State of Ransomware: June 2026

Published 1 July 2026 · ThreatVectr Intelligence

683-10%
Claimed attacks
vs 759 the month before
64
Groups active
77
Countries affected
53
Busiest day
15 June

Ransomware groups claimed 683 attacks on organisations worldwide in June 2026, down 10% on the previous month's 759. 64 distinct groups posted at least one victim during the month, across 77 countries. The busiest single day was 15 June, with 53 victims listed.

The Gentlemen was the most active operation of the month, claiming 117 victims — 17% of all listings. Qilin (78) and LockBit (34) followed. 6 groups appeared for the first time, including Settra, Booba project, Wallstreet, Blackfield.

Business Services bore the heaviest targeting, with 113 claimed victims, ahead of Manufacturing (76) and Technology (58). By geography, United States accounted for 193 claims — 28% of the month — with Germany (49) and United Kingdom (23) next.

Claims per day — June 2026

Most active groups

  1. 1The Gentlemen1117
  2. 2Qilin178
  3. 3LockBit334
  4. 4Akira·30
  5. 5INC Ransom·30
  6. 6Nova228
  7. 7DragonForce425
  8. 8SettraNew23
  9. 9SafePay·20
  10. 10Shinyhunters1120

First seen this month:Settra, Booba project, Wallstreet, Blackfield, Redact, Unsafe

Most-targeted sectors

  1. 1Business Services113
  2. 2Manufacturing76
  3. 3Technology58
  4. 4Consumer Services56
  5. 5Healthcare50
  6. 6Agriculture and Food Production36
  7. 7Construction31
  8. 8Transportation/Logistics26
  9. 9Public Sector22
  10. 10Hospitality and Tourism21

Most-affected countries

  1. 1United States193
  2. 2Germany49
  3. 3United Kingdom23
  4. 4Canada22
  5. 5France19
  6. 6India18
  7. 7Brazil17
  8. 8Italy16
  9. 9Mexico13
  10. 10Thailand13

Every figure in this report counts a claim posted to a criminal leak site, observed via the monitoring service ransomware.live. A listing is an extortion tactic, not a confirmed breach: some claims are exaggerated, some are duplicates under new branding, and a few are outright false. Companies named in listings have not necessarily confirmed any incident, and ThreatVectr does not publish victim names from this dataset.

Cite this report

This report is free to cite and reproduce with attribution. Suggested citation:

ThreatVectr, “State of Ransomware: June 2026”, https://threatvectr.com/ransomware-tracker/reports/june-2026

Journalists and researchers: for questions about the data or methodology, contact the newsdesk.

Most ransomware starts with one email

The groups in this report overwhelmingly get in through phishing. Train2Secure runs realistic phishing simulations and short training that teach your team to spot the lure.

Start free — no card required
© 2026 Threat Vectr