Ransomware Attacks in March 2026: Monthly Report

Ransomware Attacks in March 2026: Monthly Report

  • author image
    • Josh Amishav
    • ·
    • Last updated Apr 01, 2026
    • ·
    • 6 Minute Reading Time

Which ransomware groups claimed the most victims in March 2026, which industries got hit hardest, and what Q1 tells us about the rest of the year.

• 808 victims in March, up 19% from February’s 680. That’s the highest monthly count in 2026 so far and 33% above the 2025 monthly average. Q1 is pacing toward 8,660 victims for the year.
• Qilin hit 131 victims, their highest month ever. Three months running above 100 makes them the most consistent high-volume operation in the game right now.
• Healthcare dropped from 93 victims in February to 47 in March. That’s still above the 2025 average but the spike didn’t sustain. Manufacturing held the top spot again.
• The US accounted for 404 of 808 victims (50%). France jumped to second with 36. If half your vendors are US-based, half your third-party risk lives there too.

Breachsense tracked 808 companies claimed by ransomware groups in March 2026. That’s the highest monthly total this year, up 19% from February.

We compiled this data from ransomware groups’ own leak sites where they publicly list victims. The numbers reflect claimed victims, not confirmed breaches. Some claims are exaggerated or duplicated across groups.

65 distinct ransomware groups were active in March, up from 54 in February. The ecosystem is expanding.

Here’s what the March 2026 numbers tell us.

Contents

March 2026 ransomware numbers at a glance

March was the busiest month of 2026 so far. Here’s what it means for you.

Ransomware leak sites are dark web pages where ransomware operators publish stolen data from victims who refuse to pay. Most modern ransomware groups use double extortion. They steal your data before encrypting it, then threaten to leak it publicly.

  • 808 victim companies claimed across ransomware leak sites
  • 65 active ransomware groups (up from 54 in February)
  • 75 countries affected (up from 72 in February)
  • 72 industries represented
  • 19% increase from February’s 680 victims
  • 33% above the 2025 monthly average of 609

After three months, Q1 2026 totals 2,165 victims. That annualizes to roughly 8,660, an 18.5% increase over 2025’s total of 7,307.

Most active ransomware groups: March 2026

Qilin posted their highest month ever. Akira nearly doubled.

RankGroupVictimsChange from Feb
1Qilin131+27
2Akira84+45
3TheGentlemen64-14
4DragonForce54+24
5LockBit51+17
6INC_RANSOM46+7
7Play43-1
8NightSpire35+10
9CoinbaseCartel22new
10Bashe17new

The top 10 groups accounted for 547 victims (67.7%). The remaining 55 groups split the other 261.

Qilin hit 131 victims, up from 104 in February and 107 in January. Three consecutive months above 100 is unprecedented for any single group in our tracking history. This isn’t a spike. It’s a sustained operation with stable infrastructure and a deep affiliate network.

Akira jumped from 39 to 84 victims, more than doubling their February count. They were quiet in February after a strong January (71 victims). The rebound suggests they had a temporary disruption, not a decline.

DragonForce continued climbing with 54 victims, up from 30 in February. They’ve grown every month this year.

TheGentlemen dropped from 78 to 64. Still a top-three finish, but the explosive growth we saw from January (41) to February (78) has leveled off.

LockBit posted 51 victims, up from 34 in February. They’re still well below their pre-disruption peak, but 51 victims puts them back in the top five for the first time in months.

CoinbaseCartel and Bashe are new to the top ten. CoinbaseCartel posted 22 victims in their first tracked month. Bashe had 17.

Countries most targeted by ransomware

The US accounted for exactly half of all March victims.

RankCountryVictims% of Total
1United States40450.0%
2France364.5%
3Germany324.0%
4Italy253.1%
5United Kingdom243.0%
6Spain202.5%
7India172.1%
8Canada172.1%
9Brazil141.7%
10Japan121.5%

France jumped from fourth (27 victims in February) to second (36 in March). Germany also moved up with 32 victims, its highest monthly count this year.

The UK dropped from second (44 in February) to fifth (24 in March). That’s a significant shift. Whether it holds or bounces back will be clearer in April.

75 countries were hit in total, up slightly from February’s 72. The geographic spread continues to widen.

Industries hit hardest

Manufacturing led again. Healthcare cooled off after February’s spike.

Double extortion ransomware is an attack where criminals steal your data before encrypting it. If you restore from backups and refuse to pay, they threaten to publish the stolen data on leak sites. This makes backups alone an incomplete defense.

