
Ransomware Report - June 2026
Executive Summary
In June 2026, ransomware activity recorded a total of 707 victims globally, marking a 10.4% decline from the 789 victims reported in May 2026 — a second consecutive month-over-month decrease following April's peak of 867. While the overall trajectory continues to moderate, the decline was not evenly distributed: several previously dominant sectors and geographies pulled back sharply even as a handful of emerging actors and second-tier markets expanded.
The United States retained its position as the most impacted geography, accounting for 198 victims and representing approximately 28% of globally attributed incidents — its lowest monthly share in the current reporting cycle. Business Services remained the most heavily targeted confirmed sector for a third consecutive month, with 123 victims, though its volume fell substantially from May.
Qilin remained the most active threat group for a sixth consecutive month with 78 victims, though its output declined sharply. TheGentlemen (76 victims) held second place, while LockBit5 (59 victims) staged a notable return to the top three after a quiet May. Settra, a newly identified data-broker extortion group, emerged at scale for the first time with 22 victims, continuing the trend of encryption-free, credential-driven extortion actors established by FulcrumSec in May. Victim organizations were identified across at least 79 countries and territories.
Key Points
-
A total of 707 ransomware victims were recorded globally in June 2026.
-
Ransomware activity declined by approximately 10.4% from May to June 2026, the second consecutive monthly decrease, though volumes remain well within the elevated baseline established since late 2025.
-
The United States accounted for 198 victims, representing approximately 28% of globally attributed incidents — a marked decline in relative share compared to prior months, occurring alongside a sizable rise in unattributed geographic listings.
-
Among confirmed sectors, Business Services (123 victims), Manufacturing (83 victims), and Technology (56 victims) were the most targeted.
-
Healthcare recorded 51 victims and Consumer Services 53, with Consumer Services essentially flat month-over-month even meas most other major sectors declined.
-
Germany (49 victims) overtook the United Kingdom to become the second most targeted country outside the United States, while Brazil and India each roughly doubled their May victim counts.
-
Qilin led all threat groups with 78 victims, extending its run as the most active operator for a sixth consecutive month, though its total fell by nearly a third from May.
-
LockBit5 re-entered the top three with 59 victims after largely dropping out of the most-active rankings in May.
-
Settra emerged as a significant new data-broker extortion actor with 22 victims in its first month of large-scale activity, while FulcrumSec's monthly count collapsed from 23 to 2 even as it claimed one of the month's largest breaches.
-
65 distinct threat groups were active during June 2026. Victim organizations were identified across at least 79 countries and territories, with an additional 85 victims recorded under an unresolved "Unknown" geographic classification.
Ransomware Activity — June 2026
Ransomware activity in June 2026 continued to demonstrate broad global reach, though the month was defined less by a single dominant operator and more by a redistribution of activity across a wider set of groups.

Qilin remained the most active threat group with 78 recorded victims, extending its run as the leading operator for a sixth consecutive month even as its output declined significantly from May. TheGentlemen (76 victims) followed closely in second place, narrowing the gap with Qilin and reinforcing its position as one of the year's most consistent high-volume operators. LockBit5 (59 victims) staged a pronounced comeback into third place after largely falling out of the prior month's most-active rankings, consistent with the group's pattern of resurgence following its 2025 relaunch under a cross-platform "5.0" variant targeting Windows, Linux, and virtualization environments.
Akira (32 victims) and Incransom (30 victims) maintained steady mid-tier pressure, both moderating slightly from May. DragonForce (28 victims) continued a sustained multi-month decline, falling by nearly half after already softening in April and May. Nova (28 victims) continued its upward trajectory, extending gains first seen in April and May and cementing its status as one of the ecosystem's fastest-growing mid-tier operators.
