Ransomware Tracker
A live view of ransomware activity, built from the attacks that criminal groups claim on their dark-web leak sites. Below: who is most active, which sectors and countries are being hit, and how the pace is changing month to month.
Updated continuously · Data as of 13 Jul 2026, 00:43 UTC · Coverage since July 2025
These are claims, not confirmed breaches. Every figure here comes from listings that ransomware groups post on their own dark-web leak sites to pressure victims. Such listings are unverified, sometimes exaggerated, and occasionally false. A company appearing in this data has not necessarily confirmed any incident.
Claimed attacks per month
Last 12 months · current month partialMonthly ransomware reports
A citable deep-dive on every completed month — totals, trends, group movements, sectors and countries.
Most active groups
- 1Qilin1,438
- 2Akira697
- 3The Gentlemen599
- 4INC Ransom511
- 5DragonForce398
- 6Play344
- 7LockBit320
- 8SafePay283
- 9Sinobi274
- 10Cl0p243
Ranked by claimed claims
Most-targeted sectors
- 1Manufacturing1,332
- 2Business Services1,311
- 3Technology1,030
- 4Healthcare755
- 5Consumer Services614
- 6Construction598
- 7Financial Services514
- 8Agriculture and Food Production349
- 9Transportation/Logistics341
- 10Education327
Ranked by claimed claims
Most-affected countries
- 1United States4,015
- 2Germany427
- 3United Kingdom349
- 4Canada346
- 5France251
- 6Italy234
- 7Spain197
- 8Brazil175
- 9India154
- 10Australia150
Ranked by claimed claims
How this tracker works
ThreatVectr monitors the leak sites of 200+ ransomware groups through ransomware.live, an open monitoring service that watches the dark-web portals so we do not have to run our own crawler. Each new listing is counted once, by the group claiming it, the victim's sector and country where the listing states them, and the date the claim was posted.
The numbers above are aggregate counts only. ThreatVectr does not publish the names of the companies named in these listings, because a leak-site post is an accusation by criminals, not a verified fact. Read more in our editorial policy.
Most ransomware starts with one email
The groups above overwhelmingly get in through phishing. Train2Secure runs realistic phishing simulations and short training that teach your team to spot the lure before it becomes an incident.