Executive Summary
The week of May 30 through June 5, 2026 was defined by two converging pressures: the unrelenting concentration of ransomware and data-extortion attacks on US healthcare, and the geographic spread of Qilin across Europe, the Americas, and the Asia-Pacific. At least 33 named organisations confirmed or appeared on leak sites during the seven-day window, drawn from healthcare, aviation, manufacturing, public health, legal services, and retail logistics. The most consequential single incident was the ShinyHunters breach of DentaQuest, a US dental benefits administrator serving roughly 35 million customers, from which 234 gigabytes of data covering 2.6 million accounts was published online. The Gentlemen ransomware-as-a-service operation, which ended week 22 as the second most active RaaS programme globally, carried that momentum into week 23 by posting three Michigan-area medical centres in a single batch alongside other US healthcare targets. In Europe, Qilin hit Austrian business aviation firm Avcon Jet and exfiltrated the company’s own cyber incident response plan alongside employee travel documents and airworthiness certificates, an unusually candid illustration of how operationally damaging a breach can be. INC Ransom claimed the Champaign-Urbana Public Health District in Illinois, a public agency that survived a NetWalker attack in 2020 only to face renewed pressure six years later. Most strikingly, the law firm Weil Gotshal and Manges disclosed that it had paid Luna Moth an estimated 18 to 20 million dollars in a suppression payment – no encryption, no network intrusion, purely the threat of releasing stolen client documents from cloud storage – prompting an FBI advisory and marking one of the largest pure-extortion settlements on record.
Key Statistics: - Global: 33+ named victims; healthcare dominant at roughly 40 percent of confirmed incidents; data-extortion without encryption emerging as a distinct and growing threat model - Europe: 3 incidents across Germany and Austria; Qilin and DragonForce both active; aviation and medical supply sectors targeted - Asia: 4 incidents across India, South Korea, and Singapore; two Indian hospitals hit within three days by different groups - US: 18 incidents; healthcare and dental practices account for the majority; INC Ransom, Qilin, The Gentlemen, and Anubis all active simultaneously - Other: 8 incidents across Australia, Canada, Chile, South Africa, and Zimbabwe; Qilin and DragonForce both operating in the Asia-Pacific corridor; Black X claimed the African National Congress in South Africa
1. EUROPE
1.1 Government
No ransomware incidents targeting European government agencies were confirmed during May 30 through June 5, 2026.
1.2 Health, Municipalities & Non-commercial
DragonForce claimed REHA-ACTIV, a German medical supply firm that has served people with disabilities for more than 30 years, on June 5. The group asserted data exfiltration, though the precise scope of patient or client records involved had not been independently confirmed by the end of the week.
1.3 Business
European business incidents this week centred on Austria. Qilin added Avcon Jet, a business aviation company with annual revenues exceeding 250 million euros, to its leak site on June 4 and 5. The exfiltrated files reportedly included employee passports and CVs, aircraft maintenance work orders, export airworthiness certificates, crew training records, and – in a detail that illustrates the operational depth Qilin can reach – the company’s own cyber incident response plan. On June 5, Qilin separately claimed Interspa Betriebsverwaltungsgesellschaft, an Austrian hospitality sector firm.
2. ASIA
2.1 Government
No ransomware incidents targeting Asian government agencies were confirmed during this reporting window.
2.2 Health, Municipalities & Non-commercial
India faced two separate hospital ransomware incidents within three days from different threat actors. On June 5, the Nova ransomware group claimed Aspire Hospital in Bhubaneswar, Odisha, asserting that servers had been encrypted and patient data exfiltrated, with a sample offered as proof. Two days earlier, on June 3, KillSec posted ACE Hospital, also based in India, to its leak site. The two incidents together underscore the exposure of mid-tier Indian healthcare infrastructure to opportunistic ransomware campaigns.
South Korea’s Wonjin Plastic Surgery, one of the country’s better-known cosmetic surgery clinics, appeared on the Black X leak site on June 2. The group claimed the attack itself was carried out as far back as April 7 and threatened to release sensitive patient data if no payment was made. The two-month gap between alleged compromise and public disclosure raises questions about internal detection capabilities.
2.3 Business
Baiapai, a financial services firm in Singapore, appeared on the Medusa Locker leak site on June 4. No data volumes or ransom demands were publicly confirmed.
3. UNITED STATES
3.1 Government
The Krum Public Library in Texas was claimed by the NightSpire group on June 5. Public libraries are among the lower-resourced institutions in the ransomware target landscape, making the attack emblematic of how broadly opportunistic these campaigns have become.
3.2 Health, Municipalities & Non-commercial
The week’s most consequential US breach by scale was the publication of data stolen from DentaQuest, a dental benefits administrator serving approximately 35 million Americans. ShinyHunters posted 234 gigabytes of data on May 30, with DentaQuest confirming on June 2 that roughly 2.6 million accounts had been exposed. The compromised records include names, postal addresses, dates of birth, health insurance data, and Medicaid identifiers – a combination that creates significant risk of identity fraud and insurance fraud for millions of low-income beneficiaries who rely on the Medicaid dental programme.
