Ransomware ecosystem in Q1 2026: market concentrates around major actors

In the first quarter of 2026, Check Point Research tracked more than 70 data leak sites where information on 2,122 new victims was published — a 117% increase over Q1 2024. The overall trend of rising ransomware activity continues.

To begin with, here are the key statistics:

📌 The number of active ransomware groups has started to decline after two years of market fragmentation — of the 85 groups at the Q3 2025 peak, 14 have ceased to exist. Meanwhile, 21 new names appeared, but most newcomers claimed fewer than 10 victims.
📌 The top 10 groups accounted for 71.1% of all publications on data leak sites — the highest concentration since Q1 2024, when the ecosystem included far fewer active groups.
📌 The US remains the main target of ransomware attacks — 49.6% of all known victims. Canada ranks second (4%), followed by the UK (4%).
📌 The most targeted industries are business services (35%), consumer services (14%), and industrial manufacturing (11%).

As the number of active actors declines, the largest groups have started consolidating the market even more aggressively. Qilin, Akira, The Gentlemen, and LockBit together accounted for 41% of all victims during the quarter. Qilin alone published more victims than the bottom 50 groups combined.

It is emphasized that the business model of major groups relies on their reputation: victims must believe that after payment they will indeed be able to restore their data. Market fragmentation in 2025 led to the emergence of many groups uninterested in maintaining decryption support or long-term credibility — a good example being the de facto wiper VECT 2.0, which we wrote about earlier.

Several of the fastest-growing groups stand out:

🔹 The Gentlemen has increased its activity by 315% compared to Q4 2025 — from 40 to 166 reported victims — taking third place globally. One of the group's key assets is believed to be a database of approximately 14,700 pre-compromised FortiGate devices. The geographical distribution is also notable: only 13.3% of victims are located in the US, while Thailand, Brazil, and India appear significantly more frequently than the ecosystem average.

🔹 LockBit returned to the top after its infrastructure was dismantled in 2024. In Q1 2026, the group claimed 163 victims (+106% quarter-on-quarter), and the new LockBit 5.0 version was officially introduced on the RAMP forum in September 2025. The share of U.S. victims among LockBit's targets (21.2%) is notably below the market average; Italy, Brazil, and Turkey are also among its main targets. We previously reported on LockBit's attempts to regain its former position by lowering entry fees.

Despite the growth in the number of victims, revenues from such operations continue to decline. Decrease in profits may gradually push out groups unable to reach sufficient scale or maturity to remain viable. As a result, the ecosystem is likely to concentrate around a limited number of dominant groups — those that are more technically mature, geographically diversified, and resilient to external pressure. To strengthen protection, such operators may shift their activities away from jurisdictions most actively involved in international takedown operations, a trend already observable in the case of LockBit.