Ransomware Attacks in June 2026: Monthly Report

Ransomware Attacks in June 2026: Monthly Report

Which ransomware groups claimed the most victims in June 2026, why Qilin finally dropped from number one, and which countries and industries got hit hardest.

• There were 707 victims in June, up 9% from May’s 646 and back above the 2025 monthly average of 609. Still below March’s 808 peak. The six-month total is 4,290, on pace for roughly 8,600 by year-end.
• Qilin lost the #1 spot for the first time in 2026, falling to third with 71 victims. TheGentlemen had the most with 94 victims, and a new group, DeadLock, was second with 81. LockBit rebounded from 18 victims to 43.
• Healthcare reclaimed the #1 industry spot with 54 victims. Manufacturing slipped to 49 victims. Legal and engineering both climbed into the top six.
• The share of US-based victims fell to 33% (234 of 707), the lowest this year. The UK dropped from 36 victims to 16, while India jumped from 11 to 28. Attacks reached 87 countries, more than any month this year.

May was the year’s low point so far. June bounced back, but the real story wasn’t the total number of victims. It was which group claimed the most of them.

We compiled this data from ransomware groups’ own leak sites where they publicly list victims. The numbers reflect claimed victims, not confirmed breaches. Some claims are exaggerated or misattributed.

63 distinct ransomware groups were active in June, up from 61 in May. This is the first month of 2026 that Qilin didn’t claim the most victims.

Here’s what the June 2026 numbers tell us.

June 2026 ransomware numbers at a glance

June’s numbers bounced back. More victims, more groups, more countries. But the real shift was in the rankings.

Ransomware leak sites are dark web pages where ransomware operators publish stolen data from victims who refuse to pay. Many groups steal data and threaten to leak it. Some also encrypt files. A growing share, like ShinyHunters and WorldLeaks, skip encryption entirely and run pure data-extortion operations.

  • 707 victim companies claimed across ransomware leak sites
  • 63 active ransomware groups (up from 61 in May)
  • 87 countries affected (up from 73, the most so far this year)
  • 62 industries represented (up from 59)
  • 9% increase from May’s 646 victims
  • 16% above the 2025 monthly average of 609

Six months in, the 2026 total is 4,290 victims. That annualizes to roughly 8,600, about 17% ahead of 2025’s total of 7,307. May dipped below the trend. June put the year back on its upward path.

Most active ransomware groups: June 2026

For five straight months, Qilin sat at number one. In June, two other groups pushed past it.

RankGroupVictimsChange from May
1TheGentlemen94+24
2DeadLock81new
3Qilin71-30
4LockBit43+25
5Akira30-22
6INC_RANSOM29-1
7DragonForce29-12
8Nova28+5
9KRYBIT21+9
10SafePay20-5

The top 10 groups accounted for 446 victims (63.1%). The remaining 53 groups split the other 261. That’s almost exactly May’s 61.8% concentration, so the long tail held even as the names at the top changed.

TheGentlemen posted the most victims with 94, up from 70 in May. That’s their highest monthly total yet, and the first time they’ve been the most active group. They listed 41 victims in January and their count has risen almost every month since.

DeadLock is the month’s surprise. They jumped straight to number two with 81 victims, and no prior 2026 report tracked them at all. A group going from nothing to second place in a single month is rare. Next month tells us whether they’re a real operation or a one-hit wonder.

Qilin fell to third with 71 victims, down from 101. That ends a five-month streak at number one and is their weakest month of 2026. Qilin had been the one constant this year, posting right around 100 every month. June broke that pattern.

LockBit rebounded to 43 victims, up from 18. That’s their strongest month of 2026 and a sharp reversal of May’s collapse. LockBit was the biggest name in ransomware in 2024. Law enforcement disrupted them, and they fell to 113 victims across all of 2025. A 43-victim month says they aren’t done.

Akira dropped to 30 victims, down from 52. Akira’s monthly count keeps swinging with no clear direction: 71, 39, 84, 48, 52, 30.

DragonForce slipped again to 29 victims, down from 41. That’s two straight down months after growing all year. The clean climb is over.

Just outside the top 10: ShinyHunters (17), Payload (16), CMD (15), Play (15) and NightSpire (15) all posted double digits.

Countries most targeted by ransomware

The US was still the most-targeted country, but its share fell to a third of all victims. The attacks spread wider than at any point this year.

RankCountryVictims% of Total
1United States23433.1%
2Germany385.4%
3Italy304.2%
4Canada294.1%
5India284.0%
6France192.7%
7Spain192.7%
8Brazil182.5%
9United Kingdom162.3%
10Thailand152.1%

The US held first at 33% of all victims, down from 39% in May. The raw count fell from 254 to 234, but the bigger change is the share. It’s the lowest the US share has been all year, down from a 50% high in March.

Germany climbed to number two with 38 victims, up from 29. That bounces it back from its first monthly drop of the year in May.

Italy climbed to third with 30 victims, up from 19. It’s one of the sharpest month-over-month jumps in the top 10.

India broke into the top five with 28 victims, up from 11. That’s more than double May’s count.

The UK collapsed to ninth with 16 victims, down from 36. After ranging between 24 and 44 all year, that’s a sharp drop below its normal range.

Brazil (18) and Thailand (15) both cracked the top 10 this month. Latin America and Southeast Asia keep showing up more often as the map widens.

87 countries were hit in total, up from 73 in May, and more than any earlier month this year. More groups spreading across more countries is the clearest trend in the June data.

