May 2026 Ransomware: 646 Leak-Site Victims Across 61 Groups; Qilin Leads for Fifth Straight Month
Breachsense tracked 646 organizations listed on ransomware leak sites in May 2026, posted by 61 distinct groups across 73 countries and 59 industries.
VERDICT — CONFIRMED
Breachsense tracked 646 organizations listed on ransomware leak sites in May 2026, posted by 61 distinct groups across 73 countries and 59 industries. Qilin topped the rankings with 101 claimed victims, holding the number-one spot for the fifth consecutive month, followed by TheGentlemen (70), Akira (52), DragonForce (41) and INC_RANSOM (30). The United States was by far the most-targeted country with 254 listed victims (39.3%), ahead of the United Kingdom (36), Canada (31), Germany (29) and Spain (21).
By sector, manufacturing led with 58 victims, followed by healthcare (54), construction (42), consumer goods (38), and finance and technology (31 each). Breachsense characterized May as the lowest month of 2026, a 16% decline from April's 772 victims and a reversal of a four-month uptrend, though 2026 year-to-date still tracked roughly 18% above 2025's pace. Vendor counts vary by methodology—different trackers attributed slightly different monthly totals to Qilin (for example ~97 by one count)—but all major sources agreed Qilin remained the most active operation and that activity rose only modestly or dipped versus April.
The data reflect the continued dominance of data-theft-and-extortion models and sustained pressure on North American and Western European targets, with healthcare again among the most-hit sectors.


