646 Ransomware Victims in May. The Survivors Had One Thing in Common.
The May ransomware tallies are in: 646 posted victims, with the Qilin operation leading the leaderboard for a fifth consecutive month. It was actually the quietest month of 2026 so far — which tells you something about the year.
Beneath the big-company headlines, the same pattern repeated at small-business scale, where roughly 49% of SMBs report being attacked annually, average losses run around $254,000, and an estimated 60% of victims close within six months.
What separates a bad week from a shutdown
Talk to incident responders and they'll tell you the outcome of a ransomware event is usually decided before the attack — by one question: can you restore?
Not "do you have backups." Nearly everyone has backups. The decisive questions are sharper:
- Are they isolated? Modern ransomware hunts backup systems first. Backups on the same network, reachable with the same credentials, get encrypted alongside production. Off-site, separately authenticated copies survive.
- Are they complete? The database, the uploads, the configs, the certificates — discovering a gap during restoration is discovering it too late.
- Have you ever actually restored? Restore time is the whole ballgame. If the honest answer is "we've never tried," your recovery plan is a guess.
Paying is not a plan
Decryptors delivered after payment routinely run slowly, corrupt data, or never arrive. Payment also marks you as a payer — re-targeting is common. The only leverage that consistently works is being able to say, credibly: we don't need your decryptor.
That sentence is built months in advance. It's why our backup service ships with verification and scheduled test restores instead of just a checkbox that says "enabled" — because in this particular lottery, the ticket has to work the first time.
