SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers
Ransomware attacks near record as groups consolidate

Wed, 13th May 2026
Joseph Gabriel Lagonsin, News Editor

Check Point Research reported that ransomware attacks remained near record levels in the first quarter of 2026, while the market consolidated around a smaller number of operators.

The report counted 2,122 organisations listed on ransomware data leak sites during the quarter, making it the second-highest first quarter on record. Across more than 70 active leak sites tracked by the researchers, the monthly average exceeded 700 victims, with little variation over the three months.

That steady volume came with a sharp shift in the make-up of the ransomware landscape. The top 10 groups accounted for 71% of all victims in the quarter, reversing the more fragmented pattern seen through much of 2025.

Qilin remained the most active operation for the third consecutive quarter, with 338 victims. The Gentlemen rose to third place globally, climbing from 40 victims in the previous quarter to 166, while LockBit posted 163 victims as it returned to the top tier.

Market shift

The findings suggest the ransomware market is no longer expanding through a growing number of small actors. Instead, a narrower group of larger operators is taking a greater share of attacks, a pattern linked to law enforcement pressure, infrastructure disruption and competition among criminal groups.

This concentration changes the risk profile for companies because larger operations tend to be more organised, more consistent and harder to disrupt. Qilin, Akira, The Gentlemen and LockBit together accounted for 41% of all victims.

Although headline year-on-year figures appeared to show a modest decline from the same quarter a year earlier, that comparison was distorted by a mass-exploitation campaign in the earlier period. Excluding that anomaly, attack activity increased from a year earlier.

Access patterns

The report highlighted The Gentlemen as the quarter's main breakout group. Its growth appeared to be driven by a large stock of compromised network entry points, allowing the group to launch attacks quickly and at scale rather than relying on slower opportunistic exploitation.

Its geographic pattern also differed from the broader ransomware market. Only 13% of its publicly extorted victims were based in the United States, compared with an ecosystem average of 49.6%, while activity was clustered in Asia-Pacific and Latin America.

That pattern suggests attackers are increasingly using whatever access is already available rather than selecting targets primarily by market attractiveness. The distribution reflected the location of compromised access points more than a broader shift in the threat landscape.

LockBit also showed a change in approach. After heavy disruption by law enforcement in 2024, the group's activity more than doubled from the previous quarter, but its victims were spread more evenly across Europe, Latin America and other regions instead of being heavily concentrated in the United States.

Researchers said that spread indicated an effort to reduce exposure to aggressive enforcement jurisdictions while maintaining volume. For multinational companies, the shift broadens exposure rather than reducing it.

Sectors hit

Manufacturing, business services, healthcare and industrial sectors remained among the most frequently affected industries. These sectors often combine high downtime sensitivity with complex technology environments, making them recurring targets.

Even so, sector and geography alone did not explain victim selection. In many cases, attacks appeared in industries where exposed virtual private networks, exploitable infrastructure or existing access routes were already in place.

The United States accounted for nearly half of all reported victims, at 49.6%, reflecting its large business base. Thailand entered the list of top-targeted countries for the first time because 10.8% of victims linked to The Gentlemen were based there, while the Play group focused 85.1% of its activity on US organisations.

The report concluded that ransomware risk is increasingly shaped by concentration among a handful of operators and by access already established inside networks. That leaves companies facing a smaller field of adversaries, but ones with greater reach and greater potential impact per incident.