From March 2025 to March 2026, ransomware groups posted 7,655 victim claims to public leak sites over 376 days. That is roughly 20 per day, or one new organisation named every 71 minutes.
This article breaks down which groups are most active, what sectors they target, where the victims are located, and how claim volume has changed over the observation period. All figures are based on leak site postings ingested by CipherCue via the ransomware.live API. Claim counts are not confirmed breaches. They represent what threat actors have publicly stated.
One group posted 1,179 claims. Five groups account for 40%.
Of 129 active groups, the top five posted 3,027 of the 7,655 claims (40%). The drop-off from there is gradual: the 6th group posted 261 claims (3.4%) and the 10th posted 191 (2.5%).
| Group | Claims | Share | Countries |
|---|---|---|---|
| Qilin | 1,179 | 15.4% | 74 |
| Akira | 706 | 9.2% | 42 |
| INC Ransom | 415 | 5.4% | 60 |
| Play | 386 | 5.0% | 21 |
| SafePay | 341 | 4.5% | 31 |
| Sinobi | 261 | 3.4% | 21 |
| DragonForce | 251 | 3.3% | 36 |
| Clop | 248 | 3.2% | 36 |
| TheGentlemen | 192 | 2.5% | 55 |
| Lynx | 191 | 2.5% | 28 |
Qilin alone posted 1,179 claims, roughly 3.1 per day. Its geographic footprint spans 74 countries, the widest of any group. Top Qilin targets by country: US (438), France (55), Canada (48), Spain (41), Great Britain (36). This is not a group that picks one geography and stays there.
Akira is second at 706 claims across 42 countries, but with a heavier US concentration: 403 of its 706 claims (57%) targeted American organisations. Germany (34), Canada (31), and Italy (20) follow.
Play is the most US-concentrated of the top five. 249 of its 386 claims (64%) targeted the US, followed by Canada (27). Only 21 countries appear in its claim list, compared to Qilin's 74.
The long tail matters as much as the leaders: the remaining 124 groups collectively posted 4,628 claims. This suggests that disrupting any single group is unlikely to reduce the overall total significantly.
Manufacturing has been claimed 890 times. Technology is close behind at 843.
Of the 7,655 claims, 4,970 had a recognisable sector attributed by ransomware.live metadata. The remaining 2,685 (35%) had no sector data or were marked "Not Found".
| Sector | Claims | Top groups in this sector |
|---|---|---|
| Manufacturing | 890 | Qilin (150), Akira (144), Play (81), Sinobi (36), SafePay (34) |
| Technology | 843 | Qilin (107), Clop (60), INC Ransom (52), Akira (47), Play (42) |
| Healthcare | 537 | Qilin (85), INC Ransom (39), Sinobi (34), WorldLeaks (21), SafePay (21) |
| Construction | 375 | Akira (61), Qilin (57), Play (50), DragonForce (24), Sinobi (23) |
| Financial Services | 362 | Qilin (67), Akira (35) |
| Business Services | 339 | Akira (50), Qilin (47), SilentRansomGroup (21), INC Ransom (20) |
| Education | 260 | Qilin (50), INC Ransom (28), SafePay (20), Interlock (20) |
| Consumer Services | 260 | Qilin (33), Akira (22), Play (21), INC Ransom (20) |
| Public Sector | 256 | Qilin (41), Babuk2 (35), INC Ransom (22) |
| Transportation/Logistics | 237 | Qilin (39), Akira (23) |
The top 10 sectors account for 4,359 of the 4,970 sector-attributed claims. The remaining 611 include Agriculture and Food Production (171), Hospitality and Tourism (168), Energy (160), and Telecommunication (106). The balance of 6 claims sits under variant or inconsistent sector labels in the source data.
The group-sector relationship appears non-random. Qilin leads in 9 of the top 10 sectors, but Akira leads specifically in construction (61 claims) and business services (50 claims). Clop's technology concentration (60 claims, its top sector) is consistent with the group's reported focus on file transfer and managed service provider vulnerabilities. Play clusters heavily in manufacturing (81) and construction (50), sectors where operational downtime may create stronger payment pressure.
The US accounts for 40% of all claimed victims. 141 countries appear in total.
3,101 of the 7,655 claims named a US-based organisation. 1,077 claims had no country attribution. After the US, the distribution spreads across 140 additional countries.
| Country | Claims | Top groups |
|---|---|---|
| United States | 3,101 | Qilin (438), Akira (403), Play (249), INC Ransom (217) |
| Germany | 315 | SafePay (72), Akira (34), Qilin (34) |
| Canada | 311 | Qilin (48), INC Ransom (33), Akira (31), Play (27) |
| United Kingdom | 232 | Qilin (36), SafePay (20), INC Ransom (13) |
| France | 177 | Qilin (55) |
| Italy | 169 | Qilin (32), Akira (20) |
| Spain | 157 | Qilin (41), Akira (12) |
| Brazil | 132 | INC Ransom (8) |
| India | 129 | Qilin (7) |
| Japan | 112 | Qilin (25) |
Germany's position at second is notable. SafePay alone posted 72 claims targeting German organisations, making it the dominant threat for that country by a wide margin. This concentration may reflect German-language affiliates or a deliberate targeting campaign, though the data alone cannot confirm either explanation.
Canada and the UK show a broader spread of groups, with no single group accounting for more than a fifth of either country's total.
Volume increased 40% in the second half of the observation period
| Month | Claims |
|---|---|
| March 2025 | 594 |
| April 2025 | 495 |
| May 2025 | 492 |
| June 2025 | 488 |
| July 2025 | 538 |
| August 2025 | 519 |
| September 2025 | 566 |
| October 2025 | 814 |
| November 2025 | 708 |
| December 2025 | 861 |
| January 2026 | 674 |
| February 2026 | 767 |
| March 2026 (11 days) | 139 |
The first six months (March to August 2025) averaged 521 claims per month. The next six months (September 2025 to February 2026) averaged 732 per month. That is a 40% increase.
December 2025 was the single highest month at 861 claims. October 2025 was second at 814. Whether this reflects genuinely increasing ransomware activity, more groups adopting leak sites, or changes in ransomware.live ingestion coverage is not possible to determine from claim data alone. What the data does show is that the baseline has shifted upward and has not returned to first-half levels.
What this means for risk and security teams
- Vendor and supply chain risk: Manufacturing (890) and technology (843) together account for 1,733 of the 4,970 sector-attributed claims (35%). If your supply chain depends on mid-market manufacturers or technology providers, their ransomware exposure is your operational risk. A vendor appearing on a leak site, even if unconfirmed, should trigger a due diligence review.
- Volume is trending up, not down. Monthly averages increased 40% from the first half to the second half of this observation period. If the second-half rate sustains, the ecosystem is on pace for over 8,700 claims per year.
- Group fragmentation suggests a resilient ecosystem. With 129 active groups, no single law enforcement action is likely to reduce overall volume substantially. The top group (Qilin) accounts for only 15% of claims. Even removing it entirely would still leave 6,476 claims from 128 other groups.
- Geographic spread is genuine. 141 countries appeared in the dataset. US organisations are the most frequent targets at 40%, but the remaining 60% spans six continents. European subsidiaries, APAC operations, and Latin American offices are all represented.
Method note
Data source: ransomware.live API, ingested into CipherCue. The dataset contains 7,655 leak site claims with a discovered_date between 1 March 2025 and 11 March 2026 (376 days). Claims represent threat actor postings, not confirmed breaches. Sector and country attribution is taken from ransomware.live metadata where available. 2,685 claims (35%) had no sector data or were marked "Not Found". 1,077 claims (14%) had no country data. The sector table shows the top 10 of 14 sector categories; the remaining 611 claims include Agriculture and Food Production (171), Hospitality and Tourism (168), Energy (160), Telecommunication (106), and 6 claims with variant or inconsistent sector labels. Group-country and group-sector counts shown in tables are based on claims where both fields were populated. Monthly totals may shift as ransomware.live updates historical data. March 2026 is a partial month (11 days at time of analysis). Victim names are as posted by threat actors and may include duplicates where groups re-post or claim the same victim under different naming.
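One way to apply the vendor due-diligence point together with the duplicate-naming caveat above, as an added example (not CipherCue or ransomware.live code). The `victim` and `group` field names, the suffix list and every sample record are constructed assumptions; only `discovered_date` is named on this page.

```python
import re
from collections import defaultdict

# Legal-form suffixes ignored when comparing names (constructed list, extend locally).
SUFFIXES = {"inc", "llc", "ltd", "gmbh", "corp", "co", "plc", "ag", "sa", "limited"}

def normalise(name):
    """Reduce a vendor name or leak-site victim string to a comparable key."""
    name = re.sub(r"^(https?://)?(www\.)?", "", name.strip().lower())
    if " " not in name:  # bare domain: drop the public suffix
        name = re.sub(r"\.(co\.uk|com\.br|co\.jp|[a-z]{2,})/?$", "", name)
    tokens = re.findall(r"[a-z0-9]+", name)
    return " ".join(t for t in tokens if t not in SUFFIXES)

def review_queue(vendors, claims):
    """Return {vendor: [(group, first discovered_date), ...]} for watch-listed vendors.

    Re-posts by the same group under different naming collapse to one entry;
    claims by different groups stay separate.
    """
    keys = {normalise(v): v for v in vendors if normalise(v)}
    hits = defaultdict(dict)
    for claim in claims:
        vendor = keys.get(normalise(claim["victim"]))
        if vendor is None:
            continue
        seen = hits[vendor].get(claim["group"])
        # ISO 8601 dates compare correctly as strings.
        if seen is None or claim["discovered_date"] < seen:
            hits[vendor][claim["group"]] = claim["discovered_date"]
    return {v: sorted(g.items()) for v, g in hits.items()}

# Constructed sample data: vendors, groups and claims are all fictitious.
VENDORS = ["Acme Widgets, Inc.", "Nordwerk GmbH", "Blue Harbor Logistics LLC"]
CLAIMS = [
    {"victim": "acme-widgets.com", "group": "group-a", "discovered_date": "2025-10-03"},
    {"victim": "ACME Widgets Inc", "group": "group-a", "discovered_date": "2025-10-19"},
    {"victim": "Acme Widgets", "group": "group-b", "discovered_date": "2025-12-01"},
    {"victim": "www.nordwerk.de", "group": "group-a", "discovered_date": "2026-01-14"},
    {"victim": "Harbor Blue Ltd", "group": "group-b", "discovered_date": "2026-02-02"},
]

if __name__ == "__main__":
    for vendor, entries in review_queue(VENDORS, CLAIMS).items():
        print(vendor, "-> due diligence review:", entries)
```

Matching is exact on the normalised key, so the similarly named "Harbor Blue Ltd" does not flag "Blue Harbor Logistics LLC"; a hit is a prompt for review, since claims are not confirmed breaches.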