When CYFIRMA published its Tracking Ransomware — May 2026 report on June 8, the geography of cyber extortion looked familiar. Of 778 publicly disclosed victims, the United States accounted for 336, trailed by Canada (40), the United Kingdom (39), Germany (29), Spain (23) and Australia (21). One of the world's largest digital economies was conspicuously missing: China does not appear anywhere in the report's ranking of targeted nations (CYFIRMA).
It is tempting to read that absence as a sign that Beijing has solved a problem the West has not. The more defensible reading is the opposite: China's near-invisibility in global ransomware trackers is largely an artifact of how — and to whom — Chinese victims are now legally required to disclose attacks.
Why Western victims show up and Chinese ones don't
Trackers like CYFIRMA's are built almost entirely from public signals: data-leak sites run by ransomware crews, regulatory breach notifications, and press coverage. A US hospital or a German manufacturer surfaces in the dataset because attackers name it on a leak blog to pressure payment, or because securities and breach-notification law forces a public statement. The dataset measures disclosure as much as it measures attacks.
China's disclosure plumbing now points somewhere else entirely. On September 11, 2025, the Cyberspace Administration of China (CAC) issued the National Cybersecurity Incident Reporting Management Measures, effective November 1, 2025. Article 4 of the official text requires ordinary network operators to report a "relatively serious" or worse incident to provincial cyberspace authorities within four hours of becoming aware of it; critical-infrastructure operators face a one-hour clock and central government bodies two hours. Crucially, Article 7 requires that ransomware reports specify "the amount, method, and date of ransom demands" (CAC; Morgan Lewis).
Those disclosures flow to the state, not to the public. A four-hour pipe into a provincial CAC office produces excellent situational awareness for regulators and essentially nothing for the open-source intelligence firms that compile the global victim lists. China's absence from CYFIRMA's table, in other words, is consistent with a country that experiences ransomware and reports it quietly — not one that has escaped it.
The reinforcing layer: an amended Cybersecurity Law
The reporting Measures sit on top of a freshly hardened statute. On October 28, 2025, the Standing Committee of the National People's Congress passed the first amendments to China's Cybersecurity Law since 2017, effective January 1, 2026. The amendment sharply raises penalties: fines of up to RMB 10 million (about US$1.4 million) for critical-infrastructure operators, up to RMB 1 million for cybersecurity-product businesses, and up to RMB 500,000 for ordinary firms, with parallel personal liability for responsible individuals (Reed Smith). Combined with the four-hour clock, the message to a breached Chinese company is unambiguous: report fast, report fully — to us.
The strongest case for the regime
There is a real argument here, and it deserves a fair hearing. Ransomware response is a race; the hours after detection determine whether an intrusion is contained or metastasizes across a supply chain. A mandatory four-hour reporting window forces victims to triage and notify rather than stall, hide, and quietly pay. Requiring the ransom amount, method and deadline gives regulators the raw material to map criminal infrastructure, track cryptocurrency flows, and warn other targets before the same crew strikes again. Western voluntary and public-disclosure models leave gaps — many victims never report at all, and trackers only ever see the cases attackers choose to publicize. A disciplined central reporting regime, in principle, sees more.
Where it goes wrong
The problem is what the regime does not do: inform the ecosystem it is meant to protect. China's framework optimizes for regulator visibility and against public transparency. The four-hour deadline is punishingly tight — many organizations cannot reliably scope an incident that fast, and a hard clock backed by million-yuan fines can perversely incentivize narrow, defensive reporting or quiet ransom settlement to avoid a paper trail. Mandatory ransom-detail disclosure to the state, with no public counterpart, means Chinese victimization data never enters the shared global picture that defenders everywhere rely on.
Proportionate regulation would do both jobs. The US CIRCIA framework and the EU's NIS2 directive also mandate rapid incident reporting on tight timelines, but they pair it with public and aggregate transparency — sector advisories, anonymized breach statistics, and notification rules that let customers and markets price the risk. That is the model worth defending: fast reporting that strengthens collective defense, not a one-way valve that converts a measurable threat into an official secret.
The measurement trap
The deeper risk is interpretive. If analysts and policymakers read China's blank row in the CYFIRMA table as evidence of superior security, they will draw exactly the wrong lessons — crediting opacity with outcomes it has not earned. A threat you cannot see is not a threat you have beaten. China has built one of the world's most aggressive incident-reporting regimes; it has not built a public record that the rest of the world, or its own firms, can learn from. The 778 names in May's report are a window. China simply closed the blinds.