Ransomware roundup_ H1 2026 mid-year report

Global ransomware attacks reached a new high in H1 of 2026 with an average of 23 attacks per day.

During the first six months of 2026, we logged 4,217 ransomware attacks. This is an 11 percent increase on the second half of 2025 (3,809).

DateTotal Attacks# of DaysAttacks per Day
H1 20242,45618213
H2 20243,17918417
H1 20253,70618120
H2 20253,80918421
H1 20264,21718123

Of these 4,217 attacks, 484 were confirmed by the targeted organizations. The rest were claimed by ransomware groups on their data leak sites but have not been publicly acknowledged by the targets.

Attacks on governments and businesses rose by 12 percent, while the healthcare sector saw a four percent increase. Attacks on education dropped by 13 percent.

Within the business sector, the manufacturing industry remains the most targeted, accounting for just over 22 percent of attacks across all businesses (822 in total). Here, attacks increased by 10 percent when compared to H2 of 2025 (750).

This increase wasn’t the largest, though. Transportation companies saw the biggest uptick in attacks (up 52%). Healthcare businesses–those operating within the sector but not providing direct care, e.g. pharmaceutical companies and billing providers–also saw a large increase in attacks (up 35%), as did retailers (up 28%) and tech companies (up 23%).

Also of note in H1 2026 was a decline in the number of attacks carried out in the US. Here, attacks dropped by eight percent when compared to H2 2025. This is likely due to the large number of claims made by The Gentlemen. Unlike many of its counterparts, The Gentlemen’s attacks aren’t heavily concentrated in the US. Just over 17 percent of its attacks were carried out on US organizations, compared to 47 percent of Qilin’s attacks.

The Gentlemen also rose to become the most prolific ransomware strain in June 2026, knocking Qilin off the top spot for the first time in many months. It claimed 115 victims in June alone, compared to 78 from Qilin.

Key findings for H1 2026 ransomware attacks

  • 484 confirmed ransomware attacks
    • 319 were on businesses
    • 83 were on government entities
    • 49 were on healthcare companies
    • 33 were on educational institutions
  • 3,733 unconfirmed attacks*
    • 3,356 were on businesses
    • 102 were on government entities
    • 198 were on healthcare companies
    • 71 were on educational institutions
  • 5,019,204 records compromised in the confirmed attacks
  • Median ransom demand: $150,000 (average: $1.36M)
  • Qilin was the most prolific ransomware group with 641 victims in total, followed by The Gentlemen (464) and Akira (317)
  • Qilin (54) and The Gentlemen (51) had the most confirmed attacks
  • The United States was the most targeted country with 1,832 attacks in total, followed by Canada (200), Germany (164), the United Kingdom (157), Italy (131), France (117), and Spain (100)
  • China saw one of the biggest upticks in attacks from H2 2025 to H1 2026 (up 540% from 5 to 30)

*6 attacks were on unknown companies that couldn’t be attributed to a specific sector.

Ransomware attacks by sector

We categorize attacks into four sectors: business, education, government, and healthcare. All sectors bar education saw an increase in attacks from H2 2025 to H1 2026.

Ransomware attacks on government agencies

  • 83 confirmed attacks
  • 102 unconfirmed attacks
  • Median ransom demanded = $100,000 (Average: $372,820)
  • 15 entities confirmed they hadn’t paid a ransom and one (Murray County in the US) confirmed it had paid its hackers $200,000

Ransomware attacks on healthcare

  • 49 confirmed attacks
  • 198 unconfirmed attacks
  • Median ransom demanded = $310,000 (Average: $6.15 million – due to NetRunner’s $100M demand on Nippon Medical, see below)
  • 5 entities confirmed they hadn’t paid a ransom (none confirmed to have paid)

Ransomware attacks on education

  • 33 confirmed attacks
  • 71 unconfirmed attacks
  • Median ransom demanded = $384,440 (Average: $412,750)
  • 4 entities confirmed they hadn’t paid a ransom (none confirmed to have paid)

