Ransomware crews posted 646 victims to their leak sites in May 2026 — the quietest month of the year and the first sign that 2026’s record-breaking trajectory may finally be losing momentum. The figure is down 16% from April’s 772 and breaks a four-month streak in which every month of 2026 outpaced its 2025 counterpart. For the first time this year, the trend reversed.
Don’t mistake the dip for a ceasefire. Year-to-date, the leak sites have named 3,583 organizations across five months, and even after May’s pullback the ecosystem remains on pace for roughly 8,600 victims in 2026 — an 18% increase over 2025’s 7,307. A slow month in ransomware still means more than 20 organizations publicly extorted every single day.
Qilin’s grip holds
Qilin claimed 101 victims in May, taking the number-one spot for the fifth consecutive month. No other group has come close to that kind of sustained dominance in 2026. The Russia-linked operation has spent the year converting the vacuum left by LockBit’s disruption into a near-monopoly at the top of the leaderboard, and May extended the streak even as overall volume fell — a sign Qilin is taking share, not just riding the tide.
We have tracked Qilin’s rise across the banking sector with the Habib Bank AG Zurich breach, its dominance of the late-2025 landscape during the Asahi Group investigation, and the broader shift mapped in our analysis of the ransomware-as-a-service ecosystem after LockBit’s collapse.
The rest of the top five rounds out a familiar but shifting field:
- Qilin — 101 victims
- TheGentlemen — 70 victims
- Akira — 52 victims
- DragonForce — 41 victims
- INC_RANSOM — 30 victims
TheGentlemen vaulting to second is the headline of the supporting cast. The group has been climbing steadily since its backend was partially exposed earlier this year — a saga we covered in the Check Point analysis of TheGentlemen’s leaked infrastructure — and 70 victims confirms it has graduated from up-and-comer to top-tier threat. DragonForce, by contrast, posted its first monthly decline after a long run of consistent growth, and INC_RANSOM — profiled in our piece on the group that abandoned all ethical boundaries — held steady at 30.
Fragmentation, not consolidation
The most interesting structural signal in May wasn’t at the top — it was the churn beneath it. 61 distinct groups posted victims, down from 70 in April, yet three new names cracked the top ten: SafePay, Bavaqai, and Nova, each landing in the 23–25 victim range. New entrants displacing established brands while the total group count shrinks points to an ecosystem that is fragmenting rather than consolidating — affiliates splintering off, rebranding, and standing up fresh operations faster than law enforcement can burn them down.
That fragmentation is precisely what makes the overall slowdown so fragile. When a single takedown can no longer meaningfully dent the field — because there are always three new shells waiting — a quiet month tells you more about affiliate logistics than about declining criminal capacity.
Who got hit: sectors and geography
Manufacturing reclaimed the unwanted crown as the most-targeted sector with 58 victims, narrowly edging out healthcare at 54. Construction (42), consumer goods (38), and a finance/technology tie (31 each) filled out the top five. Manufacturing’s return to the top reflects what it has always offered ransomware crews: low tolerance for downtime, sprawling and often unsegmented OT/IT networks, and a strong incentive to pay rather than halt a production line.
Geographically, the United States absorbed 254 victims — 39.3% of the global total, more than seven times the second-place United Kingdom (36). Canada (31), Germany (29), and Spain (21) followed. The concentration is structural: more digitized enterprises, deeper cyber-insurance penetration, and a payment culture that, despite years of “don’t pay” guidance, still makes American targets the most lucrative on the board.
A pause inside a record year
May’s numbers are best read against the backdrop we laid out in our definitive 2026 ransomware landscape analysis and the 30% surge that opened the year. Seen that way, May is not a turning point — it’s the first exhale in a year that has otherwise been a relentless climb. The active group count fell, the country and industry spread narrowed, and the headline number dropped for the first time in 2026.
But the underlying machinery is intact. Qilin is consolidating power, mid-tier brands like TheGentlemen are scaling up, and a fresh crop of operations is replacing every group that fades. The lowest month of 2026 still outpaced most months of 2024. If this is what a slowdown looks like, the new normal has simply moved the floor higher.
