
Major Ransomware Attacks in 2026: What We Learned (Quarterly Report)

Quarterly ransomware report covering Q4 2025 and Q1 2026: notable attacks by sector — healthcare, manufacturing, government, finance, education — with CISA-aligned context, attack families, and the lessons that map to consumer defense.

Last updated · April 25, 2026 · By Maria Volkov (Privacy Analyst)
12 min read · 3,142 words

This quarterly report covers ransomware activity from October 2025 through the end of Q1 2026, drawn from public disclosures, CISA advisories, the HHS Office for Civil Rights healthcare breach portal, and reporting in established trade and general press. The IC3 2024 annual report from the FBI counted thousands of formal ransomware complaints in the United States alone, and CISA's joint advisories through 2025 documented sustained activity from LockBit affiliates (post-takedown), Cl0p, Akira, BlackCat/ALPHV remnants, Play, and Rhysida among the most frequently identified families. The numbers below are conservative because most incidents are never publicly disclosed; the lessons, however, are stable across quarters and translate directly to consumer defense.

Last updated: April 25, 2026 — Reviewed by Maria Volkov (OSCP, CIPP/E)

Quick Answer / TL;DR

  • The single biggest shift in 2025-2026 is fragmentation: takedowns of major brands (LockBit February 2024, BlackCat self-exit 2024) have produced more groups, not fewer attacks.
  • Healthcare, manufacturing, education, and state and local government dominate disclosed incidents; finance is heavily represented but underreported because disclosure rules vary.
  • Initial access still arrives through phishing, unpatched edge devices, and stolen credentials sold by access brokers — the same three vectors documented in CISA advisories for years.
  • Double extortion (encrypt + leak) is now the default; pure data-theft extortion (no encryption) is the fastest-growing variant.
  • Top consumer antivirus suites blocked ransomware samples at near-perfect rates in 2025 lab tests (AV-TEST, AV-Comparatives, SE Labs); the laggards still missed real-world variants.

How We Compiled This Report

We track three public-data lanes: CISA Stop Ransomware advisories and joint cybersecurity advisories, the HHS Office for Civil Rights healthcare breach portal (incidents affecting 500+ individuals), and reporting in established outlets covering specific named victims. We do not source from leak-site screenshots without independent corroboration, we do not estimate losses where the victim has not disclosed them, and we do not name groups responsible unless attribution is supported by CISA or the victim itself. Where dollar losses appear, they come from victim 8-K filings or CISA-cited figures.

The 2025-2026 Threat Landscape: Five Trends

| Trend | What changed | Why it matters to consumers |
|---|---|---|
| 1. Affiliate fragmentation after takedowns | LockBit 4.0 emerged after Operation Cronos (Feb 2024); BlackCat affiliates dispersed to 5+ successor brands | More groups, less concentrated targeting — consumers and SMBs see more variety in tooling |
| 2. Pure-extortion model expansion | Cl0p ran multiple data-theft-only campaigns through 2024-2025 (e.g., MOVEit, Cleo) | Backups alone do not solve extortion when data is leaked, not encrypted |
| 3. Edge-device exploitation | VPN appliances, file-transfer products, and firewalls remain heavily targeted | Patch hygiene is the single highest-leverage SMB defense |
| 4. AI-assisted phishing as initial access | Higher-quality lures reduce the "bad grammar" giveaway | Domain and URL verification matters more than ever |
| 5. Healthcare overrepresentation in disclosures | US HIPAA breach rules force healthcare visibility | Other sectors are equally hit but disclose less |

Notable Disclosed Incidents by Sector (Q4 2025 – Q1 2026)

Each entry below is sourced from public disclosure, CISA advisory, or the HHS breach portal. Names are used only where the victim has publicly acknowledged the incident or where regulatory filings are public record. Specific dollar losses are included only when reported by the victim itself.

Healthcare and Public Health Sector

Healthcare continues to lead disclosed incidents because of mandatory breach reporting under HIPAA in the US, and similar regimes in the EU and UK. CISA and HHS issued multiple joint advisories through 2025 covering ransomware against hospital systems, regional clinics, and clinical software vendors.

Pattern observed Q4 2025 – Q1 2026: regional hospital networks and clinical-software-as-a-service vendors were hit at rates consistent with 2024. Vendor incidents continue to ripple across hundreds of downstream provider organizations because of consolidation in the electronic health records and revenue-cycle software market.

Representative incident type: Multi-state regional health system disclosed a ransomware-related disruption affecting electronic health records access for a period of days to weeks; outpatient appointments were diverted, emergency department triage continued on paper, and a portion of patient data was later confirmed exposed on a leak site. Attributed in press reporting to a known ransomware-as-a-service brand.

Attack family pattern: LockBit affiliate tooling, Rhysida, and BlackCat-successor brands recur across healthcare disclosures. CISA's 2024 Stop Ransomware Guide on Rhysida specifically called out the healthcare and education sectors.

Lesson: For healthcare, the binding lesson is that downtime, not data return, is the primary cost. For consumers, healthcare incidents matter because exposed records often enable downstream identity-theft and medical-fraud waves 6-18 months later.

Manufacturing Sector

Manufacturing remains the second most disclosed sector in CISA advisories through 2025. Operational technology environments (factory-floor systems) are increasingly bridged to corporate IT, which means encryption of the IT side often halts production.

Pattern observed: Discrete manufacturers — automotive parts, packaging machinery, specialty chemicals — disclosed multi-day production stoppages following ransomware events. Several Fortune 1000 manufacturers filed 8-K disclosures noting "material impact" without quantifying losses pending insurance recovery.

Representative incident type: Mid-sized industrial manufacturer disclosed a ransomware-related shutdown of order-management and shipping systems; production paused for several business days and customer deliveries were delayed. The company stated it did not pay a ransom and restored from backups.

Attack family pattern: Akira, Play, and LockBit affiliates dominate manufacturing disclosures.

Lesson: Backups that include operational data and tested recovery runbooks are the difference between a four-day and a four-week outage. The same principle scales down to a personal computer — an untested backup is half a backup.

State, Local, Tribal, and Territorial Government

US state and local governments continued to be a high-disclosure category through Q1 2026, often because of FOIA-driven transparency rather than mandatory reporting. CISA maintains specific resources for SLTT entities and runs joint advisories with the FBI and MS-ISAC.

Pattern observed: County and municipal governments — especially in jurisdictions with constrained IT budgets — disclosed disruptions to court systems, payment portals, and benefits processing. Library systems and public-school districts adjacent to municipal networks were frequent secondary victims.

Representative incident type: County government in the United States disclosed a ransomware incident affecting court filings, vehicle registration, and tax-payment portals; recovery extended over several weeks with manual workarounds. No ransom was paid per the county's published statement.

Attack family pattern: Akira, Rhysida, and Play recur in SLTT disclosures.

Lesson: Public-sector incidents underscore that consumer-facing services (paying property tax, renewing licenses) can be unavailable for weeks. Personal disaster-recovery planning — printed copies of essential documents, alternative payment paths — has become more relevant than it sounds.

Financial Services Sector

Finance is heavily targeted but lightly disclosed because most incidents reach the threshold for SEC 8-K filing only when material. Smaller broker-dealers, regional banks, and credit unions often resolve incidents quietly with regulators. CISA and the Treasury's OFAC have repeatedly warned about sanctions exposure when paying ransoms to designated wallets.

Pattern observed Q4 2025 – Q1 2026: Mid-tier financial institutions and fintech vendors disclosed incidents at a steady rate. Credit unions and registered investment advisors appeared more frequently in state breach-notification filings than in headline-grabbing 8-Ks.

Representative incident type: Regional financial services firm disclosed a ransomware-related incident with limited member-data exposure; full operational recovery was reported within a defined window, and the firm declined to specify whether a ransom was paid.

Attack family pattern: Cl0p (data theft), Akira, and BlackCat-successor brands appear most frequently.

Lesson: Consumers whose financial institutions have disclosed incidents should review accounts, place fraud alerts, and consider freezing credit through the major bureaus. The data-theft model means information may be released months after the initial event.

Education Sector

Higher education and K-12 districts continued a multi-year run as ransomware targets through 2025-2026. CISA's K-12 Cybersecurity guidance has been updated repeatedly. Universities are frequent targets because of valuable research data alongside student PII.

Pattern observed: Public universities disclosed multi-system disruptions affecting student information systems, library catalogs, and research-computing environments. Several K-12 districts disclosed ransomware affecting payroll, transportation routing, and grade-management systems near the start of academic terms — a known seasonal pattern.

Representative incident type: Public university disclosed a ransomware incident affecting student information systems and library services; recovery extended several weeks with portions of student data later confirmed leaked. The institution did not pay a ransom.

Attack family pattern: Vice Society successor brands, Rhysida, and LockBit affiliates recur.

Lesson: Education incidents matter to consumers because student records — full names, dates of birth, Social Security numbers in some US contexts — are gold for identity thieves working from first-exposure ("patient-zero") data that has not surfaced in earlier breaches.

Technology and Vendor Sector

Software vendors and managed service providers remain high-leverage targets because a single compromise cascades to downstream customers. CISA has issued specific advisories on managed-service-provider compromise repeatedly through 2024-2025.

Pattern observed Q4 2025 – Q1 2026: Several MSPs and SaaS vendors disclosed incidents with downstream customer impact. File-transfer products and identity providers were especially targeted in the data-theft model.

Representative incident type: SaaS vendor serving multiple industries disclosed a security incident with customer data exposure; downstream customers issued their own breach notifications based on the vendor's disclosure.

Attack family pattern: Cl0p (data-theft model), various access-broker handoffs feeding multiple ransomware brands.

Lesson: Even disciplined organizations are exposed through their vendors. For consumers, the takeaway is that breach notifications increasingly arrive from companies you have never heard of — they were the back-end vendor for a service you used.

How These Attacks Started: Initial Access Vectors

CISA, Verizon's DBIR, and Mandiant's annual M-Trends report agree on the dominant entry points. The 2025 data is consistent with prior years.

| Initial-access vector | Approximate share of incidents | Consumer parallel |
|---|---|---|
| Phishing (credentials, loaders) | ~30-35% | The same vector targets your personal email |
| Exploitation of unpatched internet-facing software | ~25-30% | Update your router, browser, and OS automatically |
| Stolen valid credentials (access brokers) | ~20-25% | Reused passwords from old breaches are the gateway |
| Remote services brute force / weak MFA | ~10-15% | Strong unique passwords plus 2FA closes this lane |
| Other (insider, supply chain, drive-by) | the balance | Lower-volume but higher-impact |

The single highest-confidence pattern across years is that two cheap controls — patching and MFA — would have stopped a majority of disclosed incidents. The same controls work on a personal laptop.

Active Ransomware Families to Know in 2026

| Family | Primary model | Notable sectors targeted | Active status (Q1 2026) |
|---|---|---|---|
| LockBit (4.0 / affiliates) | Encrypt + leak | Wide cross-sector | Active despite Op Cronos 2024 |
| Cl0p | Data theft (vulnerability-driven) | Cross-sector via vendor compromises | Active in periodic waves |
| Akira | Encrypt + leak | Manufacturing, SLTT, healthcare | Active throughout 2025 |
| Rhysida | Encrypt + leak | Healthcare, education | Active per CISA advisories |
| Play | Encrypt + leak | SLTT, manufacturing | Active per CISA advisories |
| Black Basta / Cactus | Encrypt + leak | Wide cross-sector | Active periodically |
| BlackCat/ALPHV successors | Various | Wide | Fragmented across rebrands |
| Vice Society successors | Encrypt + leak | Education | Active under successor brands |

CISA's stopransomware.gov maintains current Stop Ransomware Guides for many of these families, with technical indicators of compromise and mitigation guidance.

Lessons That Translate to Consumer Defense

Most ransomware writing focuses on enterprise mitigations. The consumer-applicable lessons are direct:

1. Phishing is the universal entry point. The same lures that compromise hospital networks also compromise home users. Our phishing email examples guide shows the 15 patterns that survive AI polish.

2. Patch automatically. Browsers, operating systems, and routers should auto-update. The CISA Known Exploited Vulnerabilities catalog routinely shows actively-exploited flaws being patched within days of disclosure — manual update cycles cannot keep pace.

3. Backups are the only universal cure for encryption. The 3-2-1 rule (three copies, two media types, one off-site or offline) works for personal data too. An external drive that is never disconnected is not a backup.

4. Top antivirus suites add a meaningful behavioral layer. Lab tests (AV-TEST December 2025, AV-Comparatives 2025, SE Labs Q4 2025) showed leading consumer products blocking ransomware samples at near-perfect rates. The laggards missed real-world variants.

5. Credentials are currency. Reused passwords from old breaches feed access-broker markets that supply ransomware operators. A password manager and 2FA on critical accounts close this lane.

6. Treat data-theft extortion separately. A clean backup does not undo a leak. Limit what is on each system to what that system genuinely needs.
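Added example, not code from the report or the site: a small Python checker for the 3-2-1 rule in lesson 3 that also applies the caveat that a permanently connected external drive is not an offline copy. The BackupCopy fields and the two inventories are constructed for the illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    """One copy of the data, the live primary included. The fields are a
    simplification chosen for this example, not a real inventory format."""
    label: str
    medium: str               # e.g. "internal_ssd", "external_hdd", "cloud"
    offsite: bool             # kept at a different physical location
    always_connected: bool    # mounted or reachable whenever the primary is on
    immutable: bool = False   # versioned / object-locked storage that cannot be overwritten
    primary: bool = False     # the working copy; it is expected to be online


def counts_as_offline(copy: BackupCopy) -> bool:
    # The page's caveat: a drive that is never disconnected is reachable by the
    # same ransomware that encrypts the primary, so it is not an offline copy.
    # Immutable storage is treated as equivalent protection here.
    return copy.immutable or not copy.always_connected


def check_321(copies: list) -> dict:
    """Evaluate an inventory against the 3-2-1 rule: three copies, two media
    types, one off-site or offline. Returns ok plus the failed clauses and
    per-copy warnings so the reader can see which copy does not count."""
    failures, warnings = [], []
    if len(copies) < 3:
        failures.append(f"only {len(copies)} copies; need 3")
    media = {c.medium for c in copies}
    if len(media) < 2:
        failures.append("only one media type; need 2")
    if not any(c.offsite or counts_as_offline(c) for c in copies):
        failures.append("no copy is off-site, offline or immutable")
    for c in copies:
        if not c.primary and not c.offsite and not counts_as_offline(c):
            warnings.append(f"{c.label}: always connected, encrypts with the primary")
    return {"ok": not failures, "failures": failures, "warnings": warnings}


# Constructed inventories. WEAK is the common home setup: one external drive
# that stays plugged in. GOOD adds a disconnected drive and an off-site copy.
WEAK = [
    BackupCopy("laptop", "internal_ssd", offsite=False, always_connected=True, primary=True),
    BackupCopy("usb_drive", "external_hdd", offsite=False, always_connected=True),
]
GOOD = [
    BackupCopy("laptop", "internal_ssd", offsite=False, always_connected=True, primary=True),
    BackupCopy("usb_drive", "external_hdd", offsite=False, always_connected=False),
    BackupCopy("cloud_versioned", "cloud", offsite=True, always_connected=True, immutable=True),
]

if __name__ == "__main__":
    for name, inventory in (("WEAK", WEAK), ("GOOD", GOOD)):
        print(name, check_321(inventory))
```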

Antivirus and Ransomware Protection: 2025 Lab Results

| Test (Lab) | Date | What was measured | Top performers | Bottom performers |
|---|---|---|---|---|
| AV-TEST Home Windows | Dec 2025 | Real-world malware including ransomware samples | 6/6 protection score (top tier) | 4/6 or lower |
| AV-Comparatives Real-World Protection | 2025 series | Including in-the-wild ransomware variants | 99.5%+ block | <95% |
| SE Labs Home Anti-Malware | Q4 2025 | End-to-end attack chains | AAA rating | A or below |
| MRG Effitas | Q3 2025 | Online banking and ransomware certification | Certified | Failed |

Consumer takeaway: paid does not automatically equal effective. Independent test data — never vendor marketing — is the only honest evaluation. Our methodology page details how we weight lab results in our rankings.

FAQs

What are the most active ransomware groups in 2026?

Through Q1 2026, public reporting and CISA advisories continued to track LockBit affiliates (despite the February 2024 international takedown), BlackCat/ALPHV remnants and successors, Cl0p, Akira, Rhysida, and Play among the most frequently named groups in disclosed incidents. The landscape has fragmented: when one brand is disrupted, affiliates rebrand or migrate, so counts by group should be read as snapshots.

Which industries are hit hardest by ransomware in 2026?

Healthcare, manufacturing, education, state and local government, and small-to-mid finance dominate disclosed incidents through Q1 2026. CISA's Stop Ransomware advisories and the HHS Office for Civil Rights breach portal show healthcare disproportionately represented because US disclosure laws make those incidents more visible — actual targeting cuts across all sectors.

How do ransomware attacks usually start?

Verizon's 2025 DBIR and CISA joint advisories repeatedly cite three initial-access vectors: phishing emails delivering credentials or loaders, exploitation of unpatched internet-facing software (often within days of disclosure), and abuse of valid stolen credentials sold on access-broker markets. Phishing remains the single most common entry point against consumers and small businesses.

Should I pay a ransomware demand?

Law enforcement guidance — including from the FBI and CISA — is to avoid paying. Payment funds further attacks, does not guarantee data return (decryptors fail or attackers leak data anyway), and may carry sanctions risk if the receiving wallet is OFAC-listed. Report to CISA at stopransomware.gov and to the FBI at ic3.gov before considering any payment.

How can I protect a personal computer from ransomware?

The defensive playbook for consumers has not changed much: keep the operating system and browsers patched, use a top-tier antivirus suite with behavior-based ransomware protection, maintain offline or immutable backups (the 3-2-1 rule), enable two-factor authentication on accounts that hold cloud backups, and treat unsolicited attachments and links as hostile. Lab tests from AV-TEST and SE Labs in 2025 showed top consumer suites blocking ransomware samples at near-perfect rates.

Where can I track ransomware incidents officially?

CISA publishes joint advisories at stopransomware.gov and adds variant-specific Stop Ransomware Guides as families evolve. The HHS Office for Civil Rights breach portal lists healthcare incidents above 500 records (US). FBI IC3 publishes annual reports with ransomware-specific sections. For variants and decryptor availability, the No More Ransom project at nomoreransom.org is the cross-government resource.

The Bottom Line

Ransomware in early 2026 is more fragmented, not less common. Brand takedowns produce affiliate dispersal, not deterrence. The dominant entry points have not changed in a decade: phishing, unpatched edge software, stolen credentials. For consumers, the implications are direct — patch automatically, run a top-tier antivirus suite (we test against AV-TEST, AV-Comparatives, and SE Labs data), keep offline backups, and treat unsolicited links and attachments as hostile by default. We update this report quarterly. The next refresh will cover Q2 2026 and add any cross-cutting trends from the spring CISA advisory cycle.

External authoritative references used in this report:

  • CISA Stop Ransomware portal — stopransomware.gov
  • FBI Internet Crime Complaint Center 2024 Annual Report — ic3.gov
  • HHS Office for Civil Rights Breach Portal — ocrportal.hhs.gov
  • Verizon Data Breach Investigations Report 2025 — verizon.com/business/resources/reports/dbir/
  • AV-TEST December 2025 Home Windows Test — av-test.org
  • No More Ransom Project — nomoreransom.org
