Every month the ransomware reports look roughly the same, and every month there’s something underneath the averages worth pausing on. May 2026 is no exception. ThreatMon counted 747 victims across the month, nine groups did the heavy lifting in the ten headline cases, and, depending on how you read one odd statistic at the very end, either the leak sites went quiet or everybody just got better at hiding the receipts.
Let me walk through what actually stood out.
If you’ve read one of these before, the geography won’t surprise you. The United States took 308 of the 747 hits, which is 41 percent of everything, all by itself. Britain was a very distant second at 49, then Germany at 40, Canada at 32, Spain at 23. The pattern is the same one we’ve been staring at for years: wherever there’s money, dense digital infrastructure, and a regulatory regime that makes a breach expensive, the attackers follow. Nobody’s reinventing target selection here. They’re going where the wallets are.
What’s more interesting for readers in this part of the world is that Turkey shows up twice in the month’s significant attacks, and one of them is about as serious as a national-level incident gets.
Business Services (160 victims) and Manufacturing (102) together accounted for more than a third of the month’s incidents. Technology, Healthcare, and Consumer Services rounded out the top five. None of this is glamorous, and that’s exactly the point. These sectors run on uptime and they sit on top of long supply chains, so when something seizes up the pressure to pay arrives fast. A manufacturer that can’t ship is bleeding money by the hour, and the attackers know it. They’re not picking targets for the thrill; they’re picking the ones most likely to wire the ransom by Friday.
A few of the ten featured victims stand out from the rest of the list.
Arçelik is the big one for a Turkish audience. The appliance giant ($11.8 billion in revenue, 55,000 employees, brands like Beko and Grundig) got hit on May 1st by a group calling itself The Gentlemen, and didn’t notice for five days. The damage isn’t measured in encrypted files; it’s measured in intellectual property. The attackers claim they pulled content from more than 7,700 Confluence spaces, 16,000-plus pages, and over 10,000 attachments: engineering specs, R&D results, quality manuals, marketing strategy. Plus a Jira instance with 10,000-plus projects. For a company that competes on product engineering, that’s not an IT incident, it’s a competitive bleed. The report also notes an access broker in the chain, which is the usual modern story: somebody sells the front door, somebody else walks through it.
TKGM (Turkey’s Land Registry and Cadastre agency) is the one that should make people genuinely uneasy. This is the body that holds the country’s property and land records: citizen PII, financial data, national land registry information. It was hit on May 22nd by a group branding itself APT73. When a registry of who-owns-what gets compromised, the fallout isn’t a quarterly earnings dent; it’s privacy and, arguably, national-security territory.
Starbucks is the strange entry. The group ShadowByt3$ posted a victim card and a story about a $500,000 demand that allegedly went ignored, and they framed publishing the data as a “warning to others.” The attack itself was dated April 1st, which is worth raising an eyebrow at in a May report. Read the threat actor’s own note and it sounds less like a clean enterprise compromise and more like a messy cloud-bucket grab. Take it with salt; extortion crews are not exactly known for accurate self-reporting.
Circle U Foods and MyPillow are the more conventional double-extortion plays. Akira claimed 13GB out of the Fort Worth seasonings maker: employee SSNs, passport numbers, financials, NDAs, the works. Play sat inside MyPillow for eight days before anyone noticed, which is plenty of time to map a network and decide what’s worth taking. Then there’s North Dallas Shared Ministries and the YMCA of Columbia, two non-profits, which is the part that always leaves a bad taste. These are organizations running on thin margins to help people who don’t have much, and they get hit anyway because to an affiliate they’re just another soft, internet-facing target.
Here’s something a careful reader will catch. The report lists “data size: N/A” for nearly every victim, and then the leak-site screenshots cheerfully show actual numbers. MyPillow’s card says 15GB. Circle U says 13GB. Avnet’s leak page advertises a ~220GB archive with Azure storage accounts, Delta Lake tables, and full Active Directory PII. So the “N/A” isn’t really “nothing was taken”; it’s “nobody filled in the field.” Worth keeping in mind whenever you see a clean-looking zero in a report like this. Absence of a number is not absence of a problem.
The roster is a good cross-section of where the ecosystem is in 2026. DragonForce (579 lifetime victims) and Play (1,265) are the establishment: large, financially motivated operations that have been running for years. Akira, with over 1,500 victims and rumored Conti lineage, is arguably the heaviest hitter on the list. Then you’ve got the newcomers: ShadowByt3$, barely eleven confirmed victims and clearly still finding its feet, and FulcrumSec, which doesn’t even bother with encryption; it just exploits unrotated API keys and misconfigured cloud permissions to vacuum up databases at speed. That last one is a sign of where things are drifting. Encryption is loud and recoverable from backups. Quiet exfiltration from a misconfigured cloud bucket is neither.
The pattern across almost all of them is the same: financial motivation, ransomware-as-a-service economics, affiliates doing the break-ins. The Gentlemen reportedly offers affiliates a 90 percent cut. When the split is that generous, you don’t have a shortage of people willing to try the doors.
The report’s conclusion flags something genuinely odd: zero dark web matches for the leaked data across the period. On its face that sounds like good news. It almost certainly isn’t. We’ve just watched multiple groups publicly claim exfiltration, post sample data, and advertise download archives. So “zero matches” doesn’t mean nothing leaked; it more likely means the leak channels are shifting (private Telegram and Tox chats instead of indexable forums) or that publication is being deliberately delayed to extend the pressure. Either way, treating that zero as comfort would be a mistake. It’s a blind spot, not an all-clear.
None of the defensive advice here is exotic, and that’s frustrating in its own way, because the boring stuff is what keeps working. Multi-factor authentication everywhere it’ll fit. Offline, immutable backups you’ve actually tested by restoring from them, not backups you assume work. A patch cadence that doesn’t let known holes sit open for weeks. Phishing-aware staff, because the front door is still very often a person clicking something. And an incident response plan you’ve rehearsed, so that when the eight-day MyPillow scenario lands on you, the first hour isn’t spent figuring out who to call.
The attackers in this report didn’t use anything you couldn’t have anticipated. They used unpatched systems, stolen credentials, and the time we hand them by not watching closely enough. May 2026 isn’t a story about clever new malware. It’s a story about the same open doors, walked through again.