Analysis from NCC Group’s latest Threat Intelligence Report shows ransomware activity remained high throughout May 2026 with 749 incidents recorded globally.

While overall activity plateaued month on month, the data indicates a sustained elevated baseline that has persisted across 2026. Industrials were the most targeted sector, accounting for 29% of recorded attacks, while North America remained the most affected region globally.

Among threat actors, Qilin retained its position as the most prolific ransomware operation in May, responsible for 15% of all observed attacks. The Gentlemen ranked as the second most active threat actor for the second consecutive month, suggesting the relatively new group is continuing to establish itself within the ransomware ecosystem.

The report also highlights an evolving threat landscape where nation-state actors are increasingly adopting techniques associated with financially motivated cybercrime.

NCC Group’s analysis follows reports linking an Iranian state-backed MuddyWater campaign to activity disguised as Chaos ransomware. Researchers found the operation used ransomware branding, extortion notes and victim negotiation channels in an apparent effort to conceal its objectives and complicate attribution.

Matt Hull, VP of Cyber Intelligence and Response at NCC Group, said: “Historically, organisations could draw a relatively clear distinction between ransomware attacks driven by financial gain and nation-state operations designed to support strategic objectives. That distinction is becoming increasingly difficult to make.”

He added: “What we're seeing is a convergence of criminal and state-backed activity. Threat actors are sharing infrastructure, adopting common tooling and, in some cases, deliberately operating behind established ransomware brands to obscure attribution and delay response efforts.”

“This creates a more complex threat environment. Organisations can no longer assume a ransomware incident is purely financially motivated. Understanding an adversary’s behaviour, objectives and operational context is becoming just as important as identifying the malware or ransomware group involved.”

The report also warns that rising geopolitical tensions, including competition between China and the United States and growing friction across the Indo-Pacific region, may contribute to increased cyber espionage activity by state-aligned actors. It notes that organisations in critical infrastructure, supply chains and strategically significant sectors are likely to remain key targets for long-term access and intelligence gathering operations.

In addition, the research highlights the growing role of AI-assisted cybercrime. It examines Kitana, an adversary-in-the-middle fraud platform identified by NCC Group, showing how AI-assisted development is accelerating cybercriminal tooling and lowering barriers to entry for less sophisticated actors.