Ransomware activity stays high as new groups surge
GuidePoint Security has released its GuidePoint Research and Intelligence Team Q1 2026 Ransomware and Cyber Threat Insights Report, which found that ransomware activity remained high and stable through the first quarter.
Victim post rates averaged about 150 to 200 a week, holding steady both quarter on quarter and year on year. But those stable headline figures masked shifts in the threat landscape, as new groups expanded, established operators lost pace, and extortion-only operations became more common.
The United States was the main target for ransomware groups during the quarter, accounting for 51% of observed victims. The United Kingdom and Canada each accounted for 4%.
Sector data also showed a change in targeting. Manufacturing remained the most affected industry, while construction entered the five most impacted sectors with 131 ransomware victims in the quarter, up 44% from a year earlier.
Threat Shifts
One of the clearest changes was the rise of new groups. The Gentlemen, a ransomware-as-a-service group that emerged in August 2025, grew from 35 victims in the fourth quarter of 2025 to 182 in the first quarter of 2026, making it the second most active group in the period.
At the same time, activity linked to established groups fell. Qilin recorded a 25% decline, while Akira fell 22%.
Attack methods also shifted. Some threat actors are moving away from encryption-led attacks toward data theft followed by demands for payment, a pattern the report described as increasingly common across the ransomware ecosystem.
That trend was part of a broader picture in which public victim disclosures do not always align with the timing of intrusions. The report also examined the lingering effects of large exploitation campaigns from late 2025, which continued to influence activity in the first quarter.
Justin Timothy, Principal Threat Intelligence Analyst at GuidePoint Security, said the market had settled into a sustained pattern rather than returning to lower levels of activity.
"What we're seeing is a ransomware ecosystem that has stabilized at a high level, but continues to evolve," Timothy said.
"Threat actors are adapting quickly, refining tactics, targeting new industries and scaling operations in ways that make this a persistent challenge for organizations of all sizes."
Geopolitical Overlap
The report also looked beyond ransomware volumes to broader cyber threat patterns, saying modern cyber threats increasingly reflect geopolitical tensions, with ransomware groups and hacktivist proxies borrowing from each other's methods.
That overlap includes disruptive actions combined with efforts to shape perception, including psychological operations and the resurfacing of historical breaches in ways that complicate incident assessment.
Timothy said organisations should assess those risks in light of their own exposure and operating footprint.
"From a global lens, modern cyber threats are becoming a reflection of geopolitical tensions, with ransomware actors and 'hacktivist' proxies increasingly adopting each other's tactics," Timothy said.
"This evolution focuses on high-impact, tactical disruptions paired with sophisticated psychological operations to exaggerate capabilities or even weaponize historical breaches to disrupt threat assessment and response. Organisations should continually assess their specific risk exposure, regional involvement and supply chain dependencies when determining appropriate defensive postures."
The report was based on publicly available sources, vendor threat research, internal incident response case data, and open-source intelligence gathered from illicit forums and marketplaces. Those inputs were used to track victim postings, sector patterns, and changes in criminal group activity across the quarter.
The findings suggest that while the overall volume of ransomware incidents may no longer be rising sharply, the actors involved and the tactics they use remain in flux, particularly in sectors such as construction and in attacks that rely on extortion without encryption.