Settra represented one of the most structurally notable developments of the month, emerging at scale as a newly tracked data-broker extortion group with 22 victims spanning consumer services, manufacturing, agriculture, and business services organizations, primarily in the United States and Taiwan. Rather than deploying encryption, the group has relied heavily on credentials harvested through infostealer malware to gain initial access — a pattern that closely mirrors FulcrumSec's emergence in May and reinforces the broader shift toward encryption-free, credential-driven extortion. Nightspire (22 victims) and SafePay (21 victims) rounded out the upper-middle tier, with SafePay moderating from its sharp April-to-May expansion.
Krybit (20 victims) and ShinyHunters (20 victims) both re-emerged prominently after limited visibility in the prior month, with ShinyHunters' activity coinciding with a series of high-profile institutional breaches described later in this report. Play (16 victims), Stormous (14), ThreeAM (14), and newly tracked CMDorganization (14) sustained the ecosystem's dense mid-tier. Icarus, a group first identified in April 2026, grew to 11 victims in June following its central role in a significant supply-chain breach affecting numerous downstream organizations.
FulcrumSec's tracked victim count fell sharply to just 2 in June, down from 23 in May, despite the group claiming responsibility for one of the month's largest and most consequential breaches — a reminder that monthly leak-site listings do not always move in lockstep with the scale or significance of individual incidents. In total, 65 distinct groups were identified as active during June 2026, a modest increase from May's 62, reflecting continued diversification at the mid and lower tiers of the RaaS ecosystem.
Ransomware Activity — May 2026 vs. June 2026
Ransomware activity declined from 789 victims in May 2026 to 707 in June 2026, a 10.4% month-over-month decrease and the second consecutive monthly decline. Unlike May's relatively broad-based softening, June's decline was concentrated among several previously dominant operators and geographies, while a number of mid-tier and emerging actors expanded.

Qilin fell from 114 victims in May to 78 in June, a decline of roughly 32%, while still retaining the top position. TheGentlemen eased slightly from 90 to 76. DragonForce continued its multi-month slide, falling from 55 to 28 — now less than half its April level. Akira declined from 43 to 32, and SafePay moderated from 29 to 21 after its sharp April surge. FulcrumSec's listed activity dropped from 23 to just 2, even as the group was linked to a major pharmaceutical-sector breach disclosed mid-month. Genesis, which had spiked to 21 victims in May, fell back to 6.
Against this backdrop, several operators expanded. Nova grew from 25 to 28 victims, extending its steady climb. LockBit5, which had not featured prominently among May's most active groups, surged back into contention with 59 victims in June — its strongest showing since March. Settra's emergence at 22 victims represented a wholly new entrant to the ecosystem, while Icarus grew from a handful of prior victims to 11 following its role in a widely reported SaaS supply-chain incident.
The overall decline in June may reflect a combination of natural oscillation following two elevated months, continued redistribution of affiliate activity across a broader set of operators, and a modest lag in geographic and sectoral attribution for the most recent reporting period — the latter suggested by the sizable rise in unattributed "Unknown" and "Not Found" listings this month.
Industry Impact in June 2026 — Ransomware Continues to Target Critical Sectors
In June 2026, ransomware attacks maintained pressure on the same core set of high-value industries observed in prior months, though confirmed victim counts declined across nearly every major sector even as the "Not Found" category expanded.

Business Services recorded the highest confirmed victim count at 123, retaining the top position for a third consecutive month despite falling from May's 160. This continued dominance reflects sustained attacker interest in professional services organizations — law firms, consulting firms, managed service providers, and staffing agencies — whose client data and broad third-party access continue to create outsized extortion leverage even as overall volumes moderate.
Manufacturing followed with 83 victims, down from 102 in May but still firmly in second place among confirmed sectors. Technology recorded 56 victims, a meaningful decline from May's 70, though the sector's exposure was underscored qualitatively by a major supply-chain incident detailed later in this report. Consumer Services (53 victims) was essentially unchanged from May, making it the only major sector to hold steady rather than decline. Healthcare recorded 51 victims, continuing to ease from April and May but remaining a persistent high-priority target, reinforced this month by one of the year's most significant pharmaceutical-sector data-theft incidents.
