Ransomware Landscape Report — H1 2026

4,472 organizations were named on ransomware leak sites in the first half of 2026 — an average of 24.7 every single day, across 104 active groups. Here's what the data says, and what it means for your defenses.

HookPhish Security Team Published July 14, 2026 ~20 min read Period: January 1 – June 30, 2026
HookPhish
HookPhish threat report

Ransomware — H1 2026

Source: aggregated public ransomware leak-site data — deduplicated, quality-checked and analyzed by HookPhish. Full details in the methodology.

4,472
Victims published
Jan–Jun 2026
104
Active ransomware groups
Business Services
Most-targeted sector
691 victims · 15.5%
839
Peak month (Apr)
+36% vs Jan low
40%
Victims in the United States
1,790 organizations
93.4 TB
Data claimed stolen
where disclosed

Executive overview

Organizations of every size play a role in global supply chains, public services and critical infrastructure — and in the first half of 2026, ransomware and data-extortion crews treated all of them as inventory. Between January 1 and June 30, 4,472 organizations were publicly named on ransomware leak sites: roughly 745 a month, or one new victim every hour of every day. That is only what was published. Victims who paid quietly, or whose attackers never operated a leak site, do not appear here at all — every figure in this report is a floor, not a ceiling.

Activity accelerated through the half: 2,155 victims in the first quarter became 2,317 in the second, a 7.5% increase, peaking at 839 disclosures in April. North America absorbed 43.5% of all named victims — the United States alone accounted for 40% — followed by Europe at 24.5%. Business Services overtook Manufacturing as the most-hit sector, and healthcare climbed quarter-over-quarter at exactly the moment one major brand publicly dropped its old rules against attacking hospitals.

Qilin was the most active group for the entire half, with 657 victims (14.7% of everything published). The five busiest groups — Qilin, The Gentlemen, Akira, DragonForce and INC Ransom — accounted for 41% of all activity. Yet the story of H1 2026 is as much about churn as dominance: 38 groups with no leak-site activity in Q4 2025 surfaced or resurfaced during the half and published 514 victims between them — more than one in ten of the total.

This report breaks down the half by month, quarter, group, sector, region and incident, and closes with the defensive picture the data actually supports: almost all of this began at the human layer — a phished credential, a socially-engineered help desk, an infostealer log — the harvested output of commodity password-stealing malware, sold on criminal markets — bought for a few dollars.

RaaS operations and emerging threat groups in H1 2026

The half was shaped by three parallel dynamics. Mature Ransomware-as-a-Service (RaaS) operations continued to drive the majority of volume: just 10 brands crossed the 100-victim mark, and together they produced 2,598 victims — 58% of everything published. At the same time, the ecosystem kept fragmenting: 104 distinct groups posted at least one victim, and 27 of them posted fewer than five. Finally, identity-centric extortion collectives — crews that steal and ransom data without deploying an encryptor at all — moved from the margins toward the center of the threat model.

Emerging and returning groups

Dedicated leak sites appeared for 38 groups that had no activity in the final quarter of 2025. Between them they published 514 victims (11.5% of the H1 total) — evidence of how little it now costs to stand up an extortion brand: leaked builders, recycled infrastructure and affiliates migrating from disrupted programs do most of the work. The most active of these new or returning names:

APT73
69 victims · since April
Payload
62 victims · since February
Krybit
58 victims · since April
Lamashtu
34 victims · since April
CMD Organization
31 victims · since May
M3RX
26 victims · since April
FulcrumSec
25 victims · since May
Settra
22 victims · since June
Lapsus$
21 victims · since March
Aurora
21 victims · since April
ALP-001
15 victims · since March
AuditTeam
15 victims · since April
ShadowByt3$
12 victims · since February
Icarus
12 victims · since May
DeadLock
10 victims · since June
LeakBazaar
9 victims · since May

Three are worth singling out. Payload appeared in February and reached 62 victims by June — the second-busiest of the half's new or returning brands, from a name nobody had heard of six months earlier. APT73 and Krybit both surfaced in April and immediately posted at scale, a tempo more consistent with experienced affiliates rebranding than with newcomers learning the trade. And the return of the Lapsus$ name in March — years of law-enforcement attention, including the widely reported 2022 arrests of its original members, notwithstanding — shows how durable a notorious brand can be; our blog covered its claimed intrusion at AYA Bank in March.