Industries hit hardest

Healthcare had the most victims again. Manufacturing dropped to second. Several mid-tier sectors moved up.

Double extortion ransomware is an attack where criminals steal your data before encrypting it. If you restore from backups and refuse to pay, they threaten to publish the stolen data on leak sites. This makes backups alone an incomplete defense.

RankIndustryVictimsChange from May
1Healthcare540
2Manufacturing49-9
3Construction44+2
4Consumer Goods35-3
5Legal34+7
6Engineering33+10
7Government30+8
8Technology28-3
9Education28new to top 10
10Real Estate25new to top 10

Healthcare reclaimed #1 with 54 victims, flat from May but enough to move back ahead once manufacturing fell. Healthcare has been at or near the top all year. Its 2026 run: 40, 93, 47, 64, 54, 54.

Manufacturing dropped to number two with 49 victims, down from 58. Manufacturing’s run since February goes 94, 76, 50, 58, 49. It’s been sliding since the February peak but is still one of the two sectors attackers hit most.

Construction held third with 44 victims, up from 42. It’s quietly been a top-three sector two months running.

Legal jumped to 34 victims, up from 27, and engineering climbed to 33, up from 23. Both moved up as the mix shifted toward professional services.

Government rose to 30 victims, up from 22. Technology fell to 28 victims, down from 31, continuing its slide from April’s spike.

Education (28 victims) and real estate (25) both broke into the top 10. Finance slipped to 25 victims, down from 31, just missing the cut.

New and rising groups

DeadLock (81 victims): The story of the month. A group with no prior 2026 footprint jumped straight to second place. Debuts this big usually don’t hold, so next month tells us whether DeadLock is a real operation or a one-off spike.

Nova (28 victims): Up from 23 in May and climbing for a second month. Nova broke into the top 10 in May and has held its place.

KRYBIT (21 victims): Back up from 12 in May, returning to the double digits it posted in April.

SETTRA (10 victims): A newer name posting its first double-digit month.

The number of active groups ticked up from 61 to 63. That’s not the whole story. DeadLock’s sudden arrival and Qilin’s drop show how fast the rankings can turn over, even when the total barely moves.

Month over month and YTD summary

MetricJanuaryFebruaryMarchAprilMayJuneYTD Total
Total victims6776808087726467074,290
Active groups585465706163n/a
Countries hit607275797387n/a
Industries hit616372725962n/a
Top groupQilin (107)Qilin (104)Qilin (131)Qilin (103)Qilin (101)TheGentlemen (94)Qilin (617)

June’s 707 sits mid-pack for the year, above the 2025 monthly average of 609. Every 2026 month has cleared that bar.

Qilin still has the most victims for the year, 617 across six months, even after June’s drop. TheGentlemen is second with 429, and DragonForce third with 277.

What security teams should do

The rankings changed, but the playbook didn’t.

Don’t fixate on the top group. For five straight months, Qilin was the most active by a wide margin. In June it fell to third. The lineup at the top changes month to month, so you can’t predict which crew will hit you. Your defense can’t depend on who’s ranked highest. It has to target how they all get in.

A brand-new group can hit hard. DeadLock didn’t appear in a single report before June, then ended the month with 81 victims, second only to TheGentlemen. An unfamiliar name isn’t a small threat. New crews can do as much damage as the established ones.

Healthcare and manufacturing are still the top targets. Together they accounted for 103 victims in June, about 15% of all attacks. If you’re in either sector, or you supply companies that are, the pressure hasn’t eased.

Check your credential exposure. Most ransomware attacks start with stolen credentials bought from infostealer logs. There’s a gap of days to weeks between when credentials are stolen and when they’re exploited to deploy ransomware. Dark web monitoring catches those credentials in that window. With a brand-new group cracking the top two this month, waiting until something hits your network is too late. You need to find your leaked credentials before attackers use them.

Methodology

This data reflects publicly claimed victims only. The actual number of attacks is higher because:

  • Many victims pay before being listed publicly
  • Some groups operate private negotiation channels without public leak sites
  • Not all ransomware attacks involve data theft or public claims

When multiple groups claim the same victim, we count it once for the total but list it under each claiming group in the per-group breakdown. Industry and country are based on the company’s primary business and headquarters.

June 2026 Ransomware FAQ

Breachsense tracked 707 companies listed on ransomware leak sites in June 2026, from 63 distinct groups across 87 countries. The actual number of attacks is higher since many victims pay before being publicly listed.
TheGentlemen claimed 94 victims in June 2026, overtaking Qilin after its five-month run at number one. A new group, DeadLock, placed second with 81 victims, and Qilin fell to third with 71.
The US accounted for 33% of all ransomware victims in June 2026 with 234 claims. Germany followed with 38 victims, Italy with 30, Canada with 29, and India with 28.
Healthcare was the most targeted sector in June 2026 with 54 victims. Manufacturing followed with 49 victims and construction with 44. Legal and engineering both climbed, with 34 and 33 victims.
Year to date, the six-month total of 4,290 victims puts 2026 on pace for roughly 8,600 by year-end, up about 17% from 2025’s total of 7,307. June ran ahead of the 2025 monthly average of 609, as every 2026 month has.
Most ransomware groups buy stolen credentials from infostealer malware logs rather than breaking in themselves. There’s often a gap of days to weeks between when credentials are stolen and when ransomware gets deployed. Monitoring for leaked credentials can help you catch and reset them before attackers use them.