
The State of Ransomware – Q1 2026

ID: 636a1c9f-ece8-5f45-89c2-b4b85da451c6

STIX ID: report--636a1c9f-ece8-5f45-89c2-b4b85da451c6

Feed Name: Check Point Research

Threat Score: 85/100

Date Published: 2026-05-11

Date Updated: 2026-05-11

Author: matthewsu

...
...

Q1 2026 ransomware intelligence: 2,122 victims posted to data-leak sites as the ecosystem reconsolidated around fewer, more capable operators—Qilin, Akira, The Gentlemen and LockBit together claiming 41% of victims. Key developments include The Gentlemen’s rapid rise fueled by a 14,700-device FortiGate access stockpile (CVE-2024-55591), LockBit 5.0’s comeback with multi-platform capabilities, notable geographic shifts away from the US, and evidence that large-scale mass-exploitation campaigns (e.g., Cl0p/Oracle EBS) continue to shape country- and industry-level statistics.
