Ransomware groups posted 4,700 victims on their leak sites in the first half of 2026, marking a record high for the period. That figure represents a 16% increase compared to the same period last year, and a nearly 65% increase compared to the first half of 2024 — a sustained, multi-year upward trend rather than a one-off spike. June 2026 alone accounted for 708 new victim postings.
Leak-site victim counts are a useful, if imperfect, proxy for overall ransomware activity. They undercount incidents where victims pay before public shaming, or where groups don’t use a public leak site model at all, but the consistent year-over-year growth across multiple reporting periods indicates the underlying trend is real: more organizations are being successfully compromised and extorted, not just more groups choosing to publicize their victims.
This growth is happening despite years of law enforcement takedowns, sanctions against ransomware infrastructure, and widespread adoption of endpoint detection tools. That combination suggests the bottleneck for defenders isn’t tooling availability — it’s execution: patching cadence, credential hygiene, and how quickly lateral movement and data exfiltration get detected once initial access is achieved.
For security teams, the practical implication is to assume ransomware attempts against your organization are a “when,” not an “if,” and to weight investment toward detecting the middle stages of an intrusion — privilege escalation, internal reconnaissance, mass file access, and outbound data transfers — rather than relying solely on preventing initial access.