In March 2026, ransomware attacks rose to the highest level of the year with 780 in total – a 13 percent increase on February’s figure (692). The number is also the second-highest in a single month since February 2025.
One industry that has seen a dramatic increase in attacks is the utility sector. Here, attacks rose by over 630 percent from February 2026 (3) to March 2026 (22). As hackers (often state-sponsored) look to wreak maximum havoc, targeting critical infrastructure is a key focus. Across the 22 attacks we noted, 16 different countries were targeted. The US was the most frequent with six claims on utility companies in total.
Manufacturers and government entities also saw high increases in the number of attacks, jumping by 36 and 30 percent, respectively, when comparing February 2026 to March 2026.
The number of confirmed attacks–those acknowledged by the targeted entities–was also high in March. Normally, it takes several weeks or months for attacks to be confirmed. For example, when we published our February 2026 report, just 38 attacks had been confirmed; today, 54 attacks have been confirmed for February. So far, March 2026 has seen 55 confirmed attacks, suggesting we’ll see far higher figures in the coming weeks.
Key findings for March 2026
- 780 attacks in total — 55 confirmed attacks (confirmed by the entity involved)
- Of the 55 confirmed attacks:
- 33 were on businesses
- 10 were on government entities
- 6 were on healthcare companies
- 6 were on educational institutions
- Of the 725 unconfirmed attacks*:
- 654 were on businesses
- 25 were on government entities
- 33 were on healthcare companies
- 12 were on educational institutions
- The most prolific ransomware gangs were Qilin (140), Akira (80), and The Gentlemen (68)
- Qilin (7) and The Gentlemen (5) had the most confirmed attacks
- Over 242 TB of data was stolen across all of these attacks
- The US saw the most attacks (375), followed by France (32), and Germany, the United Kingdom, and Canada (26 each)
*One attack was on an unknown company that couldn’t be attributed to a specific sector.
Ransomware attacks by sector
Healthcare
Attacks on healthcare providers declined by 15 percent from February 2026 to March 2026, falling from 46 to 39. Six attacks were confirmed in March.
The six confirmed attacks were recorded in six different countries. Qilin targeted Suchthilfe direkt Essen gGmbH in Germany and Aroostook Mental Health Services, Inc. in the US. The latter said it refused to meet the gang’s ransom demands.
In Japan, NetRunnerPR was said to be responsible for an attack on Shiraume Toyooka Hospital, while unknown hackers targeted Poland’s Samodzielny Publiczny Wojewódzki Szpital Zespolony.
In Oceania, an attack on Alphington Sports Medicine in Australia was claimed by BlackShrantac, and IntraCare in New Zealand confirmed it had been dealing with an attack after The Gentlemen added it to the group’s data leak site.
Government
Attacks on government entities rose significantly by 30 percent in March 2026, increasing from 27 in February 2026 to 35 in March 2026. 10 attacks in March have been confirmed so far.
Four attacks were confirmed in the US. Foster City and Jackson County Sheriff’s Office were targeted by unknown hackers, and Medusa targeted Passaic County with a ransom of $800,000. The City of Minot has just confirmed its Water Treatment Plant was targeted by hackers earlier last month. The attack impacted systems but never affected the quality or delivery of its drinking water. No communications were made with the hackers (also unknown).
Elsewhere, the following attacks were confirmed:
- Instituto de Previsión Social (IPS), Paraguay – claimed by Kairos with 2 TB allegedly stolen
- Gemeinde Matten, Switzerland – unknown hackers, ransom unpaid
- Namibia Airports Company (NAC) – targeted by INC
- Puerto de Vigo, Spain – unknown hackers, ransom unpaid
- Statistics South Africa – targeted by XP95 with a $100,000 ransom, which wasn’t paid
- Caja de Seguro Social (CSS), Panama – hit by The Gentlemen
Education
Attacks on the education sector remained relatively consistent from February 2026 to March 2026 with the former seeing 17 attacks and the latter 18. Six attacks were confirmed in March.
Five of the six confirmed attacks were confirmed in the US. Two of these (Community College of Beaver County and Alamo Heights Independent School District) haven’t been claimed by a ransomware gang as of yet.
Alcorn School District was claimed by LockBit, Lehigh Carbon Community College was claimed by Medusa with a $100,000 ransom demand, and Monmouth University was added to PEAR’s data leak site after 16 TB of data was allegedly stolen.
Elsewhere, unknown hackers targeted St Anne’s Catholic School in the UK, causing the school to shut down for four days.
Businesses
Attacks on businesses increased by 15 percent from February 2026 to March 2026, rising from 600 to 687. We confirmed 32 attacks on global businesses throughout March.
