What is a ransomware attack?

A ransomware attack is a type of cyberattack where malicious software encrypts a victim's data, and the attacker demands a ransom payment to restore access. Ransomware can target individuals, businesses, and critical infrastructure, often causing significant financial and operational damage.

Which industries are most targeted by ransomware?

Healthcare, financial services, manufacturing, government, and education sectors are among the most frequently targeted by ransomware attacks due to their reliance on critical data and often legacy IT infrastructure.

How does Rankiteo track ransomware incidents?

Rankiteo continuously monitors public threat intelligence feeds, breach disclosure databases, dark web activity, and security advisories to track ransomware incidents globally. Each incident is categorized by strain, severity, affected industry, and threat actor.

What is Ransomware-as-a-Service (RaaS)?

Ransomware-as-a-Service (RaaS) is a business model where ransomware developers lease their malware to affiliate operators in exchange for a percentage of collected ransoms. This model has dramatically lowered the barrier to entry for cybercriminals and driven the proliferation of strains like LockBit, ALPHV/BlackCat, and Cl0p.

What is double extortion in ransomware?

Double extortion is a tactic where ransomware operators not only encrypt a victim's data but also exfiltrate it before encryption. They then threaten to publish the stolen data on leak sites unless the ransom is paid, adding reputational and regulatory pressure to the financial demand.

How are ransomware severity scores calculated?

Rankiteo assigns each ransomware incident a severity score from 1 to 10 based on factors including the scope of impact (number of affected entities), the industry involved, data exfiltration status, the ransomware strain's known capabilities, and any confirmed ransom demands or payments.

Ransomware Tracker & Statistics

Real-time analytics on 16,747 ransomware incidents tracked by Rankiteo. Explore ransomware strains, affected industries, threat actors, and severity trends shaping the global threat landscape.

16,747

Ransomware Incidents

Known Strains

18.7K

Companies Affected

78.6

Avg Severity

Ransomware Strains

Unknown

High

15418 incidents92.1%Avg sev: 77.1

Qilin

Critical

107 incidents0.6%Avg sev: 98.6

Cl0p

Critical

102 incidents0.6%Avg sev: 93.3

LockBit

Critical

97 incidents0.6%Avg sev: 96.6

ALPHV/BlackCat

Critical

63 incidents0.4%Avg sev: 96.7

Akira

Critical

61 incidents0.4%Avg sev: 97.5

Medusa

Critical

49 incidents0.3%Avg sev: 97.1

Rhysida

Critical

42 incidents0.3%Avg sev: 95.7

Everest

Critical

38 incidents0.2%Avg sev: 98.2

Conti

Critical

35 incidents0.2%Avg sev: 97.3

REvil/Sodinokibi

Critical

26 incidents0.2%Avg sev: 93.7

RansomHub

Critical

24 incidents0.1%Avg sev: 97.5

Ransomware Incidents Over Time

Most Targeted Industries

Hospitals and Health Care

1597

Financial Services

910

Software Development

768

Government Administration

747

IT Services and IT Consulting

524

Insurance

465

Higher Education

432

Retail

372

Banking

340

Education Administration Programs

303

['Software Development']

