Ransomware didn’t slow down in 2026. It got more crowded. The first quarter alone produced somewhere between 2,059 and 2,570 publicly claimed victims depending on which tracker you trust, spread across roughly 70 to 89 active extortion brands. The ecosystem is fragmenting faster than law enforcement can take it apart: the FBI seized the RAMP forum in late January, affiliates scattered to successor platforms like ReHub, and a single group — Qilin — still posted 131 victims in March, its highest single month on record.
Raw volume only tells part of the story. The groups worth watching this year are the ones that combine scale, technical polish, and the kind of operational discipline that keeps showing up in incident reports. What follows is a ranking that weighs all three. Two caveats before the list. First, “impact” here means confirmed operational and human consequences, not dollar figures — most ransom payment data is self-reported and unreliable. Second, victim counts reflect only organizations named on leak sites, meaning those that refused to pay or didn’t pay fast enough. The true attack volume is higher, often by a significant margin.
1. Qilin — The Volume Leader That Won’t Stop Hitting Hospitals
Qilin is the most active ransomware operation on the planet, and it has been for more than a year. GuidePoint Research logged 361 Qilin victims in Q1 2026, down 25% from a peak of 484 in Q4 2025 but still roughly double the next closest group. Breachsense tracked 342 Qilin victims across Q1 on leak sites alone, including 131 in March — three consecutive months above 100 victims, which the firm notes is unprecedented in its tracking history.
The group operates a permissive ransomware-as-a-service (RaaS) model — a franchise arrangement where core developers maintain the malware and leak site while affiliates conduct intrusions for a cut of the ransom. Qilin’s recruiting is aggressive, including open banner ads on dark web forums, and the group absorbed experienced operators from RansomHub and LockBit after those operations faltered in 2024 and 2025. The Rust-based encryptor is capable but not exceptional; Qilin’s edge is scale, speed, and an explicit willingness to hit targets other groups avoid.
That willingness produced the most consequential ransomware incident of the past two years. Qilin’s June 2024 attack on Synnovis, an NHS pathology provider in southeast London, contributed to a patient’s death at King’s College Hospital when delayed blood test results became one of several factors in a complex clinical case. Roughly 170 patients were harmed, more than 1,100 cancer treatments were delayed, and an 18-month recovery effort ended in November 2025 with Synnovis refusing the reported $50 million ransom. South London and Maudsley NHS Foundation Trust was still operating without fully restored pathology systems as of January 2026, relying on paper processes for 161,560 delayed reports. Qilin told The Register the attack was deliberate, framing its target selection as politically motivated — a claim most analysts treat with skepticism given the group’s broader victimology.
2. The Gentlemen — The Newcomer That Moves Like a Veteran
The Gentlemen appeared in August 2025, posted 35 victims in Q4, and then did something new operations almost never do: they scaled. GuidePoint counted 182 Gentlemen victims in Q1 2026, making them the second-most active group globally. Check Point Research, which gained access to a live affiliate-controlled command server, pegs the total at over 320 victims since emergence, with a botnet of more than 1,570 likely corporate hosts — a figure that exceeds the group’s own public claims.
Two things explain the speed. First, a 90/10 affiliate revenue split, compared to the 80/20 industry standard, which drew experienced operators from competing RaaS programs. Second, tradecraft that Trend Micro described in a September 2025 analysis as “tailoring tactics against specific security vendors” — the kind of environment-aware reconnaissance that takes years to develop. Initial access is almost always through internet-facing devices: VPNs, firewalls, SSL VPN gateways. Once inside, affiliates move to full-network encryption within hours, often using SystemBC proxy malware for persistence and exfiltration. The rapid rise and the polish both suggest a rebrand of experienced operators rather than a genuinely new crew.
Manufacturing and technology lead the victim list, with healthcare a growing third target. The Gentlemen don’t observe the informal restraint some groups apply to critical services; in 2026 that has become the distinguishing feature of a whole tier of operations, less a philosophy than a willingness to absorb the law enforcement attention that follows.
3. Akira — Fast, Disciplined, and Overly Dependent on One Vendor
Akira has been operational since 2023 and remains one of the longest-running active RaaS programs. The group logged 176 victims in Q1 2026, a 22% drop from its Q4 2025 peak of 226. Halcyon’s analysis notes Akira’s defining capability: rapid compromise, with some incidents escalating from initial foothold to full encryption in under an hour, often without detection.
The Q4 2025 surge and the Q1 2026 decline are the same story. Akira’s affiliates leaned heavily on vulnerabilities in SonicWall SSL VPN appliances throughout late 2025, and the pool of unpatched devices shrank faster than the group could diversify its access methods. Expect Akira to reconstitute around a different access vector in the next quarter or two — the operational discipline is there, only the exploit chain needs replacing. Akira also runs, by most accounts, a more reliable decryptor than many of its competitors, which translates into a higher payment rate than higher-volume groups like Qilin.
The group’s aesthetic choices are worth noting because they reflect something about how the operators think. The leak site is styled as a retro green-screen terminal, and the group takes its name from the 1988 cyberpunk anime — branding decisions that feel self-aware in a field where most leak sites are indistinguishable corporate dashboards.
4. Cl0p — The Mass-Exploitation Specialists
Cl0p (also written CL0P and Clop) barely registered on victim-count leaderboards for most of 2025. Then, starting in late September, executives at dozens of large organizations began receiving extortion emails. The group had been quietly exploiting CVE-2025-61882, a pre-authentication remote code execution flaw in Oracle E-Business Suite, since August. ReliaQuest counted 116 Cl0p victims in Q4 2025, up from one the previous quarter, and the posts continued into Q1 2026 as the group drew out victim naming over several months.
Cl0p’s pattern is now well-established. Google’s Threat Intelligence Group links the operation’s data leak site to FIN11, and the playbook has repeated across Accellion FTA (CVE-2021-27104), SolarWinds Serv-U (CVE-2021-35211), GoAnywhere MFT (CVE-2023-0669), MOVEit Transfer (CVE-2023-34362), Cleo managed file transfer products, and now Oracle EBS. Identify a widely deployed enterprise platform. Find an unpatched flaw. Exfiltrate en masse. Wait weeks. Extort. The Oracle campaign named Harvard University, The Washington Post, American Airlines subsidiary Envoy Air, Logitech, Cox Enterprises, and GlobalLogic among its confirmed victims, with cybersecurity analysts estimating over 100 companies were impacted in total.
Cl0p does not bother with traditional encryption in most recent campaigns. The operational model is pure extortion based on stolen data — faster, simpler, and harder for defenders to interrupt once exfiltration has occurred. It also sidesteps the standard ransomware control: backups restore nothing that was stolen, so the only meaningful intervention points are patching the exposed platform before the campaign starts and catching the bulk outbound transfer while it is happening.
Cl0p’s mass-exploitation campaigns by flaw and scale: CVE-2021-27104 (Accellion FTA), ~100 organizations; CVE-2023-0669 (GoAnywhere MFT), 100+; CVE-2023-34362 (MOVEit Transfer), 2,700+; CVE-2025-61882 (Oracle EBS), 100+.
5. DragonForce — The Cartel with the Retail Problem
DragonForce has been iterating publicly since August 2023, and 2025 was the year the iterations paid off. The group restyled itself as a “cartel,” offering affiliates a white-label ransomware platform with a 20% operator cut — unusually low. Picus Security and Trend Micro both note the codebase is built on leaked LockBit 3.0 and Conti v3 source, with builds for Windows, Linux, ESXi, and NAS targets.
The retail campaign is what put DragonForce on the enterprise threat map. Beginning in April 2025, the group’s affiliates, reportedly overlapping with Scattered Spider, hit a series of UK retailers in close succession: Marks & Spencer, Co-op, and Harrods. M&S was forced to pause all online clothing and home orders for roughly a week, with contactless payments and click-and-collect impacted in stores. Initial access in the M&S case came through social engineering of service desks, consistent with Scattered Spider’s historical tradecraft. CISA’s updated Scattered Spider advisory from July 2025 explicitly names DragonForce as a collaborator.
DragonForce affiliates also use bring your own vulnerable driver (BYOVD), a defense evasion technique in which the attacker loads a legitimately signed but exploitable driver and uses it to disable endpoint detection and response (EDR) products from the kernel. Once such a driver is loaded the EDR cannot protect itself, so the practical countermeasure is enforcing Microsoft’s vulnerable driver blocklist (through HVCI or a WDAC policy) so the known-bad drivers never load in the first place. The group claimed 54 victims in March 2026 per Breachsense, up from 30 in February, and the trajectory is upward. An April 2026 attack on U.S. office equipment dealer CES Imaging Inc. suggests the group is broadening beyond UK retail.
6. LockBit 5.0 — The Comeback That Might Not Be a Comeback
LockBit was the most dominant RaaS operation in the world until the UK’s National Crime Agency dismantled its infrastructure in Operation Cronos in February 2024. In September 2025, the administrator LockBitSupp — publicly identified as Russian national Dmitry Khoroshev — announced LockBit 5.0, codenamed “ChuongDong,” on the RAMP forum. By early December, over 100 victims had been posted to a new Christmas-themed leak site.
Whether this constitutes a real resurgence is genuinely contested. Arete’s January 2026 analysis notes that code overlaps with LockBit 4.0 are extensive, suggesting evolution rather than reinvention. Acronis Threat Research Unit’s February 2026 analysis of the 5.0 samples documents Windows, Linux, and ESXi builds with XChaCha20 and Curve25519 encryption, DLL unhooking, process hollowing, and Event Tracing for Windows (ETW) patching. The group also explicitly advertises support for Proxmox, the open-source hypervisor that many enterprises have adopted since Broadcom’s VMware licensing changes.
The structural problem for LockBit is sanctions. OFAC sanctioned Khoroshev by name in May 2024, which creates direct legal exposure for any U.S. organization considering payment. Rakesh Krishnan’s December 2025 OSINT work exposed a LockBit 5.0 server at 205.185.116.233 on AS53667 (PONYNET/FranTech Solutions), suggesting the group’s operational security has not meaningfully improved. LockBit 5.0 may survive as a brand. It is unlikely to recover its former scale.
7. INC Ransom — The Quietly Consistent Operator
INC Ransom ranks in nearly every Q1 2026 leaderboard but rarely generates headlines. Cyfirma tracked INC Ransom growth from 37 incidents in February to 85 in March — a significant jump in a single month. Bitdefender’s analysis of December 2025 through February 2026 U.S. ransomware activity lists INC as one of seven groups that consecutively ranked in the Top 10 for more than four months, alongside Qilin, Akira, Cl0p, Play, DragonForce, and Sinobi.
The group’s tradecraft is conventional but effective: credential access through infostealer logs, VPN exploitation, and double extortion. There is no signature flourish, no public manifesto, no distinctive aesthetic. That discipline is arguably the tradecraft — INC’s affiliates focus on the fundamentals, avoid the attention-grabbing attacks that draw law enforcement pressure, and continue operating while noisier groups cycle through rebrand after rebrand. The encryptor is reported to use Curve25519 key exchange with AES-128-CTR for file contents, a combination that has prompted analysts to track possible overlap (shared code, and by extension possibly shared operators or infrastructure) with Lynx, whose data leak site (DLS) is now defunct.
8. NightSpire — The In-House Operation
NightSpire is structurally unusual. Most ransomware groups of its scale run affiliate programs; NightSpire, per GuidePoint’s analysis, runs its operations in-house. The group emerged in early 2025 with an exfiltration-only model and evolved into full double extortion by late 2025. It has claimed 175 victims across 28 industries in just over a year, including 74 posted on its leak site in Q1 2026 alone.
The in-house model caps scale but also limits exposure: fewer people know the infrastructure, fewer affiliates can defect or get arrested carrying operational details, and the group keeps tighter control over target selection. One confirmed NightSpire victim, Japanese electronics manufacturer Nippon Ceramic, was compromised on April 10, 2025 — a data point worth noting because the group’s victim confirmations are otherwise sparse. The move from exfiltration-only to encryption-plus-exfiltration tracks a broader industry observation that encryption still produces the highest payment conversion rates, despite the operational simplicity of data-theft-only extortion.
Affiliate (RaaS) model:
- Core devs + affiliate pool
- Scale through recruiting
- Affiliate arrests expose infra
- Target selection delegated
In-house model (NightSpire):
- All operations in-house
- Constrained scale by design
- Fewer exposure points
- Centralized target selection
9. Play — The Government and Critical Infrastructure Specialist
Play has been operational since 2022 and continues to rank consistently among the top 10 globally. What distinguishes Play is targeting: government agencies, police networks, and critical infrastructure, particularly in Latin America and Europe. The group appears in Bitdefender’s consecutive-quarter Top 10 U.S. list, the FBI’s top ransomware variants list affecting critical infrastructure, and most major quarterly reports for Q1 2026.
Play’s tradecraft is conventional — intermittent encryption to speed up file locking and evade signature detection, .play file extensions, and a negotiation model that does not use a traditional leak site countdown but instead pressures victims through email. The group’s decision to focus on government and infrastructure targets, rather than the higher-payment-rate private sector, is strategically interesting. Whether this reflects ideological alignment, contract work for state actors, or simply access patterns that happen to favor those sectors is unclear in public reporting.
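Intermittent encryption also undercuts a heuristic that many EDR, backup-integrity and DLP products rely on: file-level entropy. The Python below is an added example, not code from the page or from Play, that simulates the effect on constructed data. It uses a SHA-256 counter keystream as a stand-in for a real cipher and encrypts one 4096-byte block in every four, both assumptions chosen for the demo. The point it shows is that a whole-file entropy threshold misses the partially encrypted file while a per-block maximum still catches it.

```python
import hashlib
import math
from collections import Counter

BLOCK = 4096  # analysis and encryption block size (assumption for this demo)

# Constructed low-entropy "document": a repeated CSV line, ~114 KB.
PLAINTEXT = b"2026-03-14,INV-10442,ACME Corp,Widget assembly,12,48.50\n" * 2000
KEY = b"demo-key-not-secret"  # hypothetical key for the simulated cipher


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for a perfectly uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def keystream(key: bytes, nbytes: int) -> bytes:
    """Deterministic SHA-256 counter stream standing in for a real stream cipher (demo only)."""
    out = bytearray()
    ctr = 0
    while len(out) < nbytes:
        out += hashlib.sha256(key + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return bytes(out[:nbytes])


def intermittent_encrypt(data: bytes, key: bytes, every: int = 4) -> bytes:
    """XOR-encrypt the first BLOCK bytes of every `every`-th block group, leave the rest.

    every=1 encrypts the whole file. Because it is XOR, calling it again with the
    same key and `every` decrypts.
    """
    out = bytearray(data)
    for start in range(0, len(data), BLOCK * every):
        chunk = data[start:start + BLOCK]
        ks = keystream(key + start.to_bytes(8, "big"), len(chunk))
        out[start:start + len(chunk)] = bytes(a ^ b for a, b in zip(chunk, ks))
    return bytes(out)


def whole_file_verdict(data: bytes, threshold: float = 7.0) -> bool:
    """The naive rule: treat the file as encrypted if its overall entropy is high."""
    return shannon_entropy(data) >= threshold


def max_block_entropy(data: bytes) -> float:
    """Highest entropy seen in any BLOCK-sized window of the file."""
    return max(shannon_entropy(data[i:i + BLOCK]) for i in range(0, len(data), BLOCK))


def per_block_verdict(data: bytes, threshold: float = 7.8) -> bool:
    """The granular rule: flag the file if any single block looks like ciphertext."""
    return max_block_entropy(data) >= threshold


if __name__ == "__main__":
    partial = intermittent_encrypt(PLAINTEXT, KEY, every=4)
    full = intermittent_encrypt(PLAINTEXT, KEY, every=1)
    for label, blob in (("plaintext", PLAINTEXT), ("intermittent", partial), ("full", full)):
        print(f"{label:12s} whole={shannon_entropy(blob):.2f} "
              f"max_block={max_block_entropy(blob):.2f} "
              f"file_rule={whole_file_verdict(blob)} block_rule={per_block_verdict(blob)}")
```

The three printed rows make the trade-off visible: full encryption trips the file-level rule, intermittent encryption does not, and only the per-block maximum flags both. An entropy check has to be evaluated at the granularity the attacker encrypts at, which is why mass-rename rate and canary files are the more robust signals in practice.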
10. ShinyHunters — The Data Broker That Became a Ransomware Group
ShinyHunters is the oddest entry on this list because it is not, historically, a ransomware group. The name has been attached to large-scale data theft and dark-web data sales since 2020, most famously the 2021 AT&T data exposure. In February 2026, Breachsense observed ShinyHunters appearing on ransomware leak sites for the first time with 10 claimed victims, suggesting the group has either added encryption capability to its toolkit or is partnering with existing ransomware affiliates.
The evolution matters beyond ShinyHunters itself. It signals a convergence: data theft operations adding extortion capabilities, ransomware operations shifting toward data-theft-only models, and the boundary between the two blurring into a single “cyber extortion” category. A January 2026 ShinyHunters vishing campaign targeting corporate single sign-on (SSO) accounts indicates where the tradecraft is heading — identity-first compromise, no malware required, followed by extortion based on whatever data the credentials unlock.
What This Ranking Actually Tells You
Three structural patterns define 2026’s ransomware ecosystem, and they matter more than any individual group on this list.
First, fragmentation has accelerated past the point where law enforcement disruption produces meaningful aggregate relief. RAMP’s seizure in January dispersed affiliates to ReHub and other successor forums within weeks. Operation Cronos scattered LockBit affiliates into Qilin and RansomHub; RansomHub’s 2025 collapse scattered them again. The affiliate pool keeps expanding.

Second, initial access has consolidated around a small set of techniques: stolen credentials from infostealer logs, unpatched internet-facing appliances (particularly VPNs and firewalls), and social engineering of IT service desks. The MITRE ATT&CK technique set for ransomware initial access in 2026 is narrower than it was in 2023, not broader.

Third, the distinction between ransomware and extortion-only operations is effectively gone. Cl0p rarely encrypts. Everest stopped encrypting. ShinyHunters added ransomware-adjacent extortion. The encrypt-or-don’t question is now a tactical choice, not a categorical one.
For defenders, the takeaway is unglamorous. Behavioral monitoring of identity, access, and lateral movement matters more than brand-specific indicator feeds. Credential exposure monitoring matters more than the latest ransomware signature. The groups that scale in 2026 aren’t technically unprecedented — they’re operationally disciplined, with stable infrastructure, functioning affiliate programs, and a willingness to target what other groups won’t. The rest is volume.
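As an added example of what behavioral monitoring of identity, access, and lateral movement looks like in practice (this is not the article’s code; the log format, field names and the per-user source-network baseline are all constructed for the demo), the Python below correlates a successful VPN login from a network the account has never used with a fan-out of logons to many distinct hosts in the following 15 minutes. That pairing is the shape of the appliance-and-credential initial access described above, whichever brand is behind it. A login from an unfamiliar network on its own is deliberately not flagged, which keeps the traveling user out of the alert queue.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Per-user "known" source networks. In production this is learned from 30-90 days
# of successful logins; here it is constructed for the demo. bnguyen has no baseline.
BASELINE = {
    "asmith": ["203.0.113.0/24"],
    "jdoe": ["198.51.100.0/24"],
}
WINDOW = timedelta(minutes=15)  # how long after the VPN login to look for fan-out
FANOUT = 5                      # distinct hosts that count as lateral movement

# Constructed log lines, one JSON object per line, using RFC 5737 documentation ranges.
SAMPLE_LOGS = """
{"ts":"2026-03-02T08:01:12Z","event":"vpn_login","user":"asmith","src_ip":"203.0.113.10","result":"success"}
{"ts":"2026-03-02T08:03:40Z","event":"host_logon","user":"asmith","dst_host":"FS01"}
{"ts":"2026-03-02T08:09:05Z","event":"host_logon","user":"asmith","dst_host":"APP02"}
{"ts":"2026-03-02T21:14:33Z","event":"vpn_login","user":"jdoe","src_ip":"198.51.100.23","result":"success"}
{"ts":"2026-03-02T21:20:10Z","event":"host_logon","user":"jdoe","dst_host":"FS01"}
{"ts":"2026-03-03T02:47:09Z","event":"vpn_login","user":"jdoe","src_ip":"192.0.2.77","result":"failure"}
{"ts":"2026-03-03T02:47:41Z","event":"vpn_login","user":"jdoe","src_ip":"192.0.2.77","result":"success"}
{"ts":"2026-03-03T02:49:02Z","event":"host_logon","user":"jdoe","dst_host":"DC01"}
{"ts":"2026-03-03T02:49:30Z","event":"host_logon","user":"jdoe","dst_host":"FS01"}
{"ts":"2026-03-03T02:50:11Z","event":"host_logon","user":"jdoe","dst_host":"FS02"}
{"ts":"2026-03-03T02:51:48Z","event":"host_logon","user":"jdoe","dst_host":"ESX-MGMT"}
{"ts":"2026-03-03T02:53:05Z","event":"host_logon","user":"jdoe","dst_host":"BACKUP01"}
{"ts":"2026-03-03T02:55:27Z","event":"host_logon","user":"jdoe","dst_host":"SQL01"}
{"ts":"2026-03-03T02:56:00Z","event":"host_logon","user":"jdoe","dst_host":"FS01"}
{"ts":"2026-03-03T09:30:00Z","event":"vpn_login","user":"bnguyen","src_ip":"192.0.2.200","result":"success"}
{"ts":"2026-03-03T09:35:00Z","event":"host_logon","user":"bnguyen","dst_host":"APP02"}
"""


def parse_events(text: str) -> list:
    """Parse JSON-per-line logs into dicts with a timezone-aware datetime, sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        events.append(e)
    events.sort(key=lambda e: e["ts"])
    return events


def from_known_network(user: str, src_ip: str) -> bool:
    """True if the source address falls inside one of the user's baseline networks."""
    addr = ip_address(src_ip)
    return any(addr in ip_network(cidr) for cidr in BASELINE.get(user, []))


def detect(events: list) -> list:
    """One alert per successful VPN login from an unknown network that is followed,
    inside WINDOW, by logons to at least FANOUT distinct hosts by the same account."""
    logons = defaultdict(list)
    for e in events:
        if e["event"] == "host_logon":
            logons[e["user"]].append((e["ts"], e["dst_host"]))

    alerts = []
    for e in events:
        if e["event"] != "vpn_login" or e["result"] != "success":
            continue
        if from_known_network(e["user"], e["src_ip"]):
            continue  # familiar network: not anomalous access on its own
        hosts = sorted({h for ts, h in logons[e["user"]]
                        if e["ts"] <= ts <= e["ts"] + WINDOW})
        if len(hosts) >= FANOUT:
            alerts.append({"user": e["user"], "ts": e["ts"].isoformat(),
                           "src_ip": e["src_ip"], "distinct_hosts": len(hosts),
                           "hosts": hosts})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOGS)):
        print(json.dumps(alert))
```

On the sample data only jdoe’s 02:47 login fires: the source is outside the account’s baseline, and six distinct hosts, including the domain controller, the hypervisor management host and the backup server, are touched within eight minutes. The failed login seconds earlier is a useful enrichment field but not a trigger on its own, and bnguyen’s unfamiliar-network login with a single host logon stays quiet. The same two-signal structure transfers to any identity source (IdP, RADIUS, Windows 4624/4648 events) without caring which group is on the other end.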