Close Menu
  • Home
  • News
  • Security
  • Privacy
  • Cybercrime
    • Threat Groups
    • Ransomware
    • Explainers
    • Stealer Logs
  • AI
  • OSINT
  • Tools
    • Ransomtracker
    • Stealercheck
    • FortiBleed Checker
  • About Us
Facebook X (Twitter) Instagram Threads
Ransomnews
  • Home
  • News
  • Security
  • Privacy
  • Cybercrime
    • Threat Groups
    • Ransomware
    • Explainers
    • Stealer Logs
  • AI
  • OSINT
  • Tools
    • Ransomtracker
    • Stealercheck
    • FortiBleed Checker
  • About Us
Facebook X (Twitter) LinkedIn
Ransomnews
Ransomware

Ransomware statistics 2026: confirmed attacks by month

Ransomnews Research TeamBy Ransomnews Research TeamJuly 8, 2026Updated:July 8, 2026No Comments6 Mins Read7 Views
Share Facebook Twitter Pinterest LinkedIn Tumblr Email Copy Link
Ransomware statistics 2026: confirmed attacks by month, ransomnews.com
Share
Facebook Twitter LinkedIn Pinterest Email Copy Link

Ransomnews has independently confirmed 9,291 ransomware attacks worldwide between January 2018 and July 2026. So far in 2026, 504 attacks have been confirmed, including 3 in July 2026. The dataset covers 149 countries, is verified by humans rather than scraped from leak sites, and every figure on this page is recalculated from the live database, refreshed weekly.

Data last updated: 8 July 2026

This page is the monthly statistics report for the Ransomnews Confirmed Ransomware Attacks Dataset. Unlike most ransomware statistics circulating online, which count unverified leak-site listings, every incident counted here has been independently confirmed through breach disclosures, regulatory filings, official statements, or credible press reporting. The tables below are generated directly from the live database, so they always reflect the current state of the dataset.

How many ransomware attacks are confirmed each year?

Confirmed ransomware attacks have run at roughly 1,400 to 1,550 per year since 2023, after a visible dip in 2022. The 2020 to 2021 surge, the 2022 trough (which coincided with the Conti shutdown and the Russia-Ukraine war reshuffling the ecosystem), and the post-2023 plateau are all visible in the yearly series. The current year always shows a partial count.

Source: ransomnews.com
YearConfirmed attacks
2018168
2019459
20201,226
20211,436
2022960
20231,549
20241,546
20251,443
2026 (year to date)504
ransomnews.comCONFIRMED RANSOMWARE ATTACKS / YEAR168201845920191,22620201,436202196020221,54920231,54620241,44320255042026
Confirmed ransomware attacks per year, 2018 to present. Source: Ransomnews Confirmed Ransomware Attacks Dataset.

How many ransomware attacks were confirmed each month?

The monthly series below covers the trailing thirteen months. Read the most recent two to three months as provisional: confirmation lags the attack itself, sometimes by weeks, so recent months fill in as disclosures, filings and reporting catch up. A low figure for last month usually means confirmations are still arriving, not that attacks stopped.

Source: ransomnews.com
MonthConfirmed attacks
July 202589
August 2025132
September 2025145
October 2025116
November 2025108
December 2025116
January 202691
February 202686
March 2026113
April 202687
May 202669
June 202655
July 20263

Which ransomware groups have the most confirmed victims?

LockBit remains the all-time leader by confirmed victims, with more than 500 verified attacks attributed to the operation since 2019, ahead of Qilin, Akira and the now-defunct Conti. The first table shows the current year, which is where leadership changes show up first; the second shows the all-time ranking. Note that these are confirmed victims, so the numbers are lower, and more defensible, than the claim counts the groups themselves publish. Profiles of the major operators are in our threat group catalogue.

Source: ransomnews.com
#Ransomware groupConfirmed victims, 2026
1Qilin53
2The Gentlemen51
3INC35
4LockBit26
5Akira23
6DragonForce18
7SafePay17
8Interlock10
9Play9
10Kairos8
Source: ransomnews.com
#Ransomware groupConfirmed victims, all time
1LockBit535
2Qilin300
3Akira284
4Conti270
5ALPHV/BlackCat217
6Play216
7INC202
8Black Basta173
9Maze170
10RansomHub164

Which countries have the most confirmed ransomware attacks?

