The ransomware landscape experienced significant consolidation in the first quarter of 2026, with a few dominant groups accounting for the majority of attacks. This marks a departure from the previously fragmented ecosystem observed in late 2025.
According to Check Point Research, the top ten ransomware groups were responsible for 71% of all victims listed on data leak sites during Q1 2026. This is a notable shift from Q3 2025, when 85 active ransomware and extortion groups were recorded, indicating a highly decentralized environment at that time. The total number of victims posted on data leak sites reached 2,122 in Q1 2026, making it the second-highest first-quarter total on record.
Qilin maintained its position as the most prominent ransomware operation for the third consecutive quarter, posting 338 victims. The Gentlemen emerged as a significant player, increasing their victim count from 40 in Q4 2025 to 166 in Q1 2026, securing the third spot globally. LockBit 5.0 also made a notable comeback, posting 163 victims and climbing to fourth place.
The rise of The Gentlemen is particularly noteworthy. Founded by an individual operating under the handle ‘hastalamuerte,’ who previously left Qilin after a payment dispute, The Gentlemen has rapidly expanded its operations. The group offers a 90% affiliate share, higher than the traditional 80% offered by groups like LockBit. Their ransomware supports multiple environments, including Windows, Linux, NAS, BSD, and ESXi, and features a silent mode designed to evade common detection methods.
Hyflock, another emerging ransomware-as-a-service program, differentiates itself by offering fully integrated tooling. Its platform includes features such as initial-access purchasing, automated negotiation rooms, AI-based victim data analysis, and a red team available to assist affiliates during intrusions. The encryptor is claimed to run at approximately twice the speed of LockBit 3.0, though independent benchmarks are not available.
Law enforcement actions, such as Operation Cronos in February 2024, which targeted LockBit’s infrastructure, have led to the dispersion of skilled affiliates. These individuals have since regrouped, launching their own operations and contributing to the current consolidation in the ransomware ecosystem.
Despite the reduction in the number of active groups, the overall volume of ransomware attacks remains high. The consolidation around a few dominant players suggests that these groups have absorbed the talent and resources of smaller, less established operators, leading to more sophisticated and impactful attacks.
For organizations, this evolving threat landscape underscores the importance of robust cybersecurity measures. The concentration of attacks among a few powerful groups means that the potential impact of individual incidents is greater. Businesses must remain vigilant, continuously updating their security protocols and educating employees about the latest threats to mitigate the risk of ransomware attacks.
