Ransomware Activity Stabilizes at Elevated Levels in Q1 2026, Shifting Tactics and Targets
The first quarter of 2026 marked a period of sustained ransomware activity, with attack volumes remaining steady compared to both the previous quarter and the same period in 2025, according to GuidePoint Security’s Ransomware and Cyber Threat Insights report. After a late-2025 surge, the threat landscape has settled into a "new normal," with no significant spikes or declines in victim counts or active ransomware groups.
Key Trends in Ransomware Activity
The most active ransomware group, Qilin, claimed 361 victims, a 25% drop from its Q4 2025 peak of 484. Meanwhile, The Gentlemen, a relative newcomer that ranked 16th in Q4 2025 with just 35 victims, surged to 182 victims, becoming the second-most active group. Akira, another long-standing player, saw a 22% decline in activity (from 226 to 176 victims), likely due to the waning effectiveness of its exploitation of SonicWall SSL VPN vulnerabilities.
Clop continued its prolonged extortion campaign, posting victims in Q1 2026 from breaches that occurred in late 2025, a tactic consistent with its history of stretching out disclosures over months.
Geographic and Sector Shifts
The U.S. remained the top target, accounting for 51% of all ransomware victims (1,084 incidents), followed by the U.K. and Canada (4% each, 88 incidents). Thailand entered the top 10 for the first time, signaling growing ransomware impacts in developing economies. Brazil and India also remained frequent targets, reflecting persistent threats to emerging markets.
While manufacturing remained the most targeted sector, construction saw a 44% year-over-year increase, pushing it into the top five. This shift suggests attackers are expanding into industries with weaker cybersecurity defenses but valuable operational data.
Evolving Tactics: Extortion Over Encryption
Ransomware groups are increasingly abandoning traditional encryption-based attacks in favor of data theft and extortion-only operations. This approach reduces operational complexity while maintaining pressure on victims through the threat of public data leaks.
Emerging and Declining Threat Groups
- NightSpire, a financially motivated group operating since 2025, claimed 74 victims in Q1 2026 alone, primarily targeting SMBs with unpatched FortiOS/FortiProxy vulnerabilities (CVE-2024-55591). The group relies on living-off-the-land tools (PowerShell, PsExec, WMI) to evade detection.
- Scattered Spider, LAPSUS$, and ShinyHunters rebranded under the unified banner "Scattered LAPSUS$ Hunters" in August 2025, though the move reflected overlapping membership rather than a true merger. The group remains highly efficient, compressing attack timelines to 24–48 hours, and has been linked to over $66 million in extortion demands since 2022.
- Akira, one of the longest-operating RaaS groups (active since 2023), saw its victim count drop after peaking in Q4 2025, likely due to declining exploitation of SonicWall flaws.
AI Supply Chain Attack Highlights New Risks
In February 2026, VirusTotal reported the first large-scale supply chain attack on an AI platform, targeting OpenClaw’s skills marketplace. Attackers published 314 malicious "skills" (automation tools disguised as legitimate software) that delivered information-stealing malware. The incident underscored the growing risks of agentic AI systems, which rely on instruction-based (rather than code-based) extensions, making traditional malware detection less effective.
Outlook: Stability with Potential Disruptions
While Q1 2026 saw no major shifts in overall ransomware volume, GuidePoint warned that periods of stability have historically been short-lived. The report noted that law enforcement actions, internal conflicts, or new group formations could disrupt the current equilibrium. Additionally, a mid-year "summer slowdown," a recurring dip in victim claims between Q2 and Q3, may temporarily reduce activity before potential resurgences later in the year.
