Ransomware roundup_ April 2026

In April 2026, ransomware attacks dropped by nearly 22 percent, falling to the lowest level in six months. A total of 628 ransomware attacks were recorded in April, following a peak in March (801).

Attacks on government entities decreased significantly with less than half the number reported in April (19) compared to March (41).

The only sector that didn’t see a decline was the healthcare sector. Here, attacks increased by nearly 10 percent, rising from 41 in March to 45 in April.

Within the business sector, attacks declined across all industries bar one – healthcare. Attacks on businesses operating within the healthcare sector (e.g. pharmaceutical/medical device manufacturers and healthcare tech companies) remained at a consistent level – 31 attacks were recorded in both March and April 2026.

As our recent Q1 healthcare ransomware report found, both healthcare providers and healthcare businesses remain a key target for hackers.

Prime examples in April include the attack on healthcare provider Signature Healthcare and Dutch healthcare tech company ChipSoft.

The attack on Signature Healthcare forced the hospital to resort to downtime procedures, divert ambulances, and cancel chemotherapy appointments. Anubis claimed the attack and said it stole 2 TB of data. The attack on ChipSoft caused mass disruption, impacting the company’s electronic health record (EHR) platform, used by around 80 percent of hospitals in the Netherlands. Patient data was also deleted. Ransomware group Embargo claimed the attack and theft of 100 GB of data.

April’s dip in attacks can be attributed somewhat to a dip in claims from the most dominant strain of recent months – Qilin. The group’s claims dropped by 28 percent from March (145) to April (105).

Key findings for April 2026

  • 628 attacks in total — 43 confirmed attacks (confirmed by the entity involved)
  • Of the 43 confirmed attacks:
    • 27 were on businesses
    • 8 were on government entities
    • 4 were on healthcare companies
    • 4 were on educational institutions
  • Of the 585 unconfirmed attacks:
    • 524 were on businesses
    • 11 were on government entities
    • 41 were on healthcare companies
    • 9 were on educational institutions
  • The most prolific ransomware gangs were Qilin (105), The Gentlemen (67), and DragonForce (60)
  • INC had the most confirmed attacks (5), followed by Payload and The Gentlemen (4 each), and LockBit and DragonForce (3 each)
  • Nearly 125 TB of data was stolen across all of these attacks
  • The US saw the most attacks (260), followed by Canada (32), the United Kingdom (30), and Germany (29)

Ransomware attacks by sector

Healthcare


Attacks on healthcare providers increased by 10 percent from March 2026 to April 2026, rising from 41 to 45. Four attacks were confirmed in April.

Three of the confirmed attacks took place in the United States. As well as Signature Healthcare (noted above), Minidoka Memorial Hospital noted disruptions to its systems following an attack over Easter weekend. New group, Blackwater, claimed the attack, saying it stole 577 GB from the hospital.

An attack on Advanced Diagnostic Imaging (AdvancedHEALTH) was confirmed over the weekend after one of its clinics (Columbia Surgical Partners) said it was unable to access electronic medical records. The hackers are unknown.

In Australia, the Bendigo & District Aboriginal Co-operative was targeted in early April but services to the community weren’t significantly impacted. INC claimed this attack.

Blackwater lists Minidoka Memorial Hospital on its data leak site.
Blackwater lists Minidoka Memorial Hospital on its data leak site.

During the first four months of 2026, we’ve recorded 165 attacks on the healthcare sector. This is a 10 percent increase from the same period of 2025 (150). 31 attacks throughout 2026 have been confirmed.

Government


Attacks on government entities dropped dramatically in April 2026, falling from 41 in March 2026 to 19 in April (54%). Eight attacks in April have been confirmed to date.

Four attacks were confirmed in the US. Three of these (Kent District Library, the City of Ardmore, and Adams County) haven’t been claimed by a group as of yet. Yesterday, the City of Ardmore confirmed it hadn’t met its hackers’ ransom demands of $300,000, meaning we’ll likely see a claim from a group soon if data has been stolen.

Interlock claimed an attack on Winona County — the second attack suffered by the Minnesota county in 2026. Interlock said it had stolen 1.9 TB of data.

Interlock lists Winona County, MN on its data leak site.
Interlock lists Winona County, MN, on its data leak site.

Elsewhere, Anderlues la Commune in Belgium was targeted by The Gentlemen. Another attempt was made on the municipality a week later but this was unsuccessful. Dorotea Kommun in Sweden was targeted by INC and the Rural Municipality of Gimli in Canada was targeted by Payload. German local authority Verbandsgemeinde Sprendlingen-Gensingen confirmed an attack but the hackers remain unknown.

From January to April 2026, we’ve noted 120 attacks on government entities – a 23 percent decrease from the same period of 2025 (156). 49 attacks have been confirmed in 2026 so far.

Education


Attacks on the education sector dipped by 32 percent in April 2026, dropping to 13 from 19 in March 2026. Four attacks were confirmed in April.

Two of the confirmed attacks were claimed by Payload. Franziskusschule Wilhelmshaven in Germany and B3 Bruck an der Mur in Austria. The latter confirmed no ransom was paid.

KRYBIT claimed an attack on Hong Kong school The Church of Christ in China Kei To Secondary School, while the hackers remain unknown in an attack on Spring Lake Park School District in the US.

2026 so far (up to April) has seen 68 attacks on the education sector – a drop of 31 percent (from 99) in the same period of 2025. Throughout 2026, 21 attacks have been confirmed.

Businesses


551 attacks on businesses were recorded in April 2026, a drop of 21 percent from March 2026 (698). 27 attacks were confirmed in April.

