
Bitdefender Threat Debrief | June 2026


Why Are Leading Ransomware Groups Claiming the Same Victims?

This edition of the Bitdefender Threat Debrief covers the latest developments in the ransomware threat landscape, including a new pattern in which leading ransomware groups are increasingly reclaiming common victims. We're also covering additional developments, including an update on KryBit's activity, ShadowByt3$’s announcement on a new domain, Silent Ransom Group’s shift to physical infiltration, and more.

As ransomware continues to evolve, our goal with this monthly Bitdefender Threat Debrief is to help you stay ahead of the curve. To do this, we combine information from openly available sources (OSINT), such as news reports and research, with data we gather by analyzing Data Leak Sites (DLSs), websites where ransomware groups post details about their victims. It is important to remember that we can't independently verify all of these claims, but we are confident in the trends we see over time.


For this month's report, we analyzed data from May 1 to May 31 and recorded a total of 714 claimed ransomware victims.

Featured Story: Why Are Leading Ransomware Groups Repeatedly Claiming the Same Victims?

What Happened?

A curious pattern has emerged among some of the most active ransomware groups operating today. Over the past several quarters, Bitdefender researchers observed multiple instances where leading ransomware groups—including Qilin, The Gentlemen, DragonForce, and Coinbase Cartel—claimed victims who had already been publicly named by another major ransomware group weeks or even months earlier. 

Victim overlap is not unheard of in cybercrime. Organizations that fail to fully remediate a compromise can find themselves targeted again. What makes these cases noteworthy is the caliber of the threat actors involved. Rather than opportunistic or emerging groups recycling old targets, some of the ransomware ecosystem's most established operators appear to be drawing from the same pool of victims. 

This raises an important question: Are these groups competing against one another—or increasingly relying on the same criminal supply chain?
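To make the pattern described above concrete, here is an added Python example (not Bitdefender's tooling or data) that scans a constructed set of DLS claims for victims named by more than one group and reports the lag, in days, between the first public claim and each later one. The victim names and dates are invented; the group names are those discussed in this story.

```python
from collections import defaultdict
from datetime import date

# Constructed sample of DLS claims as (group, victim, date_posted); illustrative only.
CLAIMS = [
    ("Qilin", "example-manufacturing.test", date(2026, 1, 14)),
    ("The Gentlemen", "example-manufacturing.test", date(2026, 3, 2)),
    ("DragonForce", "example-logistics.test", date(2026, 2, 20)),
    ("Qilin", "example-logistics.test", date(2026, 5, 9)),
    ("Coinbase Cartel", "example-logistics.test", date(2026, 5, 21)),
    ("Akira", "example-retail.test", date(2026, 4, 3)),  # claimed once only
    ("Qilin", "Example Manufacturing", date(2026, 1, 14)),  # same org, different spelling
]

def normalize(victim):
    """Collapse case, punctuation and common suffixes so one org matches across DLSs."""
    v = victim.lower().strip()
    for suffix in (".test", ".com", ".net"):
        if v.endswith(suffix):
            v = v[: -len(suffix)]
    return "".join(ch for ch in v if ch.isalnum())

def find_reclaims(claims, min_gap_days=7):
    """Victims named by more than one group, with each later group's lag from the first claim.

    Re-posts by the same group and posts closer than min_gap_days are ignored so that
    mirrored or duplicated listings do not count as revictimization.
    """
    by_victim = defaultdict(list)
    for group, victim, posted in claims:
        by_victim[normalize(victim)].append((posted, group))
    reclaims = {}
    for key, posts in by_victim.items():
        posts.sort()
        first_date, first_group = posts[0]
        later = [(g, (d - first_date).days) for d, g in posts[1:]
                 if g != first_group and (d - first_date).days >= min_gap_days]
        if later:
            reclaims[key] = {"first": first_group, "reclaimed_by": later}
    return reclaims

def group_pairs(reclaims):
    """Count how often each (first claimant, later claimant) pair shares a victim."""
    counts = defaultdict(int)
    for r in reclaims.values():
        for later_group, _ in r["reclaimed_by"]:
            counts[(r["first"], later_group)] += 1
    return dict(counts)

if __name__ == "__main__":
    for victim, info in find_reclaims(CLAIMS).items():
        print(victim, info)
```

Over a real DLS feed the pair counts would show which brands most often draw from the same pool of victims, which is the signal the story above points to.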

Why Has This Pattern Emerged?

Several explanations could account for the growing overlap. 

One possibility is affiliate crossover. Many ransomware operations function as ransomware-as-a-service (RaaS) businesses, where affiliates move between programs or maintain relationships across multiple groups. In these cases, access to a compromised environment may effectively follow the affiliate rather than remain exclusive to a single ransomware brand.  

The Gentlemen was a former affiliate of Qilin, and DragonForce previously announced a partnership with Qilin. A collective like Coinbase Cartel, which focuses more on data exfiltration and on expanding a marketplace for access tools, would likewise lend its support and network in exchange for a larger share of profits. It is therefore unsurprising that affiliate overlap may be a driving factor in the sharing of resources and tactics across these groups.

However, affiliate overlap is only part of the story.

A broader explanation that accounts for this pattern is the increasing commoditization of tools and credentials. Access brokers, credential marketplaces, and stolen data repositories have created a thriving underground economy where multiple threat actors can purchase the same information, credentials, and attack infrastructure.

The widespread use of infostealers further amplifies this trend. These malware families harvest valuable assets such as session tokens, account credentials, browser-stored passwords, and other sensitive information. Once stolen, that data often finds its way into criminal marketplaces where it can be acquired by multiple buyers.

As a result, different ransomware groups are more likely to work with the same datasets, purchasing access from the same brokers, or leveraging identical logs and toolsets to compromise the same organizations.

In some cases, the second attack may not even require a new intrusion, because initial access to the environment had already been purchased well in advance, possibly by more than one party.

What Do Ransomware Groups Stand to Gain?

For ransomware operators, this model offers clear advantages. 

By purchasing access, credentials, and intelligence from third-party criminal suppliers, groups can reduce the resources required to conduct operations. Instead of investing heavily in exploit development, penetration testing capabilities, or custom intrusion tooling, they can focus on what generates revenue: extortion and data theft. 

The approach lowers operational costs, accelerates attacks, and allows ransomware groups to scale more efficiently. It can also muddy attribution processes as tools and infrastructure are sourced from different groups. However, the model also introduces new risks for threat actors. 

As more groups rely on the same criminal supply chains, they become increasingly dependent on external providers for access and intelligence. This creates a form of ecosystem concentration where disruption to key suppliers—or competition for the same victim data—could limit long-term effectiveness.

What Does This Mean for Organizations?

Taking both shifts in the prevalence of revictimization and the increased use of infostealers into account, organizations should not view ransomware incidents as isolated events. A compromise today may continue generating value for cybercriminals long after the initial attack, creating opportunities for multiple threat actors to exploit the same organization over time. 

Organizations are advised to remain aware not only of affiliate connections and group partnerships, but also of the tools employed in the cybercriminal ecosystem, especially infostealers and the customized variants derived from prominent families such as Lumma and RedLine.

In addition, stealing authenticated sessions typically takes far less time and effort than stealing passwords, making it an effective way to bypass MFA and evade detection by blending in with legitimate sign-on activity. Threat actors are increasingly targeting browser data to bypass multifactor authentication and maintain access. Platforms such as GitHub are also lucrative targets for these threat actors, who aim to steal projects that house intellectual property and data relevant to securing software and other infrastructure.

Security platforms focused solely on defending endpoint devices do not address this issue. Defenses must be comprehensive, covering multiple layers of credential usage monitoring and compromise detection, including behavioral analysis, network traffic monitoring, cloud resource hardening, API tracking, and the use of threat intelligence on stealers, other malware, and active marketplaces. The overall lesson is becoming increasingly clear: paying a ransom or recovering systems does not necessarily end the threat. In many cases, it may simply mark the beginning of a longer exposure cycle.

Join the Live Discussion 

We'll discuss more about this emerging situation and other notable ransomware developments during our monthly Ctrl-Alt-Decode debrief.


Other Notable Ransomware News

Now, let’s explore the notable news and findings since last month’s Threat Debrief.

  • ShinyHunters and KryBit fall from the Top 10 Groups: The Threat Debrief coverage from April included the featured story: KryBit v. 0APT, also covered in Ctrl-Alt-DECODE Episode 8. Since both groups were exposed, KryBit has fallen out of the Top 10. However, KryBit did continue their operations in May, claiming a total of 15 victims. The groups Nova and Bavacai, formerly known as MedusaLocker, joined the Top 10.
  • ShadowByt3$ announces BreachForums promotion: The group posted encouraging visitors to join the community on their BreachForums-affiliated domain. Since late 2025, multiple domains tied to BreachForums have been taken down by law enforcement; as of May 2026, several BreachForums domains have also been reported to law enforcement by a former ShinyHunters staff member. While ShadowByt3$ is not the first ransomware group to offer access to sites managed via BreachForums infrastructure, they have advised visitors to trust in their process.
  • First VPN takedown puts a stop to service used by ransomware groups: Operation Saffron resulted in the seizure of a platform more than ten years old that has been leveraged by ransomware groups and other criminals in order to maintain anonymity. The operation resulted in the seizure of more than 33 servers in addition to the extraction of user identities and IP addresses.
  • CISA reports a critical flaw involving the exploit of a SolarWinds Serv-U vulnerability: Threat actors are exploiting CVE-2026-28318, an authentication flaw, to gain access to the server environment and disrupt the Serv-U service. The flaw affects versions 15.5.4 and earlier of SolarWinds Serv-U. Organizations using the affected service are advised to apply the latest SolarWinds hotfix to mitigate the flaw. While the current volume of compromises associated with the exploitation of this flaw is unknown, ransomware groups like Clop have historically leveraged similar flaws in their campaigns.
  • Silent Ransom Group infiltrates organizations on-site: Silent Ransom Group, or SRG, a group known for establishing initial access via vishing and deploying custom ransomware, has incorporated physical access into recent campaigns. SRG has gradually claimed victims in multiple industries, including law offices and financial services. After a staff member is sent to a target's office, often under the guise of an IT technician, they talk employees into granting access, which then results in data exfiltration. Organizations are advised to enforce controls that address physical security risks and to stay informed about the tactics cyber threat actors use to conduct espionage.

Top 10 Ransomware Families

Bitdefender's Threat Debrief analyzes data from ransomware data leak sites, where groups publicize their claimed number of compromised organizations. This approach provides valuable insights into the overall activity of the RaaS market. However, there is a trade-off: while it reflects attackers' self-proclaimed success, the information comes directly from criminals and may be unreliable. Additionally, this method captures the number of victims claimed, not the actual financial impact of these attacks. Here are the Top 10 ransomware groups.


Top 10 Most Attacked Regions

Ransomware gangs prioritize targets where they can potentially squeeze the most money out of their victims. In many cases, this means focusing on developed countries with higher projected growth rates. Threat actors may also execute strategic attacks that unfold during geopolitical conflicts or periods of social unrest.

The Netherlands joins the Top 10 Regions: In May, Thailand fell from the Top 10 Regions ranks and the Netherlands claimed the 10th position. This is a significant change for the region, which had averaged fewer than 4 victims per month prior to May 2026. The ransomware groups The Gentlemen and DragonForce claimed responsibility for more than half of the victims based in the Netherlands in May.


Top 10 Most Attacked Industries

Ransomware gangs may target organizations in critical infrastructure sectors, select other organizations that offer services tailored to consumers, or attack organizations that fall into both categories. Understanding the trends and ramifications associated with specific industries, and how specialized services and clientele are impacted, is crucial for assessing risk. Here are the Top 10 industries affected by ransomware attacks.

In May, the construction industry surpassed both the manufacturing and technology industries as the industry most affected by ransomware. In addition, the wholesale industry joined the Top 10 Industries.


MDR Insights

Bitdefender MDR Insights consolidates key findings each month captured from real-world incidents. In May 2026, our MDR teams found that hallmarks of threat actor activity included:

  • Compromised credentials via VPN

  • Credential dumping through mechanisms like LSASS, NTDS, and LSA secrets

  • Remote Registry abuse and SMB-based credential harvesting

  • Persistence established through scheduled tasks, COM hijacking, and unauthorized services

  • Browser credential theft and infostealer activity

The MDR team shared several key observations after analyzing patterns across multiple incidents: 

“Credential theft is in many cases a precursor to ransomware and domain compromise. Attackers aren’t exploiting zero-days—they’re logging in with stolen credentials to infiltrate environments. MDR detects and blocks anomalous credential access activity before the attacker can get to the final stage.”

Bitdefender MDR technology:
  • Detects unauthorized access using valid credentials
  • Detects NTDS dumping, mimikatz, and privilege escalation attempts
  • Blocks SMB propagation and staging activity
  • Blocks attacker infrastructure and tooling
  • Identifies and removes persistence mechanisms
  • Guides credential reset and remediation efforts

Visit MDR and read the Bitdefender Ransomware white paper for more information on how to protect against ransomware.  

About Bitdefender Threat Debrief

The Bitdefender Threat Debrief (BDTD) is a monthly series analyzing threat news, trends, and research from the previous month. Don’t miss the next BDTD release: subscribe to the Business Insights blog and follow us on Twitter. You can find all previous debriefs here.

Bitdefender provides cybersecurity solutions and advanced threat protection to hundreds of millions of endpoints worldwide. More than 180 technology brands have licensed and added Bitdefender technology to their product or service offerings. This vast OEM ecosystem complements telemetry data already collected from our business and consumer solutions. To give you some idea of the scale, Bitdefender Labs discovers 1000+ new threats each minute and validates 50 billion threat queries daily. This gives us one of the industry’s most extensive real-time views of the evolving threat landscape.

We would like to thank Bitdefender's Stefan Hanu, Mihai Leonte, Gabriel Macovei, Andrei Mogage, and Nikki Salas for their help with putting this report together.
