What is a ransomware attack?

A ransomware attack is a type of cyberattack where malicious software encrypts a victim's data, and the attacker demands a ransom payment to restore access. Ransomware can target individuals, businesses, and critical infrastructure, often causing significant financial and operational damage.

Which industries are most targeted by ransomware?

Healthcare, financial services, manufacturing, government, and education sectors are among the most frequently targeted by ransomware attacks due to their reliance on critical data and often legacy IT infrastructure.

How does Rankiteo track ransomware incidents?

Rankiteo continuously monitors public threat intelligence feeds, breach disclosure databases, dark web activity, and security advisories to track ransomware incidents globally. Each incident is categorized by strain, severity, affected industry, and threat actor.

What is Ransomware-as-a-Service (RaaS)?

Ransomware-as-a-Service (RaaS) is a business model where ransomware developers lease their malware to affiliate operators in exchange for a percentage of collected ransoms. This model has dramatically lowered the barrier to entry for cybercriminals and driven the proliferation of strains like LockBit, ALPHV/BlackCat, and Cl0p.

What is double extortion in ransomware?

Double extortion is a tactic where ransomware operators not only encrypt a victim's data but also exfiltrate it before encryption. They then threaten to publish the stolen data on leak sites unless the ransom is paid, adding reputational and regulatory pressure to the financial demand.

How are ransomware severity scores calculated?

Rankiteo assigns each ransomware incident a severity score from 1 to 10 based on factors including the scope of impact (number of affected entities), the industry involved, data exfiltration status, the ransomware strain's known capabilities, and any confirmed ransom demands or payments.

Ransomware Tracker & Statistics

Real-time analytics on 15,890 ransomware incidents tracked by Rankiteo. Explore ransomware strains, affected industries, threat actors, and severity trends shaping the global threat landscape.

