BlackFog
BlackFog is a cybersecurity company that publishes monthly ransomware statistics tracking publicly disclosed attacks, victims by country and sector, and active ransomware group counts.
Last refreshed: 7 June 2026 · Appears in 1 active topic
If ransomware takedowns are working, why does BlackFog record the same monthly victim count every month?
Timeline for BlackFog
Published the May 2026 ransomware tempo report counting 95 disclosed victims across 17 countries
Cybersecurity: Threats and Defences: Ransomware tempo holds at 95 in May- What does BlackFog track in its monthly ransomware reports?
- BlackFog's monthly State of Ransomware reports track publicly disclosed ransomware attacks worldwide by victim count, country, sector and ransomware group. The data is derived from ransomware leak sites where criminal groups post victim names to pressure payment. It covers the number of active groups and provides month-over-month comparisons for tempo analysis.Source: BlackFog.com
- How many ransomware attacks did BlackFog record in May 2026?
- BlackFog recorded 95 publicly disclosed ransomware attacks worldwide in May 2026, across 17 countries. The United States accounted for 54 attacks, Australia for 18. Healthcare was the hardest-hit sector with 28 incidents. Qilin led all groups with 11 victims, among 37 active groups.Source: BlackFog State of Ransomware May 2026
- Are BlackFog's ransomware statistics reliable and complete?
- BlackFog's counts reflect publicly disclosed incidents on ransomware leak sites only. Attacks where victims pay silently, groups that do not run leak sites, and incidents under non-disclosure are excluded. The data represents a floor — the true number of incidents is higher. Within these limits, the series provides a consistent, comparable monthly baseline for trend analysis.Source: BlackFog methodology
- What does BlackFog's data show about ransomware trends in 2026?
- BlackFog's Q1 2026 data annualises to approximately 8,500 ransomware victims for the full year — above 2025's 6,182. May 2026 showed no consolidation despite the Operation Saffron First VPN seizure, with 37 active groups and a stable monthly tempo, indicating the criminal ecosystem is expanding even as enforcement actions intensify.Source: BlackFog State of Ransomware May 2026
Background
BlackFog is a cybersecurity company that develops data exfiltration prevention technology and publishes monthly ransomware tracking reports drawn from publicly disclosed victim data on ransomware leak sites. Its State of Ransomware series monitors victim counts by country and sector, the number of active ransomware groups in operation, and the group-level breakdown of claimed attacks, providing one of the few consistent month-over-month data series for measuring ransomware tempo.
BlackFog's May 2026 report recorded 95 publicly disclosed ransomware attacks worldwide across 17 countries, with the United States accounting for 54 and Australia for 18. Healthcare was the hardest-hit sector with 28 incidents. Qilin led all ransomware groups with 11 claimed victims, among 37 active groups — a figure that held firm despite the Europol Operation Saffron seizure of First VPN's 33 servers, confirming that enforcement actions targeting shared infrastructure do not materially reduce affiliate activity.
BlackFog's monthly series is widely cited by security teams, insurers and government agencies as a leading indicator of ransomware tempo. However, its counts reflect publicly disclosed incidents only — groups that do not post on leak sites, victims who pay without public disclosure, and incidents under active non-disclosure agreements are systematically excluded. The disclosed count is therefore a floor, not a ceiling. BlackFog's own annualisation from Q1 2026 data — 8,500 annual victims at current pace — exceeds 2025's 6,182 total, indicating the series is capturing a genuine acceleration even before adjusting for undisclosed incidents.