New groups are not junior-varsity threats. FulcrumSec, first seen in May, claimed one of the half's most consequential incidents — the Novo Nordisk data leak detailed in the incidents section below. The lesson for defenders: victimology, not brand recognition, is what matters. A group founded last month can still buy the same initial access, from the same brokers, as a group founded five years ago.

Qilin: continued dominance at declining altitude

Qilin published 657 victims in six months — 14.7% of global activity, and 58% more than the runner-up. Its footprint tilts American (42% of its victims were US organizations) and industrial: manufacturing (96), business services (76) and consumer services (51) top its sector mix. But the trajectory matters as much as the total: Qilin peaked at 138 victims in March and slid to 78 in June, its quietest month of the half (359 in Q1 → 298 in Q2). Whether that reflects affiliate churn, internal friction or simple operational cycles, the data can't say — but the crown is more contested than the half-year totals suggest.

The Gentlemen: the fastest riser

The clearest challenger is The Gentlemen, which grew from 33 victims in January to 90 in May and finished the half at 416 — number two globally, with momentum Qilin lacks (166 in Q1 → 250 in Q2, a 51% jump). Its targeting is notably less US-centric than its peers (15.4% US), with heavy activity across European and Asian manufacturing and technology firms, and it claimed one of the half's most significant energy-sector incidents at Romania's Oltenia Energy Complex. If current trajectories hold, the leaderboard looks different by year-end.

LockBit 5.0: the brand that would not die

After the 2024 law-enforcement takedown of the original LockBit infrastructure (Operation Cronos) and a publicly reported September 2025 relaunch that removed the program's old sector restrictions, LockBit 5.0 spent H1 2026 rebuilding: 198 victims, growing from 90 in Q1 to 108 in Q2. Two details stand out in the data. First, its geography is the least US-focused of any major brand (16.2% US) — consistent with a program courting affiliates who avoid American heat. Second, healthcare is its #3 sector (19 victims) — the kind of targeting the old LockBit program at least nominally prohibited. The removal of the rules is visible in the victim list.

ShinyHunters and identity-first extortion

Not every entry on a leak site involves an encryptor. ShinyHunters published 78 victims in H1 — concentrated in April (20) and June (20) — and its press-confirmed victims read like a stock index: Charter Communications, ADT, Carnival Corporation and Instructure all confirmed breaches after extortion threats. The publicly reported playbook — help-desk social engineering, MFA-reset abuse and abuse of valid SaaS credentials rather than malware — makes this the purest expression of human-layer risk in the entire dataset: no exploit chain, just people.

Victims published per month

Volume climbed steadily from 619 in January to a peak of 839 in April — a 36% rise — before easing through May (776) and June (702). Even the June “lull” sat 13.4% above where the year began. The spring surge follows a rhythm the ecosystem has repeated for years: affiliates return from the year-end slowdown, new programs launch and recruit, and credentials harvested by winter infostealer campaigns get put to work. Mid-year dips have historically rebounded in the third quarter.

Q1 versus Q2: who accelerated, who stalled

The quarter-over-quarter view exposes what half-year totals hide. Overall volume rose 7.5%, but the gains were not evenly distributed. The Gentlemen (+51%), DragonForce (104146) and SafePay (2160, nearly tripling) drove the acceleration, while Qilin, Akira and INC Ransom all cooled. Two collapses are instructive: Clop went from 127 victims in Q1 to just 2 in Q2 — the on/off signature of a campaign-driven operation that mass-exploits a file-transfer or managed service, publishes in bulk, then goes dark until the next zero-day. Sinobi fell from 80 to 6, the profile of a brand dissolving or rebranding. Planning defenses around whichever name currently tops the chart is a losing game; the churn is the constant.

Group momentum, month by month

How the five busiest groups moved across the half — each panel is that group's monthly victim count, January through June.

Qilin657
The Gentlemen416
Akira279
DragonForce250
INC Ransom232

The momentum view reads like a relay, not a marathon. Groups spike for a month or two — typically after a successful affiliate-recruitment drive or a fresh batch of purchased access — then fade as infrastructure is seized, affiliates migrate, or the operators cash out. DragonForce's arc is the archetype: 8 victims in January, 63 in April, 28 by June.

Notable incidents of H1 2026

Only 165 of the 4,472 victims in the dataset — under 4% — drew any identifiable press coverage. That gap is itself a finding: the overwhelming majority of ransomware victims are never written about, never analyzed, and never factored into anyone's risk model. The five incidents below were chosen because independent reporting exists and because together they span the half's range — critical infrastructure, healthcare, education and manufacturing; a 657-victim brand and a group that did not exist in January.