Agriculture and Food Production (36 victims) and Transportation/Logistics (26 victims) both moderated from May while continuing to reflect attacker interest in supply-chain-dependent industries. Construction (27 victims), Financial Services (25 victims), Education (24 victims), and Public Sector (24 victims) each recorded meaningful activity, with Public Sector targeting reinforced by a high-profile breach of a major European institution. Hospitality and Tourism (21 victims), Energy (12 victims), and Telecommunications (9 victims) rounded out the confirmed sector distribution.
The "Not Found" classification rose to 137 victims, up roughly a third from May's 103 and reversing the prior month's improvement in attribution coverage — a reminder that sector-level visibility in underground reporting channels can fluctuate month to month rather than improving in a straight line.
Geographical Distribution of Victims

The United States remained the most targeted country in June 2026, accounting for 198 victims. While still the dominant single geography, this represented a substantial decline from May's 308 victims and reduced the US share of total activity to approximately 28% — its lowest share in the current reporting cycle, down from roughly 39% in May. Part of this shift likely reflects a rise in incidents lacking confirmed geographic attribution, which grew notably this month; the true US-linked total may be somewhat understated as a result.
Germany recorded 49 victims, overtaking the United Kingdom to become the most impacted country outside the United States and posting a meaningful increase from its May total of 40. The United Kingdom fell sharply to 21 victims, down from 49 in May. Brazil more than doubled its May count, rising from 10 to 23 victims, while India also roughly doubled, climbing from 11 to 20 — both notable signals of broadening exposure across Latin America and South Asia. Canada declined to 20 victims from 32 in May, and Spain, which had emerged prominently in May with 23 victims, fell back to 8.
France (15 victims) and Italy (15 victims) recorded moderate declines from May, while Mexico (14 victims) held relatively steady. Thailand (13 victims) and Taiwan (10 victims) both increased from May, while Australia (11 victims) and Japan (10 victims) declined notably. The Netherlands (7 victims) eased from May's 12, and Singapore (9 victims) remained roughly stable.
Argentina (9 victims), Hong Kong (8 victims), Russia (7 victims), Turkey (7 victims), Vietnam (7 victims), South Korea (7 victims), and Malaysia (7 victims) each sustained measurable activity. Portugal, Switzerland, Indonesia, China, the United Arab Emirates, Peru, and Austria each recorded between 4 and 6 victims, with a long tail of countries across Africa, the Middle East, Latin America, and Eastern Europe each recording 1 to 3 victims.
In total, victim organizations were identified across at least 79 confirmed countries and territories. An additional 85 victims were recorded under an unresolved "Unknown" geographic classification — a notably larger unattributed pool than in May — underscoring that geographic attribution for the most recent reporting month often lags and should be interpreted with some caution. The continued growth in Brazilian and Indian victim counts reinforces the pattern flagged in prior reports of expanding attacker interest in Latin America and Asia-Pacific markets, even as reporting from these regions may still understate true exposure.
Major Ransomware Breaches Across Global Sectors — June 2026
During June 2026, ransomware and cyber-extortion activity produced several significant confirmed or claimed incidents across critical industries and regions.
Healthcare and Pharmaceuticals — Europe (Global Impact) - The month's most consequential incident involved the data-extortion group FulcrumSec's breach of Novo Nordisk, the Danish pharmaceutical company behind Ozempic and Wegovy. Novo Nordisk disclosed unauthorized access to a limited number of internal systems on June 11. FulcrumSec claimed it had spent more than two months inside the company's network after obtaining credentials exposed in client-side code, ultimately exfiltrating approximately 1.3 terabytes of data across roughly 700,000 files — including pseudonymized clinical trial records, proprietary drug compound data, source code, and dozens of internal AI models. After the company declined a reported $25 million demand, the group began releasing portions of the stolen data in mid-June. The incident builds directly on FulcrumSec's cloud-native extortion model first documented in May's report.
