Check Point researchers disclosed that the ransomware ecosystem showed signs of consolidation in the first quarter of 2026 after a period of heavy fragmentation. The top 10 ransomware groups accounted for 71% of all victims recorded during the quarter, marking a sharp reversal from the fragmented landscape observed in the third quarter of 2025. The findings suggest that ransomware activity is once again concentrating around a smaller number of dominant operators.
The research found that ransomware activity volumes remained historically high, even as overall growth began to stabilize. A total of 2,122 victims were posted on data leak sites (DLS) during the first quarter of this year, making it the second-highest first quarter ever recorded for ransomware victim disclosures. The report identified Qilin as the most prominent ransomware operation for the third consecutive quarter. The group posted 338 victims during the first quarter of this year, maintaining its leading position within the global ransomware landscape.
Check Point described The Gentlemen as the breakout ransomware group of the quarter. The operation rose to third place globally after increasing its victim count from 40 in Q4 2025 to 166 in Q1 2026. Meanwhile, LockBit appeared to stage a significant comeback with its LockBit 5.0 operation. The group posted 163 victims during Q1 2026, allowing it to climb to fourth place among the most active ransomware operators globally.
“During the first quarter of 2026, we monitored more than 70 active data leak sites (DLS) that collectively listed 2,122 new victims,” according to a Check Point blog post. “This figure represents a 12.2% decline from the Q4 2025 all-time record of 2,416 victims, but remains the second-highest Q1 on record at 117% above Q1 2024 (977 victims) and is keeping in line with the elevated baseline established through 2025. Monthly volumes within Q1 were consistently stable. In January, there were 732 recorded victims, 684 in February, and 706 in March, reflecting a sustained operating rate of an average of 707 victims per month in the first quarter of this year.”
The post added that the headline year-over-year (YoY) comparison shows a 7.1% decline from the 2,285 victims in the first quarter of 2025. However, this comparison is misleading as the first quarter of 2025 numbers were heavily inflated by Cl0p’s Cleo mass-exploitation campaign, which contributed approximately 390 victims in a single burst. If we exclude Cl0p from both periods, there were 1,894 victims in the first quarter of 2025 versus 1,995 in the first quarter of 2026, an actual YoY increase of 5.3%. The underlying growth trend in ransomware operations persists, even as the most dramatic spikes subside.
The ransomware ecosystem underwent a significant structural shift in the first quarter of this year, reversing two years of fragmentation. After active groups peaked at 85 in the third quarter of last year and the top 10’s share of victims fell to 57%, consolidation took hold: the top 10 groups now account for 71.1% of all victims, the highest concentration since the first quarter of 2024, while total active groups dropped from 85 to 71. Although 21 new groups emerged, most posted fewer than 10 victims and couldn’t fill the void left by disappearing mid-tier operators. Groups like Qilin, Akira, The Gentlemen, and LockBit collectively claimed 41% of all victims, with Qilin alone outpacing the bottom 50 groups combined.
This consolidation reflects a familiar post-disruption pattern: law enforcement actions scatter affiliates, and the survivors absorb the displaced talent and grow stronger. The shift also changes the ecosystem’s character in meaningful ways. Dominant RaaS operators have reputational incentives to maintain reliable decryption tools, since victim payments depend on trust in recovery. The fragmented landscape of 2025, by contrast, was filled with transient operators who had no such incentive, exemplified by Obscura, whose encryption bug permanently destroys files over 1 GB regardless of payment.
For defenders, consolidation raises the stakes, as larger ransomware operations tend to be more organized, more operationally consistent, and more resilient to disruption.
Comparing the data between the fourth quarter of 2025 and the first quarter of 2026 reveals which ransomware groups are successfully absorbing the affiliate talent pool and which are struggling to capitalize on the shifting threat landscape.
The Gentlemen recorded the most dramatic increase in activity, surging by 315% from 40 claimed victims in the fourth quarter of 2025 to 166 in the first quarter of 2026, making the group one of the defining ransomware stories of the quarter. LockBit 5.0 also rebounded sharply, with activity rising by 106% from 79 victims to 163. Nightspire, a closed-group ransomware operation known for its OneDrive cloud encryption capability, expanded by 183%, increasing from 29 victims to 82 and sustaining momentum across two consecutive quarters. Meanwhile, Play recorded a 64% increase in activity, climbing from 74 victims to 121.
Several established groups experienced steep declines during the same period. SafePay activity fell by 77%, dropping from 97 victims to 22. The centralized, non-RaaS operation saw its data leak site remain inactive from mid-March through early April 2026 for reasons that remain unclear. Devman declined by 70%, falling from 82 victims to 25 after its operator, ‘Tramp,’ a former Conti and Black Basta affiliate, was added to Interpol’s wanted list in January 2026. All three of the group’s data leak sites went offline by early February. Sinobi also lost momentum, declining by 42% from 139 victims to 80. After posting 56 victims in January alone, the group’s activity dropped sharply to just seven victims in March, with no new postings recorded in April at the time of publication.
