What is a ransomware attack?

A ransomware attack is a type of cyberattack where malicious software encrypts a victim's data, and the attacker demands a ransom payment to restore access. Ransomware can target individuals, businesses, and critical infrastructure, often causing significant financial and operational damage.

Which industries are most targeted by ransomware?

Healthcare, financial services, manufacturing, government, and education sectors are among the most frequently targeted by ransomware attacks due to their reliance on critical data and often legacy IT infrastructure.

How does Rankiteo track ransomware incidents?

Rankiteo continuously monitors public threat intelligence feeds, breach disclosure databases, dark web activity, and security advisories to track ransomware incidents globally. Each incident is categorized by strain, severity, affected industry, and threat actor.

What is Ransomware-as-a-Service (RaaS)?

Ransomware-as-a-Service (RaaS) is a business model where ransomware developers lease their malware to affiliate operators in exchange for a percentage of collected ransoms. This model has dramatically lowered the barrier to entry for cybercriminals and driven the proliferation of strains like LockBit, ALPHV/BlackCat, and Cl0p.

What is double extortion in ransomware?

Double extortion is a tactic where ransomware operators not only encrypt a victim's data but also exfiltrate it before encryption. They then threaten to publish the stolen data on leak sites unless the ransom is paid, adding reputational and regulatory pressure to the financial demand.

How are ransomware severity scores calculated?

Rankiteo assigns each ransomware incident a severity score from 1 to 10 based on factors including the scope of impact (number of affected entities), the industry involved, data exfiltration status, the ransomware strain's known capabilities, and any confirmed ransom demands or payments.

Ransomware Tracker & Statistics

Real-time analytics on 18,020 ransomware incidents tracked by Rankiteo. Explore ransomware strains, affected industries, threat actors, and severity trends shaping the global threat landscape.

18,020

Ransomware Incidents

Known Strains

20.8K

Companies Affected

79.2

Avg Severity

Ransomware Strains

Unknown

High

16522 incidents91.7%Avg sev: 77.7

Qilin

Critical

132 incidents0.7%Avg sev: 98.3

Cl0p

Critical

109 incidents0.6%Avg sev: 93.8

LockBit

Critical

106 incidents0.6%Avg sev: 96.7

ALPHV/BlackCat

Critical

76 incidents0.4%Avg sev: 97

Akira

Critical

75 incidents0.4%Avg sev: 97.5

Medusa

Critical

49 incidents0.3%Avg sev: 97.1

Rhysida

Critical

46 incidents0.3%Avg sev: 95.4

Everest

Critical

42 incidents0.2%Avg sev: 98

Conti

Critical

37 incidents0.2%Avg sev: 97.4

INC Ransom

Critical

28 incidents0.2%Avg sev: 97.9

REvil/Sodinokibi

Critical

26 incidents0.1%Avg sev: 93.7

Ransomware Incidents Over Time

Most Targeted Industries

Hospitals and Health Care

1597

Financial Services

910

Software Development

768

Government Administration

747

IT Services and IT Consulting

524

Insurance

465

['Software Development']

