Cybersecurity: Threats and Defences
7 JUN

Ransomware tempo holds at 95 in May

10:08 UTC

BlackFog counted 95 publicly disclosed ransomware attacks in May across 17 countries, the US taking 54 and Australia 18. Qilin led with 11 victims among 37 active groups, with no sign of consolidation.

Technology · Developing
Key takeaway

May ran 95 disclosed ransomware attacks across 37 active groups, with healthcare hit hardest and no consolidation in sight.

BlackFog counted 95 publicly disclosed ransomware attacks worldwide in May 2026 across 17 countries, the United States taking 54 and Australia 18, so the monthly tempo held even as enforcement intensified 1. The security vendor compiles its figures from leak-site postings and public disclosures, which capture the visible floor of activity rather than the full total.

Healthcare was the hardest-hit sector with 28 incidents, because care delivery cannot tolerate downtime, so hospitals pay faster and crews target them first 2. Qilin led all crews with 11 claimed victims, but the more telling figure is the 37 active groups running in a single month with no sign of consolidation 3.

That group count is why the takedown headlines do not translate into falling risk. When US prosecutors unsealed Scattered Spider charges against Peter Stokes in April, they took an individual actor off the board without thinning the ecosystem around him. The bottleneck on the criminal side is the supply of affiliates, the freelance operators who rent a crew's tooling and split the proceeds, and neither an arrest nor a server seizure reduces that pool. For a defender, the lesson is that enforcement wins should not be read as a drop in operational threat; the tempo is the planning baseline, not the takedown.

Deep Analysis

In plain English

Ransomware attacks happen when criminals break into an organisation's computer systems, scramble all the files so the organisation cannot access them, and then demand money to restore access. Sometimes they also steal the files first and threaten to publish sensitive information if the ransom is not paid. BlackFog, a security company that tracks these attacks, counted 95 publicly known ransomware incidents in May 2026 across 17 countries. Healthcare was the hardest hit sector, with 28 hospitals and medical organisations affected. The US accounted for more than half of all known victims. A group called Qilin led all criminal ransomware operators with 11 claimed attacks, one of 37 active groups operating during the month.

What could happen next?
  • Risk

    Healthcare organisations running unpatched legacy infrastructure in the US and Australia face near-term ransomware targeting by Qilin affiliates, given the group's documented sector preference and the disproportionate victim counts in both countries.

  • Consequence

    The absence of consolidation in the 37-group ecosystem means law-enforcement takedowns of individual groups, including the Operation Saffron disruption of First VPN, redistribute affiliates rather than reducing attack volume.

First Reported In

Update #6 · The 2024 patch that is breaking now

BlackFog · 7 Jun 2026
Different Perspectives
Australian Cyber Security Centre (ACSC)
Australia's 18 of 95 May ransomware victims, nearly 19 per cent of global disclosed attacks against 0.3 per cent of global GDP, reflects end-of-life Windows Server concentration in healthcare, under-resourced national incident-response capacity, and time-zone isolation that slows vendor-assisted containment during peak attack windows.
Europol / international law enforcement
Operation Saffron's 27-country coordination set a new geographic breadth record for criminal-infrastructure seizure. The absence of an arrest alongside the server seizures limits durable impact: VPNLab.net and DoubleVPN precedents show gangs reconstitute on alternative hosts within two to four weeks.
UK Parliament (Cyber Security and Resilience Bill)
The Bill reaches Commons Report Stage on 10 June with penalties up to 4 per cent of global turnover. Qilin's NHS Synnovis attack in June 2024 and INC_RANSOM's Stuga Machinery posting on 5 June give the legislation a domestic evidence base connecting KEV-class exposure directly to UK CNI and supply-chain targeting.
German BSI / EU enterprise operator perspective
The 17-month lag between Oracle's January 2024 WebLogic patch and active exploitation confirms that CVSS 7.5 keeps a flaw below emergency-patch thresholds in most programmes, even when T3/IIOP exploitation is a documented recurring chain. BSI's T3/IIOP disablement guidance offers a network-layer mitigation that survives Oracle's quarterly patch cycle without requiring unscheduled downtime.
ENISA / EU cybersecurity regulator
NIS360's risk-zone designations for water and rail, following NCAF 2.0 in April, give member-state authorities a documented enforcement basis under NIS2. Fine ceilings at EUR 10 million cover essential entities; sub-threshold municipal water operators fall outside that scope, so designation without sector-level funding creates a perverse incentive to defer rather than remediate.
US federal CISO (FCEB agency)
Four staggered June deadlines covered WebLogic middleware, Linux containers, Android device fleets and Magento storefronts in a single fortnight, forcing triage that exposes whichever stack ranks lowest. CISA's proposed $707 million budget cut alongside this enforcement acceleration creates a direct credibility gap: the mandate grows while the capacity to sustain it shrinks.