ACCORDING to Check Point Research, the Q1 2026 ransomware landscape shows a consolidation of activity, with the top 10 groups accounting for 71.1% of all data leak site victims, the highest concentration since Q1 2024. The period saw 2,122 victims listed on data leak sites, down 12.2% from Q4 2025 but still the second-highest Q1 on record, averaging 707 victims per month (732 in January, 684 in February and 706 in March).
Qilin remained the most prominent operator for a third consecutive quarter, posting 338 victims, while The Gentlemen emerged as a breakout story with 166 victims. LockBit 5.0 also rebounded to 163 victims, climbing to fourth place, and Nightspire expanded to 82 victims. The report notes a broader shift toward geographic diversification and operationally capable, reduced-enforcement risk groups, with Thailand entering the top 10 for the first time and The Gentlemen’s FortiGate stockpile shaping their distribution.
Overall, the ecosystem is reconsolidating around fewer, larger operators, even as payment rates fall and mass data-theft campaigns show diminishing returns. 11 May 2026.