Skip to main content
Darkfield
← All research

Trend · · 6 min read

The 2026 Half-Year Ransomware Index

A data-driven read on the first half of 2026 from the live Darkfield corpus — total leak-site disclosures, the busiest operators, and which sectors and countries absorbed the most claims. Figures update with the dataset.

This index is generated directly from the live Darkfield corpus, so the figures below move with the dataset rather than freezing at publication. It covers Jan 2026 – Jun 2026 of public ransomware leak-site activity. Every number traces back to a permanent dossier you can open and verify.

42,309

Victim disclosures tracked

225

Active operators

459

Operators catalogued

Who claimed the most

A small number of operators account for a disproportionate share of public disclosures. These are the busiest brands by claimed victims in the corpus right now — each links to its live operator dossier.

LockBit
3,536 victims
Cl0p
2,744 victims
lockbit3
2,016 victims
Qilin
1,935 victims
Incransom
1,682 victims
ALPHV/BlackCat
1,662 victims
Akira
1,648 victims
Black Basta
1,323 victims
Top operators by claimed victims · Darkfield corpus

Which sectors absorbed the claims

Ransomware targeting is not evenly distributed — operators specialise. The sector index tracks the full breakdown; the leaders are below.

Business Services
3,795 victims
Manufacturing
3,672 victims
Technology
3,544 victims
Healthcare
2,593 victims
Financial Services
1,181 victims
Education
1,082 victims
Transportation/Logistics
1,080 victims
Construction
988 victims
Top sectors by disclosures · Darkfield corpus

Where the victims are

Geographic concentration follows both where ransomware crews focus and where disclosure is most public. The full picture lives on the country index.

United States
14,134 victims
United Kingdom
1,611 victims
Canada
1,368 victims
Germany
1,304 victims
France
852 victims
Italy
837 victims
Australia
640 victims
India
622 victims
Top countries by disclosures · Darkfield corpus

The shape of the half-year

Monthly disclosure volume across all tracked operators. Recent months are frequently revised upward as operators back-date and re-post claims, so the final bar is a floor, not a ceiling.

Jan 2026
874 disclosures
Feb 2026
1,035 disclosures
Mar 2026
871 disclosures
Apr 2026
543 disclosures
May 2026
638 disclosures
Jun 2026
215 disclosures
Monthly leak-site disclosures · all operators

How to read these numbers

Every figure here is a count of public claims made by criminal operators on their own leak sites — not a census of all ransomware activity, and not a set of verified breaches. Attacks settled quietly never appear; re-listings can momentarily inflate a month. The full provenance, definitions and limits are documented in our methodology.

Cite or embed this report

Reusing these figures? A citation or a live embed keeps the data attributable and current.

Citation
Orizon. (2026). The 2026 Half-Year Ransomware Index. Darkfield. https://darkfield.orizon.one/research/2026-ransomware-half-year-index
Embed (live, auto-updating)
<iframe src="https://darkfield.orizon.one/embed/stats" width="100%" height="240" loading="lazy" title="Darkfield live ransomware statistics" style="border:1px solid #23262b;border-radius:12px;max-width:560px"></iframe>
<p style="font:12px sans-serif">Source: <a href="https://darkfield.orizon.one/research/2026-ransomware-half-year-index">The 2026 Half-Year Ransomware Index</a> by <a href="https://orizon.one">Orizon</a></p>

By Orizon Research. Compiled with AI assistance, reviewed before publication. Findings are evidence pointers, not legal verdicts. Corrections  .