Ransomware Attacks Surge in May 2026, Targeting Education and Business Sectors
Ransomware activity rose in May 2026, with researchers at Comparitech recording 661 attacks worldwide a 3% increase from April’s 640 incidents. While attack volumes remained below the 700–800 monthly range seen in early 2026, certain sectors experienced sharp spikes. Education organizations faced the steepest rise, with attacks jumping 54% month over month, while food and beverage, retail, transportation, and technology firms also saw notable increases. In contrast, attacks on healthcare providers and utility companies declined by 21% and 29%, respectively.
Key ransomware groups dominated activity in May, with Qilin, The Gentlemen, and DragonForce leading the surge. Collectively, these groups were linked to the theft of nearly 115 TB of data. The U.S. remained the most targeted country, accounting for 272 attacks a 6% increase from April. Businesses bore the brunt of the attacks, representing 581 of the 661 incidents, including 35 confirmed cases.
Of the 661 reported attacks, 48 were confirmed by affected organizations, including 35 businesses, seven government entities, one healthcare provider, and five educational institutions. The remaining 613 incidents were unconfirmed claims, primarily targeting businesses (546), followed by healthcare (37), education (15), and government (15).
Government entities saw no change in attack volume, with 22 incidents recorded in both April and May. Among confirmed cases, Qilin ransomware targeted two French municipalities Ville de Quiberon and Ville d’Eyguières though officials confirmed no ransom was paid. In Spain, the Ayuntamiento de Valdemoro also refused to pay after a Kairos ransomware attack, despite the group claiming to have stolen 1.8 TB of data.
The healthcare sector has seen a 10% increase in attacks year-to-date, even as government-targeted incidents dropped 21% compared to the first five months of 2025. Manufacturing firms were the most frequently hit among confirmed business victims, with attacks reported across the U.S., Japan, India, Germany, Taiwan, Thailand, Malaysia, and Italy.
The only confirmed healthcare attack in May targeted Central Medical Services of Westrock (CMSW) in the U.S. on May 3, with the INC ransomware group later claiming it would sell the stolen data in seven batches of 200–300 GB each. Comparitech recorded 208 healthcare attacks in the first five months of 2026, up from 189 in the same period of 2025, with 38 confirmed by victims.
Qilin remained the most active group, claiming 97 attacks a 10% decline from April but recorded the highest number of confirmed incidents (9). Notable victims included Australian firms Menzies Group Pty Ltd and Kennedy McLaughlin & Associates, as well as German transport company Schulte-Lindhorst GmbH & Co. and U.S.-based Cushman & Wakefield.
The Gentlemen ranked second, with 71 claimed attacks, four of which were confirmed, including hits on Oriental Diamond, Koa Glass, and the University of Finance and Administration. Other groups saw dramatic increases: SafePay (160%), Nova/RALord (213%), Play (325%), and Genesis (1,600%).
Among groups disclosing stolen data, DragonForce reported the largest haul over 20.8 TB across 51 attacks, though none were confirmed by victims. The U.S. led in attacks (272), followed by Canada (31), the U.K. (28), and Germany (26). Spain saw a 28% month-over-month increase, while the U.K. and Germany experienced declines of 7% and 19%, respectively.
In Australia, attack volumes remained stable, with five confirmed incidents, including breaches at Bluize, the Australian College of Business Intelligence, and VSP Security Wholesale. The U.S. also confirmed eight attacks, including a May 4 breach at West Pharmaceutical Services, which took two weeks to fully restore operations.
