Check Point Research Publishes Q1 2026 Ransomware Report: Attacks Accelerate and Impact Expands Amidst Group Consolidation

Check Point Research (CPR), the threat intelligence division of Check Point® Software Technologies Ltd. (NASDAQ: CHKP), a pioneer and global leader in cybersecurity solutions, has published its Q1 2026 Ransomware Report.

Continuing from last year, ransomware activity remained at record levels in Q1 2026, with the total number of attacks hovering near an all-time high. However, significant changes are evident in the ransomware ecosystem. After a period of decentralization over the past two years, activity has shifted towards a few dominant groups such as Qilin, The Gentlemen, and LockBit, indicating a trend of reorganization and consolidation. While the number of actors has decreased, the combination of improved attacker capabilities and the use of AI has dramatically increased the potential impact of individual incidents. As a result, ransomware attacks have become more destructive, recurrent, and financially damaging for victims.

**Key Findings of Q1 2026:**

**2,122 organizations victimized by ransomware extortion:** This represents the second-highest Q1 figure ever reported on Data Leak Sites (DLS), indicating that ransomware is no longer a temporary surge but a persistent threat. Activity remains at an alarming high level, forcing organizations into continuous defense.

**Top 10 ransomware groups dominate 71% of all victims:** A significant reversal from the ecosystem decentralization observed in 2025, a smaller number of groups now lead the majority of attacks. This trend signifies increased consistency, scale, and professionalism in attacks, broadening the potential damage when organizations are compromised.

**Qilin remains the most active group for the third consecutive quarter, involved in 338 incidents this quarter:** Meanwhile, The Gentlemen saw a rapid surge, increasing by 315% from 40 incidents in Q4 2025 to 166 incidents in Q1 2026, making it the fastest-growing group this quarter. Mature ransomware organizations exhibit high resilience, making it difficult to disrupt their operations. Furthermore, securing infiltration routes in advance allows emerging groups to quickly rise as significant threats, even under law enforcement pressure.

**LockBit resumes activity, involved in 163 incidents:** This quarter, LockBit has returned as one of the world's leading ransomware groups after a period of dormancy following past takedowns. Law enforcement actions only result in temporary slowdowns, not complete eradication. Surviving members regroup, adapt to circumstances, and resume operations with new strategies and names.

**The United States remains the epicenter of ransomware victimization:** 49.6% of global ransomware victims are concentrated in the US, making it the most targeted country.

**Figure 1: Total monthly reported ransomware victims on DLS (January 2024 – March 2026)**

**Geographical distribution of victims suggests: "Accessibility" takes precedence over "Attack Intent"**

Ransomware targeting is influenced not only by industry-specific priorities but also significantly by "accessibility." CPR's research indicates that the distribution of victim organizations is concentrated not just in traditionally valued industry sectors, but more so in areas where exploitable infrastructure, exposed VPNs, or pre-secured access routes exist.

This "accessibility-first" situation shifts ransomware risk from "organizations attackers want to target" to "organizations where infiltration footholds already exist." Even industries traditionally not considered "highly profitable" can become prime targets if they harbor unaddressed vulnerabilities or exposures.

Nearly half (49.6%) of reported victims are concentrated in the US, consistent with the scale of corporate operations in the country. The overwhelming majority of targets are Western developed countries.

Thailand, accounting for 10.8% of victims linked to a single major ransomware group (The Gentlemen), ranks among the top targeted countries for the first time.

Play concentrates 85.1% of its activity on US-based organizations, demonstrating how individual groups can focus intensely on specific countries.

Attackers target locations that are easier to access, and the premise of geographical safety no longer holds true. As access routes become geographically dispersed, global ransomware risks...