New data from GuidePoint Security highlights a ransomware landscape that is no longer spiking but settling into a sustained, elevated baseline. Findings from the GuidePoint Research and Intelligence Team show that activity in the first quarter of 2026 remained steady both quarter-over-quarter and year-over-year, confirming that the surge seen in late 2025 has effectively reset expectations for what constitutes normal attack volume.
In its report titled ‘Ransomware and Cyber Threat Insights,’ the GuidePoint Research and Intelligence Team (GRIT) identified that the first quarter of 2026 saw a consistent volume of ransomware activity relative to both Q4 2025 (quarter-over-quarter (QoQ)) and Q1 2025 (year-over-year (YoY)). After a spike in activity at the end of 2025, victim numbers have remained level, neither increasing nor decreasing substantially. Though the number of active groups operating also remained steady QoQ and YoY.
“This quarter also saw a slight reordering in the most active ransomware groups observed, with The Gentlemen rising to become the second most active group based on their public claims of 182 distinct victims,” according to the report. “This marks a stark increase in operational activity for the group, which claimed only 35 victims and placed 16th in Q4 2025. Conversely, we observed decreased operational activity from prior frontrunners, Qilin and Akira. Although Qilin remained the most active observed group with 361 victims, this still reflected a 25% decrease from its peak of 484 victims in Q4 2025. Akira’s observed activity similarly declined from 226 in Q4 2025 to 176 in Q1 2026, a 22% decrease. This decrease in Akira’s observed activity is likely a result of outlier performances in Q3 and Q4 2025, attributed to exploitation of vulnerabilities in SonicWall SSL VPN appliances.”
Additionally, GuidePoint continues to see the effects of Clop’s (aka Cl0p) Oracle E-Business Suite mass exploitation campaign. “The group continued to claim victims in Q1 2026, despite the exfiltration having occurred during the later months of 2025. This continues Clop’s historical habit of drawing out victim posts for several months after mass extortion campaigns.”
While this quarter’s ransomware activity remained consistent, the overall cyber threat landscape remained anything but. Kinetic operations in the Middle East have also led to increased cyber operations attributed to Iran-aligned ‘hacktivist’ groups, including Handala. Although the impacts from these operations have, in some cases, been exaggerated, we explore their fallout and ties to the Iranian state in this quarter’s report.
The U.S. dominated as the primary ransomware target, accounting for 51% of victims (1,084 incidents), far ahead of the U.K. and Canada, which tied for second at 4% each (88 incidents apiece). This concentration reflects threat actors’ continued prioritization of large, digitally dense economies with extensive attack surfaces. France ranked fourth with 78 incidents (3.65%), followed by Germany with 70 (3.28%), Italy with 65 (3.05%), Brazil with 45 (2.11%), and India with 43 (2.01%).
Thailand entered the top 10 for the first time since GuidePoint began tracking victim data in 2022, indicating an increased level of ransomware impacts in another developing economy. Brazil and India remain consistent towards the bottom of the top 10, reflecting continued operational impacts against these developing economies. Spain and Thailand rounded out the top ten at 36 (1.69%) and 33 (1.55%) incidents, respectively.
Sector-level data reveals a notable shift. Manufacturing remains the most impacted industry, but the construction sector has emerged as a growing hotspot. It recorded 131 ransomware victims in the first quarter, marking a 44% increase year over year and pushing it into the top five most targeted industries. The rise suggests that attackers are broadening their focus to industries that may lack mature cybersecurity defenses but still hold valuable operational and financial data.
At the same time, ransomware tactics are evolving. Threat actors are increasingly abandoning traditional encryption-based attacks in favor of data theft and extortion-only operations. This shift reduces operational complexity for attackers while maintaining pressure on victims through the threat of data exposure, signaling a more efficient and adaptive threat model.
The group landscape is also changing quickly. The emergence of new RaaS (ransomware-as-a-service) players is reshaping activity levels. The group known as The Gentlemen, which appeared in August 2025, expanded rapidly from 35 victims in the fourth quarter of 2025 to 182 in the first quarter of 2026, making it the second most active group. In contrast, established groups such as Qilin and Akira saw their activity decline by 25% and 22%, respectively, indicating a redistribution of influence rather than an overall slowdown.
Qilin, which first appeared in 2024, rose to much greater prominence by the end of 2025 by publicly claiming the highest number of victims amongst all ransomware groups we observed. While Qilin’s open recruitment model for affiliates likely allows the group’s affiliates to attack in greater numbers, it suffers from higher rates of non-payment relative to payment when compared to other ransomware groups, including Akira. As a result, while Qilin remains the most prolific group by observed victim volume, they are far from the most ‘profitable.’
The Gentlemen, a relative newcomer to the ransomware ecosystem, first appeared in the second half of 2025. They rose quickly to claim the second-highest number of victims in Q1 2026 after an unimpressive early performance in Q4 2025. While The Gentlemen may be a newer group, this pattern of rapid growth very likely indicates the participation of experienced affiliates and operators behind the moniker.
GuidePoint mentioned that Akira is one of the longest-operating RaaS groups among current active ransomware operations, having first emerged in 2023. Akira had its most ‘successful’ quarter of ransomware in Q4 2025. The group was unable to match it in Q1 2026. Akira’s victim count from Q4 2025 (226) dropped 22% in Q1 2026 to 176 victims, likely reflecting the declining utility or efficacy of exploiting SonicWall SSL VPN vulnerabilities its affiliates depended upon in late 2025.
