7,655 Ransomware Claims in One Year: Group, Sector, and Country Breakdown

From March 2025 to March 2026, ransomware groups posted 7,655 victim claims to public leak sites over 376 days. That is roughly 20 per day, or one new organisation named every 71 minutes.

This article breaks down which groups are most active, what sectors they target, where the victims are located, and how claim volume has changed over the observation period. All figures are based on leak site postings ingested by CipherCue via the ransomware.live API. Claim counts are not confirmed breaches. They represent what threat actors have publicly stated.

One group posted 1,179 claims. Five groups account for 40%.

Of 129 active groups, the top five posted 3,027 of the 7,655 claims (40%). The drop-off from there is gradual: the 6th group posted 261 claims (3.4%) and the 10th posted 191 (2.5%).

| Group | Claims | Share | Countries | |---|---|---|---| | Qilin | 1,179 | 15.4% | 74 | | Akira | 706 | 9.2% | 42 | | INC Ransom | 415 | 5.4% | 60 | | Play | 386 | 5.0% | 21 | | Safepay | 341 | 4.5% | 31 | | Sinobi | 261 | 3.4% | 21 | | DragonForce | 251 | 3.3% | 36 | | Clop | 248 | 3.2% | 36 | | TheGentlemen | 192 | 2.5% | 55 | | Lynx | 191 | 2.5% | 28 |

Qilin alone posted 1,179 claims, roughly 3.1 per day. Its geographic footprint spans 74 countries, the widest of any group. Top Qilin targets by country: US (438), France (55), Canada (48), Spain (41), Great Britain (36). This is not a group that picks one geography and stays there.

Akira is second at 706 claims across 42 countries, but with a heavier US concentration: 403 of its 706 claims (57%) targeted American organisations. Germany (34), Canada (31), and Italy (20) follow.

Play is the most US-concentrated of the top five. 249 of its 386 claims (64%) targeted the US, followed by Canada (27). Only 21 countries appear in its claim list, compared to Qilin's 74.

The long tail matters as much as the leaders: the remaining 124 groups collectively posted 4,628 claims. This suggests that disrupting any single group is unlikely to reduce the overall total significantly.

Manufacturing has been claimed 890 times. Technology is close behind at 843.

Of the 7,655 claims, 4,970 had a recognisable sector attributed by ransomware.live metadata. The remaining 2,685 (35%) had no sector data or were marked "Not Found".

| Sector | Claims | Top groups in this sector | |---|---|---| | Manufacturing | 890 | Qilin (150), Akira (144), Play (81), Sinobi (36), SafePay (34) | | Technology | 843 | Qilin (107), Clop (60), INC Ransom (52), Akira (47), Play (42) | | Healthcare | 537 | Qilin (85), INC Ransom (39), Sinobi (34), WorldLeaks (21), SafePay (21) | | Construction | 375 | Akira (61), Qilin (57), Play (50), DragonForce (24), Sinobi (23) | | Financial Services | 362 | Qilin (67), Akira (35) | | Business Services | 339 | Akira (50), Qilin (47), SilentRansomGroup (21), INC Ransom (20) | | Education | 260 | Qilin (50), INC Ransom (28), SafePay (20), Interlock (20) | | Consumer Services | 260 | Qilin (33), Akira (22), Play (21), INC Ransom (20) | | Public Sector | 256 | Qilin (41), Babuk2 (35), INC Ransom (22) | | Transportation/Logistics | 237 | Qilin (39), Akira (23) |

The top 10 sectors account for 4,359 of the 4,970 sector-attributed claims. The remaining 611 include Agriculture and Food Production (171), Hospitality and Tourism (168), Energy (160), and Telecommunication (106).

The group-sector relationship appears non-random. Qilin leads in 9 of the top 10 sectors, but Akira leads specifically in construction (61 claims) and business services (50 claims). Clop's technology concentration (60 claims, its top sector) is consistent with the group's reported focus on file transfer and managed service provider vulnerabilities. Play clusters heavily in manufacturing (81) and construction (50), sectors where operational downtime may create stronger payment pressure.

The US accounts for 40% of all claimed victims. 141 countries appear in total.

3,101 of the 7,655 claims named a US-based organisation. 1,077 claims had no country attribution. After the US, the distribution spreads across 140 additional countries.

| Country | Claims | Top groups | |---|---|---| | United States | 3,101 | Qilin (438), Akira (403), Play (249), INC Ransom (217) | | Germany | 315 | SafePay (72), Akira (34), Qilin (34) | | Canada | 311 | Qilin (48), INC Ransom (33), Akira (31), Play (27) | | United Kingdom | 232 | Qilin (36), SafePay (20), INC Ransom (13) | | France | 177 | Qilin (55) | | Italy | 169 | Qilin (32), Akira (20) | | Spain | 157 | Qilin (41), Akira (12) | | Brazil | 132 | INC Ransom (8) | | India | 129 | Qilin (7) | | Japan | 112 | Qilin (25) |

Germany's position at second is notable. SafePay alone posted 72 claims targeting German organisations, making it the dominant threat for that country by a wide margin. Canada and the UK show a broader spread of groups.

Volume increased 40% in the second half of the observation period

The first six months (March to August 2025) averaged 521 claims per month. The next six months (September 2025 to February 2026) averaged 732 per month. That is a 40% increase. December 2025 was the single highest month at 861 claims. What the data shows is that the baseline has shifted upward and has not returned to first-half levels.

What this means for risk and security teams

Vendor and supply chain risk: Manufacturing and technology together account for 35% of sector-attributed claims. If your supply chain depends on these providers, their exposure is your risk. Volume is trending up. Monthly averages increased 40% in the second half. Group fragmentation suggests a resilient ecosystem. With 129 active groups, no single law enforcement action is likely to reduce overall volume substantially. Geographic spread is genuine. 141 countries appeared in the dataset, spanning six continents.