State of Ransomware: April 2026

Published 1 May 2026 · ThreatVectr Intelligence

8030%
Claimed attacks
vs 800 the month before
62
Groups active
83
Countries affected
99
Busiest day
27 April

Ransomware groups claimed 803 attacks on organisations worldwide in April 2026, level with the previous month. 62 distinct groups posted at least one victim during the month, across 83 countries. The busiest single day was 27 April, with 99 victims listed.

Qilin was the most active operation of the month, claiming 103 victims — 13% of all listings. The Gentlemen (87) and DragonForce (63) followed. 12 groups appeared for the first time, including Lamashtu, M3rx, Aurora, Titan.

Business Services bore the heaviest targeting, with 170 claimed victims, ahead of Manufacturing (113) and Healthcare (77). By geography, United States accounted for 284 claims — 35% of the month — with Germany (48) and United Kingdom (44) next.

Claims per day — April 2026

Most active groups

  1. 1Qilin·103
  2. 2The Gentlemen187
  3. 3DragonForce163
  4. 4Apt73New58
  5. 5Coinbasecartel444
  6. 6Akira142
  7. 7LockBit140
  8. 8INC Ransom333
  9. 9Krybit3122
  10. 10NightSpire820

First seen this month:Lamashtu, M3rx, Aurora, Titan, Leakbazaar, Blackwater, Netrunner, Secpo and 4 more

Most-targeted sectors

  1. 1Business Services170
  2. 2Manufacturing113
  3. 3Healthcare77
  4. 4Consumer Services71
  5. 5Technology65
  6. 6Financial Services38
  7. 7Construction37
  8. 8Agriculture and Food Production33
  9. 9Transportation/Logistics32
  10. 10Public Sector29

Most-affected countries

  1. 1United States284
  2. 2Germany48
  3. 3United Kingdom44
  4. 4Canada27
  5. 5France27
  6. 6Italy24
  7. 7Australia19
  8. 8Spain16
  9. 9Mexico16
  10. 10Thailand16

Every figure in this report counts a claim posted to a criminal leak site, observed via the monitoring service ransomware.live. A listing is an extortion tactic, not a confirmed breach: some claims are exaggerated, some are duplicates under new branding, and a few are outright false. Companies named in listings have not necessarily confirmed any incident, and ThreatVectr does not publish victim names from this dataset.

Cite this report

This report is free to cite and reproduce with attribution. Suggested citation:

ThreatVectr, “State of Ransomware: April 2026”, https://threatvectr.com/ransomware-tracker/reports/april-2026

Journalists and researchers: for questions about the data or methodology, contact the newsdesk.

Most ransomware starts with one email

The groups in this report overwhelmingly get in through phishing. Train2Secure runs realistic phishing simulations and short training that teach your team to spot the lure.

Start free — no card required
© 2026 Threat Vectr