Ransomware activity edged higher in May 2026, with researchers at Comparitech recording 661 attacks worldwide, a 3% increase from April’s 640 incidents. Despite the rise, attack volumes remained below the 700 to 800 monthly range seen during the first quarter of the year. Education organizations experienced the sharpest increase, with attacks jumping 54% month over month, while food and beverage firms, retailers, transportation companies, and technology businesses also saw notable growth. By contrast, attacks against healthcare providers and utility companies declined by 21% and 29%, respectively.
Comparitech identified Qilin, The Gentlemen, and DragonForce as the most active ransomware groups during the month, with nearly 115 TB of data reportedly stolen across all recorded incidents. The U.S. remained the most targeted country, accounting for 272 attacks. Businesses continued to bear the brunt of ransomware activity, accounting for 581 of the 661 attacks logged in May, 35 of which were confirmed by the affected organizations.
Comparitech's data showed that ransomware groups claimed responsibility for 661 cyberattacks worldwide in May. Of these incidents, 48 were confirmed by the affected organizations, including 35 attacks on businesses, seven on government entities, one on a healthcare company, and five on educational institutions. The remaining 613 attacks were unconfirmed claims, comprising 546 attacks on businesses, 15 on government entities, 37 on healthcare companies, and 15 on educational institutions.
Attacks on government entities remained unchanged in May 2026, with 22 incidents recorded in both May and April. To date, seven of May’s attacks have been confirmed by the affected organizations.
Among the confirmed incidents were two attacks in France, where the Qilin ransomware group targeted the municipalities of Ville de Quiberon and Ville d’Eyguières. Officials in Quiberon confirmed that no ransom was paid. In Spain, the municipality of Ayuntamiento de Valdemoro also confirmed it did not pay the ransom demanded by the Kairos ransomware group. Kairos subsequently listed the municipality on its data leak site, claiming to have stolen 1.8 TB of data.
Meanwhile, the healthcare sector has experienced a 10% increase in ransomware attacks so far this year, even as government-targeted incidents have declined 21% compared with the first five months of 2025. Manufacturing organizations were the most frequently affected among confirmed business victims, with attacks reported against companies in the U.S., Japan, India, Germany, Taiwan, Thailand, Malaysia, and Italy.
The only confirmed healthcare attack in May 2026 targeted Central Medical Services of Westrock (CMSW) in the U.S. The attack occurred on May 3 and was later claimed by INC, which said it planned to sell the stolen data in seven batches, each containing between 200 GB and 300 GB. Comparitech recorded 208 ransomware attacks against healthcare organizations during the first five months of 2026, up from 189 during the same period in 2025. Of those 2026 incidents, 38 have been confirmed by the affected organizations.
“While we should take some comfort in the fact that attack figures remained low(er) again in May, it’s important to remember that these figures are still incredibly high, particularly when compared to previous years. Furthermore, this slight reprieve isn’t being witnessed across all sectors and illustrates how hackers are often targeting specific sectors at certain times,” Rebecca Moody, head of data research at Comparitech, commented. “For example, May saw a spike in the number of attacks being carried out in the education sector. This may not be a coincidence. As schools and teachers look forward to the holidays, hackers likely see this as a great opportunity to worm their way in while everyone’s starting to unwind and maybe isn’t as focused as usual.”
Comparitech also found that ransomware attacks on businesses have risen 13% year over year, with 3,090 incidents recorded globally during the first five months of 2026 compared with 2,728 during the same period in 2025.
Qilin remained the most active ransomware group in May 2026, claiming 97 attacks, although this marked a 10% decline from the 108 attacks it claimed in April. The group also recorded the highest number of confirmed incidents, with nine attacks verified by affected organizations.
Australia was a notable target for Qilin during the month. In addition to attacks on Bluize and the Australian College of Business Intelligence, confirmed incidents were reported by service provider Menzies Group Pty Ltd and financial services firm Kennedy McLaughlin & Associates. Other confirmed Qilin victims included the French municipalities of Ville de Quiberon and Ville d’Eyguières, German transport company Schulte-Lindhorst GmbH & Co., Spanish marketing firm Mediapost, and U.S.-based real estate company Cushman & Wakefield.
The Gentlemen ranked second with 71 claimed attacks, four of which have been confirmed. Three of these involved Oriental Diamond, Koa Glass, and the University of Finance and Administration, while the fourth targeted Instituut voor de Nederlandse Taal, a Dutch language institute.
While attacks attributed to The Gentlemen rose by just over 1% from April to May, several other ransomware groups posted far sharper increases. SafePay’s activity rose 160%, Nova/RALord’s increased 213%, Play’s grew 325%, and Genesis recorded a 1,600% surge.
Among groups that disclosed data volumes, DragonForce claimed the largest haul, reporting more than 20.8 TB of stolen data across its 51 attacks. None of these incidents had been confirmed by the victims at the time of reporting.
Comparitech estimated that nearly 115 TB of data was stolen across all reported ransomware attacks in May 2026. The U.S. remained the most targeted country, recording 272 incidents, a 6% increase from 257 in April. Eight of the U.S. attacks have been confirmed, including an attack on West Pharmaceutical Services, which said the intrusion disrupted its systems on May 4 and required two weeks to fully restore operations.
Canada recorded the second-highest number of attacks with 31 incidents, broadly in line with April’s total of 32, although none of May’s attacks have been confirmed. The U.K. and Germany followed with 28 and 26 attacks, respectively, with ransomware activity declining 7% in the U.K. and 19% in Germany compared with the previous month. By contrast, attacks in Spain increased 28% month over month.
In Australia, attack volumes remained largely unchanged from April. Five incidents were confirmed during May, including attacks on several organizations noted earlier, while the remaining confirmed victim was VSP Security Wholesale.


