June 24, 2026 — Analysis from NCC Group’s latest Threat Intelligence Report has revealed ransomware activity remained high throughout May 2026, with 749 incidents recorded globally.
While overall ransomware activity plateaued month-on-month, the data reinforces the raised baseline observed so far in 2026. Industrials remained the most targeted sector, accounting for 29% of recorded attacks, while North America continued to be the most affected region globally.
Qilin retained its position as the most prolific ransomware operation in May, responsible for 15% of all observed attacks. Meanwhile, The Gentlemen ranked as the second most active threat actor for the second consecutive month, suggesting the relatively new group is continuing to establish itself within the ransomware ecosystem.
Nation-state actors increasingly adopting cybercriminal tactics
This month’s Threat Intelligence Report highlights growing evidence that nation-state actors are increasingly leveraging tools, infrastructure and operational models traditionally associated with financially motivated cybercrime to disguise espionage and intelligence-gathering operations.
NCC Group’s analysis follows reports linking an Iranian state-backed MuddyWater campaign to activity disguised as Chaos ransomware. Researchers found the operation incorporated ransomware branding, extortion notes and victim negotiation channels in an apparent effort to mask its true objectives and complicate attribution.
Matt Hull, VP of Cyber Intelligence and Response at NCC Group, said: “Historically, organizations could draw a relatively clear distinction between ransomware attacks driven by financial gain and nation-state operations designed to support strategic objectives. That distinction is becoming increasingly difficult to make.
“What we're seeing is a convergence of criminal and state-backed activity. Threat actors are sharing infrastructure, adopting common tooling and, in some cases, deliberately operating behind established ransomware brands to obscure attribution and delay response efforts.
“This creates a more complex threat environment. Organizations can no longer assume a ransomware incident is purely financially motivated. Understanding an adversary’s behavior, objectives and operational context is becoming just as important as identifying the malware or ransomware group involved.”
Rising geopolitical tensions expected to drive cyber activity
The report suggests that growing strategic competition between China and the United States, alongside increasing geopolitical tensions across the Indo-Pacific region, may drive further cyber espionage activity from state-aligned threat actors. Organizations operating within critical infrastructure, supply chains and strategically significant sectors are likely to remain attractive targets for intelligence gathering and long-term network access operations.
The research also highlights evolving AI-assisted cybercrime capabilities. This month’s analysis examined Kitana, an adversary-in-the-middle fraud platform identified by NCC Group, which demonstrates how AI-assisted development is accelerating cybercriminal tooling while lowering barriers to entry for less sophisticated actors.


