alt.hn

3/31/2026 at 10:02:34 AM

7,655 Ransomware Claims in One Year: Group, Sector, and Country Breakdown

https://ciphercue.com/blog/7655-ransomware-claims-march-2025-to-march-2026

by adulion

3/31/2026 at 11:41:35 AM

> 141 countries appeared in the dataset. US organisations are the most frequent targets at 40%, but the remaining 60% spans six continents. European subsidiaries, APAC operations, and Latin American offices are all represented

Love how this subtly implies that only the US has independent companies, every other region just has subsidiaries and branch offices of US companies

by wongarsu

3/31/2026 at 1:27:53 PM

You could also read it as saying that it's only companies that are ultimately US owned that are affected :-)

by ninalanyon

3/31/2026 at 2:42:20 PM

And as an industry, we claim we are completely helpless against ransomware. We create all kinds of organizations and alliances such as FIDO and ICANN. Against ransomware, complete silence.

by rawgabbit

3/31/2026 at 7:45:16 PM

Ransomware as most people imagine it is a solved problem. After a close call, my employer invested in ZFS-backed storage. Our recovery time for recovery from accidental deletion went from "days of copying from offsite backups" to just minutes.

The only problem is when people build storage on ancient filesystems that don't support low-cost snapshots.

by elevation

3/31/2026 at 8:23:29 PM

We are seeing coordinated attacks where multiple systems have been compromised. It is not a simple restore from backup because they have stolen admin credentials and can repeatedly wreck the kludge of modern and legacy systems most companies deal with. For example, UMMC hospitals lost access to their Epic system, phone lines, and email.

https://www.comparitech.com/news/cybercriminals-say-they-hac...

by rawgabbit

3/31/2026 at 7:51:48 PM

> as most people imagine it

Which is to say, a conventional ransom: "pay us to restore your un-backed-up files".

But if the attacker has already exfiltrated your files to machines you don't control, and the ransom is "pay or we'll publish", then you'll need more than a modern filesystem to prevent this.

by elevation

3/31/2026 at 4:46:21 PM

I think it will only get worse, as skiddies get access to LLMs. The number of mainstream maintainers being hacked is quite alarming.

by giancarlostoro

3/31/2026 at 10:58:25 AM

> Of 129 active groups, the top five posted 3,027 of the 7,655 claims (40%). After them, the field fragments quickly.

Does it?

The 4th group accounted for 5.0%, 5th was 4.5%, 6th was 3.4% and 10th was 2.5%, I think it doesn't fragment particularly any more quickly after the top 5 than within the top 5.

Is this LLM analysis?

by jstanley

3/31/2026 at 11:35:34 AM

They don't mention it explicitly on the website that I could find, but the product goals and stated functionality lean heavily in the LLM direction.

The text also reads very LLM-like, so I'd say yes.

by thes1lv3r

3/31/2026 at 11:45:34 AM

Always a bit harder to tell with marketing pieces because both LLMs and marketing love certain patterns and heavily lean on saying things that seem meaningful but are actually non-sequiturs.

But I agree that this seems at least LLM-assisted.

by wongarsu

3/31/2026 at 3:55:30 PM

this is a great representation of how clueless the security industry is.

the made up dimensions on this analysis are great for tech illiterate middle managers. while anyone with a brain knows that script kiddies just execute a vuln scanner and only care to filter .mil and .ru targets. what country or industry? please. they barely will look at the country to give a discount on the ransom if it's too poor.

you can make the case that certain industries buy more irresponsible tech products as a whole, but it's mostly irrelevant to read into the attackers.

the whole tech industry security is made up exclusively of blame shifting.

by iririririr

3/31/2026 at 4:47:11 PM

>tech illiterate middle managers

Why they're the very fellows signing the cheques to the:

>clueless ... security industry

by jpfromlondon

3/31/2026 at 11:14:24 AM

The 40% acceleration in the second half is the number that jumps out. That is not just "more groups", something changed operationally in the ecosystem around September 2025.

SafePay dominating Germany with 72 claims is worth watching. Most ransomware analysis focuses on US-heavy groups, but a group concentrating on a single non-US market suggests either language capability, specific supply chain access, or targeting of regulatory environments where disclosure pressure increases payment rates. Germany's strict GDPR enforcement could make the threat of a leak more effective than in markets where fines are lower.

The 35% of claims with no sector attribution is a significant gap. If those ~2700 unattributed claims skew toward smaller organizations without public sector classification, the actual concentration in SMB targets could be much higher than the data shows.

The point about ecosystem resilience is the most important takeaway for defenders. 129 active groups means the threat model is not "prevent group X" but "assume breach and limit blast radius." That shifts investment from detection toward segmentation, backup isolation, and recovery speed.

by gebalamariusz

3/31/2026 at 12:05:54 PM

This is not a helpful (nor human) comment despite all the words.

by grosswait