Ransomware attacks on businesses

  • 316 confirmed attacks
  • 3,359 unconfirmed attacks
  • Median ransom demanded = $100,000 (Average: $732,200)
  • 9 entities confirmed they hadn’t paid a ransom and 2 confirmed they had paid (Instructure and Weil, Gotshal & Manges LLP in the US)

As we have already noted, some business sectors were more heavily targeted than others, including:

  • Manufacturing – 822 attacks recorded (inc. 81 confirmed) – UP 10% from H2 2025 (750)
  • Service-based businesses – 609 attacks recorded (inc. 38 confirmed) – similar to H2 2025 levels (605)
  • Retail – 326 attacks recorded (inc. 28 confirmed) – UP 28% from H2 2025 (254)
  • Technology – 323 attacks recorded (inc. 30 confirmed) – UP 23% from H2 2025 (263)
  • Finance – 257 attacks recorded (inc. 22 confirmed) – similar to H2 2025 levels (260)
  • Legal – 233 attacks recorded (inc. 14 confirmed) – UP 15% from H2 2025 (202)

The top 10 biggest ransom demands in H1 2026

According to our data, the following organizations saw the biggest ransom demands (across confirmed attacks) in the first half of 2026. Note that most companies and ransomware groups do not disclose their ransom demands, so data is limited.

  1. Nippon Medical School Musashi Kosugi Hospital, Japan – $100 million: NetRunner demanded this astronomical ransom from the Japanese healthcare company in February 2026. Perhaps unsurprisingly, Nippon Telenet refused to meet the demands.
  2. Weil, Gotshal & Manges LLP, US – $18 million to $20 million: In late May 2026, the US legal firm is reported to have paid up to $20 million to the Silent Ransom Group (sometimes referred to as Luna Moth) to have stolen data deleted.
  3. Jones Day, US – $13 million: Silent Ransom Group also issued a hefty ransom demand to US legal firm Jones Day in March 2026. There’s no evidence to suggest this was paid.
  4. UnoAerre Industries S.p.A., Italy – $4.48 million: The Italian manufacturer was issued with a $4.5 million demand by unknown hackers in May 2026. UnoArre refused to pay.
  5. Land and Agricultural Development Bank of South Africa (Land Bank) – $3.1 million: The government bank also refused to meet the ransom demands of its hackers (unknown) in January 2026.
  6. STELIA Aerospace North America Inc., Canada – $2.07 million: Rhysida issued the aerospace manufacturer with this ransom in April 2026 for 10 TB of stolen data. Stelia confirmed to Comparitech that the incident had been contained to the Stelia North America IT environment and didn’t impact its broader Airbus Atlantic network.
  7. TINYpulse (WebMD Health Services), US – $2 million: ShadowByt3$ issued the $2 million to Nintendo after it was caught up in this breach. The hackers said they had breached 859 MB of data via the third party (TINYpulse).
  8. Nidec Chaun-Choung Technology Corporation, Taiwan – $2 million: New ransomware group Blackfield came forward to claim this June 2026 attack on the Taiwanese manufacturer, issuing a $2 million ransom for 2 TB of stolen data.
  9. Delano Public Schools, US – $1.2 million: LockBit made various threats to the US school district after breaching its network in May 2026. Its demand of $1.2 million wasn’t met due to LockBit being a sanctioned organization, which legally ruled out any negotiations.
  10. Lørenskog kommune, Norway – $1.18 million: CMD Organization placed a 20 BTC ransom on the data it had said it had stolen from the Norwegian municipality during its attack in April 2026.

The top 5 biggest data breaches via ransomware in H1 2026

All five of the biggest reported data breaches from 2026 so far occurred in Japan. It’s important to note here that this doesn’t necessarily point toward Japan being subject to bigger breaches, but is more likely to be a result of a prompt and efficient data breach reporting system.

