Ransomware Q1 2026: Fewer Groups, Bigger Hits, Pre-Staged Access


Check Point Research, the threat-intelligence arm of Check Point Software, opened its Q1 2026 State of Ransomware report with a single observation that overturns the prevailing read on the ecosystem. After two years in which the number of active ransomware groups grew from 51 to a peak of 85, the trend has reversed: 71% of the 2,122 victims posted on data leak sites in Q1 came from just ten operators. Ransomware Q1 2026 is no longer a story of proliferation. It is a story of which survivors absorbed the displaced affiliates after the law-enforcement disruptions of 2024-2025, and what they brought with them.

  • Qilin, the Russia-nexus ransomware-as-a-service program tracked since 2022, held first place for the third consecutive quarter at 338 victims, more than the combined output of the bottom 50 groups.
  • The Gentlemen, founded in late 2025 by a former Qilin affiliate, jumped from 40 victims in Q4 2025 to 166 in Q1 2026 (a 315% increase) on the back of a pre-staged stockpile of roughly 14,700 compromised FortiGate devices.
  • LockBit 5.0, the rebuild that followed the 2024 Operation Cronos takedown, posted 163 victims and shifted its target mix away from the United States from a historic 50%-plus share down to 21.2%.
  • Fourteen Q4 2025 groups disappeared in the quarter; 21 new names appeared, but most posted fewer than ten victims, so the supply-side churn favored the incumbents.

Ransomware Q1 2026 by the Numbers: 2,122 Victims, 71% Concentrated

The headline metric, 2,122 victims across more than 70 data leak sites, is a 12.2% decline from the all-time Q4 2025 record of 2,416 but remains the second-highest Q1 on record and sits 117% above Q1 2024. Check Point’s analysts argue the year-over-year comparison to Q1 2025 (a 7.1% nominal decline) is misleading because Cl0p, the Russia-aligned operation behind the 2024-2025 Cleo mass-exploitation campaign, contributed roughly 390 victims in a single burst that quarter. Strip Cl0p out of both periods and Q1 2026 lands at 1,995 victims against 1,894 in Q1 2025, a 5.3% genuine year-over-year increase. The monthly distribution within Q1 was flat (732 in January, 684 in February, 706 in March), which signals an operational tempo rather than a campaign-driven spike.

The structural finding is the concentration shift. The top-10 share of all DLS-posted victims climbed from 57% in Q3 2025 to 71.1% in Q1 2026, the highest concentration since Q1 2024. The active-group count fell from 85 to 71. Qilin, Akira, The Gentlemen, and LockBit together claimed 41% of all victims. Twenty-one new names appeared in the quarter, but most posted under ten victims and failed to convert the disappearance of mid-tier operators into market share. The displaced affiliate pool flowed up the ladder, not laterally.

Why Consolidation Makes Each Survivor More Dangerous than the Fragmented Field

The intuitive read is that fewer groups should mean fewer incidents. The Check Point data argues the opposite. Larger ransomware-as-a-service brands invest in operational consistency, including functional decryption, because their business model depends on the perception that paying produces recovery. Fragmentation in 2025 produced dozens of transient operators with no such incentive, and Obscura (cited in the report as a worked failure) shipped an encryption bug that renders files over 1 GB permanently unrecoverable regardless of payment. Consolidation removes that variant of “criminal but at least technically competent enough to honor the deal” failure mode. It also concentrates incident-response demand on a smaller, more capable adversary set.

What the report frames as a market-structure story is operationally a pre-positioned-access story. The Gentlemen is the load-bearing example. The group is run by Hastalamuerte, an experienced affiliate who worked with Embargo, LockBit, and Medusa before joining Qilin, and left after a dispute over an unpaid commission of roughly $48,000. The 14,700-device FortiGate stockpile (primarily exploited via CVE-2024-55591, a critical authentication bypass in FortiOS and FortiProxy patched in early 2025) plus 969 validated brute-forced FortiGate VPN credentials predates the group’s September 2025 launch. Publishing 38 victims in the first weeks of operation is not a feat of real-time tradecraft; it is the redemption of an inventory built during the affiliate years. What Check Point under-emphasizes here is that the geographic-distribution outlier (only 13.3% of The Gentlemen’s victims sit in the United States, against the 49.6% ecosystem baseline, while Thailand at 10.8% and Brazil at 6.0% feature heavily) is a downstream artifact of where the stockpile happens to sit. The targeting “strategy” is the inventory map.

Three Moves to Defend Against a Consolidated Ransomware Q1 2026 Ecosystem

The sequencing inverts the fragmentation-era playbook: stockpile-aware patch validation comes first, then threat-intelligence consumption, then incident-response retainer scope. The consolidated adversary set rewards depth over breadth.

Audit FortiGate and other edge-device patch status against the 14,700-device pre-exploited population. Patching CVE-2024-55591 in 2025 does not retire the access the attackers extracted before the patch landed. Pull device-uptime telemetry, validate that any FortiGate exposed before the patch window has had its admin credentials rotated and its configuration audited for persistence, and treat the device as compromised-until-proven-clean rather than patched-and-done.
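One way to turn that audit into a repeatable triage rule over an exported edge-device inventory, as an added example that is not code from the report or from Check Point. It assumes a placeholder patch-availability date and a constructed five-device inventory; a device exposed before the fix shipped stays compromised-until-proven-clean until its credential rotation and configuration review both post-date the patch and uptime telemetry shows the patched image is actually running.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

# Assumption for this example (placeholder, not a date from the report): day the vendor fix shipped.
PATCH_AVAILABLE = date(2025, 1, 14)

@dataclass
class EdgeDevice:
    hostname: str
    exposed_since: date              # first day the admin/VPN interface was internet-facing
    patched_on: date | None          # when the fix was installed; None = still unpatched
    up_since: date | None            # boot time taken from uptime telemetry
    creds_rotated_on: date | None    # last admin credential rotation
    config_reviewed_on: date | None  # last manual audit of the config for persistence

def _stale(control: date | None, patched_on: date) -> bool:
    # A control only counts if it happened on or after the patch went on.
    return control is None or control < patched_on

def triage(dev: EdgeDevice) -> tuple[str, list[str]]:
    """Return (verdict, reasons). Anything exposed during the pre-patch window
    stays 'compromised-until-proven-clean' until every control post-dates the patch."""
    if dev.patched_on is None:
        return "compromised-until-proven-clean", ["still unpatched"]
    reasons = []
    if dev.up_since is not None and dev.up_since < dev.patched_on:
        reasons.append("uptime predates patch; fix may not be active")
    if dev.exposed_since < PATCH_AVAILABLE:
        if _stale(dev.creds_rotated_on, dev.patched_on):
            reasons.append("credentials not rotated after patching")
        if _stale(dev.config_reviewed_on, dev.patched_on):
            reasons.append("config not audited for persistence after patching")
    return ("clean" if not reasons else "compromised-until-proven-clean"), reasons

def triage_inventory(inventory: list[EdgeDevice]) -> dict[str, str]:
    return {d.hostname: triage(d)[0] for d in inventory}

# Constructed sample inventory (hypothetical hosts, not real devices).
SAMPLE = [
    EdgeDevice("fw-edge-01", date(2024, 6, 1), date(2025, 2, 3), date(2025, 2, 3), date(2025, 2, 4), date(2025, 2, 5)),
    EdgeDevice("fw-edge-02", date(2024, 3, 15), date(2025, 2, 3), date(2025, 2, 3), date(2024, 12, 1), None),
    EdgeDevice("fw-edge-03", date(2025, 3, 1), date(2025, 3, 1), date(2025, 3, 1), None, None),
    EdgeDevice("fw-edge-04", date(2024, 9, 1), date(2025, 2, 3), date(2024, 11, 20), date(2025, 2, 4), date(2025, 2, 5)),
    EdgeDevice("fw-edge-05", date(2024, 9, 1), None, date(2024, 11, 20), None, None),
]

if __name__ == "__main__":
    for dev in SAMPLE:
        print(dev.hostname, *triage(dev))
```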

Re-baseline geographic threat models against the LockBit 5.0 and Gentlemen distributions. Italian, Brazilian, Turkish, Thai, and Indian operations whose risk models were calibrated to the historic 50%-plus US-victim baseline are now first-tier targets. Update incident-response retainer scope, language coverage on tabletop exercises, and law-enforcement liaison plans accordingly. The 30-percentage-point drop in LockBit’s US share is the actionable signal, not the rebrand-versus-comeback debate.

Subscribe to data-leak-site monitoring keyed to the top-10 operators rather than the long tail. Seventy-one percent of victim postings now come from ten brands, and the displaced-affiliate pattern means most “new” groups either disappear within a quarter or fold into an incumbent. Spend the threat-intel budget on Qilin, Akira, The Gentlemen, LockBit, DragonForce, Play, Nightspire, and the rest of the top-10 sustained operators where the volume actually concentrates. Check Point’s own assessment that ransomware Q1 2026 turned on consolidation rather than volume is the analytic frame the rest of the year’s defensive planning should inherit, with Qilin’s 338-victim quarter as the floor against which any further consolidation gets measured.


Holger Schulze
Holger Schulze is the founder and publisher of Cybersecurity Insiders, an independent cybersecurity media and research company. The publication centers on the security domains under the most pressure from AI: identity and phishing resistance, incident response velocity, application security, and threat intelligence tradecraft. Coverage maps the readiness gap between where CISO teams sit today and where AI-era attack speed is pushing them, and which moves close it fastest. Writing here applies Cybersecurity Insiders' Capability and Coherence Maturity Model to primary-research data and named incident analysis, evaluating security programs across the reactive, managed, and adaptive maturity tiers. Holger moderates the Information Security Community on LinkedIn, one of the largest cybersecurity professional networks. Connect at linkedin.com/in/holger-schulze.
