May 2026 Threat Trend Report on Ransomware

May 2026 Threat Trend Report on Ransomware

Purpose and Scope


This report summarizes the quantity of new ransomware samples collected during the month of May 2026, the number of affected systems, statistics on targeted businesses, and major Korean & Global ransomware issues. Statistics on samples and affected systems are based on AhnLab’s detection names, while statistics on targeted businesses are aggregated based on the time when publicly available information from ransomware groups’ DLS (Dedicated Leaks Sites, ransomware PR sites or PR pages) was collected via the ATIP (AhnLab Threat Intelligence Platform) infrastructure.

Key Statistics


In May 2026, the manufacturing sector accounted for the highest proportion of affected industries. Attacks were also confirmed in the Information and communication sector, Wholesale and distribution, Health and social welfare services, and Professional, scientific, and technical services. By region, the US (us) had the highest number of incidents, followed by Mexico (mx), Canada (ca), Germany (de), the United Kingdom (gb), France (fr), Cyprus (cy), Spain (es), Egypt (eg), and Italy (it).

Among the top 10 groups, Qilin maintained its top position with 104 incidents. Silent newly entered the rankings in second place with 99 incidents, while DragonForce recorded 54 incidents and Chaos recorded 39. SafePay and Inc_Ransom each recorded 30 incidents, Kairos and Nova each recorded 27, EVEREST recorded 26, and NightSpire recorded 19. Overall, the report showed a combination of activity from established major groups and the emergence of new or rapidly growing groups.

In terms of Statistics on Ransomware DLS and Detection, the number of DLS incidents and detections have followed similar trends over the past three years, and both metrics have risen together over the past month. The decline in detections since August 2023 was attributed to the suspension of Magniber’s distribution.

Major Issues


In May 2026, established groups such as The Gentlemen, Nova, Coinbase Cartel, DragonForce, SafePay, Akira, Qilin, Nitrogen, Everest, Titan, RansomHouse, Kill Security 3.0, Payload, Space Bears, BravoX, INC Ransom, and FulcrumSec, while new groups such as Mortar, Leak Bazaar, ICARUS, and PayDay also emerged.

The Gentlemen launched concentrated attacks targeting victims across multiple regions and were identified as a key group within the RaaS (Ransomware as a Service) ecosystem, based on Black Basta tactics. A multi-stage attack chain distributing ransomware following a Malware infection with EtherRAT and TukTuk malware was identified, and some attack methods and infrastructure were exposed through internal leaks.

Nova claimed responsibility for attacks targeting the Department of AI at Daegu University in South Korea and URG Co., Ltd., and evidence was found that AI agent capabilities had been added to DLS. Coinbase Cartel claimed responsibility for attacks in multiple regions, including companies based in South Korea, the US, and Slovenia. DragonForce announced a RaaS partnership with BreachForums. SafePay and Akira also continued their attacks across Asia, Europe, and North America.

Analysis revealed that Qilin had encrypted a logistics company in the East African Region following a prolonged infiltration, and reconnaissance through RDP (Remote Desktop Protocol) authentication history queries was confirmed. Nitrogen targeted Hon Hai Precision Industry Co., Ltd. (Foxconn); Everest targeted Sidra Kuwait Hospital and Liberty Mutual Insurance; RansomHouse targeted Trellix; INC Ransom targeted Silergy Corp.; and Space Bears targeted Johnson & Johnson Innovative Medicine.

Among new threats, instances of Gunra posting “phantom victims” were identified, and evidence was observed of the Sorry ransomware exploiting the cPanel authentication bypass vulnerability CVE-2026-41940. The public distribution of the BLACKNET-00 ransomware builder was also confirmed.

Conclusion


Ransomware threats in May 2026 can be summarized as follows: persistent attacks by established major groups, the continuous emergence of new groups, and the expansion of DLS-based extortion and data exfiltration attacks. The manufacturing and information and communication sectors, major countries in North America and Europe, and the Asia region—including South Korea and Japan—were the primary targets. Organizations need to prioritize prompt Vulnerability Patches, network segmentation, strengthening backup systems, and enhancing threat intelligence-based response systems.