manufacturing took back the top spot. Technology fell almost as fast as it had risen the month before.

Double extortion ransomware is an attack where criminals steal your data before encrypting it. If you restore from backups and refuse to pay, they threaten to publish the stolen data on leak sites. This makes backups alone an incomplete defense.

RankIndustryVictimsChange from Apr
1Manufacturing58+8
2Healthcare54-10
3Construction42+5
4Consumer Goods38+1
5Finance31+3
6Technology31-25
7Legal27-13
8IT26-5
9Engineering23-6
10Government22-6

Manufacturing reclaimed #1 with 58 victims, up from 50 in April. Manufacturing’s 2026 run goes 94, 76, 50, 58. It’s well down from February’s peak, but it’s still the sector attackers focus on most.

Healthcare held second with 54 victims, down from 64. Healthcare’s monthly volume this year: 40, 93, 47, 64, 54. Volatile, but consistently near the top.

Construction climbed to third place with 42 victims, up from 37. After a March surge and an April dip, it’s rising again.

Technology collapsed to 31 victims, down from 56. That’s a 25-victim drop and the biggest single-sector swing of the month. April’s jump to second place didn’t hold for very long.

Finance edged up to 31 victims, tied with technology. Finance has been a steady mid-tier target all year.

Legal fell to 27 victims from 40, and government dropped to 22 from 28. Most sectors moved down in line with the overall pullback.

New and rising groups

SafePay (25 victims): New to the top 10 and straight into the top six. A strong showing for a group that wasn’t in April’s leaders.

Bavaqai (25 victims): Another new name matching SafePay’s count. Two groups debuting at 25 victims each is unusual.

Nova (23 victims): Rounds out the trio of newcomers in the top eight.

Genesis (12 victims): A newer name posting a solid double-digit month.

The number of active groups fell from 70 to 61, the first monthly contraction of the year. But that’s not consolidation. As older groups faded, new ones replaced them just as fast.

Month over month and YTD summary

MetricJanuaryFebruaryMarchAprilMayYTD Total
Total victims6776808087726463,583
Active groups5854657061
Countries hit6072757973
Industries hit6163727259
Top groupQilin (107)Qilin (104)Qilin (131)Qilin (103)Qilin (101)Qilin (546)

May was the slowest month of 2026, but it still ran ahead of the 2025 monthly average of 609. Every 2026 month so far has cleared that bar.

Qilin led the YTD chart with 546 total victims across five months. TheGentlemen is second with 335 victims, and DragonForce has 248. The top three have held their positions all year even as the monthly totals swung.

What security teams should do

May’s drop is real, but don’t read it as a retreat. The threat is rebalancing, not receding.

A slow month isn’t a safe month. A lower victim count means fewer companies were posted to leak sites, not that ransomware crews slowed down. The stolen credentials feeding the next round are still being bought and sold.

It doesn’t matter which group hits you. The lineup at the top changes every month. The group that gets your company probably won’t even be the biggest name, and it’ll hurt just as much.

Manufacturing and healthcare stayed on top. If you’re in those sectors or your vendors are, the pressure hasn’t let up. Manufacturing hit 58 victims this month and healthcare 54. That’s 112 victims in two industries, roughly 17% of all attacks in May.

Check your credential exposure. Most ransomware attacks start with stolen credentials purchased from infostealer logs. There’s a gap between when credentials are stolen and when ransomware deploys. Dark web monitoring catches stolen credentials in that window. With new groups appearing every month, waiting until something attacks your network is too late. You need to find your leaked credentials before attackers use them.

Methodology

This data reflects publicly claimed victims only. The actual number of attacks is higher because:

  • Many victims pay before being listed publicly
  • Some groups operate private negotiation channels without public leak sites
  • Not all ransomware attacks involve data theft or public claims

When multiple groups claim the same victim, we count it once for the total but list it under each claiming group in the per-group breakdown. Industry and country are based on the company’s primary business and headquarters.

May 2026 Ransomware FAQ

Breachsense tracked 646 companies listed on ransomware leak sites in May 2026, from 61 distinct groups across 73 countries. The actual number of attacks is higher since many victims pay before being publicly listed.
Qilin claimed 101 victims in May 2026, holding the top spot for the fifth straight month. TheGentlemen was second with 70 victims, and Akira moved up to third with 52.
The US accounted for 39% of all ransomware victims in May 2026 with 254 claims. The UK was second with 36 victims, Canada third with 31, Germany fourth with 29, and Spain fifth with 21.
Manufacturing was the most targeted sector in May 2026 with 58 victims, reclaiming the top spot. Healthcare was second with 54 victims and construction third with 42. Finance and technology tied with 31 victims each.
Year to date, the five-month total of 3,583 victims puts 2026 on pace for roughly 8,600 by year-end, up about 18% from 2025’s total of 7,307. May was the slowest month of the year, but still ran ahead of the 2025 monthly average.
Most ransomware groups buy stolen credentials from infostealer malware logs rather than breaking in themselves. There’s often a gap of days to weeks between when credentials are stolen and when ransomware gets deployed. Monitoring for leaked credentials can help you catch and reset them before attackers use them.