450

Higher Education

432

Retail

372

Banking

340

Education Administration Programs

303

Non-profit Organizations

258

Threat Actors

Insider147

Qilin144

ShinyHunters134

Cl0p122

Hacker104

LockBit97

Cybercriminal72

Akira68

ALPHV/BlackCat65

Everest44

Rhysida44

Scattered Spider41

INC Ransom38

Play38

Anonymous38

Medusa34

Recent Ransomware Incidents

Incident	Severity	Strain	Industry	Date
UnitedHealth, Ticketmaster, MGM Resorts, Ripple, Snowflake, Google, Allianz, Equifax, Maersk, Toyota, Merck and Oracle: 2025 Cybersecurity Almanac: 100 Facts, Figures, Predictions And Statistics	100 (Critical)	Akira	['Hospitality', 'Pharmaceutical Manufacturing', 'Technology, Information and Internet', 'Financial Services', 'Software Development', 'Entertainment Providers', 'IT Services and IT Consulting', 'Motor Vehicle Manufacturing', 'Hospitals and Health Care', 'Transportation, Logistics, Supply Chain and Storage']	2025-12-11 00:00:00
Hong Kong precision components supplier and Italian maritime port authority: Ransomware Groups Surge In Q4 2025 – Cyble Insights	100 (Critical)	Qilin	['International Trade and Development', 'Computer and Network Security']	2026-01-01 00:00:00
Tencent, MySpace, Twitter, Weibo, Canva, Adobe, Deezer, AdultFriendFinder, U.S. Government and Brazil Government: The 12-Terabyte Ghost: How a Record-Shattering Data Leak Is Arming a New Generation of Cyberattacks	100 (Critical)	Unknown	['Software Development', 'Technology, Information and Internet', 'Government Administration', 'Entertainment Providers', 'Musicians']	2025-01-01 00:00:00
SolarWinds, Kaseya, MoveIt Transfer, PowerSchool, DaVita, NASCAR, Marks & Spencer, Caesars Entertainment and Change Healthcare: Ransomware trends, statistics and facts in 2026	100 (Critical)	Cl0p	['Hospitality', 'Consumer Services', 'Spectator Sports', 'E-Learning Providers', 'Retail', 'Software Development', 'Information Technology & Services', 'Hospitals and Health Care']	2024-12-25 00:00:00
Udemy, McGraw-Hill, Vercel and Harvard University: Udemy Data Breach – ShinyHunters Allegedly Claims Compromise of 1.4M User Records	100 (Critical)	Unknown	['Higher Education', 'E-Learning Providers', 'Software Development', 'Education Administration Programs']	2026-04-24 00:00:00
Broadcom	100 (Critical)	Cl0p	Semiconductor Manufacturing	2025-06-16 00:00:00
Shoppers Drug Mart, President’s Choice, Loblaw, No Frills and PC Optimum: “Threat Actor” on the dark web claims Loblaw’s “low-level” data breach is a much larger threat	100 (Critical)	Unknown	['Financial Services', 'Retail', 'Retail Groceries']	2026-03-13 00:00:00
Heathrow Airport, Copenhagen Airport and Charles de Gaulle Airport: Major cyberattack on aviation IT systems snarls flights across Europe and hits Prague connections	100 (Critical)	Unknown	['Airlines and Aviation']	2026-04-07 00:00:00
openSUSE, CentOS, AlmaLinux, Ubuntu and Fedora: Dirty Frag Linux Vulnerability Let Attackers Gain Root Privileges – PoC Released	100 (Critical)	Unknown	['Software Development', 'IT Services and IT Consulting']	2026-05-07 00:00:00
Capcom, Coinbase, Hertz, Conduent, Insight Partners, Pinellas County, Arapahoe County and Lincoln Parish: U.S. Government & Enterprise	100 (Critical)	LockBit	['Market Research', 'Computer Games', 'Travel Arrangements', 'Financial Services', 'Business Consulting and Services', 'Investment Banking', 'Government Administration']	2024-01-01 00:00:00
Linksys, Hikvision, Cisco, Ubiquiti, Draytek, Fortinet, Araknis and Mimosa Networks: China-Linked JDY Botnet Uses 1,500+ SOHO and IoT Devices for Rapid Vulnerability Exploitation	100 (Critical)	Unknown	['Software Development', 'Computer Networking Products', 'Telecommunications', 'Engineering Services', 'Technology, Information and Internet', 'IT Services and IT Consulting', 'Computer and Network Security']	2024-01-01 00:00:00
Co-operative Group, Ingram Micro, Salesforce, Jaguar Land Rover, Oracle, Synnovis and DaVita: Top 10 Ransomware Attacks Over The Past Year	100 (Critical)	Unknown	['Retail', 'Software Development', 'Information Technology & Services', 'IT Services and IT Consulting', 'Hospitals and Health Care', 'Motor Vehicle Manufacturing', 'Medical and Diagnostic Laboratories']	2025-01-01 00:00:00
Lamborghini, Volkswagen Group, Porsche, Bentley, Škoda, SEAT and Audi: Volkswagen Allegedly Hit by Ransomware Attack as 8Base Claims Sensitive Data Theft	100 (Critical)	Phobos variant	['Motor Vehicle Manufacturing']	2025-10-19 00:00:00
Social Security Administration: The Social Security data breach is a national-security disaster that could hurt Americans for the rest of their lives: whistleblower	100 (Critical)	Unknown	['Insurance']	2026-02-04 17:42:00
Oracle Cloud, Azure and AWS: TeamPCP Turns Cloud Infrastructure into Crime Bots	100 (Critical)	Unknown	['IT Services and IT Consulting', 'Technology, Information and Internet']	2025-12-26 00:00:00
FBI, Verizon, AT&T, U.S. Treasury, Lumen and Windstream: FBI investigating hack on its wiretap and surveillance systems: Report	100 (Critical)	Unknown	['IT Services and IT Consulting', 'Government Administration', 'Telecommunications', 'Law Enforcement', 'Design Services']	2026-03-05 00:00:00
DragonForce and Play: Ransomware Attacks Against the US: 2026 Insights	100 (Critical)	Qilin	['Computer Games', 'Musicians']	2026-01-01 00:00:00
Kawasaki Motors Europe, Volkswagen, Toyota, Avis Rent a Car, Jaguar Land Rover, Nissan and Scania: Major Cyber Attacks Targeting the Automotive Industry 2025	100 (Critical)	RansomHub	['Industrial Machinery Manufacturing', 'Financial Services', 'Motor Vehicle Manufacturing']	2025-11-07 00:00:00
Instructure Inc., Yale University, Princeton University, Stanford University, Harvard University, Rutgers University and Adelaide University: Multiple Colleges Hit by Disruptions After Canvas Service Hack	100 (Critical)	Unknown	['E-Learning Providers', 'Higher Education']	2026-05-01 00:00:00
Snowflake	100 (Critical)	Unknown	Software Development	2024-11-06 00:00:13.988000