287

Non-profit Organizations

258

Threat Actors

Insider145

Qilin117

Cl0p115

Hacker102

LockBit90

ShinyHunters80

Cybercriminal61

ALPHV/BlackCat58

Akira57

Rhysida42

Everest40

Scattered Spider37

Anonymous35

Medusa34

INC Ransom32

Play31

Recent Ransomware Incidents

Incident	Severity	Strain	Industry	Date
UnitedHealth, Ticketmaster, MGM Resorts, Ripple, Snowflake, Google, Allianz, Equifax, Maersk, Toyota, Merck and Oracle: 2025 Cybersecurity Almanac: 100 Facts, Figures, Predictions And Statistics	100 (Critical)	Akira	['Hospitality', 'Pharmaceutical Manufacturing', 'Technology, Information and Internet', 'Financial Services', 'Software Development', 'Entertainment Providers', 'IT Services and IT Consulting', 'Motor Vehicle Manufacturing', 'Hospitals and Health Care', 'Transportation, Logistics, Supply Chain and Storage']	2025-12-11 00:00:00
Hong Kong precision components supplier and Italian maritime port authority: Ransomware Groups Surge In Q4 2025 – Cyble Insights	100 (Critical)	Qilin	['International Trade and Development', 'Computer and Network Security']	2026-01-01 00:00:00
Tencent, MySpace, Twitter, Weibo, Canva, Adobe, Deezer, AdultFriendFinder, U.S. Government and Brazil Government: The 12-Terabyte Ghost: How a Record-Shattering Data Leak Is Arming a New Generation of Cyberattacks	100 (Critical)	Unknown	['Software Development', 'Technology, Information and Internet', 'Government Administration', 'Entertainment Providers', 'Musicians']	2025-01-01 00:00:00
SolarWinds, Kaseya, MoveIt Transfer, PowerSchool, DaVita, NASCAR, Marks & Spencer, Caesars Entertainment and Change Healthcare: Ransomware trends, statistics and facts in 2026	100 (Critical)	Cl0p	['Hospitality', 'Consumer Services', 'Spectator Sports', 'E-Learning Providers', 'Retail', 'Software Development', 'Information Technology & Services', 'Hospitals and Health Care']	2024-12-25 00:00:00
Broadcom	100 (Critical)	Cl0p	Semiconductor Manufacturing	2025-06-16 00:00:00
Shoppers Drug Mart, President’s Choice, Loblaw, No Frills and PC Optimum: “Threat Actor” on the dark web claims Loblaw’s “low-level” data breach is a much larger threat	100 (Critical)	Unknown	['Financial Services', 'Retail', 'Retail Groceries']	2026-03-13 00:00:00
Co-operative Group, Ingram Micro, Salesforce, Jaguar Land Rover, Oracle, Synnovis and DaVita: Top 10 Ransomware Attacks Over The Past Year	100 (Critical)	Unknown	['Retail', 'Software Development', 'Information Technology & Services', 'IT Services and IT Consulting', 'Hospitals and Health Care', 'Motor Vehicle Manufacturing', 'Medical and Diagnostic Laboratories']	2025-01-01 00:00:00
Lamborghini, Volkswagen Group, Porsche, Bentley, Škoda, SEAT and Audi: Volkswagen Allegedly Hit by Ransomware Attack as 8Base Claims Sensitive Data Theft	100 (Critical)	Phobos variant	['Motor Vehicle Manufacturing']	2025-10-19 00:00:00
FBI, Verizon, AT&T, U.S. Treasury, Lumen and Windstream: FBI investigating hack on its wiretap and surveillance systems: Report	100 (Critical)	Unknown	['IT Services and IT Consulting', 'Government Administration', 'Telecommunications', 'Law Enforcement', 'Design Services']	2026-03-05 00:00:00
Kawasaki Motors Europe, Volkswagen, Toyota, Avis Rent a Car, Jaguar Land Rover, Nissan and Scania: Major Cyber Attacks Targeting the Automotive Industry 2025	100 (Critical)	RansomHub	['Industrial Machinery Manufacturing', 'Financial Services', 'Motor Vehicle Manufacturing']	2025-11-07 00:00:00
Snowflake	100 (Critical)	Unknown	Software Development	2024-11-06 00:00:13.988000
Brussels Airport	100 (Critical)	Unknown	Airlines and Aviation	2025-09-20 00:00:00
Salesforce	100 (Critical)	Unknown	Software Development	2025-10-03 00:00:00
T-Mobile	100 (Critical)	Unknown	Unknown	2021-08-01 00:00:00
BadeSaba: Hackers hit Iranian apps, websites after US-Israeli strikes	100 (Critical)	Unknown	['IT Services and IT Consulting']	2026-03-01 00:00:00
Alibaba Cloud, Tencent Cloud, AWS, Microsoft Azure, LangFlow and NVIDIA: VoidLink Malware Framework Targets Kubernetes and AI Workloads in New Cyber Attack Wave	100 (Critical)	Unknown	['Computer Hardware Manufacturing', 'Software Development', 'Information Technology & Services', 'IT Services and IT Consulting']	2025-12-01 00:00:00
HSBC, Nationwide, Barclays, Lloyds, Marks & Spencer and Co-op: Cyber-attack threat keeps me awake at night, bank boss says	100 (Critical)	Unknown	['Insurance', 'Banking', 'Retail', 'Financial Services']	2023-01-01 00:00:00
Collins Aerospace (RTX Corp)	100 (Critical)	Unknown	Aviation and Aerospace Component Manufacturing	2025-09-21 00:00:00
Kettering Health	100 (Critical)	Interlock (Linked to ClickFix)	Hospitals and Health Care	2025-10-20 00:00:00
Collins Aerospace	100 (Critical)	Unknown	Aviation and Aerospace Component Manufacturing	2025-06-16 00:00:00

