7,655 Ransomware Claims in One Year: Group, Sector, and Country Breakdown

April 24, 2026 · 7 min read

7,655 Ransomware victim claims from 129 groups across 141 countries, March 2025 to March 2026

From March 2025 to March 2026, ransomware groups posted 7,655 victim claims to public leak sites over 376 days. That is roughly 20 per day, or one new organisation named every 71 minutes.

This article breaks down which groups are most active, what sectors they target, where the victims are located, and how claim volume has changed over the observation period. All figures are based on leak site postings ingested by CipherCue via the ransomware.live API. Claim counts are not confirmed breaches. They represent what threat actors have publicly stated.

One group posted 1,179 claims. Five groups account for 40%.

Of 129 active groups, the top five posted 3,027 of the 7,655 claims (40%). After them, the field fragments quickly.

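| Group | Claims | Share | Countries |
|---|---|---|---|
| Qilin | 1,179 | 15.4% | 74 |
| Akira | 706 | 9.2% | 42 |
| INC Ransom | 415 | 5.4% | 60 |
| Play | 386 | 5.0% | 21 |
| SafePay | 341 | 4.5% | 31 |
| Sinobi | 261 | 3.4% | 21 |
| DragonForce | 251 | 3.3% | 36 |
| Clop | 248 | 3.2% | 36 |
| TheGentlemen | 192 | 2.5% | 55 |
| Lynx | 191 | 2.5% | 28 |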

Qilin alone posted 1,179 claims, roughly 3.1 per day. Its geographic footprint spans 74 countries, the widest of any group. Top Qilin targets by country: US (438), France (55), Canada (48), Spain (41), Great Britain (36). This is not a group that picks one geography and stays there.

Akira is second at 706 claims across 42 countries, but with a heavier US concentration: 403 of its 706 claims (57%) targeted American organisations. Germany (34), Canada (31), and Italy (20) follow.

Play is the most US-concentrated of the top five. 249 of its 386 claims (64%) targeted the US, followed by Canada (27). Only 21 countries appear in its claim list, compared to Qilin's 74.

The long tail matters as much as the leaders: the remaining 124 groups collectively posted 4,628 claims. This suggests that disrupting any single group is unlikely to reduce the overall total significantly.

Manufacturing has been claimed 890 times. Technology is close behind at 843.

Of the 7,655 claims, 4,970 had a recognisable sector attributed by ransomware.live metadata. The remaining 2,685 (35%) had no sector data or were marked "Not Found".

| Sector | Claims | Top groups in this sector |
|---|---|---|
| Manufacturing | 890 | Qilin (150), Akira (144), Play (81), Sinobi (36), SafePay (34) |
| Technology | 843 | Qilin (107), Clop (60), INC Ransom (52), Akira (47), Play (42) |
| Healthcare | 537 | Qilin (85), INC Ransom (39), Sinobi (34), WorldLeaks (21), SafePay (21) |
| Construction | 375 | Akira (61), Qilin (57), Play (50), DragonForce (24), Sinobi (23) |
| Financial Services | 362 | Qilin (67), Akira (35) |
| Business Services | 339 | Akira (50), Qilin (47), SilentRansomGroup (21), INC Ransom (20) |
| Education | 260 | Qilin (50), INC Ransom (28), SafePay (20), Interlock (20) |
| Consumer Services | 260 | Qilin (33), Akira (22), Play (21), INC Ransom (20) |
| Public Sector | 256 | Qilin (41), Babuk2 (35), INC Ransom (22) |
| Transportation/Logistics | 237 | Qilin (39), Akira (23) |

The top 10 sectors account for 4,359 of the 4,970 sector-attributed claims. The remaining 611 include Agriculture and Food Production (171), Hospitality and Tourism (168), Energy (160), and Telecommunication (106). The other 6 claims carry variant or inconsistent sector labels in the source data.

The group-sector relationship appears non-random. Qilin leads in 9 of the top 10 sectors, but Akira leads specifically in construction (61 claims) and business services (50 claims). Clop's technology concentration (60 claims, its top sector) is consistent with the group's reported focus on file transfer and managed service provider vulnerabilities. Play clusters heavily in manufacturing (81) and construction (50), sectors where operational downtime may create stronger payment pressure.

The US accounts for 40% of all claimed victims. 141 countries appear in total.

3,101 of the 7,655 claims named a US-based organisation. 1,077 claims had no country attribution. After the US, the distribution spreads across 140 additional countries.

| Country | Claims | Top groups |
|---|---|---|
| United States | 3,101 | Qilin (438), Akira (403), Play (249), INC Ransom (217) |
| Germany | 315 | SafePay (72), Akira (34), Qilin (34) |
| Canada | 311 | Qilin (48), INC Ransom (33), Akira (31), Play (27) |
| United Kingdom | 232 | Qilin (36), SafePay (20), INC Ransom (13) |
| France | 177 | Qilin (55) |
| Italy | 169 | Qilin (32), Akira (20) |
| Spain | 157 | Qilin (41), Akira (12) |
| Brazil | 132 | INC Ransom (8) |
| India | 129 | Qilin (7) |
| Japan | 112 | Qilin (25) |

Germany's position at second is notable. SafePay alone posted 72 claims targeting German organisations, making it the dominant threat for that country by a wide margin. This concentration may reflect German-language affiliates or a deliberate targeting campaign, though the data alone cannot confirm either explanation.

Canada and the UK show a broader spread of groups, with no single group accounting for more than a fifth of either country's total.

Volume increased 40% in the second half of the observation period

| Month | Claims |
|---|---|
| March 2025 | 594 |
| April 2025 | 495 |
| May 2025 | 492 |
| June 2025 | 488 |
| July 2025 | 538 |
| August 2025 | 519 |
| September 2025 | 566 |
| October 2025 | 814 |
| November 2025 | 708 |
| December 2025 | 861 |
| January 2026 | 674 |
| February 2026 | 767 |
| March 2026 (11 days) | 139 |

The first six months (March to August 2025) averaged 521 claims per month. The next six months (September 2025 to February 2026) averaged 732 per month. That is a 40% increase.

December 2025 was the single highest month at 861 claims. October 2025 was second at 814. Claim data alone cannot show whether this reflects genuinely increasing ransomware activity, more groups adopting leak sites, or changes in ransomware.live ingestion coverage. What the data does show is that the baseline has shifted upward and has not returned to first-half levels.

What this means for risk and security teams

  • Vendor and supply chain risk: Manufacturing (890) and technology (843) together account for 1,733 of the 4,970 sector-attributed claims (35%). If your supply chain depends on mid-market manufacturers or technology providers, their ransomware exposure is your operational risk. A vendor appearing on a leak site, even if unconfirmed, should trigger a due diligence review.
  • Volume is trending up, not down. Monthly averages increased 40% from the first half to the second half of this observation period. If the second-half rate is sustained, the ecosystem is on pace for over 8,700 claims per year.
  • Group fragmentation suggests a resilient ecosystem. With 129 active groups, no single law enforcement action is likely to reduce overall volume substantially. The top group (Qilin) accounts for only 15% of claims. Even removing it entirely would still leave 6,476 claims from 128 other groups.
  • Geographic spread is genuine. 141 countries appeared in the dataset. US organisations are the most frequent targets at 40%, but the remaining 60% spans six continents. European subsidiaries, APAC operations, and Latin American offices are all represented.

Method note

Data source: ransomware.live API, ingested into CipherCue. The dataset contains 7,655 leak site claims with a discovered_date between 1 March 2025 and 11 March 2026 (376 days). Claims represent threat actor postings, not confirmed breaches. Sector and country attribution is taken from ransomware.live metadata where available. 2,685 claims (35%) had no sector data or were marked "Not Found". 1,077 claims (14%) had no country data. The sector table shows the top 10 of 14 sector categories; the remaining 611 claims include Agriculture and Food Production (171), Hospitality and Tourism (168), Energy (160), Telecommunication (106), and 6 claims with variant or inconsistent sector labels. Group-country and group-sector counts shown in tables are based on claims where both fields were populated. Monthly totals may shift as ransomware.live updates historical data. March 2026 is a partial month (11 days at time of analysis). Victim names are as posted by threat actors and may include duplicates where groups re-post or claim the same victim under different naming.
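The vendor check recommended above, combined with this note's caveat about re-posted victims, as an added example (not CipherCue or ransomware.live code): it matches posted victim names against a vendor watchlist and collapses repeat postings by the same group. Only `discovered_date` is a field named on this page; the `victim` and `group` field names, the vendors and the claims are constructed placeholders.

```python
import re
import unicodedata

# Legal-form suffixes dropped before comparison (illustrative, not exhaustive).
LEGAL = {"inc", "llc", "ltd", "gmbh", "corp", "co", "plc", "sa", "ag", "srl"}

def norm(name):
    """Reduce a posted victim name or a vendor name/domain to a comparison key."""
    s = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode().lower()
    s = re.sub(r"^(https?://)?(www\.)?", "", s.strip()).rstrip("/")
    if re.fullmatch(r"[a-z0-9-]+(\.[a-z0-9-]+)+", s):
        return s  # victim posted as a bare domain: keep it intact
    return " ".join(t for t in re.findall(r"[a-z0-9]+", s) if t not in LEGAL)

def vendor_hits(claims, vendors):
    """Map vendor -> {group: earliest discovered_date}, collapsing re-posts."""
    index = {}
    for v in vendors:
        index[norm(v["name"])] = v["name"]
        index[norm(v["domain"])] = v["name"]
    hits = {}
    for c in claims:
        vendor = index.get(norm(c["victim"]))
        if vendor is None:
            continue  # exact-key match only; abbreviations need manual review
        by_group = hits.setdefault(vendor, {})
        first = by_group.get(c["group"])
        # ISO dates compare correctly as strings; keep the earliest posting.
        if first is None or c["discovered_date"] < first:
            by_group[c["group"]] = c["discovered_date"]
    return hits

# Constructed sample data. "victim" and "group" are assumed field names and
# every value below is a placeholder, not a real claim or a real group.
VENDORS = [
    {"name": "Northwind Precision Mfg", "domain": "northwind-precision.example"},
    {"name": "Fabrikam Logistics GmbH", "domain": "fabrikam-logistics.example"},
    {"name": "Tailspin Software", "domain": "tailspin.example"},
]
CLAIMS = [
    {"victim": "Northwind Precision Mfg., Inc.", "group": "example-group-a", "discovered_date": "2025-10-19"},
    {"victim": "NORTHWIND PRECISION MFG", "group": "example-group-a", "discovered_date": "2025-10-03"},
    {"victim": "www.northwind-precision.example", "group": "example-group-b", "discovered_date": "2025-12-02"},
    {"victim": "Contoso Health Ltd", "group": "example-group-a", "discovered_date": "2025-11-11"},
    {"victim": "Fabrikam Logistics GmbH", "group": "example-group-c", "discovered_date": "2026-01-07"},
]

if __name__ == "__main__":
    for vendor, groups in vendor_hits(CLAIMS, VENDORS).items():
        print(vendor, groups)
```

A hit is a posted claim that matches a watchlist key, not a confirmed breach, so it feeds the due diligence review rather than replacing it.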

We built CipherCue to make ransomware claim data actionable for sales and risk teams. If you want to track which of your accounts and prospects appear on leak sites in real time, request a demo.


Source: Hacker News
