
2026 ransomware victim toll: countries, sectors, operators

By Ransomnews Research Team, May 11, 2026

Published May 2026, by the Ransomnews Research Team. Based on the listings tracked on our Ransomtracker dashboard through 5 May 2026.

The headline number you’ll see quoted from most monitoring shops this year is “claimed ransomware victims”, usually presented without scale, sector breakdown, or operator attribution. That figure on its own is half a story. Below the topline, the 2026 ransomware economy is splitting into three distinct tiers that look nothing like the unified “ransomware threat” the marketing decks describe, and the practical conclusions for defenders look different by tier.

This is a structured read of the 2026 victim toll through 5 May. All numbers come from the leak-site listings our Ransomtracker aggregates. They undercount the broader incident space (not every victim is named publicly, and not every named victim refused to pay), but they’re the cleanest comparable signal across operators.

The topline shape of 2026 so far

Through the first four months of 2026, the named victim count tracked on our public dashboard is running roughly 22% behind the same period of 2025. That’s not because attacks are down. It reflects two structural shifts: more incidents are resolved before leak-site publication (paid quietly, especially in the energy and finance verticals); and the share of attacks running pure data-extortion playbooks (no encryption, no public deadline) has grown again year-on-year, displacing some volume from the publicly-tracked tally into private negotiations.

For the analyst tracking long-term trends, that means the leak-site count is becoming a less complete proxy for total ransomware activity than it was even two years ago. Treat it as a useful but partial signal: strong on which operators are running campaigns publicly, weaker on the underlying incident volume.

The operator distribution: three tiers, not one ecosystem

The 2026 leak-site economy splits cleanly into three tiers by claimed-victim count:

  • Tier 1: three operators currently running roughly 500+ victims year-to-date (Qilin, The Gentlemen, and Akira). Combined, they account for a little over a third of all named listings on the tracker. Each is a Russian-language-speaking RaaS operation with a stable affiliate roster.
  • Tier 2: five mid-volume operators running between 100 and 300 victims year-to-date (Inc Ransom, NightSpire, DragonForce, Cl0p, LockBit 5). Their playbooks are mixed: Inc and NightSpire are conventional double-extortion; Cl0p continues its mass-exploitation pattern when a perimeter CVE drops; LockBit 5 is the post-Cronos reboot; DragonForce reuses leaked builders from older families.
  • Tier 3: a long tail of dozens of operators each running fewer than 80 victims YTD (Play, Coinbase Cartel, and twenty-odd smaller crews). Many appear, post a handful of victims, then go dormant for weeks before resurfacing under the same banner.

The Tier 1 concentration is the most policy-relevant signal. Cl0p’s dominance in 2023 (peaking with the MOVEit campaign) and LockBit’s dominance in 2024 both produced consequential law-enforcement responses. Qilin’s current scale, particularly after the 2024 attack on London-based pathology provider Synnovis that disrupted NHS hospitals, is the natural candidate for a similar coordinated take-down, and is what defenders should plan around.

Country-level signals from victim-domain TLDs

The upstream leak-site data doesn’t expose a country field per victim, but the public victim TLDs give a usable proxy. Through 5 May 2026, the distribution on our tracker breaks down approximately as:

  • .com dominates as usual (~65% of all listings), reflecting the prevalence of US-headquartered organisations and international companies that use .com as a primary domain.
  • .org sits in second (~5%), heavily weighted toward US non-profits, charities, and healthcare networks.
  • .it, .com.au, .de, .ca, and .co.uk each contribute 2–4%, suggesting consistent attention to Italian, Australian, German, Canadian, and UK targets respectively.
  • .com.br, .fr, and .at appear in the next band, with Brazil, France, and Austria seeing material campaign activity.

The TLD-as-proxy reading has obvious limits (a UK company on a .com domain shows as .com), but the relative shifts year-over-year are still informative. The notable 2025-to-2026 change is the rise of .com.au, which has roughly doubled in share, consistent with the credible reporting on Australian retail and healthcare being unusually heavily targeted in the past nine months.
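The TLD-as-proxy tally described above, as an added example that is not Ransomtracker's own code: it normalises leak-site victim entries, maps each to its public suffix, and computes percentage shares. The suffix set, function names and sample listings are assumptions made for illustration; a production pipeline would use the full Public Suffix List.

```python
from __future__ import annotations

from collections import Counter

# Assumption: a hand-picked set of two-label public suffixes covering the TLDs
# the article names. Without it, .com.au and .co.uk collapse into .au and .uk.
MULTI_LABEL_SUFFIXES = {"com.au", "co.uk", "com.br"}


def suffix_of(listing: str) -> str | None:
    """Return the public suffix (e.g. '.com.au') of a leak-site victim entry.

    Returns None for entries that are not usable domains (free-text company
    names, bare IP addresses), so they are excluded from the shares.
    """
    host = listing.strip().lower()
    # Listings often carry a scheme, path or port; keep only the hostname.
    host = host.split("://", 1)[-1].split("/", 1)[0].split(":", 1)[0].rstrip(".")
    labels = host.split(".")
    if len(labels) < 2 or " " in host or not all(labels):
        return None
    if labels[-1].isdigit():  # IPv4 literal, not a domain
        return None
    last_two = ".".join(labels[-2:])
    if len(labels) >= 3 and last_two in MULTI_LABEL_SUFFIXES:
        return "." + last_two
    return "." + labels[-1]


def tld_shares(listings: list[str]) -> tuple[dict[str, float], int]:
    """Percentage share per suffix, plus the count of unclassifiable entries.

    Duplicate listings count as separate entries, matching the article's
    methodology note.
    """
    suffixes = [suffix_of(x) for x in listings]
    counts = Counter(s for s in suffixes if s is not None)
    total = sum(counts.values())
    shares = {s: round(100 * n / total, 1) for s, n in counts.most_common()}
    return shares, suffixes.count(None)


# Constructed sample listings (not real victims).
SAMPLE = [
    "https://www.constructed-widgets.com/", "constructed-law.co.uk",
    "Constructed-Retail.com.au", "constructed-clinic.org", "constructed-steel.de",
    "constructed-widgets.com", "Constructed Holdings Ltd", "203.0.113.7",
    "constructed-build.com", "constructed-foods.com.au",
]
```

Reporting the unclassifiable count alongside the shares keeps the denominator honest when a leak site lists victims by company name rather than domain.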

Sector concentration: where the victims are

Sector data isn’t surfaced cleanly by upstream listings either, so the analysis depends on per-victim research. From the manual classification our editorial team maintains on the listings we cover, the 2026 sector breakdown looks like:

  • Manufacturing remains the single most-targeted sector at roughly 18% of listings, continuing its 2023–2025 lead. The structural reasons haven’t changed: operational pressure to pay, mixed IT/OT environments, complex supply-chain dependencies.
  • Professional services (law firms, accountancy, consulting) has climbed to roughly 13% in 2026, up from ~9% in 2024. The driver is the value of the data (privileged client material, M&A documents, regulator correspondence) rather than operational disruption.
  • Healthcare holds at around 12% despite international pressure on operators to leave hospitals alone. The bigger story is that several operators publicly state a “no hospitals” rule and then breach it through their affiliates anyway. Qilin’s 2024 Synnovis attack is the canonical example.
  • Construction and real estate together account for about 11%: a historically under-covered sector, increasingly attractive because of large invoicing flows and limited mature IT spend.
  • Retail and consumer goods at around 9%, weighted heavily toward the second half of the year (operators time campaigns to maximise pressure during peak retail periods).
  • Education at around 7%, biased toward US K-12 districts and mid-sized UK universities.
  • Public sector at around 6%, including US municipalities, European regional councils, and a steady drip of agency-level breaches.

The 2024-to-2026 mover is professional services. The MSP-as-target trend (see our forthcoming piece on this) is part of the same broader pattern: attackers are increasingly targeting the firms that hold data on many downstream customers, because one successful intrusion yields leverage over a portfolio.

The payment signal

Public payment-rate estimates published by Chainalysis, Coveware, and the FBI consistently show payment rates declining year-over-year through 2024 and 2025. Coveware’s most recent quarterly reports indicate that the share of victims that ultimately pay has fallen below 30%, down from over 70% in 2019.

That number understates the practical pressure on enterprise victims because it doesn’t distinguish between encryption-only attacks (where backups frequently get an organisation back without paying) and data-extortion-driven attacks (where backups don’t help). For the data-extortion subset, the payment rate remains materially higher, because the value at stake is regulatory and reputational rather than operational.

The strategic implication: as payment rates fall, operators rationally invest more in the data-extortion playbook (where they retain leverage) and less in the encryption-deployment phase (which backups now defeat). This is exactly what we observe across the operator landscape on the leak-site tracker: encryption-only listings are vanishing as a category; data-extortion-only listings are growing.

What this means for defenders in May 2026

  • Treat the leak-site count as a partial signal, not ground truth. Pair it with insurer-side incident reporting (S-RM, Coveware) and national-CERT advisories for a fuller picture.
  • Plan around Tier 1 first. Three operators are doing the bulk of the visible volume; your detection and IR runbook should specifically address their TTPs. See our Threat Groups archive for the named profiles.
  • Sector-realistic spending. If you’re in manufacturing, professional services, healthcare, or mid-tier construction/real estate, you’re in the top quartile of attacker focus. Budget accordingly.
  • Data-extortion-first incident response. Backups have largely solved the encryption problem; they don’t solve data publication. Update your runbook (see our IR runbook walkthrough) so the data-extortion path is the primary path, not the exception.
  • Geographic awareness. If you operate in Italy, Australia, Germany, Canada, the UK, or Brazil, the data shows non-trivial attention from English-speaking operators. The mistaken assumption that “we’re not in the US so we’re not a target” no longer holds.

Methodology notes

The Ransomtracker dataset reflects leak-site listings only: not all incidents, not all paid ransoms, not all stolen-data publications. We treat duplicate listings (a victim showing up on two operators’ leak sites, which happens occasionally) as separate entries. Sector classification is editorial and based on public information about each named victim; we don’t enrich from third-party data sources. Country-level inference from TLDs is approximate and noted as such throughout. Numbers in this article reflect data through 5 May 2026; the dashboard itself updates every ten minutes from upstream.

For real-time numbers, the Ransomtracker dashboard is the live equivalent of this snapshot. For editorial coverage of any named operator referenced above, see the Threat Groups archive.
