Fewer Groups Now Drive Majority of Global Attacks

Global ransomware activity remained near record highs in the first quarter of 2026, with 2,122 organisations extorted as fewer, more powerful criminal groups tightened their grip on the threat landscape, according to Check Point Research’s State of Ransomware Q1 2026 report released Wednesday.

The figure makes Q1 2026 the second-highest first quarter on record, with more than 700 victims logged per month across more than 70 active ransomware data leak sites. The top 10 ransomware groups accounted for 71% of all victims, reversing the fragmented activity that characterised much of 2025.

Qilin held the top position for the third consecutive quarter, posting 338 victims. LockBit returned to the global top tier with 163 victims after significant law enforcement disruption in 2024, while a newer group called The Gentlemen emerged as the quarter’s breakout actor, jumping from 40 victims in Q4 2025 to 166 in Q1 2026.

The Gentlemen’s rapid rise offers a revealing window into how modern ransomware groups operate. Rather than exploiting targets one by one, the group entered the quarter with a large pre-built inventory of compromised network entry points and launched attacks immediately and at volume. Only 13% of its victims were based in the United States, compared to an ecosystem average of nearly 50%, with activity concentrated instead in Asia-Pacific and Latin America, reflecting where the group already had access rather than where targets were most profitable.

LockBit’s return showed a similar pattern. Historically focused on the United States, the group’s Q1 victims spread more evenly across Europe, Latin America and other regions, suggesting a calculated effort to reduce exposure to aggressive enforcement jurisdictions.

Lorna Hardie, Regional Director for Africa at Check Point Software Technologies, said the shift in attacker behaviour carries direct implications for the continent. “Ransomware is no longer driven by short-term spikes alone,” she said. She warned that attackers now increasingly go where access already exists, not where revenues are highest, making Africa’s public and private sectors, which often carry exposed Virtual Private Network (VPN) access, weak identity protections and limited incident response capacity, a more likely entry point than many organisations assume.

Year-over-year comparisons in Check Point’s data appear to show a slight decline from Q1 2025, but that reading is misleading. Last year’s figures were inflated by a single mass-exploitation campaign. When that anomaly is excluded, underlying ransomware activity grew year-over-year.

Manufacturing, business services, healthcare and industrial sectors experienced the most frequent attacks, often because they run complex, exposed infrastructure rather than because attackers targeted those industries by choice. The access-driven model increasingly shapes both the sectors and the geographies affected.

For African organisations, the consolidation trend sharpens the risk picture. Larger, better-resourced ransomware operations are more consistent, more repeatable and more resilient to disruption than the fragmented groups they replace. Hardie urged organisations across the continent to treat exposure management, cloud access control and incident readiness as immediate priorities rather than long-term projects.