Geographic distribution of ransomware victims in the first quarter of 2026 largely followed patterns established in previous quarters, with the U.S. accounting for 49.6% of all reported victims and Western developed economies continuing to dominate the target landscape.
The most notable shift was Thailand’s entry into the top 10 most-targeted countries for the first time, driven almost entirely by The Gentlemen, for which Thai organizations represented 10.8% of total victims. Taiwan also saw a sharp increase, rising from eight victims to 26, while South Korea dropped out of the rankings entirely. The change suggests that Qilin’s financial sector campaign against roughly 30 South Korean organizations in the third quarter of 2025 was an isolated operation rather than the start of a sustained regional targeting strategy.
A closer examination of the top 20 ransomware groups shows that ecosystem-wide averages conceal sharply different geographic targeting models. Measuring each actor against the 49.6% US baseline reveals several distinct patterns.
One category consists of groups with an overwhelming focus on US victims, often exceeding 75% of total activity. Play attributed 85.1% of its victims to the U.S., reflecting the group’s closed operational structure, Russia-linked lineage, and centralized target selection model. Sinobi directed 76.2% of attacks toward US-based mid-market manufacturing and construction firms. Genesis demonstrated the most concentrated US targeting profile, with 27 of 29 confirmed victims located in the country. The group’s simultaneous focus on healthcare, which accounted for 20.7% of victims, stands out for an emerging actor with no publicly documented affiliate program.
At the opposite end of the spectrum are groups deliberately minimizing exposure to US targets. Tengu recorded only 11.4% of victims in the U.S., making it the most geographically diversified actor among the top 20 groups. Its activity was distributed across countries, including Indonesia, Mexico, India, and Italy. LockBit also sharply reduced its US concentration to 21.5%, reflecting what appears to be a deliberate diversification strategy following sustained law enforcement disruption.
A third pattern is shaped less by strategic regional targeting and more by the geographic footprint of exploited technologies. Cl0p’s unusually high victim concentrations in Canada and Australia aligned closely with the installed base of software affected by its EBS exploitation campaign tied to CVE-2025-61882. Similarly, The Gentlemen showed only 13.3% of victims in the U.S. because its operations tracked the geographic spread of an estimated 14,700-device FortiGate access stockpile, with concentrations in Thailand, Brazil, and India.
Sector targeting among top ransomware groups reflects three distinct strategies rather than random opportunism. Cl0p’s heavy concentration in business services traces directly to the Oracle EBS user base exploited in its first quarter of 2026 campaign, where mass exploitation of enterprise software produces industry distributions that mirror where that software is deployed, not any deliberate preference for the sector.
Akira, by contrast, pursues an economically optimized model, heavily targeting consumer goods and industrial manufacturing, sectors with high downtime costs, complex IT/OT environments, and strong incentives to pay. With $244 million in total proceeds, Akira’s targeting is deliberate, applying the Conti lineage playbook to maximize return per incident. Anubis stands apart entirely, showing an unusual willingness to target healthcare and critical infrastructure at rates well above baseline, a risk tolerance that separates it from nearly every other top-20 operator.
In conclusion, the Check Point report identified that in the first quarter of 2026, the ransomware ecosystem entered a new phase. After two years of steady fragmentation, the market is reconsolidating around a smaller number of dominant operators. Qilin, Akira, The Gentlemen, and LockBit together account for 41% of all victims. Domination by the top-10 actors has returned to levels not seen since early 2024.
Noting that the consolidation is not a return to the previous state, Check Point added that the emerging dominant groups are more technically capable, more geographically diversified, and more resilient to disruption than their predecessors. “At the same time, the economic foundations of ransomware are showing signs of stress. Payment rates have fallen to historic lows. Mass data-theft campaigns are generating diminishing returns. The gap between the growing number of DLS-posted victims (2,122 in Q1 2026) and the declining monetization per victim may accelerate the current consolidation squeezing out operators who cannot achieve sufficient scale or sophistication to remain profitable.”
Last week, BlackFog reported that ransomware activity remained structurally elevated, with attacks continuing to operate at high volume while expanding their data-centric focus across both disclosed and undisclosed incidents. The analysis highlights that threat actors are increasingly prioritising data theft and extortion over traditional encryption-only disruption, reflecting a broader shift in how ransomware operations monetise compromise. It also underscores that incidents continue to span multiple sectors and geographies, reinforcing that ransomware is no longer episodic but persistent, industrialised, and embedded across the global threat landscape.


