Ransomware Attacks in March 2026: Monthly Report
Which ransomware groups claimed the most victims in March 2026, which industries got hit hardest, and what Q1 tells us about the rest of the year.
• 808 victims in March, up 19% from February’s 680. That’s the highest monthly count in 2026 so far and 33% above the 2025 monthly average. Q1 is pacing toward 8,660 victims for the year.
• Qilin hit 131 victims, their highest month ever. Three months running above 100 makes them the most consistent high-volume operation in the game right now.
• Healthcare dropped from 93 victims in February to 47 in March. That’s still above the 2025 average but the spike didn’t sustain. Manufacturing held the top spot again.
• The US accounted for 404 of 808 victims (50%). France jumped to second with 36. If half your vendors are US-based, half your third-party risk lives there too.
Breachsense tracked 808 companies claimed by ransomware groups in March 2026. That’s the highest monthly total this year, up 19% from February.
We compiled this data from ransomware groups’ own leak sites where they publicly list victims. The numbers reflect claimed victims, not confirmed breaches. Some claims are exaggerated or duplicated across groups.
65 distinct ransomware groups were active in March, up from 54 in February. The ecosystem is expanding.
Here’s what the March 2026 numbers tell us.
March 2026 ransomware numbers at a glance
March was the busiest month of 2026 so far. Here’s what it means for you.
Ransomware leak sites are dark web pages where ransomware operators publish stolen data from victims who refuse to pay. Most modern ransomware groups use double extortion. They steal your data before encrypting it, then threaten to leak it publicly.
- 808 victim companies claimed across ransomware leak sites
- 65 active ransomware groups (up from 54 in February)
- 75 countries affected (up from 72 in February)
- 72 industries represented
- 19% increase from February’s 680 victims
- 33% above the 2025 monthly average of 609
After three months, Q1 2026 totals 2,165 victims. That annualizes to roughly 8,660, an 18.5% increase over 2025’s total of 7,307.
Most active ransomware groups: March 2026
Qilin posted their highest month ever. Akira nearly doubled.
| Rank | Group | Victims | Change from Feb |
|---|---|---|---|
| 1 | Qilin | 131 | +27 |
| 2 | Akira | 84 | +45 |
| 3 | TheGentlemen | 64 | -14 |
| 4 | DragonForce | 54 | +24 |
| 5 | LockBit | 51 | +17 |
| 6 | INC_RANSOM | 46 | +7 |
| 7 | Play | 43 | -1 |
| 8 | NightSpire | 35 | +10 |
| 9 | CoinbaseCartel | 22 | new |
| 10 | Bashe | 17 | new |
The top 10 groups accounted for 547 victims (67.7%). The remaining 55 groups split the other 261.
Qilin hit 131 victims, up from 104 in February and 107 in January. Three consecutive months above 100 is unprecedented for any single group in our tracking history. This isn’t a spike. It’s a sustained operation with stable infrastructure and a deep affiliate network.
Akira jumped from 39 to 84 victims, more than doubling their February count. They were quiet in February after a strong January (71 victims). The rebound suggests they had a temporary disruption, not a decline.
DragonForce continued climbing with 54 victims, up from 30 in February. They’ve grown every month this year.
TheGentlemen dropped from 78 to 64. Still a top-three finish, but the explosive growth we saw from January (41) to February (78) has leveled off.
LockBit posted 51 victims, up from 34 in February. They’re still well below their pre-disruption peak, but 51 victims puts them back in the top five for the first time in months.
CoinbaseCartel and Bashe are new to the top ten. CoinbaseCartel posted 22 victims in their first tracked month. Bashe had 17.
Countries most targeted by ransomware
The US accounted for exactly half of all March victims.
| Rank | Country | Victims | % of Total |
|---|---|---|---|
| 1 | United States | 404 | 50.0% |
| 2 | France | 36 | 4.5% |
| 3 | Germany | 32 | 4.0% |
| 4 | Italy | 25 | 3.1% |
| 5 | United Kingdom | 24 | 3.0% |
| 6 | Spain | 20 | 2.5% |
| 7 | India | 17 | 2.1% |
| 8 | Canada | 17 | 2.1% |
| 9 | Brazil | 14 | 1.7% |
| 10 | Japan | 12 | 1.5% |
France jumped from fourth (27 victims in February) to second (36 in March). Germany also moved up with 32 victims, its highest monthly count this year.
