May 2026 ransomware leak-site data: 661 attacks, ~115TB stolen; Qilin (97), The Gentlemen (71), DragonForce (51) lead
Ransomware leak-site activity rose modestly in May 2026, with 661 incidents tracked globally (Comparitech data via Industrial Cyber), a 3% increase over April's 640, and nearly 115 TB of data claimed stolen across report.
At a glance
- 661 leak-site incidents in May 2026, +3% over April's 640; nearly 115 TB of data claimed stolen (Comparitech via Industrial Cyber)
- Qilin 97 claimed attacks (down ~10% from April's 108); The Gentlemen 71 (up ~1% m/m); DragonForce 51 with 20.8+ TB exfiltrated
- US most-targeted with 272 attacks (+6% from April); Canada 31, UK 28, Germany 26
- Education attacks +54% month-over-month; manufacturing most-hit among confirmed business victims; healthcare +~10% YTD but 21% below 2025 levels
- Breachsense counted 646 victims across 61 groups for May; BlackFog published State of Ransomware: May 2026
VERDICT — CONFIRMED
Ransomware leak-site activity rose modestly in May 2026, with 661 incidents tracked globally (Comparitech data via Industrial Cyber), a 3% increase over April's 640, and nearly 115 TB of data claimed stolen across reported attacks. Qilin remained the most active operation with 97 claimed attacks, though down about 10% from April's 108; The Gentlemen ranked second with 71 (up ~1% month-over-month) and continues to scale unusually fast for a young group; DragonForce logged 51 attacks with more than 20.8 TB exfiltrated.
The United States was by far the most-targeted country with 272 attacks (up 6% from April), followed by Canada (31), the United Kingdom (28) and Germany (26). By sector, education saw the sharpest jump (a 54% month-over-month increase in attacks), while manufacturing remained the most frequently hit among confirmed business victims, with food and beverage, retail, transportation and technology all growing; healthcare rose about 10% year-to-date but sat 21% below 2025 levels.
Corroborating monthly trackers diverge slightly on methodology, Breachsense counted 646 victims across 61 groups for May, and BlackFog published its own State of Ransomware: May 2026, but agree Qilin held the No. 1 slot for a fifth consecutive month (about 101 leak-site victims, 546 YTD). The data underscores ransomware's 'elevated new normal': despite 2024-2026 takedowns (RansomHub's collapse, Black Basta raids), total volumes are flat-to-rising as fragmented mid-tier groups like The Gentlemen and DragonForce absorb displaced affiliates.
Key facts on file
- 661 leak-site incidents in May 2026, +3% over April's 640; nearly 115 TB of data claimed stolen (Comparitech via Industrial Cyber)
- Qilin 97 claimed attacks (down ~10% from April's 108); The Gentlemen 71 (up ~1% m/m); DragonForce 51 with 20.8+ TB exfiltrated
- US most-targeted with 272 attacks (+6% from April); Canada 31, UK 28, Germany 26
- Education attacks +54% month-over-month; manufacturing most-hit among confirmed business victims; healthcare +~10% YTD but 21% below 2025 levels
- Breachsense counted 646 victims across 61 groups for May; BlackFog published State of Ransomware: May 2026
- Qilin No. 1 for fifth consecutive month (~101 leak-site victims, 546 YTD per Breachsense)
- Context: RansomHub collapse and Black Basta raids in 2024-2026 takedowns