As we have already noted, attacks on businesses operating within the healthcare sector remained at a consistent level last month. 31 attacks were recorded in both March and April 2026.

Alongside ChipSoft, three other attacks were also confirmed:

  • Nordenta A/S, Denmark – claimed by Kairos with 1.68 TB allegedly stolen
  • MomCreate Co., Ltd. (CureSmile), Japan – unknown hackers
  • Kukje Pharm Co., Ltd., South Korea – claimed by Gunra with 54 GB allegedly stolen

Eight attacks were also confirmed on manufacturers with two of these claimed by The Gentlemen (Gem Terminal Industry Co., Ltd., Taiwan, and Heinrich Kopp GmbH, Germany) and two by LockBit (Pricon Microelectronics, Inc., Philippines, and Shun Hing Systems Integration Co., Ltd., Hong Kong).

DragonForce claimed an attack on Lift AG, Switzerland, where systems were stabilized after four days. And Rhysida added STELIA Aerospace North America Inc. to its data leak site, issuing a $2.07 million ransom for 10 TB of data.

Grand Process Technology Corporation, Taiwan, and Shin FA-COM Co., Ltd., Japan, also confirmed attacks but the hackers remain unknown.

Another tech company, YCC Information Systems Co., Ltd. in Japan also confirmed an attack last month with a number of its customers warning of data breaches. At the time of writing, nearly 755,000 people are thought to have been impacted. Hackers unknown.

From January to April of this year, we’ve noted 2,500 attacks on businesses worldwide, an increase of eight percent from the same period in 2025 (2,315).

The most prolific ransomware groups in April 2026

Remaining at the top spot is Qilin with 105 claims throughout April 2026. However, this figure was a 28 percent decline from the number of claims made in March 2026 (145).

In contrast, attacks by The Gentlemen remained relatively consistent (67 in April compared to 70 in March), while DragonForce upped the ante with its claims rising by more than 11 percent from 54 in March to 60 in April.

Other gangs with significant increases in attacks in April were PEAR (up 100 percent from 6 to 12) and Payload (up 21 percent from 14 to 17).

Payload and also saw the second-highest number of confirmed attacks (alongside The Gentlemen). As well as the three attacks via Payload mentioned above (Franziskusschule Wilhelmshaven, B3 Bruck an der Mur, and Rural Municipality of Gimli), it also claimed responsibility for an attack on the Jamaican finance company, JOH Investments Limited.

INC had the highest number of confirmed attacks with German construction company Berge-Bau GmbH & Co. KG, Singaporean water damage restoration company BELFOR (Asia) Pte Ltd, and utilities company Mastercom Australia, all confirming attacks (as well as Bendigo & District Aboriginal Co-operative and Dorotea Kommun mentioned above).

Only one attack was confirmed for Qilin, which was Travel Expert (Asia) Enterprises Limited in Singapore.

April 2026 ransomware attacks by country

The US was the top target last month with 260 attacks in total. This was a 31 percent decrease from March 2026 (379).

Canada saw the second-highest number of attacks (32), which was a 23 percent increase from March (26). Two attacks (STELIA and the Rural Municipality of Gimli) were confirmed.

The United Kingdom also saw an increase in attacks, rising from 27 in March to 30 in April. One attack was confirmed here on automotive data expert, Autovista. The attack, which took place on April 11, 2026, caused significant disruptions to systems across Europe and Australia. Restoration is ongoing but nearly complete as of May 4.

Australia also saw an increase in attacks (up 45%), as did Germany (up 7%), while attacks declined in Italy (down 8%), France (down 34%), and Spain (down 11%).

Data breaches confirmed in April 2026

As well as the significant breach reported by YCC Information Systems Co., Ltd., a number of other companies reported breaches in April 2026. The largest of these are:

  • Sandhills Medical Foundation, Inc. – notifying 169,017 people of a breach from May 2025. Claimed by INC
  • Southern Illinois Dermatology – notifying 160,312 people of a breach from November 2025. Claimed by Insomnia
  • City of Suffolk – notifying 157,725 people of a breach from February 2026. Claimed by Cloak with 2.5 TB stolen
  • Rodenburg Law Firm – notifying 81,307 people of a breach from August 2025. Claimed by Akira with 144 GB stolen

Confirmed vs unconfirmed attacks

We label a ransomware attack as “confirmed” when a) the targeted organization publicly discloses an attack that involved ransomware, or b) the targeted organization publicly acknowledges a cyber attack that coincides with a claim made by a ransomware group. If a ransomware group claims that it successfully attacked an organization, but the organization never acknowledged an attack, then we label the attack as “unconfirmed”.

An attack might be unconfirmed because the ransomware group making the claim is lying, or because the targeted organization chose not to disclose the attack to the public. Ransomware groups post their attack claims on their respective websites, where the data is auctioned or released when organizations don’t meet their ransom demands.

Organizations in the US are required to disclose data breaches, which often result from ransomware attacks, to state officials when they meet certain thresholds. Not all countries have breach disclosure laws.

When an attack is confirmed, it is removed from our list of unconfirmed attacks. Therefore, we must allow for some changes in figures when comparing monthly figures, especially when using unconfirmed attacks. This is due to claims from ransomware groups often coming a month later than the attack was carried out–if not longer. For example, if a ransomware gang claims an attack in January 2026, it may later be confirmed as an attack in December 2025 and will, therefore, be attributed to a different month.

You can view all attacks, from 2018 to present via our worldwide ransomware tracker here.