  1. Nippon Telenet Co., Ltd., Japan – 1,041,044 affected: Having noted a system failure on March 9, 2026, due to a ransomware attack, the utility company later confirmed that over 1 million pieces of personal information may have been involved in the attack. The hackers remain unknown.
  2. YCC Information Systems Co., Ltd. – 755,000 affected: As it stands, around 755,000 people were impacted in this attack on the Japanese tech company in April 2026. Various entities have confirmed they’ve been impacted in the breach, including Yamagata City where over 500,000 people were affected. Hackers unknown.
  3. CKC Network, Inc. and Gakusan Co., Ltd., Japan – 664,000 affected: The education provider was targeted in an attack by unknown hackers in May 2026.
  4. MEDICUS SHUPPAN, Publishers Co., Ltd, Japan – 641,000 affected: In March 2026, the publishing company was targeted in an attack that was later claimed by The Gentlemen. 641,000 entries of personal data were affected, which may include some duplicate entries for the same person).
  5. Anabuki Housing Service Co., Ltd., Japan – 207,773 affected: Initially, the housing agency said that approximately 496,000 pieces of personal information may have been involved in this attack in February 2026 (claimed by Qilin). In May, it revised this figure to 207,773.

Also in the top 10 are F-One Co., Ltd., Japan (170,000), Köfteci Yusuf, Turkey (163,000), Beacon Mutual Insurance Company, US (162,439), the City of Suffolk, US (157,725), and Plaza Home Mortgage, US (137,976).

The most prolific ransomware strains in H1 2026

Qilin takes the top spot overall with 641 attack claims, but in June it was overtaken for the first time in many, many months. In June 2026, Qilin added 78 victims to its data leak site. The Gentlemen added 115.

The Gentlemen has gained notoriety in recent months, with a large number of its attack claims confirmed. In June alone, it was confirmed as the gang behind seven attacks, including the one on Australia’s Mackay Sugar, which caused huge disruptions to its operations.

Looking at The Gentlemen’s confirmed attacks throughout the first half of 2026 (50 in total), governments were a key target (10 attacks confirmed) as were manufacturers (10 attacks confirmed).

Across Qilin’s confirmed attacks (54 in total), governments were also a focus (9), as was healthcare (8).

Ransomware attacks by country in H1 2026

The US was the most heavily targeted country in the first half of 2026 with 1,832 attacks recorded here in total. This was an eight percent decrease on H2 of 2025’s figure, though (1,985).

Out of all the countries that saw the highest number of attacks in H1 of 2026, the US was the only one to see a decline. As mentioned, this could be due to the high number of claims from The Gentlemen, which aren’t concentrated within the US, unlike other groups.

Canada had the second-highest figure (200), a four percent increase from H2 of 2025 (192). Germany, the United Kingdom, Italy, France, and Spain made up the rest of the top most targeted countries, with Italy seeing the biggest increase in attack levels (up 66%).

China saw one of the biggest influxes in attacks, rising by 540 percent from 5 in H2 of 2025 to 30 in H1 of 2026. Chile also saw a big increase (up 200%), as did Hong Kong (up 167%), Taiwan (up 161%), Czechia (up 150%), and South Africa (up 140%).

Confirmed vs unconfirmed attacks

We label a ransomware attack as “confirmed” when a) the targeted organization publicly discloses an attack that involved ransomware, or b) the targeted organization publicly acknowledges a cyber attack that matches a claim made by a ransomware group. If a ransomware group claims that it successfully attacked an organization, but the organization never acknowledged an attack, then we label the attack as “unconfirmed.”

An attack might be unconfirmed because the ransomware group making the claim is lying, or because the targeted organization chose not to disclose the attack to the public. Ransomware groups post their attack claims on their respective websites, where the data is auctioned or released when organizations don’t meet their ransom demands.

Organizations in the US are required to disclose data breaches, which often result from ransomware attacks, to state officials when they meet certain thresholds. Not all countries have breach disclosure laws.

When an attack is confirmed, it is removed from our list of unconfirmed attacks. Therefore, we must allow for some changes in figures when comparing monthly figures, especially when using unconfirmed attack claims. Claims from ransomware groups often come about a month after the attack, if not longer. For example, if a ransomware gang claims an attack in January 2025, it may later be confirmed as an attack in December 2024 and will, therefore, be attributed to a different month.

All data is derived from our worldwide ransomware tracker (updated daily) – here .