Industrial organisations experienced 2,073 ransomware attacks in the 12 months from March 2025.

67% of ransomware victims confirmed their ransomware incident stemmed from an identity attack.

58% of cybersecurity leaders would consider paying cybercriminals to end a ransomware attack.

Nearly 1 in 4 middle market organizations reported a ransomware attack or demand in the past year.

Capital goods organisations experienced 1,192 ransomware attacks in the 12 months from March 2025.

Organizations across 39 countries were impacted by disclosed ransomware attacks in Q1 2026.

Ransomware payouts now average $40 million, nearly triple their level in 2024.

Ransomware victims were located in 97 countries in Q1 2026.

Within capital goods, machinery experienced 442 ransomware attacks and construction and engineering experienced 394 ransomware attacks in the 12 months from March 2025.

Victims were given an average of 7.7 days to meet ransom demands in Q1 2026.

38% of publicly disclosed ransomware incidents were not attributed to any known group in Q1 2026.

The average volume of data stolen per undisclosed ransomware incident was 743 GB in Q1 2026.

Among publicly disclosed attacks, Qilin was responsible for 22 attacks (8%), ShinyHunters 16 attacks (6%), and INC 11 attacks (4%).

79 ransomware groups claimed victims during Q1 2026.

In the 12 months from March 2025, industrial organisations accounted for 29.6% of all ransomware activity on average.

When identity breaches impact business, the primary consequences are data theft (49%), ransomware (48%), and financial theft (47%).

Data exfiltration occured in 96% of ransomware attacks in Q1 2026.

Undisclosed ransomware attacks increased by 2% year-on-year.

The Gentlemen claimed 273 attacks since its emergence in 2025 through the end of Q1 2026.

48% of all breaches now involve ransomware.