The United States accounts for roughly half of all confirmed ransomware attacks in the dataset, followed at a distance by France, Germany, Japan, Canada and the United Kingdom. Part of that gap is real exposure and part is reporting bias: US breach-notification and SEC disclosure rules force more incidents onto the public record than most jurisdictions, which makes American attacks easier to confirm.

Source: ransomnews.com
#CountryConfirmed, 2026
1United States170
2Japan63
3Germany41
4Australia25
5India14
6Spain13
7Taiwan12
8Switzerland11
9France10
10Turkey9
Source: ransomnews.com
#CountryConfirmed, all time
1United States5,004
2France496
3Germany396
4Japan353
5Canada346
6United Kingdom313
7Australia215
8Italy207
9Brazil152
10Spain140

Which industries does ransomware hit hardest?

Business is the largest umbrella category at around three fifths of confirmed attacks, but the standout concentrations are in the public-facing sectors: government, healthcare and education together account for well over a third of all confirmed incidents. These are the sectors where operational disruption is most visible, which drives both the targeting and the confirmation rate.

Source: ransomnews.com
IndustryConfirmed attacksShare
Business5,63560.7%
Government1,43415.4%
Healthcare1,29714%
Education92510%
Source: ransomnews.com
Sub-industryConfirmed attacks
Healthcare1,595
Government1,434
Manufacturing1,037
Education976
Service633
Other621
Finance615
Technology552

What are the most recent confirmed attacks?

The ten most recently confirmed incidents are listed below. For the live view, including unverified leak-site claims as they appear and the interactive map of all confirmed attacks, see the Ransomtracker.

Source: ransomnews.com
DateOrganisationCountrySectorStrain
July 2026Hahn AirportGermanyBusiness / TransportationSafePay
July 2026Universidad de AlicanteSpainEducationUnknown
July 2026SpedidamFranceBusiness / OtherThe Gentlemen
June 2026Meitetsu Kyosho Co., Ltd.JapanBusiness / OtherUnknown
June 2026Mount Royal UniversityCanadaEducationCMD Organization
June 2026Caritasverband Koblenz e.V.GermanyHealthcareSafePay
June 2026Ferrum AGSwitzerlandBusiness / ManufacturingAnubis
June 2026River Financial Corporation (River Bank & Trust)United StatesBusiness / FinanceUnknown
June 2026GSP Crop Science LtdIndiaBusiness / ManufacturingINC
June 2026City of AcworthUnited StatesGovernmentINC

Where these numbers come from

The dataset behind this page is compiled and verified by Ransomnews. An incident is counted only when it is confirmed by at least one independent source: a disclosure by the victim, a regulatory or court filing, an official statement, or credible press reporting. Leak-site listings alone do not qualify, because operators inflate, duplicate and occasionally fabricate claims. Each confirmed record carries the attack month, the victim organisation, city and country, industry and sub-industry classification, and the ransomware strain where attribution is solid. Ransom amounts and records-affected counts are recorded only where they are on the public record, which is the minority of cases.

Coverage runs from January 2018 to the present across 149 countries. The database refreshes weekly; this report page recalculates from it on every load, and we review the editorial commentary monthly.

How to cite these statistics

Cite as: Ransomnews Confirmed Ransomware Attacks Dataset, Ransomnews.com, with a link to this page or to the Ransomtracker. Journalists and researchers can request bulk access, methodology details, or comment at [email protected]. We answer quickly and we correct the record when someone shows us we are wrong.

Frequently asked questions

How many ransomware attacks happen per year?

Independent verification puts the floor at roughly 1,400 to 1,550 confirmed ransomware attacks per year worldwide since 2023, based on the Ransomnews Confirmed Ransomware Attacks Dataset. The true total is higher, because many victims never disclose and many incidents are never independently verified, so confirmed counts should be read as a defensible minimum rather than the full picture.

How many ransomware attacks have there been in 2026?

