
























Global ransomware attacks reached a new high in H1 of 2026 with an average of 23 attacks per day.
During the first six months of 2026, we logged 4,217 ransomware attacks. This is an 11 percent increase on the second half of 2025 (3,809).
| Date | Total Attacks | # of Days | Attacks per Day |
|---|---|---|---|
| H1 2024 | 2,456 | 182 | 13 |
| H2 2024 | 3,179 | 184 | 17 |
| H1 2025 | 3,706 | 181 | 20 |
| H2 2025 | 3,809 | 184 | 21 |
| H1 2026 | 4,217 | 181 | 23 |
Of these 4,217 attacks, 484 were confirmed by the targeted organizations. The rest were claimed by ransomware groups on their data leak sites but have not been publicly acknowledged by the targets.
Attacks on governments and businesses rose by 12 percent, while the healthcare sector saw a four percent increase. Attacks on education dropped by 13 percent.
Within the business sector, the manufacturing industry remains the most targeted, accounting for just over 22 percent of attacks across all businesses (822 in total). Here, attacks increased by 10 percent when compared to H2 of 2025 (750).
This increase wasn’t the largest, though. Transportation companies saw the biggest uptick in attacks (up 52%). Healthcare businesses–those operating within the sector but not providing direct care, e.g. pharmaceutical companies and billing providers–also saw a large increase in attacks (up 35%), as did retailers (up 28%) and tech companies (up 23%).
Also of note in H1 2026 was a decline in the number of attacks carried out in the US. Here, attacks dropped by eight percent when compared to H2 2025. This is likely due to the large number of claims made by The Gentlemen. Unlike many of its counterparts, The Gentlemen’s attacks aren’t heavily concentrated in the US. Just over 17 percent of its attacks were carried out on US organizations, compared to 47 percent of Qilin’s attacks.
The Gentlemen also rose to become the most prolific ransomware strain in June 2026, knocking Qilin off the top spot for the first time in many months. It claimed 115 victims in June alone, compared to 78 from Qilin.
*6 attacks were on unknown companies that couldn’t be attributed to a specific sector.
We categorize attacks into four sectors: business, education, government, and healthcare. All sectors bar education saw an increase in attacks from H2 2025 to H1 2026.
As we have already noted, some business sectors were more heavily targeted than others, including:
According to our data, the following organizations saw the biggest ransom demands (across confirmed attacks) in the first half of 2026. Note that most companies and ransomware groups do not disclose their ransom demands, so data is limited.
All five of the biggest reported data breaches from 2026 so far occurred in Japan. It’s important to note here that this doesn’t necessarily point toward Japan being subject to bigger breaches, but is more likely to be a result of a prompt and efficient data breach reporting system.
Also in the top 10 are F-One Co., Ltd., Japan (170,000), Köfteci Yusuf, Turkey (163,000), Beacon Mutual Insurance Company, US (162,439), the City of Suffolk, US (157,725), and Plaza Home Mortgage, US (137,976).
Qilin takes the top spot overall with 641 attack claims, but in June it was overtaken for the first time in many, many months. In June 2026, Qilin added 78 victims to its data leak site. The Gentlemen added 115.
The Gentlemen has gained notoriety in recent months, with a large number of its attack claims confirmed. In June alone, it was confirmed as the gang behind seven attacks, including the one on Australia’s Mackay Sugar, which caused huge disruptions to its operations.
Looking at The Gentlemen’s confirmed attacks throughout the first half of 2026 (50 in total), governments were a key target (10 attacks confirmed) as were manufacturers (10 attacks confirmed).
Across Qilin’s confirmed attacks (54 in total), governments were also a focus (9), as was healthcare (8).
The US was the most heavily targeted country in the first half of 2026 with 1,832 attacks recorded here in total. This was an eight percent decrease on H2 of 2025’s figure, though (1,985).
Out of all the countries that saw the highest number of attacks in H1 of 2026, the US was the only one to see a decline. As mentioned, this could be due to the high number of claims from The Gentlemen, which aren’t concentrated within the US, unlike other groups.
Canada had the second-highest figure (200), a four percent increase from H2 of 2025 (192). Germany, the United Kingdom, Italy, France, and Spain made up the rest of the top most targeted countries, with Italy seeing the biggest increase in attack levels (up 66%).
China saw one of the biggest influxes in attacks, rising by 540 percent from 5 in H2 of 2025 to 30 in H1 of 2026. Chile also saw a big increase (up 200%), as did Hong Kong (up 167%), Taiwan (up 161%), Czechia (up 150%), and South Africa (up 140%).
We label a ransomware attack as “confirmed” when a) the targeted organization publicly discloses an attack that involved ransomware, or b) the targeted organization publicly acknowledges a cyber attack that matches a claim made by a ransomware group. If a ransomware group claims that it successfully attacked an organization, but the organization never acknowledged an attack, then we label the attack as “unconfirmed.”
An attack might be unconfirmed because the ransomware group making the claim is lying, or because the targeted organization chose not to disclose the attack to the public. Ransomware groups post their attack claims on their respective websites, where the data is auctioned or released when organizations don’t meet their ransom demands.
Organizations in the US are required to disclose data breaches, which often result from ransomware attacks, to state officials when they meet certain thresholds. Not all countries have breach disclosure laws.
When an attack is confirmed, it is removed from our list of unconfirmed attacks. Therefore, we must allow for some changes in figures when comparing monthly figures, especially when using unconfirmed attack claims. Claims from ransomware groups often come about a month after the attack, if not longer. For example, if a ransomware gang claims an attack in January 2025, it may later be confirmed as an attack in December 2024 and will, therefore, be attributed to a different month.
All data is derived from our worldwide ransomware tracker (updated daily) – here .
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。