Check Point Research: Qilin Dominates Ransomware Landscape in Q1 2026, Top 10 Groups Claim 71% of Victims

Ransomware Market Consolidates in Q1 2026; Qilin Remains Top Threat as LockBit 5.0 Rebounds

HIGH
Published: May 12, 2026
Updated: June 6, 2026
5m read
Ransomware, Threat Actor, Threat Intelligence

Related Entities (initial)

Threat Actors

Qilin, The Gentlemen, LockBit, SafePay, Devman, Sinobi

Organizations

Products & Tech

FortiGate

Other

LockBit 5.0

Full Report (when first published)

Executive Summary

A Q1 2026 ransomware analysis from Check Point Research indicates a significant consolidation within the ransomware-as-a-service (RaaS) market. After a period of fragmentation, the ecosystem is now dominated by a few major players, with the top 10 most active groups responsible for 71% of all publicly claimed victims. The Qilin ransomware gang has cemented its position as the market leader for the third quarter in a row. The quarter also saw the dramatic rise of a Russian-speaking group called 'The Gentlemen' and a strong resurgence from LockBit 5.0, which has successfully regrouped after law enforcement actions. Although the total number of victims (2,122) posted on data leak sites was down 12.2% from the record-breaking Q4 2025, the activity level remains exceptionally high, signaling a stable and mature criminal market.

Threat Overview

The first quarter of 2026 was defined by the 'big get bigger' trend in the ransomware world.

  • Market Leader: Qilin continued its reign, claiming 338 victims and demonstrating consistent operational capabilities.
  • Breakout Star: 'The Gentlemen', a Russian-speaking group, surged from 40 victims in the previous quarter to 166, securing the number three spot. Their targeting is notably non-Western, with a focus on regions like APAC and Latin America, possibly due to their access to vulnerable FortiGate devices in those areas or a deliberate strategy to avoid US law enforcement scrutiny.
  • The Comeback: LockBit 5.0 made a remarkable recovery after being disrupted by Operation Cronos. The group posted 163 victims, a 106% increase, proving the resilience of its brand and infrastructure.
  • Decliners: Other groups struggled. SafePay's activity dropped 77% after its leak site went offline. Devman's operations fell by 70% after its operator was placed on an Interpol wanted list, and Sinobi's postings collapsed by 42%.

This consolidation suggests a market maturation where well-organized, resilient, and operationally secure groups are pushing out smaller or less sophisticated players.

Technical Analysis

The report highlights several key operational characteristics of the top groups:

  • Targeting Strategy: While the US remains the most targeted country overall (nearly 50% of victims), groups like 'The Gentlemen' show a deliberate focus on other regions. This may be driven by the availability of initial access from brokers in those regions or a conscious choice to operate in jurisdictions with less risk of law enforcement action.
  • Initial Access Vectors: The report reinforces that vulnerable public-facing infrastructure, such as FortiGate VPNs, remains a primary initial access vector for many of these top-tier groups.
  • Resilience: LockBit's rebound demonstrates the difficulty of permanently dismantling a major RaaS operation. The brand recognition, affiliate network, and underlying code can be quickly reconstituted under a new version, even after significant law enforcement disruption.

MITRE ATT&CK Techniques (Common across groups)

Impact Assessment

The consolidation of the ransomware market does not imply a reduction in threat. Instead, it suggests that victims are more likely to face highly professional and experienced adversaries. These top-tier groups have refined their playbooks for extortion, negotiation, and technical execution. For a victim organization, this means dealing with an attacker who is more likely to successfully exfiltrate data, effectively deploy encryption, and apply maximum pressure to force a payment. The high, stable number of victims indicates that ransomware remains a highly profitable and sustainable criminal enterprise.

IOCs — Directly from Articles

No specific Indicators of Compromise were provided in the source articles.

Cyber Observables — Hunting Hints

  • Leak Site Monitoring: Organizations should proactively monitor known ransomware data leak sites for any mention of their company name, partners, or suppliers.
  • Geofencing: For businesses that do not operate in regions heavily targeted by groups like 'The Gentlemen' (e.g., APAC, Latin America), consider geofencing policies to block traffic from those areas if it aligns with business risk.
  • VPN Logs: Closely monitor logs from FortiGate and other VPN appliances for signs of brute-force attacks, credential stuffing, or exploitation of known vulnerabilities.
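The VPN-log hunting hint above, worked through as an added example (not code from Check Point Research or the article's author): it parses constructed FortiGate-style SSL-VPN event lines, groups login failures by source IP, and separates credential stuffing (many accounts from one IP) from brute force (one account hammered), flagging any IP that later brings a tunnel up. Field names follow the FortiOS key=value log style; the IPs, users and thresholds are assumptions for the demo.

```python
import re
from collections import defaultdict

# Constructed sample lines in the key=value style of FortiOS SSL-VPN event logs
# (field names follow FortiOS; every value here is made up for the example).
SAMPLE_LOGS = """\
date=2026-05-12 time=08:00:01 type="event" subtype="vpn" action="ssl-login-fail" remip="198.51.100.7" user="alice" reason="sslvpn_login_permission_denied"
date=2026-05-12 time=08:00:02 type="event" subtype="vpn" action="ssl-login-fail" remip="198.51.100.7" user="bob" reason="sslvpn_login_unknown_user"
date=2026-05-12 time=08:00:03 type="event" subtype="vpn" action="ssl-login-fail" remip="198.51.100.7" user="carol" reason="sslvpn_login_unknown_user"
date=2026-05-12 time=08:00:04 type="event" subtype="vpn" action="ssl-login-fail" remip="198.51.100.7" user="erin" reason="sslvpn_login_permission_denied"
date=2026-05-12 time=08:00:09 type="event" subtype="vpn" action="tunnel-up" remip="198.51.100.7" user="erin"
date=2026-05-12 time=08:01:00 type="event" subtype="vpn" action="ssl-login-fail" remip="203.0.113.9" user="admin" reason="sslvpn_login_permission_denied"
date=2026-05-12 time=08:01:01 type="event" subtype="vpn" action="ssl-login-fail" remip="203.0.113.9" user="admin" reason="sslvpn_login_permission_denied"
date=2026-05-12 time=08:01:02 type="event" subtype="vpn" action="ssl-login-fail" remip="203.0.113.9" user="admin" reason="sslvpn_login_permission_denied"
date=2026-05-12 time=08:01:03 type="event" subtype="vpn" action="ssl-login-fail" remip="203.0.113.9" user="admin" reason="sslvpn_login_permission_denied"
date=2026-05-12 time=08:02:00 type="event" subtype="vpn" action="ssl-login-fail" remip="192.0.2.4" user="frank" reason="sslvpn_login_permission_denied"
date=2026-05-12 time=08:02:30 type="event" subtype="vpn" action="tunnel-up" remip="192.0.2.4" user="frank"
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
def parse_line(line):
    """Split one key=value log line into a dict, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def analyze_vpn_logs(text, fail_threshold=4, spray_users=3):
    """Group SSL-VPN events by source IP; flag IPs reaching fail_threshold.
    Failures spread over >= spray_users accounts read as credential stuffing,
    otherwise as brute force; a tunnel-up after failures is appended to the
    verdict because a guessed or stolen credential may have worked."""
    by_ip = defaultdict(lambda: {"failures": 0, "users": set(), "success_after_fail": False})
    for line in text.splitlines():
        ev = parse_line(line)
        if ev.get("subtype") != "vpn" or "remip" not in ev:
            continue
        st = by_ip[ev["remip"]]
        if ev.get("action") == "ssl-login-fail":
            st["failures"] += 1
            st["users"].add(ev.get("user", ""))
        elif ev.get("action") == "tunnel-up" and st["failures"] > 0:
            st["success_after_fail"] = True
    findings = {}
    for ip, st in by_ip.items():
        if st["failures"] < fail_threshold:
            continue  # below threshold: ordinary mistyped passwords
        verdict = "credential-stuffing" if len(st["users"]) >= spray_users else "brute-force"
        if st["success_after_fail"]:
            verdict += "+login-success"
        findings[ip] = {"failures": st["failures"], "users": sorted(st["users"]), "verdict": verdict}
    return findings
```

In the sample, 198.51.100.7 is reported as credential stuffing followed by a successful login (the case worth paging someone for), 203.0.113.9 as brute force, and 192.0.2.4 is ignored as a single mistyped password.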

Detection & Response

  • Detection:

    • Behavioral Analysis: Deploy EDR and network security tools that focus on detecting ransomware behaviors (e.g., rapid file modification, disabling shadow copies, data exfiltration) rather than just signatures.
    • Threat Intelligence Integration: Use threat intelligence feeds to get early warnings about the TTPs and IOCs associated with dominant groups like Qilin and LockBit 5.0.
  • Response:

    • Incident Response Plan: Have a well-defined and practiced incident response plan that specifically addresses a double-extortion ransomware scenario. This plan should include legal, communications, and executive stakeholders.
    • Containment: The first step in response is to isolate compromised systems to prevent the ransomware from spreading further across the network.

Mitigation

  • Patch Management: Aggressively patch all internet-facing systems, especially VPNs and firewalls. Many ransomware attacks begin by exploiting old, known vulnerabilities.
  • Multi-Factor Authentication (MFA): Enforce MFA on all remote access, privileged accounts, and critical applications to prevent initial access via compromised credentials.
  • Immutable Backups: Maintain the 3-2-1 backup rule: three copies of your data, on two different media types, with one copy off-site and immutable. Regularly test your ability to restore from these backups.
  • Network Segmentation: Segment the network to limit an attacker's ability to move laterally from an initial point of compromise to critical servers and data stores.

Timeline of Events

May 12, 2026: This article was published.

Article Updates

June 6, 2026

May 2026 saw a 3% increase in ransomware attacks, with the education sector experiencing a 54% surge. Qilin remains dominant, and 115 TB of data was stolen.

MITRE ATT&CK Mitigations

  • Aggressively patch internet-facing infrastructure like VPNs (e.g., FortiGate) to close common initial access vectors.
  • Enforce MFA on all remote access points to prevent takeovers via compromised credentials.
  • Maintain and test immutable, offline backups to ensure recovery capabilities from an encryption event.
  • Segment the network to contain the spread of ransomware and protect critical assets.

D3FEND Defensive Countermeasures

To detect sophisticated ransomware groups like Qilin during their lateral movement and reconnaissance phase, deploying a Decoy Environment is highly effective. Create decoy servers and file shares that appear to be valuable assets (e.g., 'Finance-Server', 'HR-Data'). Populate these decoys with fake documents (canary tokens) and credentials. Since no legitimate process should ever access these decoys, any interaction is a high-confidence indicator of an intruder. When a ransomware operator begins scanning the network, they will likely interact with these decoys, triggering an immediate alert. This provides the security team with an early warning that an attacker is active on the network, allowing for rapid containment before the final payload is deployed.

A primary initial access vector for groups like The Gentlemen is the exploitation of vulnerable FortiGate devices. Platform Hardening is the key defense. This goes beyond simple patching. Administrators must conduct a thorough review of the configuration of all internet-facing appliances. This includes disabling any unused services or features to reduce the attack surface, implementing strong password policies for administrative access, restricting management access to a dedicated internal network or specific IPs, and ensuring logging is enabled and forwarded to a SIEM. For FortiGate specifically, this means staying current on all FortiOS updates and security advisories. By hardening these critical edge devices, organizations can shut down the front door that many ransomware groups rely on.
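The configuration review described above, as an added example (not the article's or Check Point's code): a small audit script that parses a constructed excerpt in FortiOS CLI config syntax and reports WAN-facing interfaces with management access enabled, cleartext admin services, and admin accounts with no trusthost restriction. The section and attribute names are real FortiOS ones; the interface names, addresses and accounts are made up for the demo.

```python
# Constructed excerpt in FortiOS CLI config syntax: section and attribute names
# are real FortiOS ones, but every interface, address and admin name is made up.
SAMPLE_CONFIG = """\
config system interface
    edit "wan1"
        set allowaccess ping https ssh http telnet
        set role wan
    next
    edit "internal"
        set allowaccess ping https ssh
        set role lan
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
    edit "netops"
        set accprofile "super_admin"
        set trusthost1 10.10.0.0 255.255.255.0
    next
end
"""

MGMT_SERVICES = {"https", "ssh", "http", "telnet"}
CLEARTEXT_SERVICES = {"http", "telnet"}

def parse_fortios(text):
    """Parse config/edit/set lines into {section: {name: {attr: [values]}}}.
    Covers the flat two-level blocks used here; nested sub-configs are out of scope."""
    sections, section, entry = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            section = sections.setdefault(line[7:], {})
        elif line.startswith("edit "):
            entry = section.setdefault(line[5:].strip('"'), {})
        elif line.startswith("set "):
            attr, *vals = line[4:].split()
            entry[attr] = [v.strip('"') for v in vals]
    return sections

def audit(cfg):
    """Return (object, finding) pairs for the edge-hardening points above."""
    findings = []
    for name, iface in cfg.get("system interface", {}).items():
        access = set(iface.get("allowaccess", []))
        if iface.get("role") == ["wan"] and access & MGMT_SERVICES:
            findings.append((name, "management access enabled on WAN-facing interface"))
        if access & CLEARTEXT_SERVICES:
            findings.append((name, "cleartext admin services enabled: " + ",".join(sorted(access & CLEARTEXT_SERVICES))))
    for name, adm in cfg.get("system admin", {}).items():
        if not any(k.startswith("trusthost") for k in adm):
            findings.append((name, "admin account has no trusthost restriction"))
    return findings
```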

Although these groups are sophisticated, many ransomware attacks still begin with simple credential compromise. Implementing a Strong Password Policy, enforced by Multi-factor Authentication (MFA), is a foundational control. The policy should mandate long, complex passwords and, more importantly, disallow password reuse across systems. This should be coupled with active monitoring for compromised credentials using threat intelligence services. The most critical element, however, is enforcing phishing-resistant MFA (like FIDO2) on all remote access (VPN, RDP) and cloud services. This single measure is highly effective at stopping attackers from using stolen credentials to gain initial access, disrupting the business model of the Initial Access Brokers that supply groups like Qilin and LockBit.

Sources & References (when first published)

  • The State of Ransomware - Q1 2026, Check Point Research (research.checkpoint.com), May 11, 2026
  • Qilin remains the top ransomware threat as market consolidates, BleepingComputer (bleepingcomputer.com), May 11, 2026

Article Author

Jason Gomes, Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

Ransomware, Qilin, LockBit, The Gentlemen, Check Point Research, RaaS, Market Consolidation