The opening paragraph of this page shows the live 2026 count, recalculated from the database on every load. For orientation, more than 500 attacks had been confirmed by early July 2026, and the most recent months always fill in further as disclosures, filings and reporting catch up with the attacks themselves.

Which country has the most ransomware attacks?

The United States, by a wide margin: it accounts for roughly half of all ransomware attacks confirmed worldwide since 2018, with more than 5,000 verified incidents. France, Germany, Japan, Canada and the United Kingdom form the next tier, each in the hundreds. Strong US breach-notification and SEC disclosure rules also make American incidents easier to confirm, which inflates the US share somewhat.

What is the most active ransomware group right now?

By confirmed victims across the whole dataset, LockBit leads with more than 500 verified attacks since 2019. Leadership rotates as groups are disrupted and rebrand, and the current-year table on this page shows who leads right now; in 2026 the front of the field has been contested by Qilin, The Gentlemen and INC.

Are ransomware leak-site victim counts accurate?

Not on their own. Leak-site tallies measure what criminal operators claim, and those claims include duplicates, recycled data and outright fabrications, while some real attacks never appear on any leak site. This page counts only incidents verified through independent sources, which is why its totals sit below raw leak-site numbers and why the two should never be compared directly.

Do ransomware victims say whether they paid the ransom?

Rarely. Around nine in ten confirmed attacks in this dataset have no ransom figure on the public record, and most victims never state whether they paid at all. Any statistic about average ransom payments is therefore built on a small, self-selected sample and should be treated with caution.

Can I cite or republish these statistics?

Yes. Cite the figures as the Ransomnews Confirmed Ransomware Attacks Dataset, with a link to this page, which is the canonical and continuously updated source. Charts carry the ransomnews.com mark and may be reused with attribution; for bulk data access or methodology questions, contact [email protected].

Sources & further reading

  • Ransomtracker: the live tracker, with the interactive map and the full confirmed dataset behind this page
  • Threat group profiles: editorial coverage of the major ransomware operations
  • Double extortion explained: how the dominant ransomware playbook actually works
  • CISA StopRansomware: US government guidance and advisories
  • FBI IC3: official US cybercrime complaint statistics, a useful comparison series
Share. Facebook Twitter Pinterest LinkedIn Tumblr Telegram Email Copy Link
Previous ArticleXSS forum: from DaMaGeLaB to the 2025 takedown
Ransomnews Research Team

The Ransomnews Research Team is the collective byline used for collaborative pieces, editorial briefings, and articles drawing on contributions from multiple researchers. Coverage spans ransomware operations, breach economics, threat actor profiling, OSINT methodology, and emerging risks across security, privacy, and AI.

Related Posts

ESXi ransomware in 2026: one host, the whole datacenter

June 24, 2026

MSPs: ransomware’s #1 target of 2026 [Field Report]

May 11, 2026

LockBit, 2 years after Operation Cronos: where are they now?

May 11, 2026

Comments are closed.

Facebook X (Twitter) LinkedIn
© 2026 Ransomnews.com

Type above and press Enter to search. Press Esc to cancel.

Cookies on Ransomnews

We use strictly-necessary cookies to run the site and may use first-party analytics to understand which articles are read. Some pages contain affiliate links — when you click one, the affiliate network sets cookies on the merchant's domain to attribute the referral. See the Cookie Policy and Affiliate Disclosure for detail.

RANSOMNEWS.COM

Tracking the criminal infrastructure of the internet.

Independent coverage of ransomware, breach economics, threat actors, privacy, AI security, and the open-source investigation toolkit.

// Topics

  • News
  • Security
  • Privacy
  • Cybercrime
  • AI
  • OSINT
  • Threat Groups
  • Stealer Logs
  • Ransomtracker
  • Stealercheck
  • FortiBleed Checker

// Site

  • About Us
  • Editorial Team
  • Contact
  • Tip Line
  • Editorial

// Legal

  • Privacy Policy
  • Terms of Service
  • Cookie Policy
  • Funding & Independence
  • RSS Feed
© 2026 Ransomnews.com · Tracking the criminal infrastructure of the internet.