Only 1 in 9 ransomware attacks are made public, says research

Ransomware attacks continue to evolve in both technique and impact, reflecting the growing sophistication of cyber-criminal operations. In the early days, attackers primarily focused on encrypting an organization’s data and demanding payment in exchange for the decryption key. 

Over time, this model shifted toward data exfiltration, where hackers not only lock systems but also steal sensitive information. This evolution gave rise to double extortion—threatening to leak stolen data—and even triple extortion tactics, where attackers may pressure victims through additional means such as targeting customers or partners.

A recent revelation suggests that the true scale of ransomware activity is far greater than what is publicly known. According to new findings, only one in nine ransomware incidents is disclosed, leaving the majority either undetected or intentionally unreported. Organizations often choose silence to avoid reputational damage, regulatory scrutiny, or loss of customer trust, which in turn allows attackers to operate with reduced visibility.

Data compiled by cybersecurity firm BlackFog, which specializes in anti-data exfiltration solutions, highlights the extent of this hidden threat landscape. The study examined ransomware activity between January and March 2026 across 97 countries. During this period, thousands of attacks were recorded, yet more than 2,160 incidents went unidentified, underscoring significant gaps in detection and reporting mechanisms.

Financially, the impact is becoming increasingly severe. In the first quarter of 2026 alone, the average ransom demand exceeded $1 million, signaling a shift toward high-value targets and more aggressive negotiation tactics. Businesses across 39 countries were affected, with the logistics sector emerging as the most targeted industry. Healthcare organizations and government entities followed closely, reflecting attackers’ preference for sectors where operational disruption can have critical consequences.

In terms of threat actors, the Qilin ransomware group emerged as the most active, carrying out 22 known attacks during the period. ShinyHunters followed with 16 incidents, while the INC ransomware group accounted for 11 attacks. However, the picture becomes even more concerning when looking at undisclosed activity. 

BlackFog reports that Qilin was also responsible for a significant portion of hidden attacks, leading with 339 cases. Other groups, such as “The Gentlemen” and Akira, were also heavily involved, with approximately 200 and 190 undisclosed incidents, respectively.

These findings highlight a critical issue: ransomware is not only growing in frequency and complexity but is also vastly under-reported, making it harder for organizations and authorities to fully grasp and combat the threat.


Naveen Goud
Naveen Goud is a writer at Cybersecurity Insiders covering topics such as Mergers & Acquisitions, Startups, Cyber Attacks, Cloud Security and Mobile Security.
