If the ransomware numbers from late 2025 alarmed you, April 2026 is not going to be reassuring.
Security researchers tracked 772 organizations claimed by ransomware groups in April 2026 alone, across 81 countries, with 70 distinct ransomware groups active during the month. That works out to roughly 25 new victims per day.
We covered the Q4 2025 surge back in March. April's numbers show that surge was not a blip. This is the baseline now.
Here is what the data shows, who is behind it, and what it means if you are not a Fortune 500 company with a dedicated security team.
The Numbers at a Glance
- 772 total victims claimed by ransomware groups in April 2026
- 70 distinct ransomware groups active, up from 65 in March
- 326 US victims across 42 states and districts
- 81 countries affected globally
The United States remains the most heavily targeted country by a significant margin. US organizations account for roughly 42% of all April victims. That is not because attackers specifically hate America; it is because the US has a high concentration of organizations with money to pay ransoms, and a legal and insurance environment that has historically made paying ransoms relatively common.
Who Is Doing It
Qilin held the top spot for the fourth consecutive month, claiming 103 victims in April. Qilin has become one of the most prolific ransomware operations of 2026, targeting hospitals, law firms, and manufacturing companies with equal enthusiasm. They operate a Ransomware-as-a-Service (RaaS) model, meaning the core Qilin team develops the ransomware and rents it out to affiliates who do the actual hacking.
TheGentlemen was second with 82 victims, a surprising surge from a group that was barely on the radar in early 2026. Researchers are still piecing together their infrastructure and affiliate network, but their rapid rise mirrors how previous groups like LockBit and BlackCat grew before eventually being disrupted by law enforcement.
DragonForce came in third with 63 victims. DragonForce gained notoriety in late 2025 for attacking critical infrastructure in Southeast Asia before expanding globally.
These three groups alone account for roughly a third of April's total victims. The remaining 67 groups split the rest.
How They Are Getting In
The methods have not changed dramatically, but the execution has gotten more efficient.
Identity is the primary entry point. Stolen credentials, phishing attacks targeting login pages, and vishing calls convincing employees to hand over SSO credentials account for the majority of initial access. Once attackers have valid login credentials, many corporate defenses simply let them walk in, because the credentials look legitimate.
VPN and remote access vulnerabilities remain popular. Organizations that did not patch their VPN appliances or remote desktop systems are consistently being targeted. Unpatched edge devices are essentially open doors.
Ransomware-as-a-Service continues to lower the barrier to entry. You no longer need to be technically sophisticated to run a ransomware operation. You need to be able to run a phishing campaign, buy a credential dump from a forum, and follow instructions. The technical sophistication is provided by the group selling you access to their ransomware platform.
Who Is Being Targeted
The data consistently shows that attackers are not primarily going after large enterprises. They are going after organizations with limited security resources: small and mid-sized businesses, local governments, healthcare providers, schools, and law firms.
Why? Because large enterprises increasingly have endpoint detection, 24/7 security operations centers, incident response retainers, and security awareness programs that catch attacks earlier. Smaller organizations often have none of these.
A ransomware group would rather hit 20 small law firms that each pay $50,000 than spend months trying to breach one major financial institution that might detect them and kick them out before they can encrypt anything.
This is the uncomfortable math of modern ransomware. If you are a small organization, you are not too small to be a target. You are exactly the right size.
The Healthcare Problem
Healthcare organizations were disproportionately represented in April's victims. Hospitals, clinics, and medical billing companies face a particular pressure: when your systems are encrypted and you cannot access patient records, lives may be at risk. Ransomware groups know this. They deliberately target healthcare because the pressure to restore operations quickly is greater, and the likelihood of paying is higher.
This is not speculation. Several major hospital systems have paid multi-million dollar ransoms in the past 18 months specifically because they calculated that the operational cost of downtime exceeded the ransom demand.
If you work in healthcare IT or manage any medical records systems, April's numbers should be treated as a direct warning.
What Actually Works
If the numbers are bad and the tactics are consistent, what actually reduces risk?
Multi-factor authentication everywhere. A stolen password is nearly useless if MFA is enabled. This single control stops a significant percentage of ransomware initial access attempts.
Patching, especially edge devices. VPN appliances, firewalls, and remote access tools are consistently targeted because many organizations lag months behind on patching them. These are exactly the systems that need to be updated first, not last.
Offline, tested backups. If ransomware encrypts your files, the only guaranteed recovery path without paying is having backups that the ransomware cannot reach. Backups need to be disconnected from the main network (or immutable in cloud storage), and they need to be tested regularly. A backup you have never tried to restore is not a backup; it is a hope.
Incident response planning before you need it. Organizations that survive ransomware attacks best are the ones that have already decided what to do: who makes the call on paying, who handles law enforcement contact, who manages communications. Making those decisions under pressure, in the middle of an incident, is extremely difficult.
Employee training on phishing and vishing. Since identity is the primary entry point, training employees to recognize suspicious emails and suspicious phone calls directly reduces the chance of an attacker getting in.
A Note on the "Pay or Not Pay" Question
Every organization that gets hit with ransomware faces the same agonizing question: do we pay?
There is no universally correct answer. Paying funds criminal operations and encourages more attacks. Not paying means potentially losing everything if backups are insufficient. Law enforcement in the US and most of Europe advises against paying but cannot compel compliance.
What is clear is that organizations with good backups and a clear incident response plan rarely have to seriously consider paying. The goal is to be in that position before the attack happens, not to figure it out while your files are encrypted.
Final Thought
772 victims in one month is not an abstract statistic. Each of those 772 represents an organization, often a small one, whose operations were disrupted, whose data was stolen, and whose leadership had to make impossible decisions under enormous pressure.
The groups doing this are organized, well-funded, and getting more sophisticated. The only effective response is to take basic security measures seriously before they arrive.
Check whether your organization has MFA enabled, your backups tested, and your systems patched. Those three things, consistently done, will put you ahead of a significant portion of the victims in next month's report.