Complexul Energetic Oltenia

Attack: December 26, 2025 · Claimed: January 2026 · Group: The Gentlemen · Energy · Romania

Romania's largest coal-based energy producer was hit in the final days of 2025 and appeared on The Gentlemen's leak site in January. Press reporting described encrypted documents and disruption to key IT systems at a company that supplies a significant share of the country's electricity — an early signal of the energy-sector pressure that continued through the half.

Coverage: securityaffairs.com

Conpet S.A.

Attack: February 3, 2026 · Claimed: February 2026 · Group: Qilin · Energy · Romania

Weeks after the Oltenia attack, Romania's national oil-pipeline operator disclosed a cyberattack claimed by Qilin. The company reported that corporate IT systems and its website were affected while pipeline operations continued — a textbook example of how ransomware reaches critical infrastructure through the business network first. Coordinated or not, two state-linked Romanian energy companies named in two months made the country's energy sector one of the half's clearest concentrations.

Coverage: bleepingcomputer.com

St Anne's Catholic School, Southampton

Attack: March 22, 2026 · Claimed: May 2026 · Group: Lynx · Education · United Kingdom

A single school forced to close for four days shows the other end of the victim spectrum. BBC reporting described an attack that threatened deletion of school files and was reported to the UK Information Commissioner. Education accounted for 149 victims in H1 — organizations with minimal security staffing and maximum disruption sensitivity.

Coverage: bbc.com

UFP Technologies

Attack detected: February 14, 2026 · Claimed: April 2026 · Group: Payouts King · Medical devices · United States

The medical-device component maker disclosed an attack in which files were stolen and billing and label-creation systems were disrupted. The claim surfaced on the leak site of Payouts King roughly two months after detection — a reminder that mid-tier brands, not just the majors, land established manufacturers.

Coverage: securityweek.com

Novo Nordisk

Claimed: June 2026 · Group: FulcrumSec · Pharmaceuticals · Denmark

FulcrumSec — a group first observed in May — claimed a roughly two-and-a-half-month intrusion at the pharmaceutical giant that reportedly began with an exposed GitHub access token, and leaked pseudo-anonymized records relating to about 11,500 clinical-trial participants after a $25 million demand went unpaid, per press reporting. No encryption, no malware: a stolen developer credential and patience.

Coverage: databreaches.net

Regional impact observations

Ransomware touched every region in H1 2026, but not evenly. The distribution is a map of affiliate economics — language, insurance penetration, digital dependency and the informal rule that keeps most groups away from CIS-region targets:

  • North America1,944 victims (43.5%) — remained the gravitational center of the ecosystem. The concentration reflects both the size of the target economy and affiliate economics: English-language phishing scales best against English-speaking mid-market companies with cyber-insurance coverage. Most impacted: United States (1790), Canada (153), Bermuda (1).
  • Europe1,096 victims (24.5%) — held its position as the second-most impacted region. Activity concentrated in the industrial core — Germany and the UK together absorbed more victims than the next four countries combined. Most impacted: Germany (213), United Kingdom (205), France (130), Italy (124).
  • Asia520 victims (11.6%) — saw broad, shallow targeting across a dozen economies, led by India and an unusually persistent cluster in Thailand and Taiwan's manufacturing and technology firms. Most impacted: India (85), Japan (69), Thailand (69), Taiwan (56).
  • Latin America & Caribbean316 victims (7.1%) — continued its multi-year climb, led by Brazil and Mexico. Regional victims skew toward manufacturing, agriculture and financial services — sectors digitalizing faster than their security budgets. Most impacted: Brazil (91), Mexico (65), Argentina (30), Colombia (29).
  • Middle East146 victims (3.3%) — recorded moderate but strategically notable volume, led by Turkey, the UAE and Israel, with hacktivist-adjacent brands mixing extortion and ideology. Most impacted: Turkey (43), United Arab Emirates (31), Israel (26), Saudi Arabia (13).
  • Oceania94 victims (2.1%) — was dominated by Australia, whose mandatory-reporting regime also makes its incidents unusually visible in press coverage. Most impacted: Australia (82), New Zealand (8), Samoa (2), Papua New Guinea (1).
  • Africa86 victims (1.9%) — remained the smallest region by volume but not by trajectory, with Egypt and South Africa leading a slowly widening footprint across emerging markets. Most impacted: Egypt (22), South Africa (15), Morocco (8), Tunisia (6).