"id": "FORSON1776335417",
"linkid": "fortinet, sonicwall",
"type": "Vulnerability",
"date": "1/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{
  "affected_entities": [
    {
      "industry": ["manufacturing", "construction", "technology", "various"],
      "location": ["U.S.", "U.K.", "Canada", "Thailand", "Brazil", "India"],
      "size": ["small to large enterprises"],
      "type": ["manufacturing", "construction", "SMBs", "AI platforms"]
    }
  ],
  "attack_vector": ["exploitation of vulnerabilities", "living-off-the-land tools", "malicious AI skills"],
  "data_breach": {
    "data_encryption": ["partial (ransomware attacks)", "none (extortion-only attacks)"],
    "data_exfiltration": true,
    "personally_identifiable_information": true,
    "sensitivity_of_data": "high",
    "type_of_data_compromised": ["personally identifiable information (PII)", "operational data", "proprietary information"]
  },
  "date_publicly_disclosed": "2026-04-01",
  "description": "The first quarter of 2026 marked a period of sustained ransomware activity, with attack volumes remaining steady compared to both the previous quarter and the same period in 2025. Key trends include shifts in ransomware group activity, geographic and sector targeting, evolving extortion tactics, and emerging threats like AI supply chain attacks.",
  "impact": {
    "brand_reputation_impact": "potential reputational damage due to data leaks",
    "data_compromised": "data theft and extortion; personally identifiable information (PII) at risk",
    "financial_loss": "> $66 million (Scattered LAPSUS$ Hunters since 2022)",
    "identity_theft_risk": "high (due to PII exposure)",
    "operational_impact": "operational disruptions in targeted sectors (e.g., manufacturing, construction)",
    "systems_affected": ["FortiOS/FortiProxy", "SonicWall SSL VPN", "OpenClaw AI skills marketplace"]
  },
  "initial_access_broker": {
    "entry_point": ["unpatched vulnerabilities (e.g., CVE-2024-55591)", "malicious AI skills"],
    "high_value_targets": ["SMBs", "manufacturing", "construction"]
  },
  "investigation_status": "ongoing",
  "lessons_learned": "Ransomware groups are shifting toward extortion-only attacks, reducing reliance on encryption. Emerging threats include AI supply chain attacks and exploitation of unpatched vulnerabilities in SMBs. Geographic and sector targeting is expanding to include developing economies and industries with weaker defenses.",
  "motivation": ["financial gain", "data theft", "extortion"],
  "post_incident_analysis": {
    "corrective_actions": [
      "immediate patching of known vulnerabilities",
      "enhanced monitoring for suspicious activity",
      "stricter third-party risk management for AI tools",
      "improved incident response planning for extortion-only attacks"
    ],
    "root_causes": [
      "unpatched vulnerabilities (e.g., FortiOS/FortiProxy, SonicWall SSL VPN)",
      "weak cybersecurity defenses in targeted sectors (e.g., construction, SMBs)",
      "lack of vetting for third-party AI skills",
      "use of living-off-the-land tools to evade detection"
    ]
  },
  "ransomware": {
    "data_encryption": ["partial (traditional ransomware)", "none (extortion-only attacks)"],
    "data_exfiltration": true,
    "ransom_demanded": "> $66 million (Scattered LAPSUS$ Hunters since 2022)",
    "ransomware_strain": ["Qilin", "Akira", "Clop", "NightSpire"]
  },
  "recommendations": [
    "Patch known vulnerabilities (e.g., FortiOS/FortiProxy, SonicWall SSL VPN) immediately.",
    "Enhance monitoring for living-off-the-land tools (PowerShell, PsExec, WMI).",
    "Implement stricter vetting for third-party AI skills and automation tools.",
    "Prepare for extortion-only attacks by securing sensitive data and improving incident response plans.",
    "Monitor ransomware group activity for shifts in tactics or targeting."
  ],
  "references": [
    {"date_accessed": "2026-04-01", "source": "GuidePoint Security’s *Ransomware and Cyber Threat Insights* report"},
    {"date_accessed": "2026-02-01", "source": "VirusTotal report on OpenClaw AI skills marketplace attack"}
  ],
  "threat_actor": ["Qilin", "The Gentlemen", "Akira", "Clop", "NightSpire", "Scattered LAPSUS$ Hunters"],
  "title": "Ransomware Activity Stabilizes at Elevated Levels in Q1 2026, Shifting Tactics and Targets",
  "type": ["ransomware", "data extortion", "supply chain attack"],
  "vulnerability_exploited": ["CVE-2024-55591 (FortiOS/FortiProxy)", "SonicWall SSL VPN vulnerabilities"]
}