State of Ransomware: March 2026

Published 1 April 2026 · ThreatVectr Intelligence

800+2%
Claimed attacks
vs 781 the month before
50
Groups active
76
Countries affected
40
Busiest day
3 March

Ransomware groups claimed 800 attacks on organisations worldwide in March 2026, up 2% on the previous month's 781. 50 distinct groups posted at least one victim during the month, across 76 countries. The busiest single day was 3 March, with 40 victims listed.

Qilin was the most active operation of the month, claiming 140 victims — 18% of all listings. NightSpire (66) and The Gentlemen (58) followed. 4 groups appeared for the first time, including Krybit, Lapsus$, Exitium, Cry0.

Manufacturing bore the heaviest targeting, with 107 claimed victims, ahead of Business Services (99) and Technology (97). By geography, United States accounted for 349 claims — 44% of the month — with France (38) and United Kingdom (32) next.

Claims per day — March 2026

Most active groups

  1. 1Qilin·140
  2. 2NightSpire466
  3. 3The Gentlemen158
  4. 4DragonForce456
  5. 5INC Ransom253
  6. 6LockBit353
  7. 7Akira348
  8. 8Handala3339
  9. 9Coinbasecartel633
  10. 10Play523

First seen this month:Krybit, Lapsus$, Exitium, Cry0

Most-targeted sectors

  1. 1Manufacturing107
  2. 2Business Services99
  3. 3Technology97
  4. 4Healthcare68
  5. 5Financial Services51
  6. 6Construction50
  7. 7Consumer Services44
  8. 8Public Sector34
  9. 9Education32
  10. 10Transportation/Logistics28

Most-affected countries

  1. 1United States349
  2. 2France38
  3. 3United Kingdom32
  4. 4Italy24
  5. 5Germany22
  6. 6Canada19
  7. 7Brazil16
  8. 8Spain16
  9. 9Israel16
  10. 10India13

Every figure in this report counts a claim posted to a criminal leak site, observed via the monitoring service ransomware.live. A listing is an extortion tactic, not a confirmed breach: some claims are exaggerated, some are duplicates under new branding, and a few are outright false. Companies named in listings have not necessarily confirmed any incident, and ThreatVectr does not publish victim names from this dataset.

Cite this report

This report is free to cite and reproduce with attribution. Suggested citation:

ThreatVectr, “State of Ransomware: March 2026”, https://threatvectr.com/ransomware-tracker/reports/march-2026

Journalists and researchers: for questions about the data or methodology, contact the newsdesk.

Most ransomware starts with one email

The groups in this report overwhelmingly get in through phishing. Train2Secure runs realistic phishing simulations and short training that teach your team to spot the lure.

Start free — no card required
© 2026 Threat Vectr