Summary Points
- Ransomware activity is now concentrated among fewer, more capable groups, increasing the severity and operational impact of each attack.
- Attackers, including The Gentlemen, exploit existing network access points rather than new intrusions, enabling large-scale, swift campaigns.
- AI is accelerating the attack cycle, making breaches more damaging and requiring organizations to proactively strengthen defenses and limit lateral movement.
Threat Overview, Attack Techniques, and Targets
Check Point Research reports that ransomware activity has become more consolidated around fewer groups in early 2026. This change means that fewer ransomware groups are responsible for most attacks. The report states that the top 10 groups now account for 71% of all victims. Qilin was the most active group for three consecutive quarters, with 338 victims. The Gentlemen experienced rapid growth, increasing from 40 victims to 166 within one quarter. LockBit also returned to higher activity levels with 163 victims.
One notable shift is that ransomware operators are using existing access points instead of searching for new ones. This allows them to launch large-scale attacks quickly, often using compromised networks already in place. Thailand was identified as one of the ten most-targeted countries for the first time. The group’s expansion in Asia and Latin America helped push Thailand onto this list. The Gentlemen, linked to Thailand, made up nearly 11% of all victims in that country. The group’s focus on existing access points makes it easier to target different regions based on already compromised networks.
Impact, Security Implications, and Remediation Guidance
The increase in concentrated ransomware groups means attacks could have a greater impact on organizations. Since fewer groups are responsible for most incidents, their capabilities are often stronger, making breaches more damaging. Additionally, the use of existing access points allows attackers to scale attacks efficiently.
The report highlights that ransomware activity remains high, despite some recent fluctuations. The geographic shift of attacks, such as LockBit expanding beyond the U.S., broadens the threat landscape. Sectors like manufacturing, healthcare, and industrial companies continue to be frequent targets because they often have complex environments and important operations.
To reduce the risk of ransomware attacks, organizations should focus on closing access gaps and strengthening controls around identities and networks. Limiting lateral movement within networks is also critical. If you need specific remediation guidance, it is recommended to consult your security vendor or relevant authorities for tailored advice.
Expand Your Tech Knowledge
Learn how the Internet of Things (IoT) is transforming everyday life.
Discover archived knowledge and digital history on the Internet Archive.
ThreatIntel-V1
