Ransomnews has independently confirmed 9,291 ransomware attacks worldwide between January 2018 and July 2026. So far in 2026, 504 attacks have been confirmed, including 3 in July 2026. The dataset covers 149 countries, is verified by humans rather than scraped from leak sites, and every figure on this page is recalculated from the live database, refreshed weekly.
Data last updated: 8 July 2026
This page is the monthly statistics report for the Ransomnews Confirmed Ransomware Attacks Dataset. Unlike most ransomware statistics circulating online, which count unverified leak-site listings, every incident counted here has been independently confirmed through breach disclosures, regulatory filings, official statements, or credible press reporting. The tables below are generated directly from the live database, so they always reflect the current state of the dataset.
How many ransomware attacks are confirmed each year?
Confirmed ransomware attacks have run at roughly 1,400 to 1,550 per year since 2023, after a visible dip in 2022. The 2020 to 2021 surge, the 2022 trough (which coincided with the Conti shutdown and the Russia-Ukraine war reshuffling the ecosystem), and the post-2023 plateau are all visible in the yearly series. The current year always shows a partial count.
| Year | Confirmed attacks |
|---|---|
| 2018 | 168 |
| 2019 | 459 |
| 2020 | 1,226 |
| 2021 | 1,436 |
| 2022 | 960 |
| 2023 | 1,549 |
| 2024 | 1,546 |
| 2025 | 1,443 |
| 2026 (year to date) | 504 |
How many ransomware attacks were confirmed each month?
The monthly series below covers the trailing thirteen months. Read the most recent two to three months as provisional: confirmation lags the attack itself, sometimes by weeks, so recent months fill in as disclosures, filings and reporting catch up. A low figure for last month usually means confirmations are still arriving, not that attacks stopped.
| Month | Confirmed attacks |
|---|---|
| July 2025 | 89 |
| August 2025 | 132 |
| September 2025 | 145 |
| October 2025 | 116 |
| November 2025 | 108 |
| December 2025 | 116 |
| January 2026 | 91 |
| February 2026 | 86 |
| March 2026 | 113 |
| April 2026 | 87 |
| May 2026 | 69 |
| June 2026 | 55 |
| July 2026 | 3 |
Which ransomware groups have the most confirmed victims?
LockBit remains the all-time leader by confirmed victims, with more than 500 verified attacks attributed to the operation since 2019, ahead of Qilin, Akira and the now-defunct Conti. The first table shows the current year, which is where leadership changes show up first; the second shows the all-time ranking. Note that these are confirmed victims, so the numbers are lower, and more defensible, than the claim counts the groups themselves publish. Profiles of the major operators are in our threat group catalogue.
| # | Ransomware group | Confirmed victims, 2026 |
|---|---|---|
| 1 | Qilin | 53 |
| 2 | The Gentlemen | 51 |
| 3 | INC | 35 |
| 4 | LockBit | 26 |
| 5 | Akira | 23 |
| 6 | DragonForce | 18 |
| 7 | SafePay | 17 |
| 8 | Interlock | 10 |
| 9 | Play | 9 |
| 10 | Kairos | 8 |
| # | Ransomware group | Confirmed victims, all time |
|---|---|---|
| 1 | LockBit | 535 |
| 2 | Qilin | 300 |
| 3 | Akira | 284 |
| 4 | Conti | 270 |
| 5 | ALPHV/BlackCat | 217 |
| 6 | Play | 216 |
| 7 | INC | 202 |
| 8 | Black Basta | 173 |
| 9 | Maze | 170 |
| 10 | RansomHub | 164 |
Which countries have the most confirmed ransomware attacks?
The United States accounts for roughly half of all confirmed ransomware attacks in the dataset, followed at a distance by France, Germany, Japan, Canada and the United Kingdom. Part of that gap is real exposure and part is reporting bias: US breach-notification and SEC disclosure rules force more incidents onto the public record than most jurisdictions, which makes American attacks easier to confirm.
| # | Country | Confirmed, 2026 |
|---|---|---|
| 1 | United States | 170 |
| 2 | Japan | 63 |
| 3 | Germany | 41 |
| 4 | Australia | 25 |
| 5 | India | 14 |
| 6 | Spain | 13 |
| 7 | Taiwan | 12 |
| 8 | Switzerland | 11 |
| 9 | France | 10 |
| 10 | Turkey | 9 |
| # | Country | Confirmed, all time |
|---|---|---|
| 1 | United States | 5,004 |
| 2 | France | 496 |
| 3 | Germany | 396 |
| 4 | Japan | 353 |
| 5 | Canada | 346 |
| 6 | United Kingdom | 313 |
| 7 | Australia | 215 |
| 8 | Italy | 207 |
| 9 | Brazil | 152 |
| 10 | Spain | 140 |
Which industries does ransomware hit hardest?