Public Sector and International Institutions — Europe - The extortion group ShinyHunters claimed a breach of the Council of Europe, alleging theft of roughly 297 gigabytes of data across approximately 429,000 files, including more than a decade of payroll records, personnel files, and medical information tied to thousands of staff. The group set a mid-June deadline for negotiation. Security researchers linked the intrusion to the same underlying vulnerability the group had exploited days earlier against a major UK university, part of a broader campaign believed to have affected more than 100 organizations globally.
These incidents collectively underscore the continued dominance of data exfiltration as the primary extortion lever, the growing normalization of encryption-free, credential- and OAuth-driven attack methods, and the expanding willingness of threat actors to target pharmaceutical research, SaaS supply chains, and international institutions alongside traditionally dominant sectors.
Recommendations — June 2026 Ransomware Outlook
To mitigate the ongoing ransomware threat, organizations should continue strengthening defensive resilience through layered controls. The June 2026 incidents highlight several critical vectors requiring immediate attention, including dormant credential exposure, OAuth and SaaS integration risk, and the growing normalization of encryption-free data extortion.
-
Audit and deactivate dormant credentials and legacy service accounts, particularly those tied to third-party integrations and abandoned prototypes, as these remain a recurring initial-access vector.
-
Implement rigorous secrets management to prevent API keys, access tokens, and credentials from being exposed in client-side code, repositories, or CI/CD pipelines.
-
Enforce phishing-resistant MFA across all remote access channels and review OAuth token lifecycles, scopes, and revocation procedures for all connected SaaS applications.
-
Deploy advanced EDR/XDR solutions and continuously monitor for indicators of compromise across endpoint, network, and cloud telemetry, with particular attention to abnormal data access and query patterns in CRM and cloud data platforms.
-
Extend third-party and SaaS supply-chain risk management to cover all connected application integrations, not just primary vendors, given the recurring pattern of attackers pivoting through trusted third-party connections to reach downstream customers.
-
Apply heightened protection to research, clinical trial, and AI/ML model data in pharmaceutical and technology environments, where the value and sensitivity of stolen intellectual property can substantially raise extortion leverage.
-
Maintain offline, encrypted, and regularly tested backup systems, and segment enterprise networks to limit lateral movement and reduce blast radius following initial compromise.
-
Conduct regular incident response exercises calibrated to current threat actor TTPs, with specific scenarios addressing credential-based cloud extortion, SaaS supply-chain compromise, and encryption-free data theft.
Conclusion
The ransomware landscape in June 2026 reflected a second consecutive month-over-month decline in victim volume, with 707 globally recorded victims distributed across at least 79 countries and 65 active threat groups — confirming that the RaaS ecosystem remains structurally resilient even as headline volumes ease from April's peak.
The United States remained the most targeted country but saw its relative share of global activity fall to its lowest level in the current reporting cycle, while Germany, Brazil, and India each recorded notable increases in exposure. Business Services retained its position as the most targeted confirmed sector for a third consecutive month, though nearly every major sector recorded lower confirmed volumes than in May, alongside a marked rise in unattributed incidents.
The emergence of Settra as a new credential-driven extortion actor, LockBit5's return to the top three, and FulcrumSec's high-profile breach of Novo Nordisk despite a collapse in its own monthly victim count together illustrate an ecosystem in continued flux — one where headline-grabbing incidents and aggregate victim counts do not always move together. The Council of Europe and Klue/Salesforce incidents further reinforce the growing prominence of credential- and integration-based attack paths over traditional encryption.
Ransomware remains a persistent, adaptive, and strategically driven threat. The continued diversification of the RaaS ecosystem, the normalization of encryption-free data extortion, and the demonstrated willingness to target pharmaceutical research, SaaS supply chains, and international institutions underscore the need for sustained investment in credential hygiene, cloud security, detection, response, and recovery capabilities across all industries and organizational sizes.