187 government organizations were hit with ransomware in the first six months of 2026 — an average of one government body having its services restricted by encryption every single day, according to new analysis.
187 incidents in six months: daily disruption to public services
Researchers at Comparitech recorded 187 ransomware incidents that targeted government entities between January and June 2026, a figure published on July 16. That total represents a 13% increase over the 165 incidents recorded during the second half of 2025. Comparitech’s arithmetic — 187 incidents across 182 days — yields an average of one ransomware event affecting a government organization each day in the period under study.
Comparitech noted that just over half of those incidents (89) were publicly confirmed by the victim organizations. The report frames the increase not merely as volume but as operational risk: encryption of systems can restrict services for weeks and produce extensive data breaches, increasing pressure on public bodies to resolve incidents rapidly.
Why governments draw ransomware activity
Comparitech’s analysis highlights two core incentives for attackers: disruption to public services and the volume of sensitive personal data that government organizations hold. “From weeks-long disruptions due to system encryption to extensive data breaches, governments are the ideal target for hackers,” said Rebecca Moody, head of data research at Comparitech. That leverage, the report argues, raises the likelihood a victim will pay for a decryption key rather than undertake a longer independent restoration.
Geography: the US accounted for 31% of incidents
The United States was the single largest national target in the dataset, accounting for 31% of recorded ransomware attacks against government agencies during the six-month period. Every other country named in the report contributed a single-digit percentage: Germany 7%, Spain 4% and Italy 4%. Comparitech suggests the disparity between the US and other countries is likely linked to population differences among nations in the dataset.
Ransom demands and notable outliers
The mean ransom demand to government agencies during the period was $100,000, a level the report interprets as attackers calibrating demands so they remain payable — particularly to organizations funded by taxpayers. But the dataset also contains outliers. The most significant example recorded by Comparitech was a $3.1m ransom demand made to the Land and Agricultural Development Bank of South Africa after an attack in January 2026. That organization refused to pay, and systems were only restored in April.
Threat actors named and defensive recommendations
Comparitech attributed many incidents to known ransomware groups. The most common attackers in the January–June window were The Gentlemen (10% of incidents), Qilin (9%) and LockBit (7%). The report also notes that ransomware groups frequently exploit well-publicized cybersecurity vulnerabilities.
On defenses, Comparitech’s Rebecca Moody urged a proactive posture. “Keeping systems up to date, patching vulnerabilities as soon as they're flagged, carrying out regular backups, and making sure employees are regularly trained and are on high alert at all times are crucial to mitigating the risks of attacks,” she said.
What this means for technologists, policymakers, and affected government agencies
- Technologists and security teams: The report signals that patch management, backups and employee training are core priorities; the mean $100,000 demand and the $3.1m outlier underscore why recovery plans and immutable backups should be reviewed against scenarios where ransom payment is refused.
- Policymakers and regulators: The daily cadence of incidents and the public-service disruptions described by Comparitech will likely sharpen attention on resilience standards for publicly funded organizations and on mechanisms for disclosure and cross-jurisdictional support when incidents occur.
- Affected government agencies and procurement leaders: With just over half of incidents publicly confirmed, agencies should expect heightened scrutiny after an incident and may need to balance restoration speed, forensic investigation and the public interest when deciding whether to disclose and how to recover systems.
The Comparitech tally — 187 attacks in six months, a one-per-day average, a mean demand of $100,000 and named groups such as The Gentlemen, Qilin and LockBit — presents a compact but stark snapshot: ransomware against government organizations is rising in frequency and remains financially calibrated to pressure public-sector victims. The data leaves a practical question for public-sector leaders and their security teams: will investment and operational changes match the daily rhythm of these attacks?