Top victim countries

The United States absorbed 40% of all named victims — 1,790 organizations, more than the next eleven countries combined. Germany, the United Kingdom and Canada round out the top four. Wherever your organization sits, the takeaway is the same: ransomware is a global, machine-translated business that scales across borders effortlessly.

Industry impacts

The target list is a portrait of the mid-market economy. Business Services (691 victims, 15.5%), Manufacturing (614) and Technology (486) topped the table — sectors full of companies large enough to pay a ransom but rarely large enough to run a mature security program. Attackers are not picking industries so much as picking soft targets; the common denominator is under-resourced human-layer defense.

  • Business Services nearly doubled quarter-over-quarter (245 446) — the sharpest sector move in the dataset. IT providers, accountants, law firms and consultancies are force multipliers: one MSP or bookkeeping firm yields dozens of downstream victims' data, and attackers price that in.
  • Manufacturing stayed effectively flat and high (312 302) — the steady-state favorite, where downtime is measured in idle production lines and missed shipping windows.
  • Healthcare climbed from 158 to 194 — a 23% rise that coincides with LockBit 5.0's publicly reported removal of its old prohibition on hospital targeting. In this sector downtime is measured in patient safety, not lost revenue.
  • Technology cooled sharply (289197) after a Q1 spike inflated by Clop's bulk publications, while Consumer Services (126 183) and Agriculture & Food Production (74 107) both rose meaningfully.

Group trends, patterns and the long tail

104 groups published at least one victim in H1 2026 — but the distribution is brutally top-heavy, and the tiers behave differently:

  • The majors (100+ victims): 10 groups, 2,598 victims — 58% of everything. Qilin, The Gentlemen, Akira, DragonForce, INC Ransom, LockBit 5.0, NightSpire, Play, Clop, Coinbase Cartel. These are institutions with affiliate programs, negotiation portals and PR strategies.
  • The middle class (20–99): 35 groups, 1,482 victims — including Sinobi, SafePay, ShinyHunters, Everest, Lynx, World Leaks and most of the half's emerging brands. This is where the churn lives: rising stars and dissolving programs pass each other in opposite directions.
  • The long tail (under 20): 59 groups, 392 victims. 10 brands posted exactly one victim and vanished. Individually negligible; collectively, about 9% of the problem — and a reminder that blocklisting known groups is not a strategy.

For a defender the lesson is not to chase names — the roster churns every quarter — but to defend against the shared playbook nearly all of them run: initial access through phishing or stolen credentials, privilege escalation, data theft, then encryption or naked extortion. The brands are interchangeable; the entry points are not.

What this means for your defenses

The single most useful fact behind these 4,472 incidents is how they started. Year after year, the dominant initial-access routes into a ransomware intrusion are phishing and stolen or reused credentials — the human layer, not a zero-day. This half's data makes the point twice over: 2,606 of the 4,472 victims — 58% — had employee or customer credentials already circulating in infostealer logs at the time they were attacked, and the half's marquee identity-extortion campaigns needed no malware at all. A group does not need to be sophisticated to take your network; it needs one employee to click, or one password that is already for sale.

That reframes this report's numbers into a concrete to-do list:

  • Continuously test and train your people with realistic phishing simulations and security awareness training — including the help-desk and MFA-reset scenarios the identity crews used all half — so the click rate that feeds these leak sites keeps falling.
  • Find exposed credentials before an attacker does, with dark web monitoring and breach monitoring — the 58% infostealer figure above is the single most actionable number in this report.
  • Treat your vendors as your attack surface: Business Services' near-doubling means your MSP, accountant and law firm are now the likeliest path to your data.
  • Turn all of it into a single, trackable human-risk score so you can prove the exposure is shrinking quarter over quarter — the same cadence this report uses.

Curious where you stand right now? Run a free check with the HookPhish data breach checker to see whether your organization's credentials are already exposed — the same kind of data that preceded a majority of the incidents above.

Conclusion and outlook

The first half of 2026 confirmed that ransomware is no longer a story about a handful of cartels. It is a commodity market: 104 brands, a shared supply chain of initial-access brokers and infostealer logs, and a victim published every hour. Volume grew 7.5% quarter-over-quarter, the leader lost altitude while its challengers accelerated, and 38 new or returning brands proved that the barrier to entry keeps falling.

