Ransomware roundup: Q1 2026

During the first three months of 2026, ransomware attacks remained high with Comparitech researchers tracking 2,200 attacks in total. This is a slight increase on Q4 of 2025 (up 1.66 percent).

When comparing Q4 of 2025 to Q1 of 2026, the education and healthcare sectors saw significant declines in ransomware, dropping by 23 percent and 14 percent, respectively. However, businesses operating in the healthcare sector (but not providing direct care, e.g. pharmaceutical and medical device manufacturers) saw the most significant increase with attacks rising by 35 percent.

Transportation (up 29%), finance (up 16%), retail (up 15%), technology (up 13%), and construction companies (up 12%) all saw an uptick in attacks.

Attacks on the manufacturing sector rose significantly throughout 2025 and plateaued in Q1 of 2026. While this does make for positive reading, the attack numbers in this sector remain high, accounting for 22 percent of all attacks on businesses (429 attacks in total).

Key findings for Q1 2026:

  • 2,200 attacks in total — 193 confirmed attacks
  • Of the 193 confirmed attacks:
    • 121 were on businesses
    • 35 were on government entities
    • 22 were on healthcare companies
    • 15 were on educational institutions
  • Of the 2,007 unconfirmed attacks*:
    • 1,805 were on businesses
    • 62 were on government entities
    • 98 were on healthcare companies
    • 38 were on educational institutions
  • The most prolific ransomware gangs were Qilin (353 attack claims), The Gentlemen (202), Akira (201), INC (131), Clop (122), and Play (119)
  • Qilin and The Gentlemen had the most confirmed attacks out of these claims with 23 and 20, respectively
  • Over 454 TB of data has been stolen across all these attacks
  • The US saw the most attacks (1,041), followed by Canada (105), the United Kingdom (82), Italy (67), Germany (65), and France (62)

*4 unconfirmed attacks couldn’t be attributed to a sector due to limited company information.

Ransomware attacks by sector

Government

From Q4 of 2025 to Q1 of 2026, attacks on government entities increased by just two percent, rising from 95 in the last quarter of 2025 to 97 in Q1 of 2026.

  • 97 attacks in total (confirmed and unconfirmed)
  • 35 confirmed attacks
  • 62 unconfirmed attacks
  • Average ransom of $480,000 million across all attacks – up from $381,000 in Q4 of 2025
  • Largest ransom of $3.1 million was demanded from the Land and Agricultural Development Bank of South Africa by unknown hackers. This wasn’t paid

Also of note is the number of government transportation companies targeted in Q1 of 2026. Five attacks were confirmed, including Verkehrsgesellschaft Main-Tauber (Germany), Nagoya Port Authority (Japan), Tulsa International Airport (US), Namibia Airports Company, and Puerto de Vigo (Spain).

Healthcare

Q1 of 2026 saw 120 attacks on the healthcare sector, which is a 14 percent decrease on Q4 of 2025, when 140 attacks were recorded.

  • 120 attacks in total (confirmed and unconfirmed)
  • 22 confirmed attacks
  • 98 unconfirmed attacks
  • Average ransom of $16.9 million across all attacks – up from $577,800 in Q4 of 2025
  • Largest ransom of $100 million was demanded by NetRunner from Nippon Medical School Musashi Kosugi Hospital, Japan. This wasn’t paid
  • Largest reported breach: Nippon Medical School Musashi Kosugi Hospital, Japan, with 131,700 people affected

Education

Throughout Q1 2026, the education sector saw 53 attacks in total, which is a 23 percent decrease on Q4 of 2025 (69).

  • 53 attacks in total (confirmed and unconfirmed)
  • 15 confirmed attacks
  • 38 unconfirmed attacks
  • Average ransom of $224,000 across all attacks – down from $458,200 in Q4 of 2025
  • Largest ransom of $457,000 from Rhysida on a California school district (unconfirmed)

Businesses

Attacks on businesses climbed from 1,847 in Q4 of 2025 to 1,926 in Q1 of 2026—a four percent increase.

