7,655 Ransomware Attacks in 12 Months — Who Is Getting Hit and Why It Keeps Getting Worse
One organisation every 71 minutes. That is how often a ransomware group publicly names a new victim on a leak site. Over the past 12 months, 129 different groups posted 7,655 claims across 141 countries. The numbers are not slowing down. They are accelerating.
Think of the ransomware ecosystem like a hydra. Cut off one head — say, law enforcement takes down a major group — and three more pop up within weeks. The data from CipherCue, pulled from the ransomware.live API, makes this painfully clear.
The big players are not who you think
Qilin leads the pack with 1,179 claims — roughly 3.1 per day. They operate in 74 countries. The US is their favourite target (438 claims), but France, Canada, Spain, and the UK are all in their rotation. This is not a regional gang. It is a global operation with industrial-scale output.
Akira comes second at 706 claims, though their focus is more US-heavy — 57% of their targets are American. Then you have INC Ransom (415), Play (386), and Safepay (341). These five groups alone account for 40% of all claims.
But here is the thing nobody talks about: the remaining 124 groups posted 4,628 claims combined. There is no single kill shot. Even if Qilin vanished tomorrow, the ecosystem would barely flinch.
Who is actually getting hit?
Manufacturing tops the list at 890 claims. Technology is close behind at 843. Together, they make up 35% of all sector-attributed attacks. Healthcare comes third at 537 — which should alarm everyone who relies on hospitals staying operational.
The pattern makes sense if you think about it. Manufacturers cannot afford downtime. A factory floor sitting idle costs thousands per hour. That pressure to get back online fast? That is exactly what ransomware groups exploit.
Construction (375), financial services (362), and education (260) round out the top targets. Even agriculture and food production saw 171 claims. No sector is too niche to be left alone.
The US takes 40% of the hits
3,101 of the 7,655 claims targeted American organisations. That is not surprising given the size of the US economy. But the spread after that is wide: Germany (315), Canada (311), UK (232), France (177), Italy (169), Spain (157), Brazil (132), India (129), and Japan (112).
Germany stands out. SafePay alone posted 72 claims against German targets. Whether that reflects German-language affiliates or a deliberate campaign is unclear, but the concentration is real.
Volume jumped 40% in the second half
The first six months of the observation period averaged 521 claims per month. The second half averaged 732. December 2025 hit 861 — the single worst month. If that second-half pace holds, we are looking at over 8,700 claims per year.
Some of that increase could reflect more groups adopting leak sites or better data collection. But the trend line is clear either way: the baseline has shifted up and it has not come back down.
What you can actually do about it
If you run a business: Your supply chain is your weak link. If your vendors get hit, you feel it. Start asking suppliers about their incident response plans. It is not paranoid — it is Tuesday in 2026.
If you work in IT: Offline backups are still the single most effective defence. Not cloud-synced backups. Actual offline copies that ransomware cannot encrypt. Test your restores quarterly. A backup you have never tested is a prayer, not a plan.
If you are an individual: Use a password manager. Enable 2FA on everything. Keep your devices updated. It sounds basic because it is. Most ransomware enters through phishing emails and stolen credentials, not sophisticated zero-days.
The uncomfortable truth is that ransomware has become a mature industry. It has affiliates, customer service, and competitive dynamics. Pretending it will go away on its own is not a strategy.
Sources: CipherCue | Hacker News
