Ransomware Trends in May 2026 — What the Incident Data Is Showing
Ransomware activity through the first four months of 2026 has continued the pattern that was visible in late 2025 — fewer broad-scope encryption campaigns, more targeted data exfiltration with extortion-only attacks, and a more difficult negotiation environment for victims and incident response teams alike. The May 2026 read on the threat landscape is worth writing down for security and IT leaders.
What the May 2026 incident data is showing:
Pure data extortion (exfiltration with the threat of publication, but no file encryption) is now the dominant variant for several active criminal groups. The reasoning is operational. An encryption attack triggers obvious system failure, immediate incident response, and law enforcement attention. A quiet exfiltration of sensitive data, followed by a private extortion contact to leadership, is harder to detect, less likely to be publicly reported, and carries less law enforcement attention in the first 30 days.
The dwell time before the extortion contact has lengthened. The exfiltration is happening days or weeks before the extortion email. The criminal teams are using the dwell time to study the victim, identify the pressure points, and tune the demand.
The targeting has tightened. Broad opportunistic attacks against any vulnerable system are still happening but the more sophisticated actors are running selected campaigns against specific industries, specific regions, and specific company sizes. The Australian mid-market is in the targeting profile for several active groups in 2026.
The negotiation environment is harder for victims. The criminal teams have professionalised the negotiation process. The early-2020s pattern of large discounts off the initial demand is less reliable. The teams that came to the table well-prepared — clean inventory of what was taken, clean understanding of the regulatory and contractual notification obligations, professional negotiator engaged early — are getting better outcomes than the teams that came in panicked.
What is changing on the defensive side:
The detection of exfiltration in progress has improved at the better-resourced organisations through the deployment of network behaviour analytics, identity-based access monitoring, and data loss prevention tooling. The mid-market organisations are still catching up.
The backup and restore discipline that emerged from the encryption-centric attack pattern is less effective against exfiltration-only attacks. The organisation with the perfect backup is still in the position of having sensitive data in the criminal’s possession. The defence focus has shifted toward exfiltration prevention rather than recovery preparation.
The cyber insurance market has continued its adjustment to the threat landscape. The policy terms are tighter on exclusions, the underwriting questions are more detailed, and the renewal premium expectations have stabilised after the 2024 reset. The organisations with mature security programmes and documented incident response capability are getting better terms than the organisations without.
The regulatory and legal landscape is firmer. The Australian notification obligations under the Privacy Act amendments, the critical infrastructure obligations under SOCI, and the sector-specific regulator expectations have all matured through 2024 and 2025. The 2026 incident response runs against a clearer set of obligations than the 2022 incident response did.
The notification and reporting landscape is also more public-facing. The trend of organisations refusing to comment on whether they paid a ransom is harder to sustain in 2026 because the criminal teams are publishing more aggressively when payment is not made, and the regulators and trading partners are asking more pointed questions.
For Australian organisations operating in May 2026:
The exfiltration risk should now be the centre of the ransomware preparation rather than the encryption risk. The investment in exfiltration detection, data movement controls, and identity-based access monitoring is the work that pays back against the current threat pattern.
The incident response playbook needs to assume a data extortion scenario as the primary case, not the exception. The legal, regulatory, communications, and customer-notification workflows should be drilled.
The third-party and supply chain exposure is the most common path of entry in 2026 incidents. The vendor security review programme is more important than the firewall posture.
The 2026 ransomware environment is not better than the 2024 environment. It is differently bad. The organisations that have updated their defensive posture to match the current threat are managing the risk. The organisations that are still running a 2022 ransomware playbook against a 2026 threat are exposed.