15,890

Ransomware Incidents

Known Strains

17.3K

Companies Affected

78.1

Avg Severity

Ransomware Strains

Unknown

High

14681 incidents92.4%Avg sev: 76.7

Cl0p

Critical

97 incidents0.6%Avg sev: 93.1

LockBit

Critical

95 incidents0.6%Avg sev: 96.5

Qilin

Critical

93 incidents0.6%Avg sev: 98.7

ALPHV/BlackCat

Critical

57 incidents0.4%Avg sev: 96.3

Akira

Critical

53 incidents0.3%Avg sev: 97.1

Medusa

Critical

42 incidents0.3%Avg sev: 96.7

Everest

Critical

37 incidents0.2%Avg sev: 98.1

Rhysida

Critical

37 incidents0.2%Avg sev: 95.1

Conti

Critical

35 incidents0.2%Avg sev: 97.3

REvil/Sodinokibi

Critical

26 incidents0.2%Avg sev: 93.7

Hive

Critical

24 incidents0.2%Avg sev: 93.1

Ransomware Incidents Over Time

Most Targeted Industries

Hospitals and Health Care

1597

Financial Services

910

Software Development

768

Government Administration

747

IT Services and IT Consulting

524

Insurance

465

Higher Education

432

Retail

372

Banking

340

Education Administration Programs

303

Non-profit Organizations

258

Law Practice

247

Threat Actors

Insider141

Cl0p111

Qilin104

Hacker100

LockBit88

ShinyHunters59

Cybercriminal56

ALPHV/BlackCat53

Akira50

Everest39

Rhysida37

Scattered Spider36

Anonymous35

Medusa31

Conti29

RansomHub28

Recent Ransomware Incidents

Incident	Severity	Strain	Industry	Date
Hong Kong precision components supplier and Italian maritime port authority: Ransomware Groups Surge In Q4 2025 – Cyble Insights	100 (Critical)	Qilin	['International Trade and Development', 'Computer and Network Security']	2026-01-01 00:00:00
npm, Inc.: Shai-Hulud 2.0 NPM malware attack exposed up to 400,000 dev secrets	100 (Critical)	Unknown	Software Development	2025-12-01 00:00:00
Tencent, MySpace, Twitter, Weibo, Canva, Adobe, Deezer, AdultFriendFinder, U.S. Government and Brazil Government: The 12-Terabyte Ghost: How a Record-Shattering Data Leak Is Arming a New Generation of Cyberattacks	100 (Critical)	Unknown	['Software Development', 'Technology, Information and Internet', 'Government Administration', 'Entertainment Providers', 'Musicians']	2025-01-01 00:00:00
SolarWinds, Kaseya, MoveIt Transfer, PowerSchool, DaVita, NASCAR, Marks & Spencer, Caesars Entertainment and Change Healthcare: Ransomware trends, statistics and facts in 2026	100 (Critical)	Cl0p	['Hospitality', 'Consumer Services', 'Spectator Sports', 'E-Learning Providers', 'Retail', 'Software Development', 'Information Technology & Services', 'Hospitals and Health Care']	2024-12-25 00:00:00
Co-operative Group, Ingram Micro, Salesforce, Jaguar Land Rover, Oracle, Synnovis and DaVita: Top 10 Ransomware Attacks Over The Past Year	100 (Critical)	Unknown	['Retail', 'Software Development', 'Information Technology & Services', 'IT Services and IT Consulting', 'Hospitals and Health Care', 'Motor Vehicle Manufacturing', 'Medical and Diagnostic Laboratories']	2025-01-01 00:00:00
Lamborghini, Volkswagen Group, Porsche, Bentley, Škoda, SEAT and Audi: Volkswagen Allegedly Hit by Ransomware Attack as 8Base Claims Sensitive Data Theft	100 (Critical)	Phobos variant	['Motor Vehicle Manufacturing']	2025-10-19 00:00:00
FBI, Verizon, AT&T, U.S. Treasury, Lumen and Windstream: FBI investigating hack on its wiretap and surveillance systems: Report	100 (Critical)	Unknown	['IT Services and IT Consulting', 'Government Administration', 'Telecommunications', 'Law Enforcement', 'Design Services']	2026-03-05 00:00:00
Brussels Airport	100 (Critical)	Unknown	Airlines and Aviation	2025-09-20 00:00:00
Salesforce	100 (Critical)	Unknown	Software Development	2025-10-03 00:00:00
T-Mobile	100 (Critical)	Unknown	Unknown	2021-08-01 00:00:00
BadeSaba: Hackers hit Iranian apps, websites after US-Israeli strikes	100 (Critical)	Unknown	['IT Services and IT Consulting']	2026-03-01 00:00:00
Alibaba Cloud, Tencent Cloud, AWS, Microsoft Azure, LangFlow and NVIDIA: VoidLink Malware Framework Targets Kubernetes and AI Workloads in New Cyber Attack Wave	100 (Critical)	Unknown	['Computer Hardware Manufacturing', 'Software Development', 'Information Technology & Services', 'IT Services and IT Consulting']	2025-12-01 00:00:00
Collins Aerospace (RTX Corp)	100 (Critical)	Unknown	Aviation and Aerospace Component Manufacturing	2025-09-21 00:00:00
Collins Aerospace	100 (Critical)	Unknown	Aviation and Aerospace Component Manufacturing	2025-06-16 00:00:00
Oracle	100 (Critical)	Cl0p	IT Services and IT Consulting	2025-08-01 00:00:00
Oracle	100 (Critical)	Cl0p	IT Services and IT Consulting	2025-07-10 00:00:00
Ryuk, TrickBot and Conti: Conti, Trickbot cybercrime group leader unmasked	100 (Critical)	Conti	['Blockchain Services', 'Computer and Network Security', 'Motor Vehicle Manufacturing']	2025-06-02 00:00:00
Qilin, Akira, LockBit, DragonForce and Safepay: Ransomware activity never dies, it multiplies	100 (Critical)	RansomHub	['Software Development', 'Financial Services', 'Computer and Network Security', 'Public Safety', 'Information Technology & Services']	2024-06-16 00:00:00
McDonald’s India, ASUS, Connaught Plaza Restaurants, Hardcastle Restaurants and Nissan Motor Corporation: Everest Ransomware Group Allegedly Claims to Have Breached McDonald’s India	100 (Critical)	Everest	['Computer Hardware Manufacturing', 'Motor Vehicle Manufacturing', 'Food and Beverage Services', 'Restaurants']	2017-06-16 00:00:00
Qilin, CL0P, Salesforce, Sinobi and Play: Ransomware and Supply Chain Attacks Set Records in 2025	100 (Critical)	Qilin	['Computer and Network Security', 'Software Development', 'Recreational Facilities']	2024-06-16 00:00:00