The UK dropped from second (44 in February) to fifth (24 in March). That’s a significant shift. Whether it holds or bounces back will be clearer in April.
75 countries were hit in total, up slightly from February’s 72. The geographic spread continues to widen.
Industries hit hardest
Manufacturing led again. Healthcare cooled off after February’s spike.
Double extortion ransomware is an attack where criminals steal your data before encrypting it. If you restore from backups and refuse to pay, they threaten to publish the stolen data on leak sites. This makes backups alone an incomplete defense.
| Rank | Industry | Victims | Change from Feb |
|---|---|---|---|
| 1 | Manufacturing | 76 | -18 |
| 2 | Construction | 53 | +9 |
| 3 | Finance | 48 | +11 |
| 4 | Healthcare | 47 | -46 |
| 5 | Legal | 43 | -5 |
| 6 | Technology | 36 | -5 |
| 7 | IT | 35 | -11 |
| 8 | Government | 31 | +8 |
| 9 | Consumer Goods | 28 | -5 |
| 10 | Education | 26 | +9 |
Healthcare dropped from 93 victims in February to 47 in March. That’s a 49% decrease. February’s spike didn’t sustain, which suggests it was driven by a specific campaign or a few groups rather than a permanent shift in targeting. Healthcare is still above its 2025 monthly average of 45, but February’s numbers weren’t the start of a trend.
Construction climbed to second place with 53 victims, up from 44 in February. Construction companies often have thin IT security and manage access for many subcontractors. That makes them attractive targets.
Finance hit 48 victims, up from 37 in February. Financial services companies hold data that’s valuable for both extortion and fraud.
Government jumped from 23 to 31 victims. Government entities are notoriously slow to patch and often run legacy systems.
Education went from 17 to 26 victims. Schools and universities are hitting budget-constrained targets that often can’t afford extended downtime.
New and rising groups
CoinbaseCartel (22 victims): New to our tracking. 22 victims in their first month is a significant debut. We’ll be watching their techniques and targeting patterns.
Bashe (17 victims): Also new to the top ten. Appeared in late February and ramped up in March.
Payload (16 victims): A smaller group that’s been consistent. Not flashy, but persistent.
CipherForce (14 victims): Another new name posting double-digit victim counts.
The number of active groups grew from 54 to 65. The ransomware ecosystem is expanding, not consolidating. New groups keep appearing while established ones maintain volume.
Month over month and Q1 summary
| Metric | January | February | March | Q1 Total |
|---|---|---|---|---|
| Total victims | 677 | 680 | 808 | 2,165 |
| Active groups | 58 | 54 | 65 | – |
| Countries hit | 60 | 72 | 75 | – |
| Industries hit | 61 | 63 | 72 | – |
| Top group | Qilin (107) | Qilin (104) | Qilin (131) | Qilin (342) |
March broke the trend. January and February were flat at ~680 victims each. March jumped 19%. If this is the new baseline rather than a one-month spike, 2026 could end well above the annualized 8,660 pace.
Qilin dominated Q1 with 342 total victims across three months. No other group came close. Akira was second with 194 (71 + 39 + 84).
The number of active groups grew every month: 58 → 54 → 65. February’s dip was a blip. The ecosystem is growing.
What security teams should do
March’s jump from 680 to 808 victims isn’t something to ignore.
Check your credential exposure now. Most ransomware starts with stolen credentials purchased from infostealer logs. There’s a window between when credentials are stolen and when ransomware gets deployed. Dark web monitoring catches credentials in that window. If your employees’ or vendors’ logins are already circulating, you want to know before attackers use them.
If you’re in manufacturing or construction: Your industries led the victim count again. Manufacturing has been the top target for three straight months. Construction jumped to second. Both industries tend to have complex vendor networks and limited security staff relative to their exposure.
Watch the new groups. CoinbaseCartel, Bashe, CipherForce, and Payload all posted double-digit victim counts in March. New groups are unpredictable. Their operational security is often weaker (which means more data gets leaked), but their targeting can be aggressive as they try to build reputation.
Methodology
This data reflects publicly claimed victims only. The actual number of attacks is higher because:
- Many victims pay before being listed publicly
- Some groups operate private negotiation channels without public leak sites
- Not all ransomware attacks involve data theft or public claims
When multiple groups claim the same victim, we count it once. Industry and country are based on the company’s primary business and headquarters.