THREAT REPORT:

RANSOMWARE UPDATE

NORTH AMERICA

Threat Research Team

1. Executive Summary

North America has recorded 9,055 ransomware victims since January 2024, making it by far the most targeted region globally and the operational center of gravity for the global criminal ransomware economy. The trajectory is steep, but the growth rate is decelerating: 3,157 victims in 2024, 4,353 in 2025 (a 38 percent increase), and 1,545 in Q1 2026 (annualized to roughly 4,600, a 6 percent increase over 2025). The US alone accounts for 89.5 percent of regional victims (8,101). Canada at 8.6 percent (782) is itself larger than most national datasets in this report. Mexico at 1.9 percent (172) is materially under-targeted relative to its economic size.

Ransomware Volumes Do Not Respond to Enforcement

The headline finding is that NA ransomware volume does not respond to disruption. LockBit was operationally degraded in February 2024 and remains crippled. ALPHV exited via an apparent exit scam in early 2024. RansomHub, the dominant 2025 successor, disappeared from leak sites in early 2026. Each of these events should have produced a measurable decline in regional volume. None did. The ecosystem absorbed every disruption within weeks through affiliate migration, and aggregate volume continued to climb. Monthly averages went from roughly 260 in 2024 to 360 in 2025 to 385 in Q1 2026. Law enforcement actions have shifted who operates, not how much activity occurs.

The real story in 2026 is composition. The dominant 2025 operators (Cl0p, RansomHub, Play) have been displaced by a new top tier led by Qilin and DragonForce, with roughly 20 new groups posting NA victims in the most recent 90-day window. Sector targeting has rotated toward higher-leverage verticals, with healthcare up 46 percent year over year, financial services up 39 percent, and the emergence of dedicated law firm targeting by SilentRansomGroup. The Iran conflict that began in February 2026 has produced no measurable impact on NA volume, confirming that the criminal economy here operates on its own cycles independent of geopolitics. February 2025 saw an unprecedented spike of 607 victims in a single month, driven by Cl0p's MOVEit-style mass exploitation campaign and the maturation of post-LockBit successors. That campaign has now run its course, and Cl0p's volume has collapsed 84 percent. The successor pattern is what every CISO in this region should be preparing for, and Augur’s Ransomware Intelligence module can help you achieve that.

1.1 Key Observations

  • Disruption no longer reduces volume. Three major law enforcement and operator disruption events in 24 months (LockBit February 2024, ALPHV early 2024, RansomHub early 2026) have collectively produced zero measurable decline in aggregate NA ransomware activity. Monthly averages have climbed from roughly 260 in 2024 to 385 in Q1 2026. The strategic implication is that the criminal ransomware economy is now structurally resilient to single-operator takedowns. Volume reduction requires either ecosystem-wide payment crackdowns or sustained, simultaneous pressure on multiple operators and affiliate pools.

  • Affiliate migration is the key dynamic. When an operator goes down, its affiliates resurface within weeks under new banners. Qilin, DragonForce, IncRansom, and the new entrants (TheGentlemen, CoinbaseCartel, Insomnia) are the primary beneficiaries in 2025 and 2026. The practical detection consequence is that brand-based threat intelligence is now substantially less valuable than infrastructure-based attribution. The same operators are demonstrably running campaigns under multiple brand identities within the same quarter, which makes infrastructure overlap the more reliable attribution signal.

  • Healthcare targeting is structural, not opportunistic. 954 healthcare victims in 28 months works out to a sustained cadence of roughly 1.2 healthcare organizations posted per day, rising to 1.4 per day in the most recent 90-day window. The sector combines legacy infrastructure, life-safety operational urgency, and HIPAA breach-notification timelines that compress negotiation windows in operators’ favor. We assess healthcare as a permanent priority target rather than a passing trend, and forecast continued growth through 2026.

  • Ecosystem fragmentation is accelerating. Twenty new groups posted NA victims in the most recent 90-day window, including PayoutsKing, BlackNevas, WorldLeaks, MNT6, Crypto24, TheGentlemen, CoinbaseCartel, ShinyHunters, Insomnia, and SilentRansomGroup. The barrier to entry for new ransomware brands is now low enough that affiliate displacement from a single major disruption produces a fan-out of new operators rather than consolidation under a clean successor. This fragmentation increases attribution difficulty and reduces the effectiveness of brand-based blocklists and indicator feeds.

  • Canada is materially under-recognized as a target. 782 Canadian victims since 2024 would make Canada a top-10 most-targeted country globally if ranked independently. Adjusted for population, the Canadian targeting rate is roughly 60 percent of the US rate, comparable to the most heavily targeted European economies. Canadian healthcare, education, and municipal targets feature disproportionately, driven by the same regulatory and operational urgency factors that make US healthcare attractive. Canadian organizations and government agencies should treat NA-region threat intelligence as directly applicable rather than as US-specific.

  • Cl0p’s next mass-exploitation cycle is the largest forecasting uncertainty. Cl0p has demonstrated three previous mass-exploitation campaigns at roughly 12 to 18 month intervals (MOVEit 2023, GoAnywhere 2024, Cleo 2025), each producing 150 to 250 victims concentrated in a single window. The current 84 percent collapse in Cl0p volume reflects the exhaustion of the Cleo campaign, not a decline in operator capability. We assess the probability of a fourth Cl0p mass-exploitation event in calendar 2026 as moderate-to-high. NA organizations should treat file-transfer, managed-service, and supply-chain software exposure as a priority risk category in vulnerability management programs through year-end.

2. Country Breakdown

Country Victims Share
United States 8,101 89.5%
Canada 782 8.6%
Mexico 172 1.9%

The country split tells three different stories. The US figure reflects raw scale, a large attack surface, and the highest concentration of mid-market targets with sufficient revenue to make extortion economically rational. Canada's 782 victims since 2024 understates its importance. Adjusted for population, Canada is being hit at roughly 60 percent of the US rate, comparable to the most heavily targeted European economies. Canadian healthcare, education, and municipal targets feature disproportionately in the dataset, driven by the same regulatory and operational urgency factors that make US healthcare attractive. Mexico's 172 victims are anomalously low. Possible explanations include lower English-language leak site representation of Spanish-language victims, lower digital exposure of mid-market Mexican targets, and a different threat-actor preference set that favors English-speaking targets where ransom negotiation tooling is mature. We assess Mexico as under-counted rather than under-targeted, and the true regional figure is likely materially higher than reported here.

3. Annual Trend

The number of victims is growing year on year.

Year Victims Year-over-Year
2024 3,157 Baseline
2025 4,353 +38%
2026 (Q1) 1,545 Annualized ~4,600, +6%

4. Quarterly Trend

Q4 has consistently been the worst quarter each year. The pattern is operationally explicable. Holiday IT staffing thins out detection and response capacity at exactly the moment that retail, logistics, and financial services organizations carry their highest annual exposure. Year-end deadline pressure shortens negotiation windows in operators’ favor. 

The Q4 2025 peak of 1,315 victims is the highest quarterly figure on record, and we expect Q4 2026 to exceed it. Q1 2025’s 1,268 figure is the second anomaly worth flagging. That number is heavily inflated by Cl0p’s February 2025 mass exploitation event, which alone contributed roughly 200 victims to the quarter. Excluding that campaign, Q1 2025 baseline volume was closer to 1,070, indicating that the underlying growth trajectory is steadier than the headline quarterly figures suggest. The Q1 2026 figure of 1,183 is therefore not a deceleration but a return to the post-campaign baseline. April 2026’s 362 victims project a Q2 2026 total in the 1,050 to 1,150 range, absent another mass exploitation event.

Quarter Victims Note
Q1 2024 637
Q2 2024 803
Q3 2024 691
Q4 2024 1,026
Q1 2025 1,268 Prior peak quarter
Q2 2025 860
Q3 2025 910
Q4 2025 1,315 New peak
Q1 2026 1,183
Q2 2026 362 April only

5. Most Active Threat Groups

The NA top ten is a snapshot of an ecosystem in active reorganization. Qilin and Akira together account for nearly 1,800 victims and are operating as near-peers at the top of the market, with Qilin pulling ahead in late 2025 and Q1 2026. Qilin is the clearest beneficiary of post-LockBit affiliate migration. Its operator profile favors mid-market US targets across manufacturing, technology, and healthcare, with operational signatures consistent with a mature, well-capitalized affiliate program. Akira occupies similar ground but with a slightly more disciplined targeting profile, fewer batch postings, and a higher proportion of completed extortion transactions based on leak site dwell time. Together, these two operators account for roughly 20 percent of all NA ransomware activity during the analysis period.

Group Victims Assessment
Qilin 905 Top threat. Aggressive scaling since mid-2024, consistent high volume
Akira 885 Near-peer to Qilin. Targets manufacturing, tech, healthcare
Play 802 Steady operator, favors mid-market US companies
IncRansom 472 Prolific data exfiltration threatens regulatory reporting
Cl0p 459 Mass exploitation (file transfer vulns), spike-driven, not steady
RansomHub 390 Post-ALPHV successor, rapid affiliate recruitment
DragonForce 277 Growing presence, Malaysian origin, targets US critical infra
LockBit 3.0 263 Diminished post-takedown but still active via affiliates
Medusa 258 Blog-focused shaming, education/healthcare focus
Lynx 235 Newer entrant, rapid growth in 2025

5.1 Play (802 victims) is the steady mid-tier operator that has neither grown nor declined materially across the analysis period. Its targeting profile is the most consistent in the top ten, favoring mid-market US companies in the 50 million to 500 million revenue band with minimal variation in sector preference. We assess Play as a mature operator that has optimized for sustainable extortion economics rather than top-of-leaderboard volume. IncRansom (472) is a different operator profile, characterized by aggressive data exfiltration and explicit threats of regulatory reporting (SEC disclosure timelines, HIPAA breach notification) as extortion leverage. Its 143 percent year-over-year growth in the Iran-conflict period suggests it is attracting affiliates from disrupted programs.

5.2 Cl0p (459) is the operator most likely to be misread by readers who treat the cumulative figure as predictive. Cl0p is a campaign-driven actor, not a steady-state RaaS. Its volume tracks the lifecycle of whatever zero-day or n-day vulnerability it is currently weaponizing, principally in managed file transfer products. The 2023 MOVEit campaign produced the largest single victim cluster on record. The 2024 GoAnywhere and 2025 Cleo campaigns were smaller but followed the same pattern. The 84 percent collapse in Cl0p volume during the Iran-conflict period reflects the exhaustion of the current campaign cycle, not a decline in operator capability. We assess Cl0p as dormant rather than declining, and expect a return to high volume the next time a comparable file-transfer or managed-service vulnerability becomes available.

5.3 RansomHub (390) is the single most significant operator absence in the 2026 dataset. The group was the dominant post-ALPHV successor through most of 2025 and was on track to overtake Qilin before disappearing from leak sites in early 2026. Its affiliate base has not gone home. The 322 percent year-over-year increase in DragonForce volume, the 143 percent increase in IncRansom volume, and the appearance of TheGentlemen, CoinbaseCartel, and Insomnia as new top-20 operators are all consistent with the absorption of redistributed RansomHub affiliates. We assess that no single clean successor brand has emerged. The affiliate pool has fragmented across at least five operators.

5.4 DragonForce (277) is the operator that warrants priority watchlisting. Malaysian-origin, with reported targeting of US critical infrastructure and a 322 percent year-over-year increase, it is the fastest-rising operator in the top tier. Its tradecraft includes a public affiliate program with relatively low entry barriers, which makes it an attractive landing point for displaced affiliates from disrupted operations.

5.5 LockBit 3.0 (263) is now operating at roughly half its 2023 peak and should be treated as a residual rather than active threat for prioritization purposes, though its affiliate network has demonstrably persisted under other banners. Medusa (258) is differentiated by its blog-focused public shaming approach and its preferential targeting of education and healthcare, the two sectors with the lowest public tolerance for negotiation refusal.

5.6 Lynx (235) is the youngest operator in the top ten and the fastest-growing entrant from a 2025 standing start. We expect it to enter the top five in 2026 if current growth holds.

Two operators not in the top ten warrant flagging here because they appear in the Iran-conflict period analysis later in this report. SilentRansomGroup’s concentrated targeting of US law firms is the clearest sectoral targeting innovation in the dataset, with three law firm victims posted in 48 hours in early May 2026. TheGentlemen, which crossed regions and posted five NA victims in a single day on 6 May, displays the batch-publication operational signature characteristic of mass exploitation campaigns. Both groups are growth candidates for the next top-tier list.

6. Industry Targeting

The sector distribution reflects a mature criminal economy that has identified the highest-leverage targets and optimized for them. Business Services (1,905) and Manufacturing (1,321) lead the count by absolute volume, but the more analytically significant figures sit lower in the table. Healthcare at 954 victims is the standout. Nearly one in ten NA ransomware victims is a healthcare organization, a rate that has no parallel in any other region we track. Combined with Education (404) and Public Sector (348), critical services account for roughly 19 percent of all NA attacks. The targeting pattern is not opportunistic. 

Healthcare combines three structural drivers that compress negotiation windows in operators’ favor: legacy infrastructure that complicates segmentation and detection, life-safety operational urgency that shortens executive decision cycles, and HIPAA breach-notification timelines that increase the cost of public disclosure. Operators have learned that healthcare organizations make payment decisions in days rather than weeks, and they have built targeting playbooks around that fact.

Industry Victims Share
Business Services 1,905 21.0%
Manufacturing 1,321 14.6%
Technology 1,006 11.1%
Healthcare 954 10.5%
Financial Services 567 6.3%
Consumer Services 489 5.4%
Construction 468 5.2%
Education 404 4.5%
Transportation/Logistics 388 4.3%
Public Sector 348 3.8%
Agriculture & Food 300 3.3%
Hospitality 217 2.4%
Energy 203 2.2%

Financial Services at 567 victims and Technology at 1,006 represent the high-value end of the distribution. Both sectors carry significant data-exfiltration leverage independent of encryption outcomes. Manufacturing’s 1,321 victims primarily reflect operational-shutdown leverage, where production line interruption costs accumulate faster than ransom demands. Energy at 203 is low in absolute terms but warrants attention because it is the sector most likely to attract state-aligned actors using ransomware brands as cover, and because DragonForce’s reported targeting of US critical infrastructure points to this sector specifically. Education at 404 is a chronic target with structural characteristics similar to healthcare, including legacy systems, regulatory exposure under FERPA, and limited cybersecurity budgets. The combined critical-services figure (Healthcare + Education + Public Sector) is the single most actionable number in this report for sector-specific policy and procurement decisions.

7. Recent Notable Victims (Last 30 Days)

Victim Group Sector Date
Liberty Mutual Insurance Everest Financial Services Apr 30
See's Candies Qilin Food Production Apr 30
Del Monte Foods PayoutsKing Food Production Apr 29
Follett Software ShinyHunters Education Apr 30
ATF Aerospace Akira Manufacturing Apr 30
Silfab Solar (CA) MNT6 Energy Apr 30
UFP Technologies PayoutsKing Technology Apr 29

PayoutsKing is a new group that posted 10+ NA victims in a single day (April 29), indicating either a mass exploitation event or a data dump from a prior breach.

8. Ransomware and the Iran Conflict: North America Impact

Period of analysis: 1 February to 7 May 2026. This section isolates ransomware activity in North America against the same window in 2025 to test whether the Iran conflict has measurably affected the region. The headline finding is that volume is essentially unchanged. The composition of the threat actor landscape, however, has shifted significantly for reasons unrelated to the conflict.

9. Volume Holds Flat

North America recorded 1,231 ransomware victims between 1 February and 7 May 2026, against 1,228 in the same window of 2025. The United States accounts for 1,119 victims (90.9 percent), Canada 79 (6.4 percent), and Mexico 33 (2.7 percent), tracking the long-run regional split.

Month Victims Note
Oct 2025 483 Q4 ramp
Nov 2025 400
Dec 2025 429 Q4 peak window
Jan 2026 355 Post-holiday dip
Feb 2026 412 Conflict begins, no anomaly
Mar 2026 416
Apr 2026 362
May 2026 39 First 7 days only

Monthly volume sits inside the 350 to 420 band that has held since late 2025. We assess that the conflict has not produced a detectable signal in NA ransomware tempo. The criminal ecosystem here operates on its own cadence, driven by affiliate cycles and exploitation campaigns rather than by Middle East kinetic events.

10. Group Landscape: Major Reshuffle

While volume is flat, the actor mix has changed substantially year over year. The dominant 2025 operators have been displaced. Qilin and DragonForce have absorbed most of the redistributed volume, and roughly 20 new groups have appeared with NA targeting since February.

Group Feb–Apr 2026 Feb–Apr 2025 Trend
Qilin 186 96 +94 percent. Now ranked #1 in NA.
Akira 126 112 +13 percent. Steady growth.
IncRansom 97 40 +143 percent. Aggressive expansion.
DragonForce 97 23 +322 percent. Largest gain in the set.
Play 79 115 −31 percent. Declining.
Cl0p 34 215 −84 percent. Mass exploitation cycle ended.
RansomHub 0 124 Absent. Likely disrupted or rebranded.
Medusa 0 52 Absent from top 20.
TheGentlemen 43 0 New entrant.
CoinbaseCartel 41 0 New entrant.
ShinyHunters 38 0 New. Data extortion pivot.
Insomnia 32 0 New. Rapid scaling.
PayoutsKing 31 0 New. Mass-dump pattern.

Cl0p's collapse from 215 to 34 victims is consistent with the conclusion of its mass file-transfer exploitation wave. RansomHub's complete disappearance from the top 20 is the single largest structural change in this period. We assess that its affiliate base has migrated to Qilin, DragonForce, and the new entrants, with no evidence of a clean successor brand.

11. New Groups Since February

Twenty groups posted NA victims for the first time during the analysis window. The lower end of this list reflects the ongoing low barrier to entry in the RaaS economy, with several names likely representing affiliates from defunct operations operating under new banners.

Group Victims Assessment
Insomnia 32 Rapid scaling, origin unconfirmed.
AILock 18 AI-themed branding. Likely commodity RaaS.
Payload 8
VECT 5 Also seen targeting the Middle East.
Aurora 5
Bravox 5
Lapsus$ 5 Likely name reuse by copycats. Not assessed as the original group.
SecPo 5
Bavacai 3 Also seen in Middle East.
Krybit 3 Also seen targeting Turkey.

12. Industry Targeting Shift

The flat volume conceals a meaningful sector rotation. Healthcare, financial services, and business services are up year-over-year. Manufacturing, consumer services, and transportation are down. The pattern is consistent with operators shifting toward higher-leverage targets where regulatory exposure (HIPAA, PCI-DSS) and operational urgency increase the probability of payment.

Industry Feb–Apr 2026 Feb–Apr 2025 Change
Business Services 228 152 +50 percent
Manufacturing 145 209 −31 percent
Technology 139 154 −10 percent
Healthcare 133 91 +46 percent
Financial Services 96 69 +39 percent
Construction 86 71 +21 percent
Consumer Services 85 148 −43 percent
Transportation 46 72 −36 percent
Public Sector 43 45 −4 percent
Education 41 51 −20 percent

Healthcare is the standout. 133 victims in roughly 96 days works out to 1.4 healthcare organizations posted per day on average. We assess this trend as durable through the rest of 2026, given the structural drivers of legacy infrastructure, ransomware-induced operational disruption, and the value of patient data on extortion timelines.

13. Recent Notable Victims

Two operational patterns stand out. TheGentlemen posted five NA victims in a single day (6 May), consistent with batch publication and likely reflecting a mass exploitation event or a backlog dump. SilentRansomGroup posted three law firms in two days, indicating deliberate sector targeting rather than opportunistic compromise. Law firm targeting carries elevated extortion leverage through client privilege exposure and is worth tracking as a distinct trend line.

Victim Group Sector Date
Clinical Registry Solutions Akira Healthcare 6 May
Farella Braun + Martel LLP SilentRansom Legal 6 May
Sandberg Phoenix SilentRansom Legal 6 May
Desert Christian Schools Bavacai Education 5 May
Time-Cap Labs Qilin Technology 6 May
Gator Cases TheGentlemen Manufacturing 6 May
Aerodiagnostics IncRansom Healthcare 6 May
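
The two posting patterns described above (a batch of victims published on one day, and a burst of victims from one sector within two days) can be flagged mechanically from leak-site tracking data. The following is an added example, not code from the report or from Augur: the record layout and victim placeholders are constructed, and the thresholds (five posts in a day, three same-sector posts in two days) are assumptions taken from the counts cited in the text.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed leak-site post records: (group, victim, sector, date seen).
# Victim names are placeholders; dates mirror the patterns described above.
POSTS = [
    ("TheGentlemen", "victim-01", "Manufacturing", date(2026, 5, 6)),
    ("TheGentlemen", "victim-02", "Technology", date(2026, 5, 6)),
    ("TheGentlemen", "victim-03", "Construction", date(2026, 5, 6)),
    ("TheGentlemen", "victim-04", "Business Services", date(2026, 5, 6)),
    ("TheGentlemen", "victim-05", "Manufacturing", date(2026, 5, 6)),
    ("TheGentlemen", "victim-01", "Manufacturing", date(2026, 5, 7)),  # re-listing
    ("SilentRansomGroup", "victim-06", "Legal", date(2026, 5, 5)),
    ("SilentRansomGroup", "victim-07", "Legal", date(2026, 5, 6)),
    ("SilentRansomGroup", "victim-08", "Legal", date(2026, 5, 6)),
    ("Akira", "victim-09", "Healthcare", date(2026, 4, 20)),
    ("Akira", "victim-10", "Healthcare", date(2026, 4, 28)),
    ("Akira", "victim-11", "Healthcare", date(2026, 5, 6)),
]


def first_postings(posts):
    """Collapse re-listings: keep the earliest date per (group, victim)."""
    earliest = {}
    for group, victim, sector, day in posts:
        key = (group, victim)
        if key not in earliest or day < earliest[key][1]:
            earliest[key] = (sector, day)
    return [(g, v, s, d) for (g, v), (s, d) in earliest.items()]


def batch_days(posts, min_posts=5):
    """Groups that published at least min_posts new victims on a single day."""
    counts = defaultdict(int)
    for group, _victim, _sector, day in first_postings(posts):
        counts[(group, day)] += 1
    return sorted((g, d, n) for (g, d), n in counts.items() if n >= min_posts)


def sector_bursts(posts, min_posts=3, window_days=2):
    """Largest same-sector burst per group inside window_days calendar days."""
    by_key = defaultdict(list)
    for group, _victim, sector, day in first_postings(posts):
        by_key[(group, sector)].append(day)
    span = timedelta(days=window_days - 1)
    bursts = []
    for (group, sector), days in sorted(by_key.items()):
        days.sort()
        start, best = 0, None
        for end, day in enumerate(days):
            # Slide the window start forward until it fits the allowed span.
            while day - days[start] > span:
                start += 1
            count = end - start + 1
            if count >= min_posts and (best is None or count > best[2]):
                best = (days[start], day, count)
        if best:
            bursts.append((group, sector, *best))
    return bursts


if __name__ == "__main__":
    for group, day, n in batch_days(POSTS):
        print(f"batch publication: {group} posted {n} victims on {day}")
    for group, sector, first, last, n in sector_bursts(POSTS):
        print(f"sector burst: {group} posted {n} {sector} victims {first}..{last}")
```

Without the re-listing filter, the repeated victim-01 entry would register as a third Manufacturing post and raise a false sector burst for the batch-posting group.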

14. Infrastructure Attribution

Augur has predicted several network ranges associated with the most active groups in this report. These CIDRs reflect hosting and operational infrastructure observed across recent campaigns, useful for blocklist enrichment and proactive monitoring. Groups are listed in the same order as the Most Active Threat Groups table.

Note: Several ranges appear across multiple groups, suggesting shared bulletproof hosting providers or affiliate overlap. 79.124.58.0/24 is used by RansomHub, Medusa, and Play. 95.181.173.0/24 is used by both Play and Medusa. 5.188.86.0/24 (Cl0p) and 194.87.31.0/24 (Medusa) also appear in the Middle East report under Babuk-family and Qilin operations, indicating cross-region infrastructure reuse. The TA505 sub-cluster reflects historic Cl0p operator infrastructure tracked separately for attribution continuity. Qilin and RansomHub CIDRs are reused from the Middle East report; IncRansom and LockBit 3.0 are listed without infrastructure data.
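
The overlap described in the note can be computed rather than spotted by eye: invert a brand-keyed range feed into a range-keyed index, count the ranges each pair of brands has in common, and tag outbound flows with every brand a destination matches. This is an added example, not code from the report or from Augur. It uses only the ranges and group labels quoted in the note, plus two constructed brands in documentation address space to show a nested prefix; the feed layout and the flow-record format are assumptions.

```python
import ipaddress
import re
from collections import defaultdict
from itertools import combinations

# Brand-keyed feed. The first four entries use only the ranges and group
# labels quoted in the note above; the two Example* brands are constructed
# (RFC 5737 documentation space) to show a nested prefix.
FEED = {
    "RansomHub": ["79.124.58.0/24"],
    "Medusa": ["79.124.58.0/24", "95.181.173.0/24", "194.87.31.0/24"],
    "Play": ["79.124.58.0/24", "95.181.173.0/24"],
    "Cl0p": ["5.188.86.0/24"],
    "ExampleBrandA": ["198.51.100.0/24"],
    "ExampleBrandB": ["198.51.100.64/26"],
}

# Constructed flow records; the key=value layout is an assumption.
SAMPLE_FLOWS = [
    "2026-05-06T10:02:11Z src=10.0.4.17 dst=79.124.58.17 dport=443",
    "2026-05-06T10:02:12Z src=10.0.4.22 dst=192.0.2.5 dport=443",
    "2026-05-06T10:02:15Z src=10.0.7.3 dst=198.51.100.70 dport=8443",
    "2026-05-06T10:02:19Z src=10.0.7.3 dst=not-an-ip dport=53",
]


def build_index(feed):
    """Invert brand -> CIDRs into network -> set of brands."""
    index = defaultdict(set)
    for brand, cidrs in feed.items():
        for cidr in cidrs:
            # strict=False tolerates feed entries that have host bits set.
            index[ipaddress.ip_network(cidr, strict=False)].add(brand)
    return dict(index)


def brand_links(index):
    """Count, per pair of brands, the ranges they share or that overlap."""
    links = defaultdict(int)
    nets = list(index)
    for i, a in enumerate(nets):
        # Identical prefix listed under several brands.
        for pair in combinations(sorted(index[a]), 2):
            links[pair] += 1
        # Different prefixes where one contains the other.
        for b in nets[i + 1:]:
            if a.overlaps(b):
                for x in index[a]:
                    for y in index[b] - {x}:
                        links[tuple(sorted((x, y)))] += 1
    return dict(links)


def attribute(ip, index):
    """Return every brand whose listed ranges contain this address."""
    addr = ipaddress.ip_address(ip)
    brands = set()
    for net, owners in index.items():
        if addr in net:
            brands |= owners
    return sorted(brands)


def enrich(flow_lines, index):
    """Tag flow records whose destination falls in any listed range."""
    hits = []
    for line in flow_lines:
        match = re.search(r"\bdst=(\S+)", line)
        if not match:
            continue
        try:
            brands = attribute(match.group(1), index)
        except ValueError:
            continue  # destination field is not an IP address
        if brands:
            hits.append((match.group(1), brands))
    return hits


if __name__ == "__main__":
    idx = build_index(FEED)
    for pair, n in sorted(brand_links(idx).items()):
        print(pair, n)
    for dst, brands in enrich(SAMPLE_FLOWS, idx):
        print(dst, "->", ", ".join(brands))
```

An alert built this way carries every brand label attached to a range, so a hit on shared hosting is reported as an infrastructure match rather than forced onto a single group name.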

15. Outlook

We forecast NA ransomware volume to reach 4,700 to 5,100 victims for full-year 2026, with confidence weighted toward the upper end of that range. The Q4 seasonal pattern alone will produce a 1,300 to 1,400 victim quarter, and any return of Cl0p to mass-exploitation mode on the back of a new file-transfer or managed-service vulnerability would push the figure higher. The base case assumes no comparable mass-exploitation event, in which case Q2 and Q3 2026 each fall in the 1,000 to 1,100 victim range, consistent with the post-campaign baseline.

We assess Qilin as the most likely operator to exceed 1,000 NA victims in calendar 2026, on track to become the first single-operator brand to do so in this region. Akira is positioned to track roughly 200 victims behind Qilin in second place. DragonForce’s current 322 percent year-over-year growth rate is not sustainable at scale, and we expect it to plateau in the 400 to 500 victim range by year's end, but the operator is the clearest single-actor critical-infrastructure threat in the dataset and warrants priority watchlisting for that reason rather than volume.

The post-RansomHub vacuum will not be cleanly filled. We expect the displaced affiliate pool to remain distributed across at least five operators through 2026, with TheGentlemen, CoinbaseCartel, and Insomnia maturing into top-tier brands, while a corresponding number of smaller operators consolidate or disappear. The aggregate effect is that ecosystem fragmentation will continue to increase. The practical detection implication is that infrastructure-based attribution becomes more valuable than brand-based attribution, since the brand layer is now genuinely fluid.

Healthcare targeting is structural and will not slow. We expect the 1.4 victim-per-day cadence observed in the Iran-conflict period to be the new baseline, with episodic spikes around healthcare-targeted exploit windows. Law firm targeting is the new pattern most likely to expand. If SilentRansomGroup’s May 2026 burst represents a sustained operator focus rather than a one-time campaign, we expect at least two additional operators to develop dedicated legal-sector playbooks within the next six months. The economic case for legal targeting is unusually strong, given the combination of privileged client data, regulatory exposure under state-level data breach laws, and the reputational consequences of public disclosure for client retention.

Cl0p’s next mass-exploitation cycle is the single largest forecasting uncertainty in this outlook. The operator has demonstrated three previous campaign cycles (MOVEit 2023, GoAnywhere 2024, Cleo 2025) at roughly 12 to 18-month intervals. We assess the probability of a fourth Cl0p mass-exploitation event in calendar 2026 at moderate-to-high, and recommend that file-transfer, managed-service, and supply-chain software exposure be treated as a priority risk category in NA organizations’ vulnerability management programs through year-end.

For questions or additional analysis, contact: research@augursecurity.com