Ransomware Statistics & Attack Trends — 2026 Overview

Ransomware continues to be the most financially devastating form of cybercrime, with threat actors encrypting critical data and demanding multi-million-dollar payments from organizations of every size. Rankiteo tracks ransomware incidents globally in real time, cataloguing strains, targeted industries, responsible threat actors, severity scores, and data exfiltration status to give security professionals and decision-makers a comprehensive, always-current picture of the ransomware landscape.

This tracker aggregates intelligence from 15,890 monitored ransomware incidents affecting 17,297 companies worldwide. Each incident is enriched with contextual data — including the ransomware strain, industry classification, and the threat group responsible — enabling pattern analysis that goes far beyond simple incident counts.

Why Track Ransomware Statistics?

Granular ransomware data serves multiple stakeholders across the cybersecurity and risk ecosystem:

CISOs & Security Teams: Identify emerging strains and which industries are under active attack to fine-tune detection rules, endpoint defenses, and backup strategies.
Third-Party Risk Managers: Assess whether vendors and suppliers operate in industries or geographies with elevated ransomware exposure to strengthen supply chain due diligence.
Cyber Insurers & Underwriters: Use strain-level frequency, severity distributions, and industry concentration data to model ransomware loss scenarios and calibrate premiums and coverage limits.
Incident Response Teams: Study threat actor TTPs and strain behaviours documented in historical incidents to accelerate containment and recovery during an active attack.
Executives & Boards: Communicate the scale and velocity of the ransomware threat with concrete, real-world statistics to justify investments in resilience and response capabilities.

Understanding Ransomware Strains

Modern ransomware operates through a Ransomware-as-a-Service (RaaS) model, where the developers of a strain lease their malware to affiliate operators in exchange for a share of the ransom. This model has driven explosive growth in the number of active strains: groups like LockBit, ALPHV/BlackCat, Cl0p, Black Basta, and REvil/Sodinokibi have each claimed hundreds of victims. Rankiteo maps every tracked incident to its strain, normalising name variants (e.g., "LockBit 3.0", "Lock Bit" → "LockBit") so that analysts can accurately compare strain prevalence and lethality.

Threat Actors & Attribution

Attribution is challenging but essential. Where threat intelligence allows, each incident is linked to the responsible threat actor or affiliate group. Rankiteo consolidates aliases and variants — merging labels like "Hackers" and "Hacker", or "Insider" and "Former Employee" — into canonical categories for cleaner analysis. For a deeper ranking of the most prolific groups, see the Threat Actor Leaderboard.

Methodology & Related Resources

Rankiteo identifies ransomware incidents by continuously monitoring dark web leak sites, government CERT advisories, vendor security bulletins, breach notification filings, and curated open-source threat intelligence feeds. Each incident is automatically classified, scored for severity on a 1–10 scale, and enriched with strain, industry, and entity metadata before appearing in this tracker.

Dive deeper into the threat landscape with related Rankiteo resources:

Data Breach Statistics: Records exposed, exfiltration rates, and industry breakdowns for all data breach incidents.
Threat Actor Leaderboard: Ranked profiles of the most active threat groups by incident volume and severity.
Cyber Incident Trends: Year-over-year and monthly trend analysis across all attack types.
Top Exploited Vulnerabilities: CVEs most actively leveraged by attackers in the wild.
Rating Methodology: How Rankiteo scores organisations and incidents using its Cyber Resilience framework.