Check Point Research's Q1 2026 ransomware report documents 2,122 victims across 70+ active data leak sites, the second-highest Q1 on record. The most significant structural shift is ecosystem consolidation: after two years of fragmentation, the top 10 groups now account for 71.1% of all victims. Qilin, Akira, The Gentlemen, and LockBit together claimed 41% of all victims. The Gentlemen emerged as a major new player, leveraging a stockpile of ~14,700 pre-compromised FortiGate devices and deliberately avoiding US targets. LockBit returned with version 5.0, showing a dramatic geographic shift away from US victims (down to 21.2% from historically 50%+). The report also highlights that country-level statistics are often shaped by a single actor's specific access inventory rather than broad threat landscape shifts, and that ransomware payment rates have fallen to historic lows despite rising victim counts.
Table of contents
Key FindingsRansomware in Q1 2026: Consolidation at ScaleActor Spotlight: The Gentlemen – The Breakout Story of Q1 2026LockBit 5.0: Making a ComebackDragonForce: The Cartel Model Under PressureGeographic Distribution of Victims – Q1 2026Ransomware Attacks by Industry – Q1 2026ConclusionSort: