State-backed cyber actors increasingly hiding behind ransomware operations, NCC Group warns
- 749 ransomware attacks were recorded globally in May 2026
- Industrials remained the most targeted sector, accounting for 29% of attacks
- Qilin was responsible for 15% of ransomware activity in May
- New threat group The Gentlemen ranked as the second most active for the second consecutive month
- NCC Group warns the line between nation-state and criminal cyber activity is becoming increasingly blurred
Manchester, June 2026 - Analysis from NCC Group’s latest Threat Intelligence Report has revealed ransomware activity remained high throughout May 2026, with 749 incidents recorded globally.
While overall ransomware activity plateaued month-on-month, the data reinforces the raised baseline observed so far throughout 2026. Industrials remained the most targeted sector, accounting for 29% of recorded attacks, while North America continued to be the most affected region globally.
Qilin retained its position as the most prolific ransomware operation in May, responsible for 15% of all observed attacks. Meanwhile, The Gentlemen ranked as the second most active threat actor for the second consecutive month, suggesting the relatively new group is continuing to establish itself within the ransomware ecosystem.
Nation-state actors increasingly adopting cybercriminal tactics
This month’s Threat Intelligence Report highlights growing evidence that nation-state actors are increasingly leveraging tools, infrastructure and operational models traditionally associated with financially motivated cybercrime to disguise espionage and intelligence-gathering operations.
NCC Group’s analysis follows reports linking an Iranian state-backed MuddyWater campaign to activity disguised as Chaos ransomware. Researchers found the operation incorporated ransomware branding, extortion notes and victim negotiation channels in an apparent effort to mask its true objectives and complicate attribution.
Matt Hull, VP of Cyber Intelligence and Response at NCC Group, said: “Historically, organisations could draw a relatively clear distinction between ransomware attacks driven by financial gain and nation-state operations designed to support strategic objectives. That distinction is becoming increasingly difficult to make.
“What we're seeing is a convergence of criminal and state-backed activity. Threat actors are sharing infrastructure, adopting common tooling and, in some cases, deliberately operating behind established ransomware brands to obscure attribution and delay response efforts.
“This creates a more complex threat environment. Organisations can no longer assume a ransomware incident is purely financially motivated. Understanding an adversary’s behaviour, objectives and operational context is becoming just as important as identifying the malware or ransomware group involved.”
Rising geopolitical tensions expected to drive cyber activity
The report suggests that growing strategic competition between China and the United States, alongside increasing geopolitical tensions across the Indo-Pacific region, may drive further cyber espionage activity from state-aligned threat actors. Organisations operating within critical infrastructure, supply chains and strategically significant sectors are likely to remain attractive targets for intelligence gathering and long-term network access operations.
The research also highlights evolving AI-assisted cybercrime capabilities. This month’s analysis examined Kitana, an adversary-in-the-middle fraud platform identified by NCC Group, which demonstrates how AI-assisted development is accelerating cybercriminal tooling while lowering barriers to entry for less sophisticated actors.
Click here to read the report in full: Cyber Threat Intelligence Reports | NCC Group
About NCC Group
NCC Group is a people-powered, tech-enabled global cyber resilience and software escrow business.
Driven by a collective purpose to create a more secure digital future, c.1800 colleagues across Europe, North America, and Asia Pacific harness their collective insight, intelligence, and innovation to deliver cyber resilience to clients across the public and private sector.
With decades of experience and a rich heritage, NCC Group is committed to developing sustainable solutions that continue to meet clients’ current and future cyber security challenges.
Follow NCC Group on LinkedIn and at https://www.nccgroup.com/