The Champaign-Urbana Public Health District in Illinois, which had previously survived a NetWalker attack in 2020, was claimed by INC Ransom on June 1. Public health agencies – already under-resourced relative to private healthcare organisations – represent a sector where ransomware disruption carries direct consequences for communicable disease monitoring and outbreak response.
Singing River Health System, a community hospital network operating three facilities in Pascagoula, Mississippi, was targeted by the Anubis group on June 4. The system had already notified approximately 895,000 patients of a breach stemming from an August 2023 ransomware incident by Rhysida, making this a second major ransomware event for the same institution within three years.
The Gentlemen ransomware operation posted three Michigan-area medical organisations in a single batch on June 4: Edgewood Surgical Hospital, Michigan Surgical Center, and Downriver Medical Associates. The coordinated batch posting is consistent with The Gentlemen’s established pattern of grouping victims by region or sector before releasing them simultaneously to maximise negotiating pressure. Family Medical Associates of Raleigh in North Carolina was claimed by the Genesis group on June 3.
Additional US healthcare victims claimed during the week included Sierra Vista Hospital, a private behavioural health facility claimed by LockBit on June 5; Nova Medical Products, a medical equipment manufacturer claimed by Qilin on June 2; Central Florida Cosmetic and Family Dentistry, posted by Qilin on June 5; and Access Dental, claimed by World_Leaks – the rebranded successor to Hunters International – also on June 5. AcademyHealth, a health policy research organisation, appeared on the Bravox leak site on May 29.
3.3 Business
The disclosure with the greatest financial and legal industry implications this week came from Weil, Gotshal and Manges, one of the United States’ largest corporate law firms. The firm disclosed that it had paid Luna Moth – also known as Silent Ransom Group – an estimated 18 to 20 million dollars in a suppression payment after the group stole client documents from cloud storage. Luna Moth did not deploy encryption and did not intrude on the firm’s internal network; the entire leverage consisted of threatening to release sensitive client files. The FBI issued an advisory following the disclosure. The size of the payment and the absence of any technical compromise signal that pure data extortion has now reached a scale and sophistication that rivals traditional ransomware in financial impact.
In manufacturing, Akira claimed National Standard Parts Associates on June 4 alongside Northern Ohio Regional Multiple Listing Service, a real estate industry organisation, and Kennon Worldwide, a business services firm. INC Ransom posted O’Brien Engineering on June 5. The CoinbaseCartel group, a newer actor, claimed Cambridge Mobile Telematics, a telematics and transportation technology company, on June 4, and separately claimed Panasonic Aero on June 2.
4. REST OF WORLD
4.1 Government
Black X claimed the African National Congress, South Africa’s governing political party, on June 2, threatening to release what it described as a full dump of sensitive ANC data. The targeting of a ruling political party represents an escalation from the primarily commercial and healthcare targeting that characterises most ransomware campaigns and may reflect extortion leverage through reputational rather than operational disruption.
4.2 Health, Municipalities & Non-commercial
Clinica Maitenes, a healthcare clinic in Chile, was claimed by Qilin on June 2, extending the group’s Latin American footprint. No specific data volumes were disclosed.
4.3 Business
Australia saw a cluster of three incidents in the reporting window. DragonForce claimed QLS Group, a Victorian retail logistics firm that distributes approximately 65 percent of the Australian television market by volume, alleging exfiltration of 554 gigabytes of data. QLS stated internally that the incident had been resolved, though no independent confirmation was available. Stormous claimed VSP Solutions, an Australian IT and business services company, on June 1, asserting more than 40 gigabytes exfiltrated including financial records. Akira posted Oaks Park, a hospitality venue, on June 5.
In Canada, Qilin claimed the Ontario Home Builders’ Association on June 5, adding a construction industry trade body to what has become a broad cross-sector victim list for the group this week.
First Mutual Holdings, an insurance and financial services company in Zimbabwe, appeared on the NightSpire leak site on June 5. NightSpire posted both First Mutual Holdings and the Krum Public Library in Texas on the same day, establishing that the group operates across substantially different geographies and sectors simultaneously.
5. THREAT ACTOR ACTIVITY
Qilin continued its position as the most active ransomware group globally through the first days of June, with confirmed or claimed victims across the United States, Austria, Canada, Chile, and South Korea during the week. The group’s May 2026 total reached approximately 101 claimed victims according to ransomware tracking services, representing a sustained operational tempo that has placed Qilin at the centre of virtually every geographic region’s ransomware threat landscape.
The Gentlemen maintained the momentum it established through May, adding a coordinated batch of US healthcare victims that demonstrated both geographic precision and operational discipline. With roughly 332 published victims in its first five months, the group has established itself as a major RaaS programme and shows no sign of pausing between operational cycles.
