Executive Summary
Ransomware activity remained near record highs into Q1 2026: 2,122 victims were documented in that quarter alone, 71% of them tied to the top ten groups, led by Qilin, The Gentlemen, and LockBit. The ecosystem has fractured from a handful of mega-syndicates into a denser field of agile, well-resourced operators whose combined output is proving harder to suppress than any single predecessor. The resulting economic and operational pressure translates directly into financial risk, insurance exposure, and supply-chain fragility well beyond the immediate victim. Corporate strategists and risk managers who treat ransomware as a point-in-time IT problem are systematically underestimating a structural hazard.
Key Findings
- Qilin and The Gentlemen have displaced LockBit as the dominant operational forces in the current ransomware environment.
- Manufacturing, healthcare, and professional services face structurally elevated targeting, with healthcare showing the sharpest volatility.
- Ransom demands and actual payments are diverging sharply, creating a hidden risk picture for insurers and boards.
- The RaaS affiliate model is fragmenting the ecosystem into smaller crews that are harder to decapitate through law enforcement action.
- Vulnerability exploitation of edge devices is now the primary initial access vector, compressing the defender's response window to hours.
- Third-party and supply-chain intrusions are multiplying the blast radius of individual incidents.
The Economics Of Fragmentation: Why Takedowns Are Not Winning
Law enforcement has scored genuine successes against major groups. Operation Endgame disrupted SocGholish and EvilCorp-linked infrastructure in a joint action involving the Netherlands' NHCTU, the Royal Canadian Mounted Police, Germany's BKA, and the FBI, coordinated by Europol and Eurojust. Yet the market response to disruption consistently confounds simple deterrence logic: even as global law enforcement and coordinated disruption campaigns continued to target major ransomware syndicates, the ecosystem adapted, producing not a collapse of operations but a wave of fragmentation.
The economics are structural. When a dominant operator is taken down, its affiliates, who are trained, motivated, and still holding inventories of purchased access, disperse into competing platforms or launch independent operations. RansomHub emerged in February 2024 following the disappearance of ALPHV/BlackCat, quickly becoming a dominant RaaS group by recruiting former members from Conti, REvil, and Scattered Spider. The interplay between law enforcement disruption and criminal market dynamics creates a replacement-rate problem: the pipeline of new operators is refilling faster than attrition removes established ones.
Attack volume climbed approximately 58% while payment rates dropped to record lows, active gang count rose roughly 40%, and total damage continued climbing toward $57 billion annually. These trends are mutually reinforcing: as organizations become more resistant to payment, operators compensate by increasing volume, which in turn raises aggregate damages even as individual payment rates fall. The World Economic Forum's Global Cybersecurity Outlook 2026 noted that fraud and phishing have overtaken ransomware as the top concern of CEOs, while CISOs continue to rank ransomware as their primary risk, a divergence that signals a dangerous gap between board-level attention and operational threat reality.
How Sector Targeting Decisions Are Made, And Why They Are Not Random
The distribution of ransomware victims across sectors reflects deliberate target-selection logic, not random spraying. Critical infrastructure organizations, healthcare providers, manufacturing companies, and professional services firms are frequently impacted because attackers calculate that operational disruption in these sectors increases the likelihood that organizations will consider paying. Three variables drive the selection: the monetary value or sensitivity of data held, the operational consequences of downtime, and the availability of pre-positioned access acquired through initial access brokers.
In a notable shift, Sophos's 2024 critical infrastructure report found that for the first time, energy, oil/gas, and utilities organizations reported a higher propensity to pay than to use backups. The sector's median payment was $2.5 million, with 48% paying the original demand, the highest full-payment rate across all surveyed sectors. This pressure translates directly into financial risk for any business with energy supply-chain dependencies, since a ransomed utility or pipeline operator imposes cascading cost and operational disruption on downstream industrial users. Both the economic and security dimensions of this exposure require attention from corporate strategists who may not be monitoring their third-party energy infrastructure providers.
Healthcare's vulnerability is structurally different. Hospitals and clinics hold patient records and clinical systems that cannot go offline, making them ideal extortion targets. The FBI reported 238 ransomware incidents targeting US healthcare alone in 2024, per IC3 data. The February 2026 spike, healthcare doubling in a single month per Breachsense tracking, is consistent with operators testing sector-specific leverage at scale. This spills into the regulatory and liability domain: a ransomed healthcare provider faces simultaneous operational disruption, data-breach notification obligations, and insurance coverage gaps, compounding the financial impact well beyond the ransom itself.
The ransomware ecosystem has matured into a highly adaptive, service-oriented criminal economy defined less by technical exploitation than by psychological, operational, and supply-chain leverage. Activity remained elevated entering 2026, with concentration continuing on professional services, manufacturing, and information technology.
Technique Evolution: From Encryption-First To Extortion-First
The technical architecture of ransomware operations is shifting in ways that complicate defensive frameworks. MITRE ATT&CK technique T1486 (Data Encrypted for Impact) remains the defining capability, but it is increasingly deployed late in a dwell sequence that prioritizes data exfiltration and leverage-building. The threat landscape shows a clear shift toward browser-centric and user-mediated access, brokered initial access models, and long-lived loaders that preserve optionality rather than immediately deploying encryption, with extortion strategies increasingly prioritizing human and regulatory pressure over technical disruption.
DragonForce's 2025 attack on a major company, documented by Infosecurity Magazine, illustrates the evolution. The group gained initial access by exploiting a vulnerability in an exposed SQL (MSSQL) server (MITRE ATT&CK T1190, Exploit Public-Facing Application), deployed Backdoor.Turn for persistence, used BYOVD (Bring Your Own Vulnerable Driver) techniques to disable endpoint detection (T1562.001, Impair Defenses: Disable or Modify Tools), and only then executed encryption. Researchers quoted by Infosecurity Magazine noted that "the deployment of Backdoor.Turn, combined with their multi-vector BYOVD evasion, marks them as one of the most capable and persistent ransomware groups operating today."
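The BYOVD step is the one most defenders can actually catch, because loading a kernel driver is a loud event. The following is an added example, not code from this report or from any vendor, that applies three checks to flattened Sysmon Event ID 6 (DriverLoad) records: a known-vulnerable-driver hash list, a user-writable source path, and a non-valid signature. The field names (ImageLoaded, Hashes, Signed, Signature, SignatureStatus) are Sysmon's; the log lines, the blocklist hashes and the vendor names are constructed for the example.

```python
"""Detect driver loads that fit the BYOVD pattern in flattened Sysmon Event ID 6
(DriverLoad) records. The records and the blocklist hashes below are constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Hypothetical SHA256 values standing in for a curated vulnerable-driver blocklist
# (in practice, populate this from a maintained list such as loldrivers.io).
VULNERABLE_DRIVER_SHA256 = {
    "1f3c" * 16: "constructed: abused anti-cheat driver",
    "9b7e" * 16: "constructed: abused hardware-vendor utility driver",
}

# A legitimately installed driver should never be loaded from these locations.
USER_WRITABLE_MARKERS = ("\\users\\", "\\temp\\", "\\programdata\\", "\\downloads\\")

# Sysmon text export: 'Key=Value' pairs separated by spaces; values may contain spaces,
# so split only where a bare field name is directly followed by '='.
_FIELD_SPLIT = re.compile(r"\s+(?=[A-Za-z]+=)")


@dataclass
class DriverLoadAlert:
    utc_time: str
    image: str
    sha256: str
    reasons: list[str] = field(default_factory=list)


def parse_sysmon_line(line: str) -> dict[str, str]:
    fields = {}
    for token in _FIELD_SPLIT.split(line.strip()):
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def sha256_from_hashes(hashes: str) -> str:
    """Sysmon's Hashes field is 'SHA256=...,MD5=...' in configured order; pick SHA256."""
    for part in hashes.split(","):
        algo, _, digest = part.partition("=")
        if algo.upper() == "SHA256":
            return digest.lower()
    return ""


def evaluate_driver_load(fields: dict[str, str]) -> DriverLoadAlert | None:
    """Return an alert when a DriverLoad record shows a blocklisted hash, a user-writable
    source path, or a non-valid signature; None for anything else (including other events)."""
    if fields.get("EventID") != "6":
        return None
    image = fields.get("ImageLoaded", "")
    sha = sha256_from_hashes(fields.get("Hashes", ""))
    alert = DriverLoadAlert(fields.get("UtcTime", ""), image, sha)
    if sha in VULNERABLE_DRIVER_SHA256:
        # BYOVD drivers are usually validly signed: the hash, not the signature, is the tell.
        alert.reasons.append(f"known vulnerable driver: {VULNERABLE_DRIVER_SHA256[sha]}")
    if any(marker in image.lower() for marker in USER_WRITABLE_MARKERS):
        alert.reasons.append("driver loaded from user-writable path")
    if fields.get("SignatureStatus", "").lower() != "valid":
        alert.reasons.append(f"signature status {fields.get('SignatureStatus') or 'missing'}")
    return alert if alert.reasons else None


def scan(lines: list[str]) -> list[DriverLoadAlert]:
    alerts = []
    for line in lines:
        if line.strip():
            alert = evaluate_driver_load(parse_sysmon_line(line))
            if alert:
                alerts.append(alert)
    return alerts


# Constructed sample: a benign Microsoft driver, a signed-but-abused driver dropped
# under C:\Users, an unsigned driver in C:\Windows\Temp, and an unrelated event.
BENIGN, ABUSED, UNSIGNED, MD5 = "0a" * 32, "1f3c" * 16, "ff" * 32, "de" * 16
SAMPLE_LOG = rf"""
EventID=6 UtcTime=2026-06-11 03:12:44 ImageLoaded=C:\Windows\System32\drivers\disk.sys Hashes=SHA256={BENIGN} Signed=true Signature=Microsoft Windows SignatureStatus=Valid
EventID=6 UtcTime=2026-06-11 03:14:09 ImageLoaded=C:\Users\Public\Libraries\ac.sys Hashes=SHA256={ABUSED},MD5={MD5} Signed=true Signature=Contoso Games Ltd SignatureStatus=Valid
EventID=6 UtcTime=2026-06-11 03:14:31 ImageLoaded=C:\Windows\Temp\upd.sys Hashes=SHA256={UNSIGNED} Signed=false Signature=- SignatureStatus=Unavailable
EventID=1 UtcTime=2026-06-11 03:15:02 Image=C:\Windows\System32\cmd.exe CommandLine=cmd.exe /c whoami
"""

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG.splitlines()):
        print(a.utc_time, a.image, "; ".join(a.reasons))
```

The second record is the interesting one: the driver is validly signed, so a signature-only rule would pass it, and only the hash list and the load path give it away. Keep the blocklist current and alert on the path rule on its own, since a new abused driver will not be on any list yet.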
The Gentlemen's tooling represents a further step: a self-spreading worm mode and cross-platform targeting of Windows, Linux, and ESXi environments. ESET's analysis, triggered after The Gentlemen's own servers were breached by an unknown actor in May 2026, revealed that the platform had given affiliates access to advanced EDR-killing tools capable of disabling many enterprise endpoint detection products, a capability mapped to MITRE ATT&CK T1562 (Impair Defenses) that previously required nation-state-grade tooling. The implications for financial systems that rely on EDR as a primary compensating control are significant: this proliferation means a defense posture calibrated against 2024 threat actors may already be inadequate.
Qilin affiliates, per PurpleOps tracking as of June 2026, have been exploiting CVE-2026-50751, described as a critical authentication bypass vulnerability in Check Point Access VPNs, mapped to T1588.006 (Obtain Capabilities: Vulnerabilities) and T1190 (Exploit Public-Facing Application). In a single 24-hour window in June 2026, Qilin claimed 18 victims across the manufacturing and energy sectors. This operational tempo is consistent with what Google's M-Trends 2026 report characterized as a compression of time-to-exploit following vulnerability disclosure.
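Treating a VPN or firewall advisory as a P1 is only useful if the triage is mechanical. This added example, which is not from the report or from CISA, matches entries in a KEV-shaped feed against an asset inventory and escalates anything affecting an internet-facing VPN or firewall, or flagged for known ransomware use, to a P1 with a 72-hour deadline that is capped by CISA's own due date. The KEV field names (cveID, vendorProject, product, dueDate, knownRansomwareCampaignUse) are the real ones; the feed excerpt, the inventory, the CVE-0000-* placeholder identifiers and the 72-hour SLA are assumptions made for the example.

```python
"""Triage CISA KEV entries against an asset inventory so that an exploited flaw in an
internet-facing VPN or firewall becomes a P1 with a 72-hour deadline. The feed excerpt,
the inventory and the 72-hour SLA are constructed; the field names follow the real KEV JSON."""
from __future__ import annotations

import json
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

P1_SLA = timedelta(hours=72)          # assumed internal SLA for edge-device advisories
EDGE_ROLES = {"vpn", "firewall"}


@dataclass(frozen=True)
class Asset:
    hostname: str
    vendor: str
    product: str
    role: str               # vpn, firewall, server, workstation, ...
    internet_facing: bool


@dataclass
class WorkItem:
    cve: str
    hostname: str
    priority: str
    deadline: datetime
    reason: str


def _norm(s: str) -> str:
    return re.sub(r"[^a-z0-9]", "", s.lower())


def matches(entry: dict, asset: Asset) -> bool:
    """Vendor must match exactly after normalisation; product may be a sub- or super-string."""
    if _norm(entry["vendorProject"]) != _norm(asset.vendor):
        return False
    a, e = _norm(asset.product), _norm(entry["product"])
    return a in e or e in a


def triage(kev_json: str, inventory: list[Asset], now: datetime) -> list[WorkItem]:
    items = []
    for entry in json.loads(kev_json)["vulnerabilities"]:
        kev_due = datetime.strptime(entry["dueDate"], "%Y-%m-%d").replace(tzinfo=timezone.utc)
        for asset in inventory:
            if not matches(entry, asset):
                continue
            edge = asset.role in EDGE_ROLES and asset.internet_facing
            ransomware = entry.get("knownRansomwareCampaignUse", "").lower() == "known"
            if edge or ransomware:
                # Never let the internal SLA slip past CISA's own due date.
                deadline = min(now + P1_SLA, kev_due)
                reason = "internet-facing edge device" if edge else "KEV flags known ransomware use"
                items.append(WorkItem(entry["cveID"], asset.hostname, "P1", deadline, reason))
            else:
                items.append(WorkItem(entry["cveID"], asset.hostname, "P2", kev_due, "CISA KEV due date"))
    items.sort(key=lambda w: (w.priority, w.deadline))
    return items


# Constructed feed excerpt in KEV's JSON shape. CVE-2026-50751 is the Check Point VPN flaw
# the report discusses; the CVE-0000-* identifiers are placeholders, not real CVEs.
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2026-50751", "vendorProject": "Check Point", "product": "Remote Access VPN",
     "dateAdded": "2026-06-10", "dueDate": "2026-06-13", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleFW", "product": "Edge Firewall",
     "dateAdded": "2026-06-11", "dueDate": "2026-07-02", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-0002", "vendorProject": "ExampleSoft", "product": "Document Viewer",
     "dateAdded": "2026-06-11", "dueDate": "2026-07-02", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-0003", "vendorProject": "OtherVendor", "product": "Router OS",
     "dateAdded": "2026-06-11", "dueDate": "2026-07-02", "knownRansomwareCampaignUse": "Unknown"},
]})

INVENTORY = [
    Asset("vpn-edge-01", "Check Point", "Remote Access VPN", "vpn", True),
    Asset("fw-dmz-01", "ExampleFW", "Edge Firewall", "firewall", True),
    Asset("ws-042", "ExampleSoft", "Document Viewer", "workstation", False),
]
NOW = datetime(2026, 6, 12, 9, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for w in triage(KEV_SAMPLE, INVENTORY, NOW):
        print(w.priority, w.cve, w.hostname, w.deadline.isoformat(), w.reason)
```

Run against the live KEV JSON by passing its contents as kev_json; the vendor/product matching is deliberately loose on product and strict on vendor, which is the usual failure mode when inventory naming does not line up with CISA's. An entry with no matching asset produces no work item, so an incomplete inventory silently hides exposure: the inventory of edge devices is the control that has to be right.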
The Financial Architecture Of Modern Ransomware Risk
IBM's Cost of a Data Breach 2025 report found the average cost of a ransomware breach reached $5.08 million, higher than the overall average data breach cost of $4.44 million, reflecting the operational disruption component unique to ransomware. That figure understates the tail risk. The 2025 Marks & Spencer attack cost an estimated £300 million in disrupted online sales and operational damage, per CSO Online analysis. The Jaguar Land Rover breach, also documented by CSO Online, halted manufacturing for five weeks and inflicted £1.9 billion in damages, dragging UK GDP below its quarterly forecast, a vivid example of how cyber security implications for financial systems propagate into macroeconomic indicators.
For every dollar paid in ransom, the broader ransomware ecosystem generates roughly $70 in total economic harm, a cross-source estimate drawn from Chainalysis, IBM, and Cybersecurity Ventures data that reframes the policy debate. Payment refusal may be the tactically correct decision for an individual organization, but it does not by itself reduce aggregate systemic harm.
Willis's analysis of 5,500 cyber insurance claims found that while cyber attacks are growing more severe, companies with coverage are largely getting claims paid, with policies covering more than 95% of average data breach losses and 90% of direct corporate losses, per Asian Business Review reporting. However, the gap between demand and payout creates a misleading picture for boards: collected ransom payments are declining, a trend attributable partly to increased pressure on organizations to maintain cyber insurance compliance and adhere to sector-specific regulations. The insurance market is reshaping behavior but not always reducing risk: organizations that rely on insurance as a substitute for resilience investment may be mispricing their exposure.
IBM data shows organizations involving law enforcement in ransomware incidents save an average of $990,000 per breach, an 18% cost reduction that costs nothing to implement. This finding from IBM's 2025 Cost of Data Breach report suggests that under-reporting ransomware events to avoid reputational damage is a financially irrational decision, though behavioral incentives do not always track rational ones.
Key Assumptions
| Assumption | Supporting Evidence | Falsifying Evidence | Impact if Wrong |
|---|---|---|---|
| RaaS fragmentation will continue to outpace law enforcement disruption capacity | Gang count has risen roughly 40% despite multiple high-profile takedowns; The Gentlemen and Qilin emerged and scaled within months | A sustained multinational campaign that seizes affiliate payment infrastructure, not just operator servers, could reverse this trend | If law enforcement capability catches up with the fragmentation rate, the ecosystem could contract, lowering the baseline volume estimate |
| Manufacturing, healthcare, and professional services will remain top-targeted sectors | CYFIRMA, Breachsense, and Coveware data consistently show these sectors in the top five across multiple quarters | A major regulatory penalty or sector-specific insurance exclusion could shift operator targeting calculus toward lower-risk sectors | If sector targeting rotates significantly, defensive investment priorities would need recalibration |
| Vulnerability exploitation of edge devices will remain the dominant initial access vector | Google M-Trends 2026 places VPNs and firewalls at the top of the entry-point list; Qilin actively exploits Check Point VPN CVE-2026-50751 | If credential-stuffing or phishing attacks regain share as primary vectors, patch-focused defenses would be less effective than assumed | Organizations prioritizing edge-device patching could misallocate resources if social engineering overtakes technical exploitation |
| The demand-to-payment gap will continue widening | Coveware shows actual payments averaging roughly 8.7% of initial demands; Verizon DBIR documents 64% refusal rates | If operators shift to smaller, harder-to-resist demands targeting mid-market organizations with weaker negotiating posture, payment rates could re-expand | Higher payment rates would accelerate the economics of ransomware and attract more entrants |
Counterarguments
- The victim-count data overstates operational threat. Ransomware group leak sites are self-reported and selectively curated. Breachsense documented a case in February 2026 in which a group called 0APT claimed 183 victims, only for multiple threat intelligence firms including GuidePoint and Kela to confirm the claims were fabricated. What is reported on dark web leak sites reflects both real attacks and deliberate inflation designed to attract affiliates and intimidate targets. Any assessment that treats raw victim counts as ground truth is, with moderate-to-high confidence, overstating the operational breadth of the ecosystem.
- Payment decline may indicate genuine deterrence rather than volume compensation. The conventional reading of falling payment rates combined with rising victim counts is that operators compensate through volume. An alternative reading is that the economics of ransomware are becoming genuinely less favorable, and that the Chainalysis finding of a 35% payment decline reflects a structural shift in victim behavior rather than a temporary adjustment. Coveware's February 2026 observation that zero-day downstream mass data extortion campaigns are "losing their bite" supports this reading. If the deterrence thesis is correct, the ecosystem's long-term trajectory may be deflationary rather than expansionary.
- Sector concentration data reflects access availability, not deliberate targeting. Check Point's Q1 2026 report noted explicitly that The Gentlemen's geographic concentration in APAC and Latin America reflects where the group had established access, not a deliberate strategic choice. This matters analytically: if targeting follows access rather than preference, then sector-specific defensive investments may be less effective than broad improvements in credential hygiene and edge-device patch velocity. An organization that hardens its ERP system while leaving VPN credentials exposed may be defending the wrong perimeter.
Securitization Theory Analysis
Securitizing Actor: The primary securitizing actors are national cybersecurity agencies, CISA, the FBI, the UK's NCSC, Europol, and Eurojust, as well as the White House and allied governments, who have collectively framed ransomware as a threat to critical infrastructure, national economic security, and democratic governance rather than a conventional criminal matter.
Referent Object: The primary referent object is critical infrastructure in the broad sense: healthcare systems, energy grids (CISA:SECTOR:ENERGY), financial networks, and manufacturing supply chains. The framing has progressively shifted from protecting individual organizations to protecting the functional integrity of modern economies.
Existential Threat Construction: The threat has been framed through the language of critical infrastructure disruption rather than mere financial crime. Forrester's 2026 forecast, as reported by Nasdaq, specifically names nation-state-adjacent cybercrime from Russia, China, Iran, and North Korea as an expanding existential-adjacent threat. The Sandworm / DynoWiper attack on Poland's power grid in late 2025, documented in Q1 2026 Nasdaq reporting, crossed into infrastructure-destruction territory. The CSO Online analysis of the JLR breach, which dragged UK GDP below quarterly forecast, translated a criminal ransomware event into a macroeconomic security framing.
Target Audience: The consent being sought is multi-layered: from boards and C-suites to accept extraordinary defensive expenditure; from legislatures to authorize mandatory incident reporting and payment restrictions; and from international partners to sustain joint enforcement operations.
Extraordinary Measures: CISA's proposed three-day remediation deadline for critical flaws, the FBI's sustained infiltration and disruption of ransomware infrastructure, and Operation Endgame's cross-jurisdiction takedown actions all represent measures that would not be justified under a purely criminal-law frame. The World Economic Forum's 2026 Cybersecurity Outlook's framing of fraud and ransomware as systemic economic risks, rather than individual corporate events, signals the internalization of this securitized framing at the multilateral policy level.
Classification: SECURITIZED
Process Tracing Analysis
Cause and Outcome: The cause is the RaaS affiliate model's structural expansion; the outcome is the sustained elevation of ransomware victim counts above 600 per month across 2025 and 2026 despite significant law enforcement disruption.
Causal Mechanism Chain: Step 1, Core operators develop and maintain malware, leak infrastructure, and payment systems, lowering the technical bar for affiliates. Step 2, Access brokers acquire and sell initial footholds in target networks, decoupling intrusion from encryption. Step 3, Affiliates use pre-purchased access and pre-built tooling to execute attacks at speed; The Gentlemen's pre-positioned access model illustrates the industrialization of this step. Step 4, Law enforcement disruption removes operators but leaves affiliates, tooling, and access inventory intact. Step 5, Displaced affiliates migrate to competing platforms or launch new operations, reconstituting volume within weeks.
Evidence Assessment:
- The affiliate survival-after-takedown pattern passes a hoop test: if affiliates were dependent on operator infrastructure, takedowns would produce sustained rather than temporary volume declines. The rapid emergence of RansomHub after BlackCat's disruption confirms the mechanism.
- The access-broker model decoupling intrusion from encryption is a smoking gun: Google M-Trends 2026 independently corroborates that vulnerability exploitation at edge devices accounts for roughly a third of intrusions, consistent with the brokered-access thesis.
- The breach of The Gentlemen's servers by an unknown actor, which exposed the affiliate tooling and revenue structure, provides direct evidence of the platform economics driving rapid growth.
CAUSAL_MECHANISM_STRENGTH: STRONG
Indicators To Watch
| Indicator | Current State | Warning Threshold | Time Horizon |
|---|---|---|---|
| Monthly ransomware victim claims (public leak sites) | ~680 per month (Breachsense, Feb 2026); Q2 2026 volume at 1,803 per PurpleOps tracking | Sustained >900/month for two consecutive months | 30-90 days |
| Healthcare sector victim share | Approximately 14% of incidents; doubled month-over-month in Feb 2026 | >20% of monthly total, sustained over a quarter | 30-60 days |
| Qilin daily victim claims | 18 victims in a single 24-hour window as of June 11, 2026 | >25 victims per 24 hours sustained across a week | Ongoing |
| Active ransomware-as-a-service groups | Approximately 54 distinct groups active in Feb 2026 (Breachsense) | Increase above 70 distinct groups per month | 60-90 days |
| New CVEs exploited for initial access at VPN/firewall perimeter | CVE-2026-50751 actively exploited by Qilin affiliates | Any new critical authentication-bypass CVE with active PoC published for VPN or firewall product | 0-30 days |
| Ransom payment refusal rate | Approximately 64% refusal (Verizon 2025) | Refusal rate dropping below 55%, signaling organizational capitulation under AI-enhanced pressure | 6-12 months |
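Both the fabrication problem (the 0APT case) and the thresholds in the table above assume someone has cleaned the raw leak-site feed first. This added example, which is not part of the original analysis, normalises victim identifiers so a cross-group re-post is not counted twice, flags single-day bulk listings for analyst review, and evaluates the "sustained" qualifiers in the first two indicator rows over a monthly series. The claims, the 90-day duplicate window, the 50-per-day burst heuristic and the monthly numbers are all constructed.

```python
"""Clean leak-site victim claims before counting them, then evaluate the warning
thresholds from the indicator table. Claims and the monthly series are constructed."""
from __future__ import annotations

import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Claim:
    group: str
    victim: str      # as scraped: a name, a domain, or a URL
    sector: str
    posted: date


def victim_key(name: str) -> str:
    """Collapse 'https://WWW.Example-Corp.com/', 'Example Corp' and 'examplecorp.com' to one key."""
    n = re.sub(r"^https?://", "", name.lower().strip()).split("/")[0]
    n = re.sub(r"^www\.", "", n)
    n = re.sub(r"\.(com|net|org|io|co\.uk)$", "", n)
    return re.sub(r"[^a-z0-9]", "", n)


def dedupe_claims(claims: list[Claim], window_days: int = 90):
    """Keep the first post per victim. A later post for the same victim inside the window,
    whether a rival group re-listing it or the same group re-posting, is a duplicate."""
    first_seen: dict[str, date] = {}
    kept, dropped = [], []
    for c in sorted(claims, key=lambda c: c.posted):
        key = victim_key(c.victim)
        prev = first_seen.get(key)
        if prev is not None and (c.posted - prev).days <= window_days:
            dropped.append(c)
            continue
        first_seen[key] = c.posted
        kept.append(c)
    return kept, dropped


def burst_groups(claims: list[Claim], per_day_limit: int = 50) -> list[str]:
    """Groups posting more than per_day_limit victims on one day. A heuristic prompt for
    analyst verification of bulk listings, not a verdict that the claims are fabricated."""
    per_day = Counter((c.group, c.posted) for c in claims)
    return sorted({g for (g, _), n in per_day.items() if n > per_day_limit})


def monthly_series(claims: list[Claim]) -> dict[str, dict[str, int]]:
    series = defaultdict(lambda: {"total": 0, "healthcare": 0})
    for c in claims:
        month = series[c.posted.strftime("%Y-%m")]
        month["total"] += 1
        if c.sector == "healthcare":
            month["healthcare"] += 1
    return dict(sorted(series.items()))


def _first_window(series, consecutive, predicate):
    keys = list(series)
    for i in range(len(keys) - consecutive + 1):
        window = keys[i:i + consecutive]
        if all(predicate(series[k]) for k in window):
            return window
    return None


def volume_warning(series, threshold: int = 900, consecutive: int = 2):
    """Sustained >threshold victims/month for `consecutive` months (indicator table row 1)."""
    return _first_window(series, consecutive, lambda m: m["total"] > threshold)


def healthcare_share_warning(series, share: float = 0.20, consecutive: int = 3):
    """Healthcare above `share` of the monthly total across a full quarter (row 2)."""
    return _first_window(series, consecutive,
                         lambda m: m["total"] > 0 and m["healthcare"] / m["total"] > share)


# Constructed claims: one cross-group re-post, one genuine re-victimisation outside the
# window, and a 0APT-style bulk listing of 60 placeholder victims on a single day.
SAMPLE_CLAIMS = [
    Claim("Qilin", "acmehealthservices.com", "healthcare", date(2026, 2, 1)),
    Claim("LockBit", "Acme Health Services", "healthcare", date(2026, 6, 3)),
    Claim("Qilin", "Example Corp", "manufacturing", date(2026, 6, 11)),
    Claim("The Gentlemen", "https://www.example-corp.com/", "manufacturing", date(2026, 6, 20)),
] + [Claim("0APT", f"constructed-victim-{i}", "services", date(2026, 2, 10)) for i in range(60)]

# Constructed monthly aggregates in the shape monthly_series() returns.
SAMPLE_SERIES = {
    "2026-01": {"total": 640, "healthcare": 80},
    "2026-02": {"total": 680, "healthcare": 150},   # single-month spike, not sustained
    "2026-03": {"total": 720, "healthcare": 95},
    "2026-04": {"total": 930, "healthcare": 120},
    "2026-05": {"total": 910, "healthcare": 130},
    "2026-06": {"total": 870, "healthcare": 100},
}

if __name__ == "__main__":
    kept, dropped = dedupe_claims(SAMPLE_CLAIMS)
    print(len(kept), "kept,", len(dropped), "dropped; burst groups:", burst_groups(kept))
    print("volume warning:", volume_warning(SAMPLE_SERIES))
    print("healthcare warning:", healthcare_share_warning(SAMPLE_SERIES))
```

Two points the numbers illustrate: the February healthcare spike in the constructed series exceeds 20% on its own but does not trip the quarter-long threshold, which is the behaviour the "sustained" wording in the table is meant to enforce, and the 0APT-style burst is surfaced for verification rather than dropped, because a real mass-exploitation campaign can produce the same shape.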
Decision Relevance
Scenario A (~60%): Sustained elevated volume with continued ecosystem fragmentation. Attack volumes remain near record highs, new groups emerge to replace disrupted operators, and targeting continues to concentrate on manufacturing, healthcare, and professional services. Recommended action: Prioritize edge-device vulnerability management and treat any VPN or firewall advisory as a P1 event. Engage cyber insurance brokers to audit policy language for ransomware sublimits and extortion-only coverage gaps. Establish a pre-negotiated retainer with an incident response firm rather than sourcing one reactively.
Scenario B (~30%): A major critical infrastructure event triggers mandatory regulatory escalation. A ransomware-driven disruption of a CISA:SECTOR:ENERGY facility or hospital network at sufficient scale prompts emergency regulatory action, mandatory payment bans, or mandatory incident disclosure timelines measured in hours rather than days. Recommended action: Begin mapping your regulatory exposure now, including which jurisdictions and sectoral rules govern your operations. Understand whether your cyber insurance policy covers ransom payments to groups subject to OFAC sanctions designations. Engage legal counsel on disclosure obligations before an incident, not during one.
Scenario C (~10%): A structural deterrence breakthrough reduces ecosystem volume. Sustained law enforcement action targeting affiliate payment rails (not just operator servers), combined with payment refusal rates rising above what operators can sustain, causes a significant volume contraction. Recommended action: Maintain the current defensive posture regardless: the same investments that mitigate ransomware also reduce risk from credential theft, business email compromise, and data exfiltration, which the WEF's 2026 report identifies as the rising CEO-level concern even as ransomware recedes.
Analytical Limitations
- Leak-site victim counts, the primary data source for group-level activity, represent operator-claimed victims and are subject to fabrication, duplication, and strategic inflation, as confirmed in the 0APT case. True incident counts exceed published figures, since many victims settle quietly. Any assessment of relative group activity based solely on leak-site data should be treated as an approximation.
- Ransom payment data drawn from Chainalysis blockchain analysis captures on-chain cryptocurrency flows but misses cash-equivalent or structured settlement payments, meaning total payment volumes may be understated.
- The current analysis reflects data through June 2026; the ransomware ecosystem evolves at a pace where group rankings, sector concentrations, and dominant techniques can shift materially within a single quarter. Assessments should be treated as current-snapshot rather than durable forecasts.
- Attribution of specific attacks to specific groups carries inherent uncertainty. Rebranding, affiliate crossover, and deliberate false-flag indicators mean that publicly attributed attacks may reflect data from a previous group's infrastructure operating under a new name, as Cyble's tracking of Lynx (an INC Ransom offshoot) illustrates.
- Data on the CISA:SECTOR:ENERGY targeting segment remains thin relative to other sectors; energy organizations have historically under-reported incidents relative to healthcare and financial services, so the sector's true exposure is, with moderate-to-high confidence, underrepresented in the available data.
Sources & Evidence Base
- [Ungraded] 10 of the most notorious ransomware groups in 2026 (swisscyberinstitute.com)
- [D] Ransomware losses hit $5.3m as insurance payouts fall short, Asian Business Review (asianbusinessreview.com)
- [D] Operation Endgame Disrupts Malware Network Linked to Major Ransomware Gang, Infosecurity Magazine (infosecurity-magazine.com)
- [B] New ransomware tactics to watch out for in 2026 (recordedfuture.com)
- [Ungraded]