Cybersecurity: Threats and Defences
14 JUN

Ransomware tempo holds at 95 in May

11:51 UTC

BlackFog counted 95 publicly disclosed ransomware attacks in May across 17 countries, the US taking 54 and Australia 18. Qilin led with 11 victims among 37 active groups, with no sign of consolidation.

Technology · Developing
Key takeaway

May ran 95 disclosed ransomware attacks across 37 active groups, with healthcare hit hardest and no consolidation in sight.

BlackFog counted 95 publicly disclosed ransomware attacks worldwide in May 2026 across 17 countries, the United States taking 54 and Australia 18, so the monthly tempo held even as enforcement intensified [1]. The security vendor compiles its figures from leak-site postings and public disclosures, which capture the visible floor of activity rather than the full total.

Healthcare was the hardest-hit sector with 28 incidents, because care delivery cannot tolerate downtime, so hospitals pay faster and crews target them first [2]. Qilin led all crews with 11 claimed victims, but the more telling figure is the 37 active groups running in a single month with no sign of consolidation [3].

That group count is why the takedown headlines do not translate into falling risk. When US prosecutors unsealed Scattered Spider charges against Peter Stokes in April, they took an individual actor off the board without thinning the ecosystem around him. The bottleneck on the criminal side is the supply of affiliates, the freelance operators who rent a crew's tooling and split the proceeds, and neither an arrest nor a server seizure reduces that pool. For a defender, the lesson is that enforcement wins should not be read as a drop in operational threat; the tempo is the planning baseline, not the takedown.

Deep Analysis

In plain English

Ransomware attacks happen when criminals break into an organisation's computer systems, scramble all the files so the organisation cannot access them, and then demand money to restore access. Sometimes they also steal the files first and threaten to publish sensitive information if the ransom is not paid. BlackFog, a security company that tracks these attacks, counted 95 publicly known ransomware incidents in May 2026 across 17 countries. Healthcare was the hardest hit sector, with 28 hospitals and medical organisations affected. The US accounted for more than half of all known victims. A group called Qilin led all criminal ransomware operators with 11 claimed attacks, one of 37 active groups operating during the month.

What could happen next?
  • Risk

    Healthcare organisations running unpatched legacy infrastructure in the US and Australia face near-term ransomware targeting by Qilin affiliates, given the group's documented sector preference and the disproportionate victim counts in both countries.

  • Consequence

    The absence of consolidation in the 37-group ecosystem means law-enforcement takedowns of individual groups, including the Operation Saffron disruption of First VPN, redistribute affiliates rather than reducing attack volume.

First Reported In

Update #6 · The 2024 patch that is breaking now

BlackFog · 7 Jun 2026
Different Perspectives
Beijing-aligned attribution sceptics
CNCERT has noted that Western KEV ransomware-risk flags on DoS-only flaws such as Serv-U CVE-2026-28318 conflate disruption capability with breach capability, and that CJEU referrals for NIS2 non-transposition create compliance obligations that presuppose software-patchable architectures the Arista case shows are not universal.
Enterprise security buyers
Three successive KEV cycles in which federal deadlines precede, exceed or are refused by vendor patches require buyers to re-weight patch-SLA contractual terms: the KEV deadline is now the planning constraint, not the vendor advisory, and procurement due diligence must cover whether a hardware platform is even patchable in principle.
Check Point
Check Point disclosed CVE-2026-50751 and shipped a hotfix on 8 June, roughly 30 days after exploitation had begun, with a Qilin affiliate already inside at least one victim. Its delayed disclosure on a CVSS 9.3 perimeter bypass leaves customers to absorb a month-long pre-patch exposure window under CISA's three-day federal deadline.
European Commission and ENISA
NIS2 full personal-liability enforcement from 1 June and CJEU referrals against laggard member states represent the sharpest regulatory escalation in EU cyber history, backed by ENISA NIS360 sector-maturity evidence naming water, rail and waste water as the priority enforcement targets. NCAF 2.0 and NIS360 function as audit instruments rather than political signals.
UK NCSC
The NCSC issued the Dutch NCSC's imminent-abuse warning on the Check Point flaw in the same fortnight its sponsoring legislation cleared the Commons, widening incident-reporting duties to cover attacker pre-positioning. The payment-reporting gap left by the CS&R Bill means the NCSC continues to rely on voluntary Early Warning submissions for ransomware economics data.
US Federal CISO community
Federal CISOs face three active compliance obligations without a clean resolution: a three-day Check Point deadline met with a hotfix, a 23 June Arista deadline partially met with ACLs only, and a 16-day Exchange overrun still being fully remediated. BOD 22-01 is operating as an urgency signal but not as a vendor-cooperation mechanism.