THU 02 JUL 2026 · GMT EDITION A WHITESTONE INTELLIGENCE PUBLICATION
MARKETS · CYBER · MEMOS · MODELS
DAILY ISSUES26 MAY27 MAY28 MAY29 MAY30 MAY31 MAY01 JUN02 JUN03 JUN04 JUN05 JUN06 JUN07 JUN08 JUN09 JUN10 JUN11 JUN12 JUN13 JUN14 JUN15 JUN16 JUN17 JUN18 JUN19 JUN21 JUN22 JUN23 JUN24 JUN25 JUN26 JUN27 JUN28 JUN29 JUN30 JUN01 JUN02 JUNALL ›
FRONT PAGE / CYBER / CYB-2026-06-008
CYBER · ransomware threat groups · 2026-06-05SCOOP 68

May 2026 ransomware leak-site data: 661 attacks, ~115TB stolen; Qilin (97), The Gentlemen (71), DragonForce (51) lead

Ransomware leak-site activity rose modestly in May 2026, with 661 incidents tracked globally (Comparitech data via Industrial Cyber), a 3% increase over April's 640, and nearly 115 TB of data claimed stolen across report.

·FILED ISSUE 2026-06-05·1 MIN READ·RE-VERIFIED 2026-07-02 UTC·✓ RE-VERIFIED 2026-07-02

At a glance

  • 661 leak-site incidents in May 2026, +3% over April's 640; nearly 115 TB of data claimed stolen (Comparitech via Industrial Cyber)
  • Qilin 97 claimed attacks (down ~10% from April's 108); The Gentlemen 71 (up ~1% m/m); DragonForce 51 with 20.8+ TB exfiltrated
  • US most-targeted with 272 attacks (+6% from April); Canada 31, UK 28, Germany 26
  • Education attacks +54% month-over-month; manufacturing most-hit among confirmed business victims; healthcare +~10% YTD but 21% below 2025 levels
  • Breachsense counted 646 victims across 61 groups for May; BlackFog published State of Ransomware: May 2026

VERDICT — CONFIRMED

high confidence · primary + corroborating sources verified · re-verified 2026-07-02 UTC
May 2026 ransomware leak-site data: 661 attacks, ~115TB stolen; Qilin (97), The Gentlemen
Image via primary source

Ransomware leak-site activity rose modestly in May 2026, with 661 incidents tracked globally (Comparitech data via Industrial Cyber), a 3% increase over April's 640, and nearly 115 TB of data claimed stolen across reported attacks. Qilin remained the most active operation with 97 claimed attacks, though down about 10% from April's 108; The Gentlemen ranked second with 71 (up ~1% month-over-month) and continues to scale unusually fast for a young group; DragonForce logged 51 attacks with more than 20.8 TB exfiltrated.

The United States was by far the most-targeted country with 272 attacks (up 6% from April), followed by Canada (31), the United Kingdom (28) and Germany (26). By sector, education saw the sharpest jump (a 54% month-over-month increase in attacks), while manufacturing remained the most frequently hit among confirmed business victims, with food and beverage, retail, transportation and technology all growing; healthcare rose about 10% year-to-date but sat 21% below 2025 levels.

Corroborating monthly trackers diverge slightly on methodology, Breachsense counted 646 victims across 61 groups for May, and BlackFog published its own State of Ransomware: May 2026, but agree Qilin held the No. 1 slot for a fifth consecutive month (about 101 leak-site victims, 546 YTD). The data underscores ransomware's 'elevated new normal': despite 2024-2026 takedowns (RansomHub's collapse, Black Basta raids), total volumes are flat-to-rising as fragmented mid-tier groups like The Gentlemen and DragonForce absorb displaced affiliates.

Key facts on file

  • 661 leak-site incidents in May 2026, +3% over April's 640; nearly 115 TB of data claimed stolen (Comparitech via Industrial Cyber)
  • Qilin 97 claimed attacks (down ~10% from April's 108); The Gentlemen 71 (up ~1% m/m); DragonForce 51 with 20.8+ TB exfiltrated
  • US most-targeted with 272 attacks (+6% from April); Canada 31, UK 28, Germany 26
  • Education attacks +54% month-over-month; manufacturing most-hit among confirmed business victims; healthcare +~10% YTD but 21% below 2025 levels
  • Breachsense counted 646 victims across 61 groups for May; BlackFog published State of Ransomware: May 2026
  • Qilin No. 1 for fifth consecutive month (~101 leak-site victims, 546 YTD per Breachsense)
  • Context: RansomHub collapse and Black Basta raids in 2024-2026 takedowns

PRIMARY SOURCE

Industrial Cyber — Anna Ribeiro (2026-06-05)
· fetched at filing · archived at publication
Share
Filed by the Cyber desk · verified by the verification desk · re-verified 2026-07-02 · Our standards: the two-source rule ›
CITE THIS FILE — The Dossier Wire · cyb-2026-06-008 · filed 2026-06-05 · https://thedwire.com/wire/cyb-2026-06-008-may-2026-ransomware-leak-site-data-661-attacks-115tb-stolen.html · Primary and corroborating sources listed above; archived at publication. Republishing & licensing: hello@thedwire.com.
More from Cyber FULL DESK ›
Meta, Microsoft and DOJ-led strike force dismantles Southeast Asian scam-center
Meta
CYBER · SCOOP 71

Meta, Microsoft and DOJ-led strike force dismantles Southeast Asian scam-center infrastructure; 63 arrested

Meta, Microsoft, Coinbase, SpaceX and other technology companies announced a joint disruption of criminal scam networks in Southeast Asia alongside the U.S. Department of Justice, the FBI and the Royal Thai Police, in coordinated operations spanning Washington, D.C. and Bangkok. The action, unveiled overnight into June 4, followed the fir

✓ verifiednewSOURCE ↗
READ THE FILE ›
Critical Magento RCE CVE-2026-45247 in Mirasvit Cache Warmer exploited within da
CYBER · SCOOP 74

Critical Magento RCE CVE-2026-45247 in Mirasvit Cache Warmer exploited within days; CISA adds to KEV June 3

CISA added CVE-2026-45247 to its Known Exploited Vulnerabilities catalog on June 3, 2026, a critical (CVSS 9.8) PHP object-injection / deserialization-of-untrusted-data flaw in the Mirasvit Full Page Cache Warmer extension for Magento 2 (Adobe Commerce). Unauthenticated attackers can achieve remote code execution by supplying a crafted se

✓ verifiedSOURCE ↗
READ THE FILE ›
CISA adds 2022 Linux cgroups container-escape bug CVE-2022-0492 to KEV after fre
CYBER · SCOOP 70

CISA adds 2022 Linux cgroups container-escape bug CVE-2022-0492 to KEV after fresh in-the-wild exploitation

CISA added CVE-2022-0492 to its Known Exploited Vulnerabilities catalog on June 2, 2026, confirming active in-the-wild exploitation of a four-year-old Linux kernel flaw with a CVSS score of 7.8. The bug is an improper-authentication/missing-authorization defect (CWE-287, CWE-862) in the cgroup_release_agent_write() function of the cgroups

✓ verifiedSOURCE ↗
READ THE FILE ›

The morning wire in your inbox — every brief, primary sources linked, no noise.

Free tier. The Wire — continuous desk briefs · Records archive · Bureau alerts.

Stored to the wire's subscriber list. No spam, unsubscribe any time.