Ransomware Statistics & Attack Trends - 2026 Overview

Ransomware continues to be the most financially devastating form of cybercrime, with threat actors encrypting critical data and demanding multi-million-dollar payments from organizations of every size. Rankiteo tracks ransomware incidents globally in real time, cataloguing strains, targeted industries, responsible threat actors, severity scores, and data exfiltration status to give security professionals and decision-makers a comprehensive, always-current picture of the ransomware landscape.

This tracker aggregates intelligence from 16,747 monitored ransomware incidents affecting 18,729 companies worldwide. Each incident is enriched with contextual data, including the ransomware strain, industry classification, and the threat group responsible, enabling pattern analysis that goes far beyond simple incident counts.

Why Track Ransomware Statistics?

Granular ransomware data serves multiple stakeholders across the cybersecurity and risk ecosystem:

CISOs & Security Teams: Identify emerging strains and which industries are under active attack to fine-tune detection rules, endpoint defenses, and backup strategies.
Third-Party Risk Managers: Assess whether vendors and suppliers operate in industries or geographies with elevated ransomware exposure to strengthen supply chain due diligence.
Cyber Insurers & Underwriters: Use strain-level frequency, severity distributions, and industry concentration data to model ransomware loss scenarios and calibrate premiums and coverage limits.
Incident Response Teams: Study threat actor TTPs and strain behaviours documented in historical incidents to accelerate containment and recovery during an active attack.
Executives & Boards: Communicate the scale and velocity of the ransomware threat with concrete, real-world statistics to justify investments in resilience and response capabilities.

Understanding Ransomware Strains

Modern ransomware operates through a Ransomware-as-a-Service (RaaS) model, where the developers of a strain lease their malware to affiliate operators in exchange for a share of the ransom. This model has driven explosive growth in the number of active strains: groups like LockBit, ALPHV/BlackCat, Cl0p, Black Basta, and REvil/Sodinokibi have each claimed hundreds of victims. Rankiteo maps every tracked incident to its strain, normalising name variants (e.g., "LockBit 3.0", "Lock Bit" → "LockBit") so that analysts can accurately compare strain prevalence and lethality.

Threat Actors & Attribution

Attribution is challenging but essential. Where threat intelligence allows, each incident is linked to the responsible threat actor or affiliate group. Rankiteo consolidates aliases and variants, merging labels like "Hackers" and "Hacker", or "Insider" and "Former Employee" - into canonical categories for cleaner analysis. For a deeper ranking of the most prolific groups, see the Threat Actor Leaderboard.

Methodology & Related Resources

Rankiteo identifies ransomware incidents by continuously monitoring dark web leak sites, government CERT advisories, vendor security bulletins, breach notification filings, and curated open-source threat intelligence feeds. Each incident is automatically classified, scored for severity on a 1–10 scale, and enriched with strain, industry, and entity metadata before appearing in this tracker.

Dive deeper into the threat landscape with related Rankiteo resources:

Data Breach Statistics: Records exposed, exfiltration rates, and industry breakdowns for all data breach incidents.
Threat Actor Leaderboard: Ranked profiles of the most active threat groups by incident volume and severity.
Cyber Incident Trends: Year-over-year and monthly trend analysis across all attack types.
Top Exploited Vulnerabilities: CVEs most actively leveraged by attackers in the wild.
Rating Methodology: How Rankiteo scores organisations and incidents using its Cyber Resilience framework.