Security Point Break: Cybersecurity News and Analysis with Clarity and Candor

Ransomware Victims Climb in Q1 as Threat Landscape Shifts

GuidePoint says ransomware activity stayed high in Q1 2026, with The Gentlemen surging and construction attacks rising 44% from a year earlier.

Ransomware stayed stubbornly high in the first quarter of 2026, even as the cast of attackers shifted. Researchers counted 2,135 publicly posted victims in Q1, down from 2,287 in Q4 2025 but up from 2,063 in Q1 2025. The number of active groups barely moved, edging down to 68 from 69 in both comparison periods.

The ransomware numbers come from a GuidePoint ransomware and cyberthreat insights report released Wednesday (registration gate). GuidePoint says the market remains durable even as individual players fade.

Ransomware attack volumes dipped from the late-2025 peak, but only slightly. The bigger shift came in who drove the attacks. The Gentlemen ransomware group jumped from 35 claimed victims in Q4 to 182 in Q1, making it the second-most active group of the quarter. Qilin still led with 361 victims, though that was down 25% from 484 in Q4. Akira fell to 176 from 226, a 22% drop.


The United States remained the main target, with 1,084 victims, or 50.77% of the total. The United Kingdom and Canada followed with 88 victims each. By sector, manufacturing remained the most-hit industry, while construction climbed to fourth place with 131 victims, up 12% from Q4 and 44% from a year earlier.

A table displaying ransomware statistics, comparing Q1 2026, Q4 2025, and Q1 2025. It includes total publicly posted ransomware victims, active ransomware groups, and average daily victims.
Numbers of ransomware victims in 2026. Image courtesy of GuidePoint Security

That mix of victims matters more than the modest quarter-to-quarter decline, researchers said. Takedowns, arrests and internal blowups may disrupt individual brands, but they have not slowed the larger ransomware machine. As one crew fades, another takes its place, GuidePoint said, often with familiar tradecraft and a new name. The Gentlemen’s jump from 35 victims to 182 is the clearest sign of that churn.

GuidePoint also said some actors continue to shift toward data theft and extortion-only attacks, relying less on encryption while keeping pressure on victims to pay. That lowers the attackers’ workload without giving up much leverage. Victims can still face the release of contracts, customer records, engineering drawings, bids and legal files even when systems stay online.

The rise in ransomware incidents targeting companies in the construction sector makes that shift easier to see. GuidePoint said connected contractors and project partners can expose a much wider web of organizations, including firms tied to government work. The report found 22 distinct threat actors hit construction companies in Q1, with no single group accounting for more than 20% of victims. That points to a broad targeting pattern, not a one-off spike tied to one gang.

The first-quarter numbers do not point to a ransomware slowdown. They point to a market that keeps absorbing disruption and moving on. Victim totals eased from the late-2025 peak, but the pipeline of active groups, new entrants and sector-level exposure remained intact. For defenders, that means the pressure is no longer episodic. It is structural.

Photo by GuerrillaBuzz on Unsplash
