Ransomware attacks accelerated sharply in the first quarter of 2026, with total data-leak site posts climbing 22% year-over-year to 2,638 – up from 2,161 in Q1 2025.
ReliaQuest reported Monday that ransomware attacks in 2026 were defined by speed, fragmentation, and a new wave of fraudulent extortion techniques that put pressure on enterprises without ever deploying a single encryptor.
The most dramatic shift in Q1 2026 came from ransomware-as-a-service (RaaS) group The Gentlemen, which posted 179 victim listings — a 588% jump from just 26 in Q4 2025.
The Gentlemen emerged in mid-2025, according to a profile of the threat actor by Check Point Research. The group offers affiliates a generous 90/10 profit split in an attempt to attract experienced operators and to lure affiliates away from established ransomware groups such as RansomHub and ALPHV.
ReliaQuest said the surge vaulted The Gentlemen past Akira on the data-leak site leaderboard.
Fake Extortion Sites Add New Pressure
Established RaaS groups Akira and Qilin maintained high victim volumes despite quarter-over-quarter declines. But Q1 also introduced a new threat category: fraudulent leak sites built to extort enterprises through reputational pressure alone.
0APT launched a dark-web leak site in January 2026 and immediately posted more than 200 organizations as ransomware victims. Security researchers determined the supposed breach data was largely exaggerated or fabricated. The scheme required no actual hacking. Companies that found their name on the site faced immediate pressure to pay simply to avoid the reputational fallout of a public breach claim.
A second actor, ALP-001, appears to be an initial access broker pivoting from selling stolen network credentials into direct extortion, papering its leak site with publicly exposed data to simulate a genuine breach.
No confirmed ransom payments to the 0APT site have been publicly reported, but security researchers warn the scheme doesn’t need to succeed often to be profitable. The reputational and regulatory pressure of a public breach listing alone is enough to force costly internal investigations, even when no actual intrusion occurred.
ShinyHunters Proves Encryption Is Optional
Extortion group ShinyHunters listed only 34 victims this quarter but delivered outsized damage. The group calls employees on their personal mobile phones, impersonates IT help-desk staff using spoofed caller IDs, and directs them to fake Okta login domains to harvest credentials.
ReliaQuest has tracked roughly 500 phishing domains tied to ShinyHunters activity. Once it holds valid credentials, the group uses the victim's single sign-on to reach Salesforce and SharePoint and exfiltrates data through those platforms' legitimate APIs, with no ransomware deployed at any point.
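As an added example, not code from ReliaQuest or from the original article, here is a small Python heuristic for spotting lookalike Okta sign-in hostnames of the kind described above, run over a constructed list of hostnames. The tenant name `acme`, the allowlist of real tenant hosts, the Okta-operated suffixes, and every candidate hostname are assumptions for illustration; in practice the allowlist holds the organization's real Okta hostnames and the candidates come from a newly registered domain feed, certificate transparency logs, or proxy destinations.

```python
"""Flag hostnames that mimic an organization's Okta sign-in page.

Added example, not part of the original article or any ReliaQuest tooling.
The tenant name, allowlist, and candidate hostnames are constructed for
illustration; substitute your real tenant hosts and a live domain feed.
"""
import re
from urllib.parse import urlsplit

BRAND = "acme"                                          # assumed organization name
ALLOWLIST = {"acme.okta.com", "acme.oktapreview.com"}   # assumed real tenant hosts
OKTA_SUFFIXES = (".okta.com", ".oktapreview.com")       # Okta-operated registrable domains
SSO_KEYWORDS = re.compile(r"okta|sso|login|signin|verify|mfa")
# Character substitutions commonly used to make a fake host resemble the real one.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}

# Constructed sample input: a mix of legitimate and lookalike hostnames/URLs.
CANDIDATES = [
    "https://acme.okta.com/login/login.htm",
    "acme-okta.com",
    "acme.0kta.com",
    "okta-acme-sso.net",
    "acme.okta.com.login-verify.co",
    "mail.google.com",
    "acme.oktapreview.com",
    "acme-careers.com",
]


def hostname(candidate: str) -> str:
    """Reduce a URL or bare hostname to a lowercase hostname."""
    if "://" not in candidate:
        candidate = "//" + candidate      # let urlsplit treat the input as a netloc
    return (urlsplit(candidate).hostname or "").lower()


def fold_homoglyphs(host: str) -> str:
    """Replace look-alike characters so 'acme.0kta.com' compares as 'acme.okta.com'."""
    for fake, real in HOMOGLYPHS.items():
        host = host.replace(fake, real)
    return host


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a small distance to a real host is a typosquat signal."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host: str, brand: str = BRAND, allow: set = ALLOWLIST) -> list:
    """Return the reasons a host looks like a lookalike; an empty list means clean."""
    if host in allow:
        return []
    reasons = []
    folded = fold_homoglyphs(host)
    if folded in allow:
        reasons.append("homoglyph variant of an allowlisted host")
    if any(folded.startswith(real + ".") for real in allow):
        reasons.append("allowlisted host embedded as a subdomain prefix")
    if brand in folded and SSO_KEYWORDS.search(folded) and not host.endswith(OKTA_SUFFIXES):
        reasons.append("brand plus sign-in keyword on a domain Okta does not operate")
    distance = min(levenshtein(host, real) for real in allow)
    if distance <= 2:
        reasons.append(f"edit distance {distance} from an allowlisted host")
    return reasons


def scan(candidates: list, brand: str = BRAND, allow: set = ALLOWLIST) -> dict:
    """Map each flagged hostname to the list of reasons it was flagged."""
    flagged = {}
    for candidate in candidates:
        host = hostname(candidate)
        reasons = classify(host, brand, allow)
        if reasons:
            flagged[host] = reasons
    return flagged


if __name__ == "__main__":
    for host, reasons in scan(CANDIDATES).items():
        print(f"{host}: {'; '.join(reasons)}")
```

Running the sample flags `acme-okta.com`, `acme.0kta.com`, `okta-acme-sso.net`, and `acme.okta.com.login-verify.co`, and leaves the two real tenant hosts, `mail.google.com`, and `acme-careers.com` alone. The `rn` to `m` fold will misfire on legitimate names that contain that pair (for example "modern"), so tune the table to the brand being protected. Domain monitoring only shortens the window a fake page stays up; because the attack harvests a password and a one-time code over the phone, the control that actually defeats it is phishing-resistant MFA (FIDO2/WebAuthn) on the SSO provider, since a bound credential cannot be replayed from the attacker's domain.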
The Defender Takeaway
ReliaQuest advises defenders to prioritize detecting and blocking the recurring behaviors that consistently drive ransomware impact: exposed VPN and RDP access, abuse of administrative protocols for lateral movement, identity compromise, and defense evasion.