Ransomware is not slowing down, folks. If anything, the whole thing is getting weirder, louder, and much harder for companies to handle.
A new report from ReliaQuest says ransomware posts on data-leak sites hit 2,638 in Q1 2026. That is up 22 percent from 2,161 in Q1 2025. In other words, the criminals are still very busy, and businesses are still very much in the crosshairs.
But the scary part is not just the number of victims. It is the chaos around the attacks.
The familiar names are still causing trouble. Akira and Qilin remain active, and both continue to put up big victim counts. But ReliaQuest says a group called The Gentlemen suddenly jumped into the top tier, with activity rising 588 percent quarter over quarter. That is a wild climb, going from 26 posts in Q4 2025 to 179 in Q1 2026.
That kind of growth usually makes you wonder what changed. A new exploit? A big campaign? Some flashy malware update? ReliaQuest says there was no single obvious trigger. Instead, The Gentlemen appears to have built a working operation with capable affiliates, repeatable tactics, and a generous 90/10 profit split for partners. Apparently, even ransomware gangs have to compete for talent now. Wonderful.
The group claims to offer ransomware for Windows, Linux, NAS, and BSD systems, along with a separate ESXi encryptor. That Linux bit matters, because criminals are not just chasing Windows desktops anymore. Servers, virtualization platforms, and storage boxes are where the juicy stuff lives.
Then there is the fake leak problem.
ReliaQuest points to 0APT and ALP-001 as examples of newer leak-site actors using questionable or possibly fabricated breach claims to pressure large companies. That may sound less serious than a real breach, but it still creates a mess. Once a company is named on a leak site, someone has to investigate. Lawyers get involved. Executives start asking questions. PR teams panic. Customers may start calling.
Even a fake claim can become expensive.
That is the rotten genius of this scam-style extortion. The attacker does not always need to prove much. They just need to create enough fear to force a response.
ShinyHunters is another reminder that modern extortion does not always require old-school ransomware. ReliaQuest says the group listed only 34 organizations in Q1, but still caused outsized impact by focusing on identity, SaaS platforms, and mobile-heavy social engineering.
Instead of dropping encryptors, attackers may call employees on personal phones, pretend to be IT support, and push them toward fake Okta-style login pages. Once credentials are captured, they can reset passwords, enroll new MFA devices, and move into SaaS tools like Salesforce and SharePoint. From there, data can be stolen through normal-looking APIs and bulk downloads.
No scary ransom note needed. No blinking red malware alert. Just stolen access and a lot of sensitive data leaving through trusted systems.
That is probably the most important lesson from the report. Ransomware is no longer just about locking files. It is about leverage. Sometimes that means encryption. Sometimes it means stolen SaaS data. Sometimes it means a shady leak-site post that may not even be real.
ReliaQuest also says active data-leak sites reached a record high of 91 in Q1 2026. That means more noise, more claims, and more pressure on defenders to separate real incidents from garbage. Unfortunately, the clock is not on their side. Groups like Akira can move laterally in minutes, which gives security teams very little breathing room.
Professional, scientific, and technical services remained the most targeted sector for the fourth straight quarter. Law firms are an especially nasty target because they hold privileged communications, tax records, financial documents, and sensitive case materials. If one shared provider or cloud repository gets popped, the damage can spread beyond a single firm.
The U.S. remains the biggest target, which is not shocking. Big market, lots of companies, plenty of money, and a whole lot of systems to attack. India also saw increased activity, which matters because many global companies depend on India-based suppliers, subsidiaries, manufacturing operations, and outsourced IT teams.
For defenders, the takeaway is brutally simple. Stop obsessing over which gang name is hot this quarter and focus on the behaviors that keep showing up. Exposed VPNs. RDP abuse. Stolen credentials. MFA tampering. Lateral movement through admin tools. Suspicious SaaS exports. Big file transfers. Security tools getting disabled.
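The identity-first chain described above (password reset, new MFA device, then a bulk SaaS export) is exactly the kind of behavior pattern the report urges defenders to watch. The following detection sketch is an added example, not code from ReliaQuest or from this article; the audit events, field names (`event`, `ip`, `records`), thresholds and known-IP baseline are all constructed assumptions to be mapped onto a real IdP or SaaS audit log.

```python
from datetime import datetime, timedelta

# Constructed identity/SaaS audit events (not real data). Field names are
# assumptions; map your IdP/SaaS export fields onto them.
EVENTS = [
    {"ts": "2026-03-02T13:01:00", "user": "j.doe", "event": "password_reset", "ip": "198.51.100.7"},
    {"ts": "2026-03-02T13:04:00", "user": "j.doe", "event": "mfa_enroll", "ip": "198.51.100.7"},
    {"ts": "2026-03-02T13:31:00", "user": "j.doe", "event": "bulk_export", "ip": "198.51.100.7", "records": 480000},
    {"ts": "2026-03-02T09:00:00", "user": "a.lee", "event": "password_reset", "ip": "203.0.113.5"},
    {"ts": "2026-03-03T10:00:00", "user": "a.lee", "event": "bulk_export", "ip": "203.0.113.5", "records": 200},
]

# Assumed baseline of known-good source IPs per user (office egress, corporate VPN).
KNOWN_IPS = {"j.doe": {"203.0.113.5"}, "a.lee": {"203.0.113.5"}}

WINDOW = timedelta(hours=2)        # how long after a reset the chain must complete
EXPORT_THRESHOLD = 10_000          # records per export considered "bulk"

def detect_identity_takeover(events, known_ips, window=WINDOW, threshold=EXPORT_THRESHOLD):
    """Flag users whose password reset is followed within `window` by an MFA
    enrollment and a bulk export; a source IP outside the baseline raises severity."""
    alerts = []
    by_user = {}
    for e in sorted(events, key=lambda e: e["ts"]):       # ISO timestamps sort lexically
        by_user.setdefault(e["user"], []).append(e)
    for user, evs in by_user.items():
        for i, reset in enumerate(evs):
            if reset["event"] != "password_reset":
                continue
            t0 = datetime.fromisoformat(reset["ts"])
            chain = [x for x in evs[i + 1:] if datetime.fromisoformat(x["ts"]) - t0 <= window]
            enrolled = any(x["event"] == "mfa_enroll" for x in chain)
            big_export = any(x["event"] == "bulk_export" and x.get("records", 0) >= threshold
                             for x in chain)
            if enrolled and big_export:
                ips = {x["ip"] for x in [reset] + chain}
                new_ip = not ips <= known_ips.get(user, set())
                alerts.append({"user": user, "start": reset["ts"], "new_source_ip": new_ip,
                               "severity": "high" if new_ip else "medium"})
    return alerts

if __name__ == "__main__":
    for a in detect_identity_takeover(EVENTS, KNOWN_IPS):
        print(a)
```

The rule deliberately requires all three steps inside the window so that a routine help-desk reset or a small legitimate export on its own does not alert.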
The criminal branding changes. The tricks underneath are often familiar.
Ransomware in 2026 is not just bigger. It is messier. Some groups are skilled. Some appear to be bluffing. Some skip encryption entirely. But all of them are feeding the same ugly machine, and companies that treat ransomware as yesterday’s problem are going to have a very bad time.
NERDS.xyz is independently owned and operated. If you enjoy my coverage of Linux, AI, hardware, cybersecurity, and tech culture, consider supporting the site on Ko-fi.