Ransomware Attacks in June 2026: Monthly Report
Which ransomware groups claimed the most victims in June 2026, why Qilin finally dropped from number one, and which countries and industries got hit hardest.
• There were 707 victims in June, up 9% from May’s 646 and back above the 2025 monthly average of 609. Still below March’s 808 peak. The six-month total is 4,290, on pace for roughly 8,600 by year-end.
• Qilin lost the #1 spot for the first time in 2026, falling to third with 71 victims. TheGentlemen had the most with 94 victims, and a new group, DeadLock, was second with 81. LockBit rebounded from 18 victims to 43.
• Healthcare reclaimed the #1 industry spot with 54 victims. Manufacturing slipped to 49 victims. Legal and engineering both climbed into the top six.
• The share of US-based victims fell to 33% (234 of 707), the lowest this year. The UK dropped from 36 victims to 16, while India jumped from 11 to 28. Attacks reached 87 countries, more than any month this year.
May was the year’s low point so far. June bounced back, but the real story wasn’t the total number of victims. It was which group claimed the most of them.
We compiled this data from ransomware groups’ own leak sites where they publicly list victims. The numbers reflect claimed victims, not confirmed breaches. Some claims are exaggerated or misattributed.
63 distinct ransomware groups were active in June, up from 61 in May. This is the first month of 2026 that Qilin didn’t claim the most victims.
Here’s what the June 2026 numbers tell us.
June 2026 ransomware numbers at a glance
June’s numbers bounced back. More victims, more groups, more countries. But the real shift was in the rankings.
Ransomware leak sites are dark web pages where ransomware operators publish stolen data from victims who refuse to pay. Many groups steal data and threaten to leak it. Some also encrypt files. A growing share, like ShinyHunters and WorldLeaks, skip encryption entirely and run pure data-extortion operations.
- 707 victim companies claimed across ransomware leak sites
- 63 active ransomware groups (up from 61 in May)
- 87 countries affected (up from 73, the most so far this year)
- 62 industries represented (up from 59)
- 9% increase from May’s 646 victims
- 16% above the 2025 monthly average of 609
Six months in, the 2026 total is 4,290 victims. That annualizes to roughly 8,600, about 17% ahead of 2025’s total of 7,307. May dipped below the trend. June put the year back on its upward path.
Most active ransomware groups: June 2026
For five straight months, Qilin sat at number one. In June, two other groups pushed past it.
| Rank | Group | Victims | Change from May |
|---|---|---|---|
| 1 | TheGentlemen | 94 | +24 |
| 2 | DeadLock | 81 | new |
| 3 | Qilin | 71 | -30 |
| 4 | LockBit | 43 | +25 |
| 5 | Akira | 30 | -22 |
| 6 | INC_RANSOM | 29 | -1 |
| 7 | DragonForce | 29 | -12 |
| 8 | Nova | 28 | +5 |
| 9 | KRYBIT | 21 | +9 |
| 10 | SafePay | 20 | -5 |
The top 10 groups accounted for 446 victims (63.1%). The remaining 53 groups split the other 261. That’s almost exactly May’s 61.8% concentration, so the long tail held even as the names at the top changed.
TheGentlemen posted the most victims with 94, up from 70 in May. That’s their highest monthly total yet, and the first time they’ve been the most active group. They listed 41 victims in January and their count has risen almost every month since.
DeadLock is the month’s surprise. They jumped straight to number two with 81 victims, and no prior 2026 report tracked them at all. A group going from nothing to second place in a single month is rare. Next month tells us whether they’re a real operation or a one-hit wonder.
Qilin fell to third with 71 victims, down from 101. That ends a five-month streak at number one and is their weakest month of 2026. Qilin had been the one constant this year, posting right around 100 every month. June broke that pattern.
LockBit rebounded to 43 victims, up from 18. That’s their strongest month of 2026 and a sharp reversal of May’s collapse. LockBit was the biggest name in ransomware in 2024. Law enforcement disrupted them, and they fell to 113 victims across all of 2025. A 43-victim month says they aren’t done.
Akira dropped to 30 victims, down from 52. Akira’s monthly count keeps swinging with no clear direction: 71, 39, 84, 48, 52, 30.
DragonForce slipped again to 29 victims, down from 41. That’s two straight down months after growing all year. The clean climb is over.
Just outside the top 10: ShinyHunters (17), Payload (16), CMD (15), Play (15) and NightSpire (15) all posted double digits.
Countries most targeted by ransomware
The US was still the most-targeted country, but its share fell to a third of all victims. The attacks spread wider than at any point this year.
| Rank | Country | Victims | % of Total |
|---|---|---|---|
| 1 | United States | 234 | 33.1% |
| 2 | Germany | 38 | 5.4% |
| 3 | Italy | 30 | 4.2% |
| 4 | Canada | 29 | 4.1% |
| 5 | India | 28 | 4.0% |
| 6 | France | 19 | 2.7% |
| 7 | Spain | 19 | 2.7% |
| 8 | Brazil | 18 | 2.5% |
| 9 | United Kingdom | 16 | 2.3% |
| 10 | Thailand | 15 | 2.1% |
The US held first at 33% of all victims, down from 39% in May. The raw count fell from 254 to 234, but the bigger change is the share. It’s the lowest the US share has been all year, down from a 50% high in March.
Germany climbed to number two with 38 victims, up from 29. That bounces it back from its first monthly drop of the year in May.