Business is the largest umbrella category at around three fifths of confirmed attacks, but the standout concentrations are in the public-facing sectors: government, healthcare and education together account for well over a third of all confirmed incidents. These are the sectors where operational disruption is most visible, which drives both the targeting and the confirmation rate.
| Industry | Confirmed attacks | Share |
|---|---|---|
| Business | 5,635 | 60.7% |
| Government | 1,434 | 15.4% |
| Healthcare | 1,297 | 14% |
| Education | 925 | 10% |
| Sub-industry | Confirmed attacks |
|---|---|
| Healthcare | 1,595 |
| Government | 1,434 |
| Manufacturing | 1,037 |
| Education | 976 |
| Service | 633 |
| Other | 621 |
| Finance | 615 |
| Technology | 552 |
What are the most recent confirmed attacks?
The ten most recently confirmed incidents are listed below. For the live view, including unverified leak-site claims as they appear and the interactive map of all confirmed attacks, see the Ransomtracker.
| Date | Organisation | Country | Sector | Strain |
|---|---|---|---|---|
| July 2026 | Hahn Airport | Germany | Business / Transportation | SafePay |
| July 2026 | Universidad de Alicante | Spain | Education | Unknown |
| July 2026 | Spedidam | France | Business / Other | The Gentlemen |
| June 2026 | Meitetsu Kyosho Co., Ltd. | Japan | Business / Other | Unknown |
| June 2026 | Mount Royal University | Canada | Education | CMD Organization |
| June 2026 | Caritasverband Koblenz e.V. | Germany | Healthcare | SafePay |
| June 2026 | Ferrum AG | Switzerland | Business / Manufacturing | Anubis |
| June 2026 | River Financial Corporation (River Bank & Trust) | United States | Business / Finance | Unknown |
| June 2026 | GSP Crop Science Ltd | India | Business / Manufacturing | INC |
| June 2026 | City of Acworth | United States | Government | INC |
Where these numbers come from
The dataset behind this page is compiled and verified by Ransomnews. An incident is counted only when it is confirmed by at least one independent source: a disclosure by the victim, a regulatory or court filing, an official statement, or credible press reporting. Leak-site listings alone do not qualify, because operators inflate, duplicate and occasionally fabricate claims. Each confirmed record carries the attack month, the victim organisation, city and country, industry and sub-industry classification, and the ransomware strain where attribution is solid. Ransom amounts and records-affected counts are recorded only where they are on the public record, which is the minority of cases.
Coverage runs from January 2018 to the present across 149 countries. The database refreshes weekly; this report page recalculates from it on every load, and we review the editorial commentary monthly.
How to cite these statistics
Cite as: Ransomnews Confirmed Ransomware Attacks Dataset, Ransomnews.com, with a link to this page or to the Ransomtracker. Journalists and researchers can request bulk access, methodology details, or comment at [email protected]. We answer quickly and we correct the record when someone shows us we are wrong.
Frequently asked questions
How many ransomware attacks happen per year?
Independent verification puts the floor at roughly 1,400 to 1,550 confirmed ransomware attacks per year worldwide since 2023, based on the Ransomnews Confirmed Ransomware Attacks Dataset. The true total is higher, because many victims never disclose and many incidents are never independently verified, so confirmed counts should be read as a defensible minimum rather than the full picture.
How many ransomware attacks have there been in 2026?
The opening paragraph of this page shows the live 2026 count, recalculated from the database on every load. For orientation, more than 500 attacks had been confirmed by early July 2026, and the most recent months always fill in further as disclosures, filings and reporting catch up with the attacks themselves.
Which country has the most ransomware attacks?
The United States, by a wide margin: it accounts for roughly half of all ransomware attacks confirmed worldwide since 2018, with more than 5,000 verified incidents. France, Germany, Japan, Canada and the United Kingdom form the next tier, each in the hundreds. Strong US breach-notification and SEC disclosure rules also make American incidents easier to confirm, which inflates the US share somewhat.
What is the most active ransomware group right now?
By confirmed victims across the whole dataset, LockBit leads with more than 500 verified attacks since 2019. Leadership rotates as groups are disrupted and rebrand, and the current-year table on this page shows who leads right now; in 2026 the front of the field has been contested by Qilin, The Gentlemen and INC.
Are ransomware leak-site victim counts accurate?
Not on their own. Leak-site tallies measure what criminal operators claim, and those claims include duplicates, recycled data and outright fabrications, while some real attacks never appear on any leak site. This page counts only incidents verified through independent sources, which is why its totals sit below raw leak-site numbers and why the two should never be compared directly.
Do ransomware victims say whether they paid the ransom?
Rarely. Around nine in ten confirmed attacks in this dataset have no ransom figure on the public record, and most victims never state whether they paid at all. Any statistic about average ransom payments is therefore built on a small, self-selected sample and should be treated with caution.
Can I cite or republish these statistics?
Yes. Cite the figures as the Ransomnews Confirmed Ransomware Attacks Dataset, with a link to this page, which is the canonical and continuously updated source. Charts carry the ransomnews.com mark and may be reused with attribution; for bulk data access or methodology questions, contact [email protected].
Sources & further reading
- Ransomtracker: the live tracker, with the interactive map and the full confirmed dataset behind this page
- Threat group profiles: editorial coverage of the major ransomware operations
- Double extortion explained: how the dominant ransomware playbook actually works
- CISA StopRansomware: US government guidance and advisories
- FBI IC3: official US cybercrime complaint statistics, a useful comparison series
