Ransomware roundup_ May 2026

Ransomware attacks increased by just over three percent from April 2026 to May 2026, but remained low when compared to the other months of the year. In total, Comparitech researchers logged 661 attacks in May, up from 640 in April. Attacks ranged from 700 to 800 per month during the first quarter of the year.

Attacks on the education sector rose significantly from April to May 2026, jumping by 54 percent from 13 to 20. Other sectors seeing significant increases were food and beverage companies (up 80%), retail (up 19%), transportation (up 20%), and technology (up 29%).

In contrast, healthcare providers and utilities companies saw the biggest declines, where attacks fell 21 and 29 percent, respectively.

Key findings for May 2026

  • 661 attacks in total — 48 confirmed attacks (confirmed by the entity involved)
  • Of the 48 confirmed attacks:
    • 35 were on businesses
    • 7 were on government entities
    • 1 was on a healthcare company
    • 5 were on educational institutions
  • Of the 613 unconfirmed attacks:
    • 546 were on businesses
    • 15 were on government entities
    • 37 were on healthcare companies
    • 15 were on educational institutions
  • The most prolific ransomware gangs were Qilin (97), The Gentlemen (71), and DragonForce (51)
  • Qilin had the most confirmed attacks (9), followed by The Gentlemen (4) and INC (3)
  • Nearly 115 TB of data was stolen across all of these attacks
  • The US saw the most attacks (272), followed by Canada (31), the United Kingdom (28), and Germany (26)

Ransomware attacks by sector

Healthcare


Attacks on healthcare providers decreased by 21 percent from April 2026 to May 2026, dropping from 48 to 38. One attack was confirmed in May.

Central Medical Services of Westrock (CMSW) in the US was the one confirmed attack in May 2026. The attack was carried out on May 3 and was later claimed by INC. INC said it would be selling the data in seven parts, with each part containing 200 to 300 GB of data.

Central Medical Services of Westrock (CMSW) added to INC's data leak site
Central Medical Services of Westrock (CMSW) added to INC’s data leak site

During the first five months of 2026, we’ve recorded 208 attacks on the healthcare sector. This is a 10 percent increase from the same period of 2025 (189). 38 attacks throughout 2026 have been confirmed.

Government


Attacks on government entities remained level in May 2026 (when compared to April), with both months seeing 22 attacks each. Seven attacks in May have been confirmed to date.

Two of the confirmed attacks took place in France and were carried out by Qilin against Ville de Quiberon and Ville d’Eyguières. Quiberon confirmed it hadn’t paid a ransom.

The Spanish municipality Ayuntamiento de Valdemoro also confirmed it hadn’t paid the ransom demand from its hackers, Kairos. Kairos later added Valdemoro to its data leak site, saying it had stolen 1.8 TB of data.

Ayuntamiento de Valdemoro is added to Kairos' data leak site

Elsewhere, Grad Jastrebarsko, Croatia, was targeted by ThreeAM. Direction Générale de la Comptabilité Publique et du Trésor (DGCPT), Senegal, was hit by AUDIT TEAM. And Bangkok Metropolitan Administration, Thailand, confirmed its systems had been breached after KRYBIT added the administration to its site.

Câmara de Serpa in Portugal confirmed its systems had been encrypted, but the hackers remain unknown at the time of writing.

From January to May 2026, we’ve noted 145 attacks on government entities – a 21 percent decrease from the same period of 2025 (184). 59 attacks have been confirmed in 2026 so far.

Education


Attacks on the education sector rose by 54 percent in May 2026, jumping from 13 in April to 20 in May. Five attacks were confirmed in May.

An attack on Universitat de València was claimed by Nova (RALord) toward the end of the month, with 300 GB allegedly stolen. The Spanish university confirmed data had been exfiltrated but said the hackers had only accessed an obsolete server belonging to a university research group, which contained videos. No personal data is believed to have been affected. No ransom was paid.

University of Valencia added to Nova's data leak site
University of Valencia added to Nova’s data leak site

Delano Public Schools in the US also confirmed it hadn’t met its hackers’ demands as no communication had been received. Classes were canceled for a day, but the incident was contained relatively quickly. No data breach has been confirmed as of yet.

The other confirmed attacks were:

  • University of Finance and Administration (Vysoká škola finanční a správní), Czechia – targeted by The Gentlemen
  • Australian College of Business Intelligence – targeted by Qilin
  • CKC Network, Inc. and Gakusan Co., Ltd., Japan – confirmed their systems were targeted in a coordinated attack by unknown hackers

2026 so far (up to May) has seen 88 attacks on the education sector – a drop of 25 percent (from 118) in the same period of 2025. Throughout 2026, 26 attacks have been confirmed.

Businesses


581 attacks on businesses were recorded in May 2026, a rise of four percent from April 2026 (557). 35 attacks were confirmed in May.

The most confirmed attacks were carried out within the manufacturing sector, with 11 attacks in total:

  • UnoAerre Industries S.p.A., Italy – unknown hackers demanded $4.48 million, which wasn’t paid
  • Foxconn – North America, US – claimed by Nitrogen with 8 TB stolen
  • Accretech America Inc., US – claimed by AiLock with 319 GB stolen
  • Oriental Diamond Co., Ltd., Japan – claimed by The Gentlemen
  • Koa Glass Co., Ltd., Japan – also claimed by The Gentlemen
  • Chuoh Pack Industry Co., Ltd., Japan – unknown hackers
  • Shri Balaji Valve Components Ltd, India – unknown hackers
  • Elken Sdn Bhd, Malaysia – claimed by Bavacai
  • CSB Energy Technology Co., Ltd., Taiwan – claimed by Lynx
  • NaRaYa, Thailand – claimed by Lamashtu
  • GTF Freese (G. Theodor Freese GmbH), Germany – claimed by Payload with 206 GB stolen

Attacks on the manufacturing sector increased two percent from April to May. But, as we’ve already noted, it was food and beverage companies that saw the biggest increase – 80 percent.