INC Ransom was active on two US fronts – public health and engineering – while DragonForce claimed victims in Germany and Australia within the same week, consistent with the cartel model the group has been operating since its restructure earlier in 2026.
Luna Moth’s 18 to 20 million dollar extraction from Weil Gotshal without any ransomware deployment marks the clearest evidence yet that a subset of threat actors have abandoned encryption entirely in favour of pure credential theft and data leverage. The FBI’s advisory following the disclosure is likely to prompt renewed focus on cloud storage access controls and credential hygiene at law firms and other professional services organisations that hold large volumes of sensitive client material.
Black X emerged as a cross-regional actor this week, claiming both the African National Congress in South Africa and Wonjin Plastic Surgery in South Korea. The group’s willingness to target both politically sensitive organisations and patient-data-rich healthcare providers in the same week reflects an opportunistic rather than sector-specific targeting strategy.
New and emerging groups continued to proliferate. CoinbaseCartel claimed two US technology companies; NightSpire claimed victims on three continents in a single day; and Bravox, Genesis, Securotrop, and Krybit each appeared with individual claims, collectively illustrating the continued fragmentation of the ransomware ecosystem following the law enforcement operations against LockBit and ALPHV in 2024 and 2025.
6. KEY TAKEAWAYS
US healthcare remains the single most systematically targeted sector in the global ransomware landscape. The concentration of incidents this week – DentaQuest’s 2.6 million-patient breach, The Gentlemen’s Michigan hospital cluster, Singing River’s second major ransomware event in three years, and the Champaign-Urbana Public Health District’s repeat victimisation – points to a sector that is both perceived as willing to pay and structurally unable to build the defences that commercial organisations can deploy. Healthcare organisations with prior ransomware history should treat repeat targeting as a near-certainty and invest in network segmentation, offline backup verification, and incident response rehearsals.
The Weil Gotshal settlement demonstrates that pure data extortion is now a financially viable alternative to ransomware for well-resourced threat actors. Luna Moth required no malware, no encryption, and no lateral movement – only stolen credentials and access to cloud-hosted document repositories. Any organisation that stores sensitive third-party data in cloud platforms should audit access controls, enable anomalous-download alerting, and ensure that its incident response plan explicitly addresses the extortion-without-encryption scenario, which traditional ransomware defences are not designed to address.
The geographic spread visible this week – Qilin claiming victims across five continents, NightSpire posting in the US and Zimbabwe on the same day, DragonForce operating in Germany and Australia simultaneously – confirms that ransomware groups no longer have meaningful regional specialisations. Threat intelligence programmes that focus narrowly on groups with historical regional preferences will miss an increasing share of relevant activity. Broad monitoring of leak sites and cross-regional threat actor tracking has become a baseline requirement rather than an advanced capability.
Sources
Primary Sources
DentaQuest / ShinyHunters - BleepingComputer: DentaQuest data breach exposed info of 2.6 million accounts - SecurityWeek: Hackers leak DentaQuest information impacting 2.6 million
Avcon Jet / Qilin - CyberNews: Avcon Jet targeted by Qilin ransomware, aviation data leaked
Weil Gotshal / Luna Moth - The Insurer: Weil Gotshal paid double-digit millions in suppression payment to Luna Moth, 2026-05-27 - Legal Cheek: Weil reportedly pays up to 20 million after hackers steal client data
Champaign-Urbana Public Health District / INC Ransom - TechTarget: Ransomware attack hits Champaign-Urbana Public Health District
Singing River Health System / Anubis - HookPhish: Ransomware group Anubis hits Singing River Health System - Comparitech: Cybercriminals take credit for Singing River Health System data breach
QLS Group / DragonForce - Cyber Daily AU: Exclusive – Victorian retail logistics firm allegedly breached by DragonForce - DeXpose: DragonForce targets QLS Group in ransomware attack
African National Congress / Black X - DeXpose: Black X ransomware targets African National Congress
Wonjin Plastic Surgery / Black X - DeXpose: Black X targets Wonjin Plastic Surgery in South Korea
REHA-ACTIV / DragonForce - RedPacket Security: DragonForce ransomware victim REHA-ACTIV
Ontario Home Builders’ Association / Qilin - RedPacket Security: Qilin ransomware victim Ontario Home Builders’ Association
Ransomware Tracking and Aggregation
- ransomware.live: global victim tracking and leak site monitoring
- ransomware.live Healthcare Tracker
- Comparitech: Ransomware roundup May 2026
- BlackFog: The state of ransomware May 2026
- Industrial Cyber: Global ransomware activity rises modestly in May as Qilin, The Gentlemen, and DragonForce lead attacks
- BreachSense: May 2026 ransomware report
- PurpleOps: Ransomware activity tracker 2026