As we’ve already noted, attacks on utility companies rose exponentially last month. One of the attacks was on German heating plant, Fernheizwerk Neukölln AG. The attack was attributed to DragonForce but a claim hasn’t appeared on the gang’s site as of yet. Heating supplies weren’t affected in the attack but accounting and internal communications were impacted.
Manufacturers saw the second-highest increase in attacks (up 36 percent). The largest number of confirmed attacks was also in this sector where 12 entities reported attacks.
Seven of the attacks took place in Asia:
- ELECQ, China – unknown hackers
- LHT Holdings Limited, Singapore – claimed by INC
- Swagerock, Japan – unknown hackers (shipping delayed for a week)
- Jean Co., Ltd., Taiwan – claimed by LockBit
- Trio-Tech International Pte. Ltd., Singapore – claimed by Gunra
- Omikenshi Co., Ltd., Japan – claimed by The Gentlemen
- OMAX Autos Limited, India – LockBit claimed an attack on OMAX in February 2026. This attack was noted later on in March. At the time of writing, it’s unclear if they refer to the same attack.
Two manufacturing attacks were also noted in the US (AkzoNobel Inc. claimed by Anubis and Ludlum Measurements, Inc. by Embargo). Embargo also claimed an attack on Westport Fuel Systems Inc. in Canada.
In Europe, attacks on LISI Group, France (claimed by Qilin), and Cabka N.V., the Netherlands (claimed by Play) were confirmed.
The most prolific ransomware strains in March 2026
Qilin claimed 140 attacks in March 2026 and seven of these attacks were confirmed.
As well as those mentioned above (Suchthilfe direkt Essen gGmbH, LISI Group, and Aroostook Mental Health Services, Inc.), Qilin was responsible for attacks on two other German companies, Arbeiter-Samariter-Bund (a humanitarian aid company) and political party Die Linke. It also claimed attacks on Italian tech company, Netalia Srl, and Duffy’s Sports Grill in the US.
Akira had the second-highest number of claims (80) with two of these being confirmed – Pyrénées Andorra and BHS Bau- und Handelsgruppe GmbH & Co. KG, Germany.
The Gentlemen had the third-highest number of claims (68) but the second-highest number of confirmed attacks. As well as the ones already noted (Omikenshi Co., Ltd., Caja de Seguro Social, and IntraCare), The Gentlemen was also responsible for attacks on MEDICUS SHUPPAN, Publishers Co., Ltd. in Japan and SATS Sverige, a fitness company in Sweden.
A new ransomware gang, AiLock, claimed to have stolen the highest amount of data with over 43 TB stolen in total. One of its attacks was confirmed – an attack on England Hockey where 129 GB was said to have been stolen.
PEAR’s attack on Monmouth University saw the largest breach of data in a confirmed attack with 16 TB in total. TENGU also said it had stolen 22.9 TB of data from a US real estate company, but that is yet to be confirmed.
March 2026 ransomware attacks by country
The US remained the top target last month with attacks increasing by nearly 12 percent from February 2026 (336) to March 2026 (375).
France saw one of the most significant increases in attacks (up 113 percent), followed by the United Kingdom (up 86 percent), Germany (up 73 percent), and Spain (up 58 percent).
Attacks in Italy (up 4 percent) and Japan (down 6 percent) remained similar, while attacks declined in Canada (down 21 percent), India (down 40 percent), Brazil (down 42 percent), and Thailand (down 28 percent).
Confirmed vs unconfirmed attacks
We label a ransomware attack as “confirmed” when a) the targeted organization publicly discloses an attack that involved ransomware, or b) the targeted organization publicly acknowledges a cyber attack that coincides with a claim made by a ransomware group. If a ransomware group claims that it successfully attacked an organization, but the organization never acknowledged an attack, then we label the attack as “unconfirmed”.
An attack might be unconfirmed because the ransomware group making the claim is lying, or because the targeted organization chose not to disclose the attack to the public. Ransomware groups post their attack claims on their respective websites, where the data is auctioned or released when organizations don’t meet their ransom demands.
Organizations in the US are required to disclose data breaches, which often result from ransomware attacks, to state officials when they meet certain thresholds. Not all countries have breach disclosure laws.
When an attack is confirmed, it is removed from our list of unconfirmed attacks. Therefore, we must allow for some changes in figures when comparing monthly figures, especially when using unconfirmed attacks. This is due to claims from ransomware groups often coming a month later than the attack was carried out–if not longer. For example, if a ransomware gang claims an attack in January 2026, it may later be confirmed as an attack in December 2025 and will, therefore, be attributed to a different month.
You can view all attacks, from 2018 to present via our worldwide ransomware tracker here.
