Skip to content
You can now search across every topic, entity and event.What's new
Cybersecurity: Threats and Defences
14JUL

Ransomware tempo holds at 95 in May

3 min read
08:46UTC

BlackFog counted 95 publicly disclosed ransomware attacks in May across 17 countries, the US taking 54 and Australia 18. Qilin led with 11 victims among 37 active groups, with no sign of consolidation.

TechnologyDeveloping
Key takeaway

May ran 95 disclosed ransomware attacks across 37 active groups, with healthcare hit hardest and no consolidation in sight.

BlackFog counted 95 publicly disclosed ransomware attacks worldwide in May 2026 across 17 countries, the United States taking 54 and Australia 18, so the monthly tempo held even as enforcement intensified 1. The security vendor compiles its figures from leak-site postings and public disclosures, which capture the visible floor of activity rather than the full total.

Healthcare was the hardest-hit sector with 28 incidents, because care delivery cannot tolerate downtime, so hospitals pay faster and crews target them first 2. Qilin led all crews with 11 claimed victims, but the more telling figure is the 37 active groups running in a single month with no sign of consolidation 3.

That group count is why the takedown headlines do not translate into falling risk. When US prosecutors unsealed Scattered Spider charges against Peter Stokes in April , they took an individual actor off the board without thinning the ecosystem around him. The bottleneck on the criminal side is the supply of affiliates, the freelance operators who rent a crew's tooling and split the proceeds, and neither an arrest nor a server seizure reduces that pool. For a defender, the lesson is that enforcement wins should not be read as a drop in operational threat; the tempo is the planning baseline, not the takedown.

Deep Analysis

In plain English

Ransomware attacks happen when criminals break into an organisation's computer systems, scramble all the files so the organisation cannot access them, and then demand money to restore access. Sometimes they also steal the files first and threaten to publish sensitive information if the ransom is not paid. BlackFog, a security company that tracks these attacks, counted 95 publicly known ransomware incidents in May 2026 across 17 countries. Healthcare was the hardest hit sector, with 28 hospitals and medical organisations affected. The US accounted for more than half of all known victims. A group called Qilin led all criminal ransomware operators with 11 claimed attacks, one of 37 active groups operating during the month.

What could happen next?
  • Risk

    Healthcare organisations running unpatched legacy infrastructure in the US and Australia face near-term ransomware targeting by Qilin affiliates, given the group's documented sector preference and the disproportionate victim counts in both countries.

  • Consequence

    The absence of consolidation in the 37-group ecosystem means law-enforcement takedowns of individual groups, including the Operation Saffron disruption of First VPN, redistribute affiliates rather than reducing attack volume.

First Reported In

Update #6 · The 2024 patch that is breaking now

BlackFog· 7 Jun 2026
Read original
Different Perspectives
UK managed service providers and data centre operators
UK managed service providers and data centre operators
Newly brought into critical-infrastructure scope by the Cyber Security and Resilience Bill's Lords second reading, facing fines up to £17m or 4% of global turnover and a new near-miss reporting duty they did not previously carry. The sector moves from best-practice guidance to statutory exposure within this Parliamentary session.
Threat-intelligence industry
Threat-intelligence industry
SOCRadar's confirmation that one operator sits on two ransomware crews' negotiation panels, following Bitdefender's affiliate-overlap flag six weeks earlier, gives the sector its second independent data point that brand-based tracking undercounts shared access. The firms doing this work are shifting language from named-group attribution toward access-broker mapping.
FSB Centre 16
FSB Centre 16
Named by NCSC as running an SNMP-hijacking campaign against communications, energy, healthcare, defence and financial-services operators, harvesting device data and reconfiguring routers through a decades-old plaintext-authentication protocol. The campaign runs in parallel to, not in place of, the GRU's separate DNS-hijacking operation named in April.
CISA
CISA
CISA's Known Exploited Vulnerabilities catalogue added seven CVEs between 5 and 14 July, none from a headline security vendor, capped by the 18-year-old Cisco IOS bug CVE-2008-4128. BOD 26-04's risk-tiered listing rules make that slowdown as much a policy artefact as a threat-intensity read.
Nidec
Nidec
Nidec faces a $2m demand from Blackfield after the crew breached a server at its supplier Chaun Choung Technology rather than Nidec's own network. The attack reached Nidec's data without touching its own perimeter at all, the same supply-chain route World Leaks used against Tata Electronics.
Tata Electronics
Tata Electronics
Tata Electronics restricted remote access to its purchase-order systems and hired a forensic consultant after World Leaks posted 630GB of its files, including purported Apple and Tesla design material, to a leak site. The exposed value sits on its customers' balance sheets, not its own, which is what makes it hard to price.