Ransomware Statistics & Attack Trends - 2026 Overview

Ransomware continues to be the most financially devastating form of cybercrime, with threat actors encrypting critical data and demanding multi-million-dollar payments from organizations of every size. Rankiteo tracks ransomware incidents globally in real time, cataloguing strains, targeted industries, responsible threat actors, severity scores, and data exfiltration status to give security professionals and decision-makers a comprehensive, always-current picture of the ransomware landscape.

This tracker aggregates intelligence from 18,020 monitored ransomware incidents affecting 20,842 companies worldwide. Each incident is enriched with contextual data, including the ransomware strain, industry classification, and the threat group responsible, enabling pattern analysis that goes far beyond simple incident counts.

Why Track Ransomware Statistics?

Granular ransomware data serves multiple stakeholders across the cybersecurity and risk ecosystem:

CISOs & Security Teams: Identify emerging strains and which industries are under active attack to fine-tune detection rules, endpoint defenses, and backup strategies.
Third-Party Risk Managers: Assess whether vendors and suppliers operate in industries or geographies with elevated ransomware exposure to strengthen supply chain due diligence.
Cyber Insurers & Underwriters: Use strain-level frequency, severity distributions, and industry concentration data to model ransomware loss scenarios and calibrate premiums and coverage limits.
Incident Response Teams: Study threat actor TTPs and strain behaviours documented in historical incidents to accelerate containment and recovery during an active attack.
Executives & Boards: Communicate the scale and velocity of the ransomware threat with concrete, real-world statistics to justify investments in resilience and response capabilities.

Understanding Ransomware Strains

Modern ransomware operates through a Ransomware-as-a-Service (RaaS) model, where the developers of a strain lease their malware to affiliate operators in exchange for a share of the ransom. This model has driven explosive growth in the number of active strains: groups like LockBit, ALPHV/BlackCat, Cl0p, Black Basta, and REvil/Sodinokibi have each claimed hundreds of victims. Rankiteo maps every tracked incident to its strain, normalising name variants (e.g., "LockBit 3.0", "Lock Bit" → "LockBit") so that analysts can accurately compare strain prevalence and lethality.

Threat Actors & Attribution

Attribution is challenging but essential. Where threat intelligence allows, each incident is linked to the responsible threat actor or affiliate group. Rankiteo consolidates aliases and variants, merging labels like "Hackers" and "Hacker", or "Insider" and "Former Employee" - into canonical categories for cleaner analysis. For a deeper ranking of the most prolific groups, see the Threat Actor Leaderboard.

Methodology & Related Resources

Rankiteo identifies ransomware incidents by continuously monitoring dark web leak sites, government CERT advisories, vendor security bulletins, breach notification filings, and curated open-source threat intelligence feeds. Each incident is automatically classified, scored for severity on a 1–10 scale, and enriched with strain, industry, and entity metadata before appearing in this tracker.

Dive deeper into the threat landscape with related Rankiteo resources:

Data Breach Statistics: Records exposed, exfiltration rates, and industry breakdowns for all data breach incidents.
Threat Actor Leaderboard: Ranked profiles of the most active threat groups by incident volume and severity.
Cyber Incident Trends: Year-over-year and monthly trend analysis across all attack types.
Top Exploited Vulnerabilities: CVEs most actively leveraged by attackers in the wild.
Rating Methodology: How Rankiteo scores organisations and incidents using its Cyber Resilience framework.