A cybersecurity analyst monitors ransomware activity trends as new research shows attacks against educational institutions surged in May 2026 despite relatively stable overall attack volumes.
Ransomware attacks increased modestly in May 2026, rising just over 3 percent from April, according to new research from Comparitech. While overall attack volumes remained relatively low compared to earlier months this year, the data revealed significant shifts in targeting across industry sectors.
The study tracked 661 ransomware attacks during May, including 48 incidents that were confirmed by the affected organizations. Researchers found that nearly 115 terabytes of data were stolen across all attacks recorded during the month.
Among ransomware groups, Qilin emerged as the most active operation, accounting for 97 attacks. The Gentlemen followed with 71 attacks, while DragonForce was linked to 51 incidents. Qilin also led in confirmed attacks with nine, followed by The Gentlemen with four and INC with three.
The United States remained the most frequently targeted country, recording 272 attacks during May. Canada ranked second with 31 attacks, followed by the United Kingdom with 28 and Germany with 26.
Sector-specific trends highlighted notable changes in attacker activity. The education sector experienced the largest increase in attacks, rising 54 percent from April. In contrast, healthcare providers and utilities companies saw significant declines, with attacks dropping 21 percent and 29 percent respectively.
According to the report, the increase in attacks against educational institutions stood out as one of the month's most significant developments.
Rebecca Moody, Head of Data Research at Comparitech, noted that while attack numbers remained lower than in previous months, the overall volume of ransomware activity remains concerning.
"While we should take some comfort in the fact that attack figures remained low(er) again in May, it's important to remember that these figures are still incredibly high, particularly when compared to previous years."
Moody said the data demonstrates how ransomware operators often concentrate their efforts on particular industries at specific times. She pointed to the surge in attacks against schools and educational organizations as a possible example of this trend.
"For example, May saw a spike in the number of attacks being carried out in the education sector. This may not be a coincidence. As schools and teachers look forward to the holidays, hackers likely see this as a great opportunity to worm their way in while everyone's starting to unwind and maybe isn't as focused as usual."
The full report includes additional details on the most active ransomware groups, the countries most affected by attacks and notable ransomware incidents recorded throughout May 2026.