State of Ransomware: May 2026

Published 1 June 2026 · ThreatVectr Intelligence

759-5%
Claimed attacks
vs 803 the month before
64
Groups active
76
Countries affected
53
Busiest day
1 May

Ransomware groups claimed 759 attacks on organisations worldwide in May 2026, down 5% on the previous month's 803. 64 distinct groups posted at least one victim during the month, across 76 countries. The busiest single day was 1 May, with 53 victims listed.

Qilin was the most active operation of the month, claiming 111 victims — 15% of all listings. The Gentlemen (77) and DragonForce (58) followed. 6 groups appeared for the first time, including DeadLock, Fulcrumsec, Icarus, Doommageddon.

Business Services bore the heaviest targeting, with 148 claimed victims, ahead of Manufacturing (95) and Technology (68). By geography, United States accounted for 283 claims — 37% of the month — with United Kingdom (47) and Germany (40) next.

Claims per day — May 2026

Most active groups

  1. 1Qilin·111
  2. 2The Gentlemen·77
  3. 3DragonForce·58
  4. 4Akira231
  5. 5INC Ransom329
  6. 6LockBit128
  7. 7NightSpire325
  8. 8Nova1725
  9. 9SafePay1024
  10. 10FulcrumsecNew23

First seen this month:DeadLock, Fulcrumsec, Icarus, Doommageddon, 0day syndicate, Triple x

Most-targeted sectors

  1. 1Business Services148
  2. 2Manufacturing95
  3. 3Technology68
  4. 4Healthcare60
  5. 5Consumer Services51
  6. 6Agriculture and Food Production39
  7. 7Financial Services35
  8. 8Transportation/Logistics32
  9. 9Construction29
  10. 10Education29

Most-affected countries

  1. 1United States283
  2. 2United Kingdom47
  3. 3Germany40
  4. 4Canada26
  5. 5Spain23
  6. 6Italy22
  7. 7Australia18
  8. 8Japan16
  9. 9Mexico15
  10. 10France14

Every figure in this report counts a claim posted to a criminal leak site, observed via the monitoring service ransomware.live. A listing is an extortion tactic, not a confirmed breach: some claims are exaggerated, some are duplicates under new branding, and a few are outright false. Companies named in listings have not necessarily confirmed any incident, and ThreatVectr does not publish victim names from this dataset.

Cite this report

This report is free to cite and reproduce with attribution. Suggested citation:

ThreatVectr, “State of Ransomware: May 2026”, https://threatvectr.com/ransomware-tracker/reports/may-2026

Journalists and researchers: for questions about the data or methodology, contact the newsdesk.

Most ransomware starts with one email

The groups in this report overwhelmingly get in through phishing. Train2Secure runs realistic phishing simulations and short training that teach your team to spot the lure.

Start free — no card required
© 2026 Threat Vectr