RankIndustryVictimsChange from Feb
1Manufacturing76-18
2Construction53+9
3Finance48+11
4Healthcare47-46
5Legal43-5
6Technology36-5
7IT35-11
8Government31+8
9Consumer Goods28-5
10Education26+9

Healthcare dropped from 93 victims in February to 47 in March. That’s a 49% decrease. February’s spike didn’t sustain, which suggests it was driven by a specific campaign or a few groups rather than a permanent shift in targeting. Healthcare is still above its 2025 monthly average of 45, but February’s numbers weren’t the start of a trend.

Construction climbed to second place with 53 victims, up from 44 in February. Construction companies often have thin IT security and manage access for many subcontractors. That makes them attractive targets.

Finance hit 48 victims, up from 37 in February. Financial services companies hold data that’s valuable for both extortion and fraud.

Government jumped from 23 to 31 victims. Government entities are notoriously slow to patch and often run legacy systems.

Education went from 17 to 26 victims. Schools and universities are hitting budget-constrained targets that often can’t afford extended downtime.

New and rising groups

CoinbaseCartel (22 victims): New to our tracking. 22 victims in their first month is a significant debut. We’ll be watching their techniques and targeting patterns.

Bashe (17 victims): Also new to the top ten. Appeared in late February and ramped up in March.

Payload (16 victims): A smaller group that’s been consistent. Not flashy, but persistent.

CipherForce (14 victims): Another new name posting double-digit victim counts.

The number of active groups grew from 54 to 65. The ransomware ecosystem is expanding, not consolidating. New groups keep appearing while established ones maintain volume.

Month over month and Q1 summary

MetricJanuaryFebruaryMarchQ1 Total
Total victims6776808082,165
Active groups585465
Countries hit607275
Industries hit616372
Top groupQilin (107)Qilin (104)Qilin (131)Qilin (342)

March broke the trend. January and February were flat at ~680 victims each. March jumped 19%. If this is the new baseline rather than a one-month spike, 2026 could end well above the annualized 8,660 pace.

Qilin dominated Q1 with 342 total victims across three months. No other group came close. Akira was second with 194 (71 + 39 + 84).

The number of active groups grew every month: 58 → 54 → 65. February’s dip was a blip. The ecosystem is growing.

What security teams should do

March’s jump from 680 to 808 victims isn’t something to ignore.

Check your credential exposure now. Most ransomware starts with stolen credentials purchased from infostealer logs. There’s a window between when credentials are stolen and when ransomware gets deployed. Dark web monitoring catches credentials in that window. If your employees’ or vendors’ logins are already circulating, you want to know before attackers use them.

If you’re in manufacturing or construction: Your industries led the victim count again. Manufacturing has been the top target for three straight months. Construction jumped to second. Both industries tend to have complex vendor networks and limited security staff relative to their exposure.

Watch the new groups. CoinbaseCartel, Bashe, CipherForce, and Payload all posted double-digit victim counts in March. New groups are unpredictable. Their operational security is often weaker (which means more data gets leaked), but their targeting can be aggressive as they try to build reputation.

Methodology

This data reflects publicly claimed victims only. The actual number of attacks is higher because:

  • Many victims pay before being listed publicly
  • Some groups operate private negotiation channels without public leak sites
  • Not all ransomware attacks involve data theft or public claims

When multiple groups claim the same victim, we count it once. Industry and country are based on the company’s primary business and headquarters.

March 2026 Ransomware FAQ

Breachsense tracked 808 companies listed on ransomware leak sites in March 2026, from 65 distinct groups across 75 countries. The actual number of attacks is higher since many victims pay before being publicly listed.

Qilin claimed 131 victims in March 2026, their highest single month ever. They’ve been above 100 victims for three consecutive months. Akira was second with 84, and TheGentlemen third with 64.

The US accounted for 50% of all ransomware victims in March 2026 with 404 claims. France was second with 36, Germany third with 32. Italy and the UK rounded out the top five.

Manufacturing was the most targeted sector in March 2026 with 76 victims. Construction was second with 53 and finance third with 48. Healthcare dropped from 93 in February to 47 in March.

Yes. Q1 2026 totaled 2,165 victims across three months. That annualizes to roughly 8,660, an 18.5% increase over 2025’s total of 7,307. March was the highest single month of the year so far.

Most ransomware groups buy stolen credentials from infostealer malware logs rather than breaking in themselves. There’s often a gap of days to weeks between when credentials are stolen and when ransomware gets deployed. Monitoring for leaked credentials can help you catch and reset them before attackers use them.

Related Articles

©2026 Breachsense - All Rights Reserved