Italy climbed to third with 30 victims, up from 19. It’s one of the sharpest month-over-month jumps in the top 10.
India broke into the top five with 28 victims, up from 11. That’s more than double May’s count.
The UK collapsed to ninth with 16 victims, down from 36. After ranging between 24 and 44 all year, that’s a sharp drop below its normal range.
Brazil (18) and Thailand (15) both cracked the top 10 this month. Latin America and Southeast Asia keep showing up more often as the map widens.
87 countries were hit in total, up from 73 in May, and more than any earlier month this year. More groups spreading across more countries is the clearest trend in the June data.
Industries hit hardest
Healthcare had the most victims again. Manufacturing dropped to second. Several mid-tier sectors moved up.
Double extortion ransomware is an attack where criminals steal your data before encrypting it. If you restore from backups and refuse to pay, they threaten to publish the stolen data on leak sites. This makes backups alone an incomplete defense.
| Rank | Industry | Victims | Change from May |
|---|---|---|---|
| 1 | Healthcare | 54 | 0 |
| 2 | Manufacturing | 49 | -9 |
| 3 | Construction | 44 | +2 |
| 4 | Consumer Goods | 35 | -3 |
| 5 | Legal | 34 | +7 |
| 6 | Engineering | 33 | +10 |
| 7 | Government | 30 | +8 |
| 8 | Technology | 28 | -3 |
| 9 | Education | 28 | new to top 10 |
| 10 | Real Estate | 25 | new to top 10 |
Healthcare reclaimed #1 with 54 victims, flat from May but enough to move back ahead once manufacturing fell. Healthcare has been at or near the top all year. Its 2026 run: 40, 93, 47, 64, 54, 54.
Manufacturing dropped to number two with 49 victims, down from 58. Manufacturing’s run since February goes 94, 76, 50, 58, 49. It’s been sliding since the February peak but is still one of the two sectors attackers hit most.
Construction held third with 44 victims, up from 42. It’s quietly been a top-three sector two months running.
Legal jumped to 34 victims, up from 27, and engineering climbed to 33, up from 23. Both moved up as the mix shifted toward professional services.
Government rose to 30 victims, up from 22. Technology fell to 28 victims, down from 31, continuing its slide from April’s spike.
Education (28 victims) and real estate (25) both broke into the top 10. Finance slipped to 25 victims, down from 31, just missing the cut.
New and rising groups
DeadLock (81 victims): The story of the month. A group with no prior 2026 footprint jumped straight to second place. Debuts this big usually don’t hold, so next month tells us whether DeadLock is a real operation or a one-off spike.
Nova (28 victims): Up from 23 in May and climbing for a second month. Nova broke into the top 10 in May and has held its place.
KRYBIT (21 victims): Back up from 12 in May, returning to the double digits it posted in April.
SETTRA (10 victims): A newer name posting its first double-digit month.
The number of active groups ticked up from 61 to 63. That’s not the whole story. DeadLock’s sudden arrival and Qilin’s drop show how fast the rankings can turn over, even when the total barely moves.
Month over month and YTD summary
| Metric | January | February | March | April | May | June | YTD Total |
|---|---|---|---|---|---|---|---|
| Total victims | 677 | 680 | 808 | 772 | 646 | 707 | 4,290 |
| Active groups | 58 | 54 | 65 | 70 | 61 | 63 | n/a |
| Countries hit | 60 | 72 | 75 | 79 | 73 | 87 | n/a |
| Industries hit | 61 | 63 | 72 | 72 | 59 | 62 | n/a |
| Top group | Qilin (107) | Qilin (104) | Qilin (131) | Qilin (103) | Qilin (101) | TheGentlemen (94) | Qilin (617) |
June’s 707 sits mid-pack for the year, above the 2025 monthly average of 609. Every 2026 month has cleared that bar.
Qilin still has the most victims for the year, 617 across six months, even after June’s drop. TheGentlemen is second with 429, and DragonForce third with 277.
What security teams should do
The rankings changed, but the playbook didn’t.
Don’t fixate on the top group. For five straight months, Qilin was the most active by a wide margin. In June it fell to third. The lineup at the top changes month to month, so you can’t predict which crew will hit you. Your defense can’t depend on who’s ranked highest. It has to target how they all get in.
A brand-new group can hit hard. DeadLock didn’t appear in a single report before June, then ended the month with 81 victims, second only to TheGentlemen. An unfamiliar name isn’t a small threat. New crews can do as much damage as the established ones.
Healthcare and manufacturing are still the top targets. Together they accounted for 103 victims in June, about 15% of all attacks. If you’re in either sector, or you supply companies that are, the pressure hasn’t eased.
Check your credential exposure. Most ransomware attacks start with stolen credentials bought from infostealer logs. There’s a gap of days to weeks between when credentials are stolen and when they’re exploited to deploy ransomware. Dark web monitoring catches those credentials in that window. With a brand-new group cracking the top two this month, waiting until something hits your network is too late. You need to find your leaked credentials before attackers use them.
Methodology
This data reflects publicly claimed victims only. The actual number of attacks is higher because:
- Many victims pay before being listed publicly
- Some groups operate private negotiation channels without public leak sites
- Not all ransomware attacks involve data theft or public claims
When multiple groups claim the same victim, we count it once for the total but list it under each claiming group in the per-group breakdown. Industry and country are based on the company’s primary business and headquarters.
