Full Report
Ransomware activity edged higher in May 2026, with researchers at Comparitech recording 661 attacks worldwide, a 3% increase... The post Global ransomware activity rises modestly in May as Qilin, The Gentlemen, and DragonForce lead attacks appeared first on Industrial Cyber.
Analysis Summary
# Industry News: Global Ransomware Activity Edges Higher in May 2026
## Summary
Global ransomware activity saw a modest 3% increase in May 2026, with 661 recorded attacks led by threat actors Qilin, The Gentlemen, and DragonForce. While volumes remain below Q1 peaks, a significant 54% surge in attacks against the education sector highlights a strategic shift in targeting as threat actors exploit seasonal vulnerabilities.
## Key Details
- **Date:** June 05, 2026
- **Companies Involved:** Comparitech (Research), Qilin, The Gentlemen, DragonForce (Threat Actors), Central Medical Services of Westrock (Victim)
- **Category:** Market Analysis / Threat Landscape Report
## The Story
Research from Comparitech indicates that the ransomware landscape is stabilizing at a high plateau. May 2026 saw 661 attacks, a slight rise from April's 640. A staggering 115 TB of data was reportedly stolen during the month.
The report highlights a "sector-shuffling" strategy among attackers. While healthcare and utilities saw decreases (21% and 29% respectively), the education sector was heavily targeted, likely due to the administrative transition periods associated with the end of the academic year. Businesses remain the primary target, accounting for 88% of all recorded incidents (581 out of 661). Manufacturing organizations continue to be the most frequently affected "confirmed" business victims globally, with incidents spanning the U.S., Asia, and Europe.
## Business Impact
### For the Companies Involved
- **Victim Organizations:** Entities like Central Medical Services of Westrock (CMSW) face severe data exfiltration risks; the INC group has threatened to sell CMSW data in seven separate batches, complicating recovery and legal liability.
- **Municipalities:** European local governments (Quiberon, Valdemoro) are increasingly resisting payouts, leading to "name-and-shame" tactics on leak sites.
### For Competitors
- **Security Vendors:** The 10% year-to-date increase in healthcare attacks and the surge in education-sector targeting create a high-growth market for specialized incident response and "Secure-by-Design" consulting services.
- **Threat Actors:** New entrants like "The Gentlemen" and "DragonForce" are successfully competing with established groups like Qilin for "market share" in the ransomware-as-a-service (RaaS) ecosystem.
### For Customers
- **Service Disruption:** Customers of targeted manufacturing and transportation firms face supply chain delays.
- **Data Privacy:** Individuals associated with the education and healthcare sectors face heightened identity theft risks as massive volumes of personal data (115 TB total in May) enter the dark web.
### For the Market
- **Geographic Concentration:** The U.S. continues to be the most lucrative market for attackers (41% of all attacks), maintaining high demand for cyber insurance and domestic security services.
## Technical Implications
- **Exfiltration over Encryption:** The focus on stealing 115 TB of data suggests that "extortion-only" attacks (data theft without encryption) are becoming a primary tactic to bypass traditional backup-and-restore recovery strategies.
- **OT/IT Convergence:** Confirmed attacks on manufacturing across multiple continents emphasize the ongoing vulnerability of interconnected Industrial Control Systems (ICS).
## Strategic Analysis
- **Market Positioning:** Ransomware groups are evolving into highly efficient data-brokerage operations, shifting from disrupting operations to monetizing exfiltrated intellectual property and PII.
- **Competitive Advantage:** Attackers are gaining an advantage by timing their campaigns to industry-specific "weak points," such as the school holiday season for education.
- **Challenges:** Increased refusal to pay ransoms by government entities is forcing groups to find new ways to monetize stolen data, such as auctioning it to third parties.
## Industry Reactions
- **Comparitech Analysis:** Rebecca Moody noted that while the "slight reprieve" from Q1 highs is welcome, the baseline of activity remains dangerously high compared to previous years.
- **Expert Commentary:** Analysts suggest that the decline in healthcare and utility attacks in May may be a temporary reallocation of resources by threat groups rather than a permanent trend.
## Future Outlook
- **Predictive Targeting:** Expect continued high activity in the education sector through the summer months as IT staffing levels fluctuate.
- **Regulatory Pressure:** As "Secure-by-Design" initiatives gain traction, expect more confirmed reports of manufacturing entities being targeted due to legacy vulnerabilities in OT environments.
- **What to watch for:** The emergence of "The Gentlemen" as a top-tier threat actor and the potential for a Q3 spike as groups refine AI-driven phishing tactics.
## For Security Professionals
- **Prioritize Data Loss Prevention (DLP):** With 115 TB stolen in one month, focus should shift from "recovery from encryption" to "prevention of exfiltration."
- **Patch Management:** Manufacturing professionals should review privilege-escalation flaws (e.g., in Phoenix Contact PLCnext controllers) that enable root access.
- **Education Sector Alert:** IT heads in academic institutions should implement heightened monitoring during the off-boarding of staff and students this season.