  • 1,926 attacks in total (confirmed and unconfirmed)
  • 121 confirmed attacks
  • 1,805 unconfirmed attacks
  • Average ransom of $647,000 across all attacks – up from $487,000 in Q4 of 2025
  • Largest ransom of $13 million was demanded by the Silent ransomware group from legal firm Jones Day
  • Largest reported breach: Anabuki Housing Service Co., Ltd., Japan, with 496,000 people affected. Qilin claimed the attack after allegedly stealing 240 GB of data

As we’ve already noted, certain sub-industries saw far greater increases than others from Q4 of 2025 to Q1 2026.

Companies operating within the healthcare sector, such as medical billing providers, healthcare device manufacturers, and pharmaceutical companies that don’t offer direct care to patients, saw the greatest increase. Here, attacks rose by 35 percent from 60 in Q4 of 2025 to 81 in Q1 of 2026. Attacks on these types of companies remain a key focus for hackers due to the disruption they can cause to multiple companies via one central organization and the amount of data up for grabs.

In recent months, we’ve seen a number of huge data breaches as a result of attacks on this sector last year. They include Insightin Health, which notified more than 1.14 million people of its breach.

Transportation companies also saw a significant increase in attacks (up 29 percent from Q4 of 2025 to Q1 of 2026). This is in addition to the government-owned transportation companies noted above.

Following extensive attacks in recent months, attacks on manufacturers plateaued in the first quarter of 2026. Nevertheless, figures do remain high with 429 attacks in total (the highest in any sub-industry). Two attacks in Japan highlight why the manufacturing sector is another prime target for hackers. Akira’s attack on Swagerock Japan demonstrates the disruption these attacks can cause after order shipping was delayed by a week, while BlackShrantac’s attack on F-One Co., Ltd. shows how large the subsequent data breaches can be with 170,000 people impacted.

The most prolific ransomware strains in Q1 2026

Not much has changed throughout the start of 2026 when it comes to the top ransomware strains. Qilin continues to take the top spot with 353 attacks in total. The Gentlemen and Akira followed with 202 and 201 attacks, respectively.

Qilin also had the most confirmed attacks (23) but The Gentlemen wasn’t too far behind with 20 confirmed attacks.

Nine of Qilin’s confirmed attacks were carried out in the US, five in Germany, and the rest across eight different countries. Qilin’s confirmed attacks also targeted an array of industries, with four attacks each carried out on healthcare providers, manufacturers, and retailers. Three government entities were also targeted.

None of The Gentlemen’s confirmed attacks were on US entities; instead, they were spread across 15 different countries. Government entities, educational institutions, and healthcare providers make up the majority of The Gentlemen’s confirmed attacks with five, four, and three attacks, respectively.

PEAR claims to have stolen the most data with over 46 TB in total. 16 TB alone was said to have been stolen from Monmouth University.

Q1 2026 ransomware attacks by country

The US remained the biggest target for ransomware gangs in Q1 of 2026 with 1,041 attacks in total. This was a five percent decrease from Q4 of 2025, when 1,094 attacks were recorded.

Attacks in Canada and Germany also decreased quarter on quarter, falling by 14 percent and 16 percent, respectively.

In contrast, increases were seen in the United Kingdom (up 52 percent), Italy (up 72 percent), Brazil (up 20 percent), and Japan (up 52 percent).

Confirmed vs unconfirmed attacks

We label a ransomware attack as “confirmed” when a) the targeted organization publicly discloses an attack that involved ransomware, or b) the targeted organization publicly acknowledges a cyber attack that coincides with a claim made by a ransomware group. If a ransomware group claims that it successfully attacked an organization, but the organization never acknowledged an attack, then we label the attack as “unconfirmed”.

An attack might be unconfirmed because the ransomware group making the claim is lying, or because the targeted organization chose not to disclose the attack to the public. Ransomware groups post their attack claims on their respective websites, where the data is auctioned or released when organizations don’t meet their ransom demands.

Organizations in the US are required to disclose data breaches, which often result from ransomware attacks, to state officials when they meet certain thresholds. Not all countries have breach disclosure laws.

When an attack is confirmed, it is removed from our list of unconfirmed attacks. Therefore, we must allow for some changes in figures when comparing monthly figures, especially when using unconfirmed attacks. This is because claims from ransomware groups often come a month after the attack was carried out, if not longer. For example, if a ransomware gang claims an attack in January 2025, it may later be confirmed as an attack in December 2024 and will, therefore, be attributed to a different quarter.