Australian Council for Educational Research cybersecurity rating report: https://www.rankiteo.com/company/australian-council-for-educational-research
Cushman & Wakefield cybersecurity rating report: https://www.rankiteo.com/company/cushman-&-wakefield
"id": "AUSCUS1780648477",
"linkid": "australian-council-for-educational-research, cushman-&-wakefield",
"type": "Ransomware",
"date": "5/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': 'Transport',
'location': 'Australia',
'name': 'Menzies Group Pty Ltd',
'type': 'Business'},
{'location': 'Australia',
'name': 'Kennedy McLaughlin & Associates',
'type': 'Business'},
{'industry': 'Transport',
'location': 'Germany',
'name': 'Schulte-Lindhorst GmbH & Co.',
'type': 'Business'},
{'location': 'U.S.',
'name': 'Cushman & Wakefield',
'type': 'Business'},
{'name': 'Oriental Diamond', 'type': 'Business'},
{'name': 'Koa Glass', 'type': 'Business'},
{'industry': 'Education',
'name': 'University of Finance and Administration',
'type': 'Education'},
{'industry': 'Municipality',
'location': 'France',
'name': 'Ville de Quiberon',
'type': 'Government'},
{'industry': 'Municipality',
'location': 'France',
'name': 'Ville d’Eyguières',
'type': 'Government'},
{'industry': 'Municipality',
'location': 'Spain',
'name': 'Ayuntamiento de Valdemoro',
'type': 'Government'},
{'industry': 'Healthcare',
'location': 'U.S.',
'name': 'Central Medical Services of Westrock (CMSW)',
'type': 'Healthcare'},
{'industry': 'Manufacturing',
'location': 'U.S.',
'name': 'West Pharmaceutical Services',
'type': 'Business'},
{'location': 'Australia',
'name': 'Bluize',
'type': 'Business'},
{'industry': 'Education',
'location': 'Australia',
'name': 'Australian College of Business Intelligence',
'type': 'Education'},
{'industry': 'Security',
'location': 'Australia',
'name': 'VSP Security Wholesale',
'type': 'Business'}],
'data_breach': {'data_encryption': 'Yes (ransomware strains)',
'data_exfiltration': 'Yes (115 TB total)',
'personally_identifiable_information': 'Likely (healthcare '
'and government '
'targets)',
'sensitivity_of_data': 'High (1.8 TB claimed by Kairos, '
'200–300 GB batches by INC)',
'type_of_data_compromised': ['Personally identifiable '
'information',
'Corporate data']},
'date_detected': '2026-05-01',
'date_publicly_disclosed': '2026-05-31',
'description': 'Ransomware activity rose in May 2026, with researchers at '
'Comparitech recording 661 attacks worldwide, a 3% increase '
'from April’s 640 incidents. Education organizations faced the '
'steepest rise (54% month-over-month), while healthcare and '
'utility attacks declined. Key ransomware groups (Qilin, The '
'Gentlemen, DragonForce) stole nearly 115 TB of data. The U.S. '
'remained the most targeted country (272 attacks). Confirmed '
'cases included 35 businesses, seven government entities, one '
'healthcare provider, and five educational institutions.',
'impact': {'data_compromised': '115 TB',
'downtime': 'Two weeks (West Pharmaceutical Services)',
'operational_impact': 'Full restoration required for some victims'},
'initial_access_broker': {'data_sold_on_dark_web': 'Yes (INC ransomware '
'group)'},
'investigation_status': 'Ongoing',
'motivation': ['Financial gain', 'Data exfiltration'],
'ransomware': {'data_encryption': 'Yes',
'data_exfiltration': 'Yes (115 TB total)',
'ransom_paid': 'No (Ville de Quiberon, Ville d’Eyguières, '
'Ayuntamiento de Valdemoro)',
'ransomware_strain': ['Qilin',
'Kairos',
'INC',
'The Gentlemen',
'DragonForce',
'SafePay',
'Nova/RALord',
'Play',
'Genesis']},
'references': [{'date_accessed': '2026-05-31', 'source': 'Comparitech'}],
'response': {'recovery_measures': 'Full restoration of operations (West '
'Pharmaceutical Services)'},
'threat_actor': ['Qilin',
'The Gentlemen',
'DragonForce',
'SafePay',
'Nova/RALord',
'Play',
'Genesis',
'Kairos',
'INC'],
'title': 'Ransomware Attacks Surge in May 2026, Targeting Education and '
'Business Sectors',
'type': 'Ransomware'}