MOXFIVE Monthly Insights - May 2026
MOXFIVE's May 2026 threat intelligence report covers the most active ransomware groups, top exploited vulnerabilities (CVEs), and defensive guidance for security teams. Subscribe to receive it monthly.


Ransomware Highlights for May 2026

Ransomware showed no signs of letting up in May, continuing a pace that has made 2026 one of the most active years on record. Qilin drove a high percentage of that activity and has been the most widely deployed ransomware MOXFIVE has tracked all year. MOXFIVE published a full breakdown of Qilin's operations, attack chain, and growth this month, available here.

A separate trend that stood out in May was a sharp increase in targeting against law firms. The activity even warranted a FLASH alert from the FBI warning that Silent Ransom Group has escalated its campaign against US law firms to include physical intrusion into offices.

This month's Case Study examines how infostealer malware harvests credentials from employee devices and feeds them into underground markets where ransomware affiliates purchase verified access. Credential theft through infostealers has become a common precursor to ransomware deployment, giving affiliates a reliable path into target environments. By the time an attack executes, the credentials used to gain access may have been circulating on criminal infrastructure for weeks. The Resilience Spotlight helps defenders get ahead of this tactic.

Top Ransomware Threats & Exploited Vulnerabilities: May 2026

Phishing emails, VPN vulnerabilities, lack of Multifactor Authentication (MFA), software flaws, drive-by downloads, and social engineering remain the most frequently observed initial access points for ransomware attacks.

  • Cisco Catalyst SD-WAN Controller (CVE-2026-20182, Critical, CVSS 10.0): Disclosed on May 14, 2026, this vulnerability allows unauthenticated remote attackers to bypass authentication and gain administrative privileges on affected Cisco Catalyst SD-WAN Controller and SD-WAN Manager instances via crafted requests. The flaw affects both on-premises and cloud deployments and was exploited as a zero-day prior to public disclosure.
  • Microsoft Exchange Server Outlook Web Access (CVE-2026-42897, High, CVSS 8.1): Disclosed on May 14, 2026, this vulnerability allows unauthenticated attackers to execute arbitrary JavaScript in an authenticated user's browser session via a specially crafted email whose embedded script runs when the recipient opens the message in Outlook Web Access. The flaw affects on-premises Exchange Server 2016, 2019, and Subscription Edition. Exchange Online is not affected.
  • Palo Alto Networks PAN-OS GlobalProtect (CVE-2026-0257, High, CVSS 7.8): Disclosed on May 13, 2026, this vulnerability allows unauthenticated attackers to forge authentication override cookies and establish unauthorized VPN connections through affected GlobalProtect portal and gateway configurations. The flaw affects PAN-OS and Prisma Access deployments where authentication override cookies are enabled and the override certificate is shared with another feature.

Most Active Ransomware Groups in May 2026

Ransomware activity in May stayed high, keeping pace with a 2026 that has been among the most active years on record. The ransomware operation to keep an eye on this year has been Qilin, which is currently the most actively deployed ransomware-as-a-service (RaaS) operation on the market. MOXFIVE published a detailed analysis of Qilin's RaaS model, attack chain, and affiliate-driven growth this month. DragonForce, Inc, Genesis, and Akira made up the remainder of the top five active ransomware operations for the month.

  • Qilin has been the leading ransomware operation in 2026 by victim count. The group's commission-based RaaS model, which offers affiliates up to 80-85% of ransom payments, has driven its adoption across the affiliate ecosystem. Qilin deployments include payloads for Windows, Linux, and VMware ESXi environments and rely on double extortion tactics.
  • DragonForce shifted from a RaaS model to a cartel structure in 2025, allowing affiliates to operate under their own brands while using shared infrastructure and tooling.
  • Inc operates under a RaaS model. Its codebase overlaps significantly with Lynx, which is widely assessed to be its successor, and affiliates deploying Inc rely on double extortion tactics.
  • Genesis emerged in October 2025 and operates primarily as a data extortion group, relying on data theft and the threat of public exposure rather than encryption.
  • Akira has maintained a high volume of victim claims through 2025 and into 2026, with affiliates relying on credential-based access and VPN exploitation for initial access.

Figure 1: Top ransomware variants in May 2026 based on number of known victims.

The ransomware and industry rankings below are based on observed ransomware data leak site (DLS) activity for impacted organizations in the United States.

For a deeper look into these groups, MOXFIVE has published Threat Actor Spotlights on Qilin, DragonForce, Inc, and Akira.

Top Industries Impacted by Ransomware: May 2026

Professional Services faced more ransomware and extortion pressure in May than any other industry MOXFIVE tracked, with law firms accounting for the largest share of victims within the sector. The data threat actors can extract from a legal practice (privileged client communications, active litigation strategies, merger documentation, and confidential case materials) creates extortion leverage that few other sectors can match.

Based on MOXFIVE's tracking, Silent Ransom Group, Qilin, DragonForce, and Genesis drove the most activity against Professional Services in May. On May 26, the FBI issued a FLASH alert confirming that Silent Ransom Group has escalated its campaign against US law firms, adding physical intrusion to its existing social engineering playbook. As of Spring 2026, the group has dispatched operatives into law firm offices posing as IT support, connecting USB drives directly to workstations to exfiltrate data without deploying malware.

Figure 2: Top industries impacted by ransomware in May 2026.

Healthcare organizations face targeting pressure from multiple directions: patient data carries regulatory weight under HIPAA that makes any unauthorized disclosure a reportable event, and system downtime in clinical environments creates urgency to restore access that ransomware groups have used to pressure victims into paying.

Manufacturing and Production organizations face a related dynamic, where stopping a production line can break supply chain commitments, spoil perishable goods, and void contracts, raising the cost of every hour systems remain offline.

Retail and Hospitality organizations maintain large volumes of payment card data and customer records across distributed locations, making them attractive targets for groups focused on data theft and extortion.

Construction and Engineering firms hold project files, bid documents, and design data tied to active contracts, and threat actors have used the threat of exposing that material to pressure firms into paying even when encryption is the primary attack method.

Case Study - How Infostealer Malware Leads to Ransomware Attacks

When ransomware hits, a common entry point is a set of credentials stolen from an infected device, rather than a freshly exploited vulnerability or a complex intrusion. Infostealer malware harvests credentials, session cookies, and authentication tokens from infected devices. That stolen data can be packaged into logs and sold through underground markets, where initial access brokers identify enterprise credentials and resell verified network access to ransomware affiliates. The victim organization often has no indication their credentials are circulating on criminal infrastructure until an attack is already underway. The Verizon 2026 Data Breach Investigations Report, published May 19, quantifies the pattern: half of ransomware victims had a credential or infostealer event in the period before the attack.

How the Attack Chain Works

This attack chain can be difficult to detect because credential theft and ransomware deployment are carried out by different threat actors, often with weeks or months between the initial infostealer infection and the eventual intrusion.

Resilience Spotlight - How to Defend Against Infostealer-Driven Ransomware Intrusions

Infostealer malware can reach both managed and unmanaged devices, and the credentials it harvests can be used to access corporate environments weeks or months after the infection occurred. Personal and BYOD devices extend that exposure further because they fall outside enterprise endpoint visibility in most cases. Defending against this requires controls that address the parts of the attack chain that endpoint protection alone does not reach.

Responding to an infostealer detection as a potential ransomware precursor, rather than an isolated endpoint event, can reduce the time between credential exposure and a full intrusion.
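The following is an added example, not code from the MOXFIVE report, showing what "treat an infostealer detection as a ransomware precursor" looks like as a triage routine. It takes an EDR detection naming the infected device and a set of authentication events (constructed sample data; field names, the 30-day lookback and the 90-day follow-on window are assumptions), identifies every account that signed in from that device before the alert, and flags later sign-ins by those accounts from a source the account had never used before the infection. The exposed-account list is what drives credential resets and session revocation; the flagged sign-ins are the candidate "weeks later" access attempts the case study describes.

```python
"""
Triage an infostealer detection as a potential ransomware precursor.

Added example (not MOXFIVE code). Inputs are constructed sample records;
real deployments would read EDR alerts and IdP/VPN/AD sign-in logs instead.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed windows: a stealer may have harvested credentials or session
# cookies any time in the weeks before detection, and the buyer of those
# logs may not use them for weeks or months afterwards.
LOOKBACK = timedelta(days=30)
FOLLOW_ON = timedelta(days=90)

# Constructed EDR detection naming the infected device (not real telemetry).
DETECTIONS = [
    {"ts": "2026-05-10T09:15:00", "host": "LT-4471", "category": "infostealer"},
]

# Constructed authentication events: user, source host or IP, success flag.
AUTH_LOGS = [
    {"ts": "2026-04-28T08:02:00", "user": "j.doe", "src": "LT-4471",      "ok": True},
    {"ts": "2026-05-02T17:40:00", "user": "j.doe", "src": "LT-4471",      "ok": True},
    {"ts": "2026-05-03T10:11:00", "user": "m.lee", "src": "LT-4471",      "ok": True},   # shared device
    {"ts": "2026-05-05T09:00:00", "user": "a.kim", "src": "LT-9020",      "ok": True},   # never on infected host
    {"ts": "2026-05-09T22:30:00", "user": "m.lee", "src": "203.0.113.7",  "ok": False},  # failed: not a baseline source
    {"ts": "2026-05-10T09:30:00", "user": "j.doe", "src": "LT-4471",      "ok": True},   # after alert, known source
    {"ts": "2026-06-01T03:12:00", "user": "j.doe", "src": "198.51.100.4", "ok": True},   # weeks later, never-seen source
    {"ts": "2026-06-03T11:00:00", "user": "m.lee", "src": "LT-4471",      "ok": True},   # known source
]


def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


@dataclass
class Triage:
    host: str
    detected_at: datetime
    exposed_accounts: set[str]   # credentials/sessions to treat as stolen
    flagged_logins: list[dict]   # post-detection sign-ins from unknown sources


def triage_detection(detection: dict, auth_logs: list[dict]) -> Triage:
    detected_at = _parse(detection["ts"])
    window_start = detected_at - LOOKBACK
    window_end = detected_at + FOLLOW_ON
    ok_events = [e for e in auth_logs if e["ok"]]

    # 1. Any account that signed in from the infected device during the
    #    lookback may have had its password, cookies or tokens harvested.
    exposed = {
        e["user"] for e in ok_events
        if e["src"] == detection["host"] and window_start <= _parse(e["ts"]) <= detected_at
    }

    # 2. Baseline of sources each exposed account used before the alert.
    baseline: dict[str, set[str]] = {u: set() for u in exposed}
    for e in ok_events:
        if e["user"] in exposed and _parse(e["ts"]) <= detected_at:
            baseline[e["user"]].add(e["src"])

    # 3. Sign-ins after the alert from a source the account never used before:
    #    the pattern of a purchased credential being exercised by a new actor.
    flagged = [
        e for e in ok_events
        if e["user"] in exposed
        and detected_at < _parse(e["ts"]) <= window_end
        and e["src"] not in baseline[e["user"]]
    ]
    flagged.sort(key=lambda e: e["ts"])
    return Triage(detection["host"], detected_at, exposed, flagged)


def recommended_actions(t: Triage) -> list[str]:
    """Turn the triage result into the response steps an analyst would queue."""
    actions = [f"isolate {t.host} and preserve it for forensic collection"]
    for u in sorted(t.exposed_accounts):
        actions.append(f"reset password and revoke active sessions/tokens for {u}")
    for e in t.flagged_logins:
        actions.append(f"investigate sign-in by {e['user']} from {e['src']} at {e['ts']}")
    return actions


if __name__ == "__main__":
    for d in DETECTIONS:
        result = triage_detection(d, AUTH_LOGS)
        print(f"{d['host']}: exposed={sorted(result.exposed_accounts)} "
              f"flagged={len(result.flagged_logins)}")
        for a in recommended_actions(result):
            print("  -", a)
```

On the sample data this exposes j.doe and m.lee (both signed in from LT-4471 inside the lookback), ignores a.kim, and flags only the June sign-in by j.doe from an address the account had never used. The key design choice is that session revocation is applied to every exposed account immediately, not only to accounts with a suspicious later sign-in: stolen session cookies bypass a password reset, and the follow-on access may not have happened yet.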

How MOXFIVE Can Help

MOXGUARD: Strategic advisory including AD/identity assessments, CVE alerting prioritized to active ransomware exploitation, guidance on segmentation and backup hardening, tabletop exercises with response playbooks, and pre-positioned incident response.

Professional Services: Control validation through EDR coverage assessments, purple team exercises, network segmentation reviews, backup immutability and restoration testing, external attack surface reduction, and SIEM/XDR detection engineering.

Our team has handled hundreds of ransomware cases against the most advanced and active operations, aligning preventive, detective, and recovery controls to current threat actor TTPs. Contact us at 833-568-6695 or incident@moxfive.com.
