From January to June 2026, Comparitech researchers logged an average of one ransomware attack on a government entity every day. Attacks jumped by over 13 percent when compared to H2 2025, increasing from 165 to 187 attacks.
Of the 187 attacks recorded in H1 2026, 89 were confirmed by the targeted entities.
As the chart above shows, attacks on government entities increased overall in H1 2026, but Q2 did see a slight dip. Whether or not this dip will continue remains to be seen because government agencies appear to be in the crosshairs for some of 2026’s most notorious ransomware gangs.
From H2 2025 to H1 2026, attacks in the US declined across all sectors by eight percent, and attacks on US government agencies declined by 23 percent. Some of this can be attributed to attacks via The Gentlemen not being as concentrated within the US (unlike other key gangs, such as Qilin).
As in our H1 report, cybercriminal group The Gentlemen is starting to dominate and alter the ransomware threat landscape. Attacks on government agencies via The Gentlemen rose significantly in the first half of 2026, up from a single attack in H2 2025 to 22 a year later. While this is due, in part, to The Gentlemen only emerging in September 2025, it does highlight that governments are a key target for this prolific gang. Attacks via LockBit also increased significantly (up 250%) but attacks via Qilin declined (down 45%).
Governments remain a lucrative target for hackers because of the amount of disruption the encryption of systems can cause and the volume of sensitive data often available. This doubles the groups’ chances of receiving a ransom payment.
For example, it took German municipal transport company Verkehrsgesellschaft Main-Tauber 11 weeks to recover from its January 2026 attack. A February 2026 attack on the city of Suffolk, VA resulted in one of the biggest recent data breaches on a government entity. Suffolk notified nearly 158,000 people
Murray County in the US also confirmed it had met its hackers’ demands, paying $200,000 in May 2026 to prevent data from being released.
*Please note: this sector-specific report was written after our general H1 2026 report, so figures may have changed slightly as more attacks have been confirmed.
Key findings for H1 2026 ransomware attacks on government agencies
- 187 attacks in total
- 89 confirmed attacks
- 98 unconfirmed attacks
- 179,000 records are known to have been breached in the confirmed attacks
- Median ransom demand: $100,000 – a fifth of the median in H2 2025 ($500,000)
- The most prolific ransomware strains with the highest number of claims against government organizations were The Gentlemen (22), Qilin (21), LockBit (14), APT73/BASHE (12), and INC (10)
- The Gentlemen had the most confirmed attacks (10), followed by Qilin (9), LockBit (7), and INC (6)
Government data breaches via ransomware in H1 2026
To date, the number of people impacted by data breaches following ransomware attacks on government entities is just under 179,000. Most of these stem from the below:
- The City of Suffolk, US – 157,725 affected: In February 2026, this US city was targeted in a ransomware attack. While the attack was stopped before ransomware was deployed, a data breach did occur. Cloak took credit for this, saying it had stolen 2.5 TB of data.
- İzelman A.Ş., Turkey – 10,000 affected: The municipal parking service for the Turkish city of İzmir confirmed it detected a ransomware attack on its systems in March 2026. It later confirmed that 10,000 may have been impacted in the subsequent breach. Hackers unknown.
- Winona County, US – 6,196 affected: Winona County has confirmed two attacks in 2026 – one in January and one in April. In May, Winona County started notifying over 6,000 people of a breach following its attack in January. It is yet to confirm if the April attack also resulted in a data breach. Interlock claimed the April attack, while the hackers remain unknown in January’s incident.
All of these breaches stem from Q1 2026, highlighting the delay in reporting breaches following ransomware attacks. It takes an average of about four months for most government agencies to notify victims of data breaches. Some take much longer. For example, last month, the City of Middletown in Ohio, US, began notifying 123,791 people of a breach from July 2025.
The top 5 biggest ransom demands on government agencies in H1 2026
In H1 2026, one government entity confirmed it had paid a ransom (Murray County, US, mentioned above) and 16 entities said they hadn’t paid.
Across the confirmed attacks, the following five organizations were hit with the biggest known ransom demands:
- Land and Agricultural Development Bank of South Africa – $3.1 million: South Africa’s Land Bank refused to meet this hefty ransom demand, issued by unknown hackers following an attack in January 2026. Systems were restored in April 2026
- Lørenskog kommune, Norway – $1.18 million: CMD Organization placed a 20 BTC ransom on the data it had said it had stolen from the Norwegian municipality during its attack in April 2026.
- Passaic County, US – $800,000: In March 2026, Medusa issued the US county with an $800,000 ransom demand to delete data it said it had stolen during its attack. Passaic confirmed to Comparitech that it was working to restore its systems following the attack and was investigating Medusa’s claims. No data breach notifications have been issued as of yet.