The post assessed that NightSpire is a financially motivated ransomware group that emerged in 2025 and become one of the more aggressive actors in the current threat landscape. Unlike most ransomware operators, the group runs its operations in-house rather than through the affiliate-based RaaS model, limiting its exposure but also constraining its scale. In just over a year, it has claimed 175 victims across 28 industries, posting 74 on its data leak site in Q1 2026 alone.
The group’s targeting is broadly opportunistic, focusing on organizations with exposed external assets and weak security postures, regardless of sector though manufacturing, technology, and construction appear most frequently among known victims. Over 40% of attacks have hit U.S.-based organizations, with secondary concentrations across Western Europe, Asia, the Middle East, and Africa.
NightSpire gains initial access primarily through CVE-2024-55591, a critical FortiOS/FortiProxy authentication bypass that grants unauthenticated attackers super-admin privileges, supplemented by RDP brute force and phishing. Once inside, the group moves laterally using living-off-the-land tools such as PowerShell, PsExec, and WMI to evade detection while escalating privileges and mapping environments.
NightSpire poses a credible and sustained threat, particularly to SMBs with unpatched perimeter infrastructure. Its data leak site doubles as a negotiation platform, though operational inconsistencies, such as listing data ‘for sale’ without a functional download mechanism, are characteristic of a still-developing group. Key countermeasures include patching CVE-2024-55591, enforcing MFA on all remote access, deploying EDR tooling, and monitoring for unauthorized use of PowerShell, PsExec, and cloud exfiltration channels such as MEGA.
The data pointed out that Scattered Spider, LAPSUS$, and ShinyHunters have long been treated as distinct cybercrime groups, but the line between them has been blurry for years. In August 2025, the three groups announced they would operate under a combined banner, ‘Scattered LAPSUS$ Hunters.’ While early coverage framed this as a newly formed alliance, closer analysis suggests something less dramatic but more revealing. The move appears to be a rebranding of overlapping membership and ongoing collaboration rather than a formal merger of separate entities.
That distinction matters. For defenders, the announcement did not signal the emergence of a fundamentally new threat but rather confirmed an existing reality. The same individuals who had been operating under the Scattered Spider, ShinyHunters, and LAPSUS$ names began promoting their activities under a unified identity. Their tactics, infrastructure, and targeting patterns remained largely unchanged, reinforcing the idea that branding in cybercrime often masks continuity rather than transformation.
This activity is rooted in what is often referred to as ‘The Com,’ a loosely connected online ecosystem where members collaborate, share tools, and move fluidly between group identities. Scattered Spider, which emerged in May 2022, quickly gained notoriety through the 0ktapus campaign conducted between March and July of that year. The campaign compromised 9,931 accounts across more than 130 organizations using a mix of vishing, SMS phishing, SIM swapping, and MFA fatigue attacks.
What set the group apart was speed. Unlike traditional ransomware operators that may take weeks or months to move from initial access to impact, Scattered Spider has consistently compressed that timeline to as little as 24 to 48 hours. The group has been linked to high-profile incidents, including alleged attacks against MGM Resorts and Caesars Entertainment in September 2023. Since 2022, reporting indicates the group has infiltrated more than 100 organizations and issued over $66 million in documented extortion demands, underscoring its reach and operational efficiency.
GuidePoint noted that in February 2026, VirusTotal reported the first confirmed, large-scale supply chain attack against an agentic AI platform, targeting OpenClaw’s skills marketplace. A threat actor published over 314 malicious skills that delivered information-stealing malware disguised as legitimate automation tools.
In this attack, actors exploited a structural characteristic of AI agent platforms: skills are instruction-based rather than code-based,” the report added. “This allowed attackers to evade traditional malware detection. Users were directed to download and execute external payloads disguised as ‘setup procedures,’ resulting in credential theft, persistent backdoor access, and system compromise. This incident marks a notable shift where agentic AI systems have transitioned from theoretical risks to operational targets.”
The campaign demonstrated that agentic AI adoption without a security-first architecture creates unacceptable risk. With at least 314 malicious skills delivering real malware, it proves this threat is operational, not theoretical. As agentic AI platforms gain enterprise adoption, security teams should require granular access controls, mandatory extension scanning, audit logging, and incident response capabilities.
GuidePoint identified that quantitatively, the first quarter of 2026 can be viewed as ‘business as usual’ in the ransomware ecosystem. Other than some ebbs and flows in activity among distinct ransomware groups, the researchers observed neither substantial increases nor decreases in operational activity QoQ or YoY. This can be explained by a relative lack of new significant disruptive players in the space, as well as potential increasing market saturation leading to reduced ‘spread’ of actors over time.
“However, after several years of tracking the ransomware economy, we have unfortunately learned that periods of relative normalcy have often been short lived,” the report highlighted. “While it is impossible to predict what the rest of the year will bring, history suggests we will likely see the arrival or departure of at least one major threat group – whether by internal infighting, law enforcement disruption, or pressure from other groups.”
It added that “one trend to watch as we enter the middle of the year is the ‘summer slowdown’ in victim claims that nearly always occurs between Q2 and the beginning of Q3. In previous years, even after a frenzied start, we have observed a decrease in victim posts that we have assessed (only slightly tongue-in-cheek) to be the result of summer vacations or mid-year hiatus by threat actors seeking to enjoy the warm weather and take a break from screen time. If 2026 continues this trend, expect to see slightly lower numbers in Q2.”
