Just three ransomware groups were responsible for almost half of all ransomware attacks during the last month, analysis of reported incidents has revealed.
According to cybersecurity analysts at Check Point, a total of 672 ransomware incidents were reported during March 2026, representing an increase in attacks compared with the previous month.
The figures, released on April 9, detailed how three ransomware operations dominated the attack landscape, as they accounted for 40% of incidents.
Qilin ransomware group alone was responsible for 20% of ransomware attacks. The ransomware-as-a-service (RaaS) operation has been active since 2022 and remains a prominent cyber threat.
Since early 2025, Qilin has significantly expanded affiliate recruitment and victim disclosures, which last year included a disruptive ransomware attack on global brewing giant Asahi.
During the same period, Akira ransomware accounted for 12% of all ransomware attacks. Akira has remained a threat since it first appeared in 2023 and the ransomware group has extorted hundreds of millions of dollars in ransom payments.
The group targets Windows, Linux, and ESXi systems and has shown an increased preference for targeting organizations in the business services and industrial manufacturing sectors.
Akira has continued to evolve its capabilities, researchers recently disclosed how the ransomware is now capable of completing all stages of an attack in under one hour from the initial compromise.
Dragonforce RaaS was responsible for 8% of ransomware attacks during March. According to Check Point, Dragonforce’s activity accelerated, something which researchers attributed to absorption of displaced RansomHub affiliates and a spike in social engineering campaigns.
Half of Ransomware Attacks Target the US
While the top three malicious actors accounted for 40% of incidents, a total of 47 different ransomware groups publicly impacted organizations worldwide during the period. Organizations in the United States accounted for just over half (52%) of victims.
“Attackers continue refining precision, timing, and targeting, exploiting seasonal cycles, emerging technologies, and operational blind spots,” said Check Point research.
Ransomware remains one of the most persistent and potentially cyber threats to organizations around the world. Despite being a known cybersecurity issue for at least a decade, attacks have become more disruptive, difficult to fix and financially costly.
Steps organizations can take to make the network robust against ransomware attacks include applying security patches and updates, enforcing multi-factor authentication on user accounts, and ensuring that the security team is well-resourced and has enough time to detect and examine potential red flags which might indicate attacks are in the network, prior to the ransomware being executed.