Ransomware report
Methodology
We continuously monitor over 200 blogs run by ransomware groups. The available ransomware data on these blogs typically includes the names of the attacked companies, descriptions of the incidents, and sometimes samples of the stolen files proving the attacks’ legitimacy. These groups publish their victims’ names as a tactic to pressure them into paying the ransom. They often add a countdown timer, after which they threaten to leak the stolen data if the ransom is not paid.
Once a company is identified from a ransomware listing, we conduct further research to gather firmographic data. While the reported totals—2,581 in Q2 2026—are accurate, the specific industry, company size, and country breakdowns may differ slightly due to smaller sample sizes. We use various publicly accessible business data sources to identify general organizational attributes, such as industry, geographic region, size, and revenue bracket, using the company names and domains.