Ransomware summary week 22, 2026

Week 22 saw The Gentlemen RaaS operation surge to become the second most active ransomware group globally, simultaneously claiming victims across Italy, Japan, Mexico, and the US, while DragonForce swept through American real estate and healthcare and a newly identified group called Aur0ra quietly accumulated targets across fourteen countries.
Published

May 30, 2026

Executive Summary

The week of May 22–29, 2026 reinforced a pattern that has defined the first half of the year: volume is up, attribution is more fractured than ever, and no sector or geography is reliably safe. Across confirmed and reported incidents, at least fifteen named organisations were compromised, with DragonForce alone claiming nineteen additional unnamed victims in real estate and healthcare on a single day. The dominant story of the week was the continued ascent of The Gentlemen ransomware-as-a-service operation, which added victims in Japan, Italy, Mexico, and the US within a 48-hour window at the end of the week, consolidating its position as the second most productive RaaS programme globally in 2026 with roughly 332 published victims in its first five months of existence. Healthcare and manufacturing again bore the heaviest load, while Indonesia, Malaysia, and the United Arab Emirates signalled a widening geographic reach that was also visible in the newly documented Aur0ra group, whose victim list spans fourteen countries.

Key Statistics:

  • Global: 15+ named victims confirmed; 40+ additional unnamed victims claimed by DragonForce and CMD across the week; healthcare, manufacturing, real estate, and retail the most targeted sectors
  • Europe: 2 named victims (Italy, Netherlands-linked); DragonForce claimed multiple financial and insurance targets in Germany; The Gentlemen and INC Ransom both active in the region
  • Asia: 5 named victims across Malaysia, Japan (3), and Indonesia; Qilin, The Gentlemen, Payload, and World Leaks all active
  • US: 5+ named or confirmed incidents; CMD, DragonForce, and The Gentlemen all claimed US victims; Carnival Corporation began notifying 6 million customers of a breach attributed to ShinyHunters
  • Other: 3 named incidents across UAE, Mexico, and Kuwait; Middle East and Latin America showing rising exposure


1. EUROPE

1.1 Government

No ransomware incidents targeting European government agencies were confirmed during this reporting window. A broader research release on May 22 from Check Point Software Technologies documented a 124 percent surge in cyberattacks across Germany, Austria, and Switzerland in 2025, with ransomware accounting for nearly 30 percent of that volume. Germany’s economic prominence and its visible support for Ukraine have made it the single largest target in the DACH region, representing more than 80 percent of recorded incidents. The trend continued into week 22, with DragonForce claiming multiple financial and insurance sector victims in Germany on May 25, though no government entities were specifically named.

1.2 Health, Municipalities & Non-commercial

No confirmed healthcare or municipal ransomware incidents in Europe were reported during May 22–29. The aftermath of the ChipSoft attack from April 2026 – which had disrupted patient records systems at dozens of Dutch hospitals – continued to ripple through the Dutch healthcare system as the company worked through staged restoration of its HiX platform. The Dutch data protection authority was still processing the 66 data breach notifications linked to that incident.

1.3 Business

The Gentlemen ransomware group claimed one of the more geographically distinctive European victims of the week on May 28, listing Fonderia Corrà of Italy on its dark-web leak site alongside two other simultaneous victims. Fonderia Corrà, founded in 1946 and operating two plants in Thiene and Montebelluna, specialises in high-precision cast iron components for the railway, energy, and industrial machinery sectors – the kind of niche precision manufacturer that underpins critical supply chains without often drawing public attention. No ransom amount or data volume was specified in the group’s posting.

DragonForce claimed a cluster of twelve victims in financial services and insurance sectors, primarily in the US and Germany, on May 25. While the German-named victims have not been individually confirmed by the organisations themselves, the pattern is consistent with DragonForce’s observed targeting of financially sensitive verticals in Western Europe throughout 2026.

A Dutch company identified as Techmar was listed as a victim by a ransomware group around May 26, though the specific group responsible and the scope of any data loss had not been publicly confirmed by the end of the reporting window.


2. ASIA

2.1 Government

No ransomware attacks on Asian government agencies were confirmed as originating during the May 22–29 window. However, CYFIRMA’s weekly intelligence report published on May 22 flagged activity on a dark-web forum where a threat actor claimed to have exfiltrated employee records from the Ministry of Electricity of Kuwait – discussed further in the Rest of World section.

2.2 Health, Municipalities & Non-commercial

No incidents in this category were confirmed in Asia during the reporting week.

2.3 Business

Asia saw a notable concentration of ransomware activity during the week, with at least five named victims spanning Malaysia, Japan, and Indonesia.

In Malaysia, Qilin claimed PNSB Insurance Brokers Sdn Bhd as a victim in the first half of the week. The group stated it had exfiltrated financial spreadsheets, invoices, insurance documents, payment details, and customer records from the financial services company. Qilin has consistently listed the US, Canada, France, the UK, and Italy as its most targeted geographies, but has increasingly expanded into Southeast Asia.

Japan contributed three victims across the week’s two CYFIRMA reports. Nostrum Corporation, a Japanese information technology firm focused on application and web development, appeared in the May 22 report as a victim of The Gentlemen. A second Japanese company in the construction and utility systems sector was listed by the Payload ransomware group in the May 29 report, with roughly 11 GB of data claimed. Oriental Diamond Inc., a pioneering Japanese diamond jewellery enterprise established in 1966, was listed as a Gentlemen victim in the May 29 report. The concentration of three Japanese victims across a single week is notable and reflects a broader trend: Japanese firms have faced an average of more than 1,200 cyberattacks per week in 2025, a figure that has continued climbing into 2026 as Russian and Chinese-affiliated actors increase activity in the APAC region.

Indonesia saw a significant data exfiltration event when World Leaks claimed BMJ Paperpack, a specialty paper and packaging manufacturer, on May 22. World Leaks – operating since January 2025 as a rebrand of the Hunters International ransomware operation – focused on pure data theft rather than encryption, exfiltrating 266.2 GB across 190,483 files. The shift away from file encryption toward data-only extortion is a tactical evolution that reduces the operational footprint of an attack while maintaining leverage over the victim.


3. UNITED STATES

3.1 Government

No US federal, state, or local government entities were named as ransomware victims during May 22–29, 2026.

3.2 Health, Municipalities & Non-commercial

US healthcare and non-commercial organisations remained squarely in the crosshairs. On May 22, CMD – the most active group that day – targeted five healthcare and non-profit organisations across the country, including a faith-based institution identified as Holy Name of Jesus. The group had been steadily escalating its healthcare targeting for several weeks; its activity concentrated in the non-profit and healthcare verticals, with the United States as its primary geography throughout May.

In a separate development that intersected the reporting window, Carnival Corporation – the world’s largest cruise operator – began notifying approximately six million individuals on May 27 that their personal information had been stolen. The breach, attributed to the ShinyHunters extortion group, originated on April 14 when attackers compromised an employee account through social engineering, then moved laterally to exfiltrate files containing names, addresses, dates of birth, email addresses, phone numbers, and government-issued identification numbers. While the breach itself predates the May 22–29 window, the public notification, scale, and ongoing impact place it squarely in this week’s risk landscape for affected individuals. Carnival is offering two years of complimentary credit monitoring to eligible US residents.

3.3 Business

DragonForce was the most consequential US-targeting group by claimed volume during the week. On May 27 alone the group posted nineteen victims in the real estate and healthcare sectors. DragonForce had claimed a separate batch of twelve victims in financial services and insurance – with US and German targets mixed – on May 25. The pace reflects the cartel’s structure: DragonForce rebranded as a “ransomware cartel” in 2025 and now operates an affiliate programme offering an 80 percent revenue share, enabling it to sustain a high tempo of simultaneous campaigns across sectors.

The Gentlemen claimed Heartland Growers, a family-owned wholesale greenhouse operating in Indiana since 1984, on May 28. Heartland Growers supplies spring annuals, holiday plants, and hydroponic produce to garden centres, florists, and retailers across the Midwest. The targeting of a regional agricultural supplier underlines how The Gentlemen’s affiliate-driven model casts a wide net across small and mid-sized businesses that often lack mature incident response capabilities.


4. REST OF WORLD

4.1 Government

The Kuwait Ministry of Electricity appeared in dark-web forum activity documented in CYFIRMA’s May 22 weekly report. A threat actor claimed to have posted exfiltrated employee records from the ministry, though whether the incident involved ransomware or pure data theft, and how much data was involved, had not been publicly confirmed. The incident adds to a pattern of Middle Eastern government entities being targeted by financially and politically motivated threat actors in 2026.

4.2 Health, Municipalities & Non-commercial

No incidents confirmed in this category for the rest-of-world region during the reporting week.

4.3 Business

INC Ransom published approximately 400 GB of data stolen from Lals Group, a UAE-based retail conglomerate managing brands including Homes r Us, Daiso Japan, Carter’s, and Mom Store across the GCC region – UAE, Qatar, Bahrain, Oman, Kuwait, and Saudi Arabia. The estimated attack date of May 10 places it just outside the May 22–29 window, but INC Ransom published the victim listing during the reporting week, making the incident newly public. The exfiltrated data includes financial records, human resources files, operational reports, and inventory information.

The Gentlemen’s May 28 simultaneous tri-victim posting included Grupo Premier, a leading Mexican automotive retail and dealership group. No ransom figure or data volume was confirmed in the group’s posting. The targeting of a large auto retailer in Mexico aligns with The Gentlemen’s observed pattern of opportunistic, cross-sector targeting wherever affiliates can achieve initial access.


5. THREAT ACTOR ACTIVITY

The dominant narrative in threat actor activity this week was the continued acceleration of The Gentlemen ransomware-as-a-service operation. Having claimed approximately 332 published victims in the first five months of 2026, the group now accounts for roughly 10 percent of all observed ransomware attacks globally and holds the position of second most active RaaS programme, behind only Qilin. Its Go-based locker targets Windows, Linux, NAS, and BSD environments, and the affiliate programme – offering a 90 percent revenue share – has attracted a large and diverse set of operators. Security researchers at Halcyon, Group-IB, and Check Point have all published detailed analyses of the group’s tactics in May 2026, and analysts note that some of The Gentlemen’s leak-site listings include unverified or potentially fabricated victim claims, a tactic used to amplify reputational pressure on actual victims and to generate uncertainty among potential targets.

DragonForce, which formed or formalised a cartel arrangement with Qilin and LockBit in early 2026, continued its high-volume cadence, claiming more than thirty victims during the May 22–29 period across real estate, healthcare, and financial services. Its affiliate structure and willingness to accept a broad range of targets – from regional US healthcare networks to European insurers – make it one of the most difficult groups to model from a sector-specific risk perspective.

CMD maintained its focus on US healthcare and non-profit organisations, logging five confirmed victims on a single day. The group’s consistent geographic and sector targeting suggests a deliberate strategy to exploit the high operational pressure and sometimes weaker security posture found in smaller healthcare and faith-based organisations.

CYFIRMA’s May 22 report formally documented Aur0ra as a newly active ransomware strain, having accumulated ten victims since its first observed attack on April 29, 2026. Aur0ra uses a dual-extortion model – encrypting files without changing their names (unusual, and likely intended to delay detection) while simultaneously exfiltrating data. Its target list already spans fourteen countries including the United States, Canada, Australia, Belgium, France, the UAE, and Pakistan, and covers industries as varied as manufacturing, energy, hospitality, and legal services. The breadth of geographic and sector targeting this early in a group’s life suggests either a technically capable RaaS operation drawing on experienced affiliates or a group that has purchased or inherited tooling from an established operation.
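
An added example, not code from CYFIRMA or any other source cited here: because rename-free encryption of the kind attributed to Aur0ra defeats alerts keyed on new file extensions, this check flags files whose content no longer matches their unchanged extension. It assumes the encryptor overwrites the start of each file, which the reports summarised here do not state; the threshold, the function names and the sample data are constructed for illustration.

```python
import hashlib
import math
from collections import Counter

# Well-known leading signatures; compressed formats are high-entropy even when
# healthy, so for these the signature, not entropy alone, is the signal.
MAGIC = {".pdf": b"%PDF-", ".png": b"\x89PNG\r\n\x1a\n", ".jpg": b"\xff\xd8\xff",
         ".zip": b"PK\x03\x04", ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04"}
TEXT_EXTS = {".txt", ".csv", ".log", ".json"}
ENTROPY_THRESHOLD = 7.5  # bits per byte; assumed tuning value, not from the page

def shannon_entropy(data: bytes) -> float:
    total = len(data)
    if total == 0:
        return 0.0
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())

def classify(name: str, head: bytes) -> str:
    """Return ok / suspect / malformed / unknown for a file's first bytes."""
    ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
    high = shannon_entropy(head) >= ENTROPY_THRESHOLD
    if ext in MAGIC:
        if head.startswith(MAGIC[ext]):
            return "ok"
        return "suspect" if high else "malformed"
    if ext in TEXT_EXTS:
        return "suspect" if high else "ok"
    return "unknown"

def pseudo_ciphertext(n: int) -> bytes:
    # Constructed stand-in for ciphertext: SHA-256 over a counter, deterministic.
    blocks = (hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

# Constructed sample files: the name keeps its extension in every case.
SAMPLES = {
    "invoice.pdf": b"%PDF-1.7\n" + b"1 0 obj << /Type /Catalog >> endobj\n" * 100,
    "report.pdf": pseudo_ciphertext(4096),
    "customers.csv": b"id,name,city\n" + b"17,Example Person,Sampletown\n" * 150,
    "ledger.csv": pseudo_ciphertext(4096),
    "truncated.png": b"\x00" * 4096,
}

def scan(samples: dict) -> dict:
    return {name: classify(name, data[:4096]) for name, data in samples.items()}

if __name__ == "__main__":
    for name, verdict in scan(SAMPLES).items():
        print(f"{name:15} {verdict}")
```

A burst of "suspect" verdicts across many files in a short window is the useful signal; a single mismatch is more often a corrupt or mislabelled file.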

World Leaks, the January 2025 rebrand of the Hunters International ransomware operation, demonstrated its data-theft-only model on BMJ Paperpack in Indonesia. The operational shift – dropping file encryption in favour of pure exfiltration and extortion – reduces the legal and technical risk for operators while maintaining the leverage that makes victims pay. CYFIRMA’s May 29 report also flagged GINES ransomware, a newly identified variant associated with the Makop family, appending the “.gines” extension and directing victims to a Tor-based contact channel. No decryptor is publicly available.


6. KEY TAKEAWAYS

The week of May 22–29 illustrates a ransomware ecosystem in which volume, velocity, and geographic reach are all expanding simultaneously. Three structural patterns stand out.

First, The Gentlemen’s rapid rise to the second position globally – with a 90 percent affiliate revenue share and a Go-based cross-platform locker – signals that the economics of RaaS continue to attract new entrants willing to invest in infrastructure and recruitment. Defenders should treat The Gentlemen as a persistent, well-resourced threat rather than a novelty group to monitor at a distance.

Second, the concentration of Asian victims across the week – Japan, Malaysia, Indonesia – reflects an ongoing shift in the ransomware landscape. Japanese organisations in particular face a structural challenge: a legacy of under-investment in incident response capacity, combined with geopolitical pressure from state-adjacent actors, means the long tail of ransomware damage in Japan tends to run significantly longer than comparable events in Western markets.

Third, the data-theft-only model demonstrated by World Leaks is likely to spread. By removing the encryption step, operators avoid some of the operational complexity that has historically provided defenders with detection opportunities, and they sidestep legal ambiguity in jurisdictions that treat encryption-based ransomware differently from extortion. Organisations that rely on “no encryption, no problem” logic in their incident response playbooks should revisit that assumption.

Defensive priorities for the coming weeks should include verifying backup integrity against groups like CMD and DragonForce that specifically target backup infrastructure before deploying encryptors, reviewing third-party vendor access controls in light of the ongoing healthcare supply-chain exposure, and monitoring The Gentlemen’s leak site for any indication that claimed-but-unverified victims include organisations in your supply chain.


Sources

Primary Sources

RSS Feed Sources

  • CYFIRMA Research (cyfirma.com)
  • The Record by Recorded Future (therecord.media)
  • Bleeping Computer (bleepingcomputer.com)
  • Dark Reading (darkreading.com)
  • The Hacker News (thehackernews.com)
  • Help Net Security (helpnetsecurity.com)
  • SecurityWeek (securityweek.com)
  • Malwarebytes Blog (malwarebytes.com)
  • Check Point Research (research.checkpoint.com)
  • Halcyon (halcyon.ai)
  • Industrial Cyber (industrialcyber.co)
  • Group-IB (group-ib.com)