2,318 confirmed ransomware victims across 3 months. 270 active groups. 15 sectors targeted. The ransomware ecosystem is accelerating, this is what Q1 2026 looked like.
2,318total victims
270active groups
15sectors targeted
20+countries affected
+18.5%Jan–Mar growth
Key intelligence highlights
Qilin dominated Q1 with 370 victims (16% market share), absorbing talent from dissolved Black Basta syndicate
Black Basta internal chat leak in February 2026 precipitated the group's dissolution, spawning CipherForce and redistributing affiliates
ShinyHunters conducted aggressive EU cloud breach campaign: 344GB exfiltrated from a major EU government institution
TeamPCP executed multi-ecosystem supply chain attack across GitHub, npm, PyPI, and Docker Hub
CipherForce partnered with TeamPCP to breach 36+ automotive manufacturers via IDOR vulnerabilities
Technology (268 victims) and Manufacturing (255 victims) were the most targeted sectors
United States accounted for 41% of all victims (957); Europe collectively 18.3% (424 victims)