One attack on a food and beverage company was confirmed in May. Mopaş Online Supermarket in Turkey confirmed a breach of its systems after AUDIT TEAM added it to its data leak site.

Tech companies saw the second-highest increase (29%) with five attacks confirmed. Two of the confirmed attacks took place in Australia – Scope Systems and Bluize. The latter was claimed by Qilin, while the hackers remain unknown in Scope’s case. Elsewhere, a tech company for Spanish notaries, Notin.es, was targeted by Crypto24, Egnyte, Inc. in the US was targeted by INC, and Solati SAS in Colombia was targeted by Everest.

In the case of Solati SAS, Everest initially added a government utility company, Empresas Publicas de Medellin (EPM), to its site, but EPM later confirmed the attack had been carried out on its technology provider.

From January to May of this year, we’ve noted 3,090 attacks on businesses worldwide, an increase of 13 percent from the same period in 2025 (2,728).

The most prolific ransomware groups in May 2026

Remaining at the top spot is Qilin with 97 claims throughout May 2026. This was a 10 percent decline from April (108). Qilin also had the most confirmed attacks with nine in total.

Australia was a key target for Qilin in May. As well as Bluize and the Australian College of Business Intelligence (noted above), attacks were also confirmed on service-based business Menzies Group Pty Ltd and finance company Kennedy McLaughlin & Associates.

Two attacks on French government entities were also confirmed (Ville de Quiberon and Ville d’Eyguières), as well as an attack on a German transport company, Schulte-Lindhorst GmbH & Co., a Spanish marketing company, Mediapost in Spain, and a US real estate business, Cushman & Wakefield.

The Gentlemen saw the second-highest number of attacks in total (71) with four of these being confirmed. Three were mentioned above (Oriental Diamond, Koa Glass, and the University of Finance and Administration). The fourth was Instituut voor de Nederlandse Taal, a Dutch language institute.

Attacks by The Gentlemen increased just over one percent from April to May. Other groups saw far more significant increases, including SafePay (up 160%), Nova/RALord (up 213%), Play (up 325%), and Genesis (up 1600%).

DragonForce claimed to have stolen the most data (where figures are provided), with over 20.8 TB across its 51 attacks. None of these have been confirmed as of yet.

May 2026 ransomware attacks by country

The US was the top target last month with 272 attacks in total. This was a six percent increase from April 2026 (257). Eight attacks were confirmed in the US with one of these being West Pharmaceutical Services, Inc. It confirmed an attack had crippled its systems on May 4. It took two weeks before the healthcare manufacturer was fully operational again.

Canada saw the second-highest number of attacks (31), a similar figure to April’s (32). None of May’s attacks have been confirmed to date.

Attacks decreased in the UK (down 7%) and Germany (down 19%), but increased in Spain (up 28%).

In Australia, attacks plateaued. Five attacks were confirmed here. All but one (VSP Security Wholesale) were noted above.

Data breaches confirmed in May 2026

A number of significant data breaches following ransomware attacks were reported in May:

  • IMA Diligence Services, LLC, US – 525,306 people have been notified following a breach in December 2025, which was claimed by Genesis.
  • Unimed, Germany – at least 120,000 people are confirmed to have been impacted in an attack on the German healthcare tech company. 54,000 patients from University Hospitals in Baden-Württemberg are among those affected.
  • Cardinal Services, Inc., US – confirmed not one but two attacks impacting over 142,000 people. The first took place in June and was claimed by Rhysida with a $940,000 demand, and the second in August, which INC claimed.
  • Western Orthopaedics, P.C., US – over 113,000 patients were notified of a September 2025 data breach. PEAR claimed this attack and said it stole 1.7 TB of data.
  • American Lending Center, US – 123,158 people are confirmed to have been impacted in a July 2025 data breach following a ransomware attack. The hackers remain unknown.
  • Sefas (Frost Bank), US – Sefas, a US tech company, started issuing notifications on behalf of Frost Bank following an attack via Everest. So far, nearly 192,000 people are confirmed to have been impacted.

Confirmed vs unconfirmed attacks

We label a ransomware attack as “confirmed” when a) the targeted organization publicly discloses an attack that involved ransomware, or b) the targeted organization publicly acknowledges a cyber attack that coincides with a claim made by a ransomware group. If a ransomware group claims that it successfully attacked an organization, but the organization never acknowledged an attack, then we label the attack as “unconfirmed”.

An attack might be unconfirmed because the ransomware group making the claim is lying, or because the targeted organization chose not to disclose the attack to the public. Ransomware groups post their attack claims on their respective websites, where the data is auctioned or released when organizations don’t meet their ransom demands.

Organizations in the US are required to disclose data breaches, which often result from ransomware attacks, to state officials when they meet certain thresholds. Not all countries have breach disclosure laws.

When an attack is confirmed, it is removed from our list of unconfirmed attacks. Therefore, we must allow for some changes in figures when comparing monthly figures, especially when using unconfirmed attacks. This is due to claims from ransomware groups often coming a month later than the attack was carried out–if not longer. For example, if a ransomware gang claims an attack in January 2026, it may later be confirmed as an attack in December 2025 and will, therefore, be attributed to a different month.

You can view all attacks, from 2018 to present via our worldwide ransomware tracker here.