New data from BlackFog shows ransomware activity remaining structurally elevated, with attacks continuing to operate at high volume while expanding their data-centric focus across both disclosed and undisclosed incidents. The analysis highlights that threat actors are increasingly prioritising data theft and extortion over traditional encryption-only disruption, reflecting a broader shift in how ransomware operations monetise compromise. It also underscores that incidents continue to span multiple sectors and geographies, reinforcing that ransomware is no longer episodic but persistent, industrialised, and embedded across the global threat landscape.
A total of 264 publicly disclosed ransomware attacks were recorded, representing a 15% decrease compared to the same period the previous year, BlackFog disclosed in its ‘Q1 2026 Ransomware Report.’ Despite this decline, activity remained steady throughout the first quarter, with 91 attacks in January, 83 in February, and 90 in March. Healthcare remained the most targeted sector, accounting for 72 attacks (27%), reflecting the continued focus on organizations with sensitive data and limited tolerance for operational disruption. Government entities experienced 32 attacks (12%), while the technology sector followed with 28 attacks (11%).
The report added that the ransomware landscape remains fragmented, with Qilin emerging as the most active variant, responsible for 22 attacks (8%). ShinyHunters followed with 16 attacks (6%), and INC accounted for 11 attacks (4%). Notably, 38% of all publicly disclosed ransomware incidents were not attributed to any known group.
Geographically, the U.S. accounted for the majority of incidents, with 161 attacks (61%). Australia reported 14 attacks (5%), while Canada recorded seven attacks (3%). Notably, ransomware activity was not limited to major economies. Organizations in smaller nations, including Andorra, Mauritius, Panama, and Namibia, were also impacted, highlighting the global reach of modern ransomware operations.
BlackFog reported that the rate of data exfiltration remained critically high at 96%, holding steady after a spike in 2025. This confirms that threat actors are prioritizing data theft to increase leverage and maximize financial returns.
“A 15% year-on-year decline in reported attacks may suggest progress, but the reality is very different,” Darren Williams, founder and CEO of BlackFog, said in a Wednesday media statement. “Ransomware remains a persistent and highly active threat, with attackers increasingly using AI to automate data theft at scale. With data exfiltration now occurring in 96% of attacks, the question for every organization is no longer whether their data is at risk – but whether they can stop it leaving their systems before damage is done.”
The BlackFog report highlights a fragmented ransomware landscape. Among publicly disclosed attacks, Qilin was the most active variant, responsible for 22 attacks (8%). ShinyHunters followed with 16 attacks (6%), and INC accounted for 11 attacks (4%). Notably, 38% of all publicly disclosed ransomware incidents were not attributed to any known group. In terms of undisclosed attacks, Qilin again led with 339 attacks (16%), followed by The Gentlemen with 200 (9%) and Akira with 190 (9%). In total, 79 ransomware groups claimed victims during the three months.
During this quarter, The Gentlemen quickly established itself as one of the most active ransomware groups, ranking second by volume of attacks. Since its emergence in 2025 through to the end of the first quarter of this year, the group has claimed 273 attacks, reflecting a rapid scale-up in operations and a broader trend of new entrants operating with a high level of maturity from the outset.
The group leverages double extortion tactics, combining data exfiltration with encryption to increase pressure on victims. Their operations are global in scope, with a clear focus on mid- to large-sized organizations where disruption and data exposure can drive higher ransom outcomes.
Observed tactics include the abuse of legitimate administrative tools, lateral movement within networks, and efforts to evade detection. This indicates a more targeted approach rather than purely opportunistic attacks. Sector targeting has aligned with high-impact industries such as manufacturing, construction, healthcare, and services. Their continued presence and volume of activity indicate sustained momentum, positioning The Gentlemen as a group to watch as the ransomware landscape continues to evolve.
BlackFog detailed that the focus for attackers remains on credential theft, maintaining persistent access, and data exfiltration, with exfiltration rates staying critically high in Q1 at 96%. The average volume of data stolen per undisclosed incident reached 743GB, with victims given an average of just 7.7 days to meet ransom demands.
Hackers are also leveraging AI to streamline and scale data theft. Campaigns such as LotAI demonstrate how AI tools can be used to automate data collection and exfiltration. Platforms like ClawdBot and OpenClaw further highlight how AI-driven infrastructure can aggregate, process and manage stolen data more efficiently.
BlackFog’s Q1 2026 ransomware report warns that the rapid uptake of generative AI is creating a new class of data exfiltration risk, driven largely by the rise of ‘shadow AI’ across enterprises. The report finds that 86% of employees now use AI tools weekly, with 49% relying on unsanctioned platforms and 51% integrating them into workflows without IT approval, creating uncontrolled pathways for sensitive data to leave the organisation. This exposure is not trivial.
Employees are sharing employee records, research datasets and other high-value information, often through free tools lacking enterprise-grade safeguards, with 58% relying on such tools. At the same time, threat actors are exploiting the same ecosystem, using AI to automate data theft through campaigns such as LotAI, alongside tools like ClawdBot and OpenClaw, accelerating exfiltration and monetisation.
The report also highlights emerging attack vectors such as prompt-poaching schemes and malicious browser extensions that harvest inputs from trusted AI interfaces, turning everyday usage into a direct channel for compromise.