- Latvijas valsts meži (LVM) – $686,300: Latvia’s forestry company was crippled by a ransomware attack in June 2026. It said hackers exploited a vulnerability in a system that hadn’t been updated for two years. LVM said the hackers hadn’t contacted them directly, but cybersecurity researchers said an unknown hacker demanded €600,000 to decrypt the data.
- Secretaria de Estado de Saúde de Mato Grosso, Brazil – $500,000: The Brazilian local health authority refused to meet LockBit’s demands following an attack in March 2026. Some reports suggested as much as 200 TB had been stolen but the SES-MT said it was less than 1 TB.
Ransomware attacks on government agencies by country
The US accounted for 31 percent of all 187 attacks noted on government entities in H1 2026 with 58 in total. This was a 23 percent decline on H2 2025’s figure of 75.
Germany (9), France (8), and South Africa (6) followed the US with the most attacks in H1 2026. While France’s figure also declined (down 20%), Germany saw a 13 percent increase and South Africa a 50 percent increase.
33 of the attacks in the US were confirmed. Seven were confirmed in Germany and four each in Italy and Spain.
Which ransomware groups are targeting government entities?
As we’ve already seen, The Gentlemen claimed the most attacks against government organizations in H1 2026. It claimed responsibility for 22 attacks on government agencies in H1 2026, despite only claiming one such attack in H2 2025. The Gentlemen first started adding victims to its site in September 2025, making 75 attack claims throughout the rest of 2025.
While this could suggest The Gentlemen’s new focus on government agencies in 2026, it’s also worth noting that The Gentlemen has upscaled its operations in all sectors significantly throughout 2026 so far (504 attack claims in total).
10 of the entities targeted by The Gentlemen in 2026 have confirmed attacks. One was in the US (The City of Boyne City), six were across Europe (Anderlues la Commune in Belgium, Ministarstvo zdravstva Republike Hrvatske in Croatia, Zámek Náměšť nad Oslavou in Czechia, Nationalmuseet in Denmark, Feuerwehr Allensbach in Germany, and Ayuntamiento de Beniel in Spain). The others were the Instituto Nacional de Derechos Humanos in Chile, Caja de Seguro Social (CSS) in Panama, and Witzenberg Municipality in South Africa.
Qilin’s attacks on government entities dropped by 45 percent, falling from 38 in H2 2025 to 21 in 2026. Nine of its attacks were confirmed, with four of those in the US (Tulsa International Airport, the City of Seal Beach and Seal Beach Police Department, Rusk County, and the City of Sandstone), two in France (Ville de Quiberon and Ville d’Eyguières), and one each in Romania (CONPET S.A.), Colombia (Enviaseo E.S.P), and Libya (Central Bank of Libya).
Attacks by LockBit on government agencies also increased by 250 percent from four in H2 2025 to 14 in H1 2026. Seven were confirmed, each in a different country. Like the Secretaria de Estado de Saúde de Mato Grosso (mentioned above), Městský úřad Jemnice in the Czech Republic also confirmed it hadn’t met LockBit’s ransom demands. Elsewhere, operations at the Nagoya Port Authority in Japan were disrupted after LockBit launched an attack in January 2026. Sociedad Hipotecaria Federal in Mexico, Hanover Police Department in the US, Grad Rovinj – Città di Rovigno in Croatia, and Nandrin in Belgium all noted data breaches following their attacks.
Confirmed vs unconfirmed attacks
We label a ransomware attack as “confirmed” when a) the targeted organization publicly discloses an attack that involved ransomware, or b) the targeted organization publicly acknowledges a cyber attack that matches a claim made by a ransomware group. If a ransomware group claims that it successfully attacked an organization, but the organization never acknowledged an attack, then we label the attack as “unconfirmed.”
An attack might be unconfirmed because the ransomware group making the claim is lying, or because the targeted organization chose not to disclose the attack to the public. Ransomware groups post their attack claims on their respective websites, where the data is auctioned or released when organizations don’t meet their ransom demands.
Organizations in the US are required to disclose data breaches, which often result from ransomware attacks, to state officials when they meet certain thresholds. Not all countries have breach disclosure laws.
When an attack is confirmed, it is removed from our list of unconfirmed attacks. Therefore, we must allow for some changes in figures when comparing monthly figures, especially when using unconfirmed attacks. Claims from ransomware groups often come about a month after the attack, if not longer. For example, if a ransomware gang claims an attack in January 2025, it may later be confirmed as an attack in December 2024 and will, therefore, be attributed to a different month.
All data is derived from our worldwide ransomware tracker (updated daily) – here.