Three developments deserve particular attention in the second half. First, identity-first extortion: the ShinyHunters playbook — no encryptor, no exploit, just social engineering against help desks and SaaS platforms — produced some of the half's largest confirmed breaches, and it is the easiest model for new crews to copy. Second, supply-chain leverage: the near-doubling of Business Services victims signals that attackers increasingly buy one intrusion and sell many victims. Third, the healthcare drift: with at least one major program publicly abandoning its hospital prohibition and healthcare volume already climbing, the sector should assume the old informal restraints are gone.

None of these trends favor the defender who bets on perimeter tools alone. Every trajectory in this report — the group churn, the sector shifts, the credential statistics — points at the same conclusion: the human layer is where ransomware starts, and it is the layer where measurable improvement is fastest. Organizations that continuously train their people, watch for their credentials on dark-web markets, and score their human risk the way they score their financials will be the ones missing from the H2 dataset.

Methodology & sources

Victims are counted by the date they were first disclosed on a ransomware group leak site (discovery date), deduplicated across monthly pulls. Figures reflect publicly claimed victims and are a floor, not a ceiling — many incidents are never posted.

The dataset is aggregated from publicly visible posts made by ransomware operators on their own extortion (“leak”) sites, collected across public threat-intelligence feeds for the period January 1 – June 30, 2026. Victims are counted by disclosure (leak-site posting) date and deduplicated across the six monthly datasets. Quarter comparisons split the half at March 31. “Emerging” groups are those with no observed leak-site activity in Q4 2025; some are genuinely new, others are rebrands or returning operations. 270 victims (~6%) had no disclosed country and are excluded from regional figures. Excludes victims with no disclosed sector.

How the derived figures were produced: the infostealer figure counts victims whose records showed at least one employee or user credential circulating in publicly available infostealer logs when the victim record was compiled — exposure that predates or coincides with the leak-site posting and does not, by itself, establish the initial-access vector for that incident. The data claimed stolen total sums only the sizes attackers themselves disclosed and is unverified. Press coverage counts victims with at least one identifiable independent news article about the incident.

Leak-site claims are allegations by criminal actors and may be exaggerated, unverifiable or recycled — for example, a handful of 2026 posts re-advertised incidents first reported publicly in 2023–2024. Such posts remain in the counts (they are real leak-site activity) but were excluded from the incident spotlights, which are limited to victims with independent 2026 press coverage.

Corrections: if you spot an error in this report, or you represent an organization named here and have information we should review, email info@hookphish.com or use our contact form. Material corrections are noted on this page with the date of the change.

HookPhish does not exfiltrate, host, or disclose any stolen data. Figures are provided for awareness and defensive purposes only and reflect publicly claimed victims, which may include unverified or contested claims. Organizations named in the incidents section are victims of crimes, not subjects of criticism.

References

  1. Romania's Oltenia Energy Complex suffers major ransomware attack — Security Affairs
  2. Romanian oil pipeline operator Conpet discloses cyberattack — BleepingComputer
  3. Southampton school closed after ransomware attack — BBC News
  4. Medical device maker UFP Technologies hit by cyberattack — SecurityWeek
  5. FulcrumSec leaks Novo Nordisk data after $25M demand goes unpaid — DataBreaches.net
  6. Charter confirms data breach after ShinyHunters extortion threat — BleepingComputer
  7. ADT confirms data breach after ShinyHunters leak threat — BleepingComputer
  8. Carnival confirms data breach affecting nearly 6 million people — BleepingComputer
  9. Edu-tech firm Instructure discloses cyber incident — BleepingComputer

How to cite this report

HookPhish Security Team, “Ransomware Landscape Report — H1 2026,” HookPhish, July 14, 2026, https://www.hookphish.com/reports/ransomware-h1-2026/

Written by the HookPhish Security Team

The HookPhish Security Team builds and operates HookPhish's phishing-simulation, security-awareness training and dark-web / breach-monitoring products, and analyzes aggregated public ransomware leak-site data as part of that work. Every figure in this report is derived from the underlying dataset, and sources are cited above. Learn more about our research or get in touch.

Published July 14, 2026.

Security training designed for people. Built for enterprise.

Learn how HookPhish can effortlessly transform your security program and reduce your human cyber-risk.

Fill out the form to schedule a 30-minute chat with a product expert. We'll discuss the challenges you want to solve, walk through HookPhish, and answer any questions.

  • A 30-minute call — no obligation, no pressure
  • We reply within one business day
  • See simulation, training, risk scoring and monitoring in one platform

Book a personalized demo

Looking to become a partner? Use this form instead.

We'll only use this to contact you about your demo. No spam. See our privacy policy.