ThreatVectr Intelligence

Ransomware Tracker

A live view of ransomware activity, built from the attacks that criminal groups claim on their dark-web leak sites. Below: who is most active, which sectors and countries are being hit, and how the pace is changing month to month.

Updated continuously · Data as of 13 Jul 2026, 00:43 UTC · Coverage since July 2025

These are claims, not confirmed breaches. Every figure here comes from listings that ransomware groups post on their own dark-web leak sites to pressure victims. Such listings are unverified, sometimes exaggerated, and occasionally false. A company appearing in this data has not necessarily confirmed any incident.

9,176
Claimed attacks tracked
2,218 in the last 90 days
142
Active ransomware groups
156
Countries affected
703
Claimed in last 30 days
185 in the last 7 days

Claimed attacks per month

Last 12 months · current month partial

Monthly ransomware reports

A citable deep-dive on every completed month — totals, trends, group movements, sectors and countries.

Most active groups

  1. 1Qilin1,438
  2. 2Akira697
  3. 3The Gentlemen599
  4. 4INC Ransom511
  5. 5DragonForce398
  6. 6Play344
  7. 7LockBit320
  8. 8SafePay283
  9. 9Sinobi274
  10. 10Cl0p243

Ranked by claimed claims

Most-targeted sectors

  1. 1Manufacturing1,332
  2. 2Business Services1,311
  3. 3Technology1,030
  4. 4Healthcare755
  5. 5Consumer Services614
  6. 6Construction598
  7. 7Financial Services514
  8. 8Agriculture and Food Production349
  9. 9Transportation/Logistics341
  10. 10Education327

Ranked by claimed claims

Most-affected countries

  1. 1United States4,015
  2. 2Germany427
  3. 3United Kingdom349
  4. 4Canada346
  5. 5France251
  6. 6Italy234
  7. 7Spain197
  8. 8Brazil175
  9. 9India154
  10. 10Australia150

Ranked by claimed claims

How this tracker works

ThreatVectr monitors the leak sites of 200+ ransomware groups through ransomware.live, an open monitoring service that watches the dark-web portals so we do not have to run our own crawler. Each new listing is counted once, by the group claiming it, the victim's sector and country where the listing states them, and the date the claim was posted.

The numbers above are aggregate counts only. ThreatVectr does not publish the names of the companies named in these listings, because a leak-site post is an accusation by criminals, not a verified fact. Read more in our editorial policy.

Most ransomware starts with one email

The groups above overwhelmingly get in through phishing. Train2Secure runs realistic phishing simulations and short training that teach your team to spot the lure before it becomes an incident.

Start free — no card required
© 2026 Threat Vectr