According to the Breachsense March 2026 Ransomware Report, the Qilin ransomware group claimed 131 victims in March — an all-time single-month record for any ransomware group — followed by Akira (84) and TheGentlemen (64).
By the Numbers
| Metric | March 2026 | February 2026 | Change |
|---|---|---|---|
| Total victims (all groups) | 808 | 680 | +19% |
| Active ransomware groups | 65 | 54 | +11 new groups |
| Qilin victims | 131 | 104 | +26% |
Geographic Distribution
The United States accounted for 50% of all victims (404), but European countries experienced the steepest increases:
| Country | March Victims | Month-over-Month Change |
|---|---|---|
| United States | 404 | — |
| France | 36 | +113% |
| United Kingdom | — | +86% |
| Germany | 32 | +73% |
| Spain | — | +58% |
France's 113% increase was the largest single-month jump among major economies, consistent with a broader pattern of escalating cyberattacks against French organisations in early 2026.
Sector Breakdown
Manufacturing remained the most targeted sector for the third consecutive month:
| Sector | March Victims |
|---|---|
| Manufacturing | 76 |
| Construction | 53 |
| Finance | 48 |
| Healthcare | 47 |
Notable Targets
Qilin's March campaign included attacks against Tulsa International Airport and, in late February, Malaysia Airlines — with passenger records, personnel files, and vendor contracts among the claimed data.
Context
The 19% month-over-month increase and expansion from 54 to 65 active groups signals a ransomware ecosystem that is growing, not consolidating. For organisations in the EU subject to NIS2 incident reporting requirements, the concentration of attacks on manufacturing and critical infrastructure sectors reinforces the urgency of having tested incident response plans (ISO 27001 Annex A controls 5.24–5.28) before an attack materialises.