Securityaffairs

Ransomware Never Stopped: Over 9,000 Confirmed Attacks Since 2018


Ransomware Never Stopped: Over 9,000 Confirmed Attacks Since 2018

Pierluigi Paganini
July 10, 2026

Ransomware remains above 1,400 attacks yearly since 2023. Qilin leads in 2026, while the U.S. remains the main target.

Ransomnews has independently confirmed 9,291 ransomware attacks worldwide between January 2018 and July 2026, tracking incidents only when verified through victim disclosures, regulatory filings, official statements, or credible press reporting. Leak-site listings alone don’t qualify, operators inflate, duplicate, and occasionally fabricate claims. The result is a dataset that’s smaller than what most ransomware statistics cite, and more defensible.

“Confirmed ransomware attacks have run at roughly 1,400 to 1,550 per year since 2023, after a visible dip in 2022. The 2020 to 2021 surge, the 2022 trough (which coincided with the Conti shutdown and the Russia-Ukraine war reshuffling the ecosystem), and the post-2023 plateau are all visible in the yearly series. The current year always shows a partial count.” reads the Ransomnews ‘s report.

The 2022 drop to 960 confirmed attacks is the most significant single-year shift in the dataset: when Conti imploded and threat actors reorganized around the war in Ukraine, the volume genuinely fell. It came back. By 2023 it had exceeded the 2021 peak, and it’s stayed there.

“LockBit remains the all-time leader by confirmed victims, with more than 500 verified attacks attributed to the operation since 2019, ahead of Qilin, Akira and the now-defunct Conti.” states the report.

In 2026, however, Qilin leads with 53 confirmed victims, followed closely by a group called The Gentlemen with 51. LockBit sits at 26 confirmed victims this year, which tells you something about how law enforcement pressure has affected its operational tempo without shutting it down entirely.

“The United States accounts for roughly half of all confirmed ransomware attacks in the dataset, followed at a distance by France, Germany, Japan, Canada and the United Kingdom.” continues the report. “Part of that gap is real exposure and part is reporting bias: US breach-notification and SEC disclosure rules force more incidents onto the public record than most jurisdictions, which makes American attacks easier to confirm.”

In 2026, Japan sits in second place with 63 confirmed attacks, significantly more than Germany’s 41, which is a notable shift from the all-time rankings where France and Germany have historically held those positions. Whether that reflects increased targeting or improved Japanese disclosure practices is an open question.

The sector picture hasn’t changed.

“Business is the largest umbrella category at around three fifths of confirmed attacks, but the standout concentrations are in the public-facing sectors: government, healthcare and education together account for well over a third of all confirmed incidents.” concludes the report. “These are the sectors where operational disruption is most visible, which drives both the targeting and the confirmation rate.”

Healthcare alone has 1,297 confirmed attacks across the full dataset, and manufacturing — which sits outside the headline government-healthcare-education grouping — has more confirmed attacks than education at 1,037. The 2026 year-to-date total sits at 504 confirmed attacks as of July 8, with recent months provisional as confirmation lags the actual incidents by weeks.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, malware)







Source link