Essential Insights
- Ransomware activity increased slightly in May 2026 with 661 global attacks, a 3% rise from April, mainly affecting the education and business sectors, while healthcare and utilities saw declines.
- The U.S. remained the top target, accounting for 272 attacks, with nearly 115 TB of data stolen, predominantly by the Qilin group, which claimed 97 attacks and targeted various international organizations.
- Ransomware groups like The Gentlemen and DragonForce also saw activity, with the latter claiming over 20.8 TB of stolen data across 51 attacks, although few incidents were confirmed.
- Despite a slight decrease in some sectors, overall ransomware threats are high compared to previous years, with attacks on businesses up 13% year-over-year and specific groups showing sharp surges.
The Issue
In May 2026, ransomware activity edged higher globally, with researchers at Comparitech recording 661 attacks—marking a 3% increase from April. While the total remained below the first-quarter peak, certain sectors faced sharper rises, especially education, which experienced a 54% surge. The United States remained the most targeted country, suffering 272 attacks, predominantly against businesses, which accounted for the majority of incidents. Notably, ransomware groups like Qilin, The Gentlemen, and DragonForce dominated the scene, claiming responsibility for most attacks. For instance, DragonForce reported over 20.8 TB of data stolen across 51 attacks, though without victim confirmation. Meanwhile, some attacks resulted in no ransom payment, as in France and Spain, where municipalities refused to pay. Experts believe that these patterns show hackers are often targeting specific sectors at strategic times, such as schools preparing for holidays. Overall, the report, compiled by Comparitech, highlights that although attack numbers slightly rose, the persistent threat remains significant, especially for businesses and government agencies worldwide.
Furthermore, the data reveals that ransomware groups have increased their total stolen data, with nearly 115 TB reported stolen in May, emphasizing the ongoing threat to sensitive information. The U.S. experienced a 6% rise in attacks from April, while other countries like Canada, the U.K., and Germany saw varying declines. The activity of certain groups, such as SafePay and Nova/RALord, surged dramatically—up to 1,600%. This surge underscores the evolving tactics and persistence of cybercriminals, even as some sectors, like healthcare and government, saw declines in attack frequency. Consequently, cybersecurity experts caution that, despite some short-term reductions, the overall landscape of ransomware remains dangerous, requiring ongoing vigilance from organizations worldwide.
Risk Summary
Rising global ransomware activity means that your business is increasingly at risk of costly cyberattacks. As groups like Qilin, The Gentlemen, and DragonForce launch targeted campaigns, sensitive data and essential operations face imminent threats. Such attacks can lock your systems, halt production, and weaken customer trust, leading to significant financial losses. Moreover, recovery costs, legal liabilities, and damage to reputation often outweigh the initial breach. Therefore, if your defenses are not strong, your business could suffer serious, material consequences—underscoring the urgent need for robust cybersecurity measures in today’s threatening landscape.
Possible Next Steps
In an era where cyber threats rapidly evolve, timely remediation is crucial to minimizing damage and maintaining organizational resilience—especially amid a modest rise in global ransomware activity involving prominent threat groups like Qilin, The Gentlemen, and DragonForce. Swift actions ensure that vulnerabilities are addressed before attackers can capitalize on them, preserving critical assets and reducing recovery costs.
Containment Measures
- Isolate affected systems immediately
- Disconnect network access for compromised devices
Detection & Analysis
- Conduct thorough malware and forensic analysis
- Monitor network traffic for unusual activity
Eradication Strategies
- Remove ransomware and related malicious files
- Patch security vulnerabilities exploited in the attack
Recovery Procedures
- Restore data from secure backups
- Verify system integrity before bringing systems back online
Preventive Actions
- Update and patch all software regularly
- Enforce multi-factor authentication
- Educate staff on phishing and social engineering risks
Policy & Planning
- Develop and rehearse incident response plans
- Establish clear communication channels for threat reporting
