2026年第一季度勒索软件状况：大规模整合

Insights into fewer groups driving Ransomware in Q1 2026:Consolidation at Scale010101010101From Fragmentationto Consolidation020202020202Notable Surgesand Decline030303030303Actor Spotlight: The Gentlemen —The Breakout Story of Q1 2026040404040404Geographic Distributionof Victims070707070707LockBit 5.0:Making a Comeback050505050505Ransomware Attacksby Industry080808080808DragonForce: The CartelModel Under Pressure060606060606Conclusion090909090909 Ransomware activity remained elevated in Q1 2026, continuing the trendestablished According to the State of Ransomware Q1 2026 report from Check Point Research, overall attackvolume stayed near historic highs. At the same time, the structure of the ransomware ecosystemchanged materially. After two years of increasing fragmentation, activity isconsolidatingaround The top 10 ransomware groups accounted for71% of all victims, reversing the fragmentedlandscape seen throughout much of 2025. 2,122 organizations were listed onransomware data leak sites in Q1 2026,making it the second-highest Q1 on record. The Gentlemenemergedas the breakoutgroup, increasing activity from 40 victims inQ4 2025 to 166 in Q1 2026. Qilinremainedthe most active ransomwareoperation for the third consecutive quarter, Taken together, these figures show thatransomware volume has stabilized at ahigh baseline, while operational power is LockBitconfirmed its comeback, posting163 victims and re-entering the global top Ransomware in Q1 2026:Consolidation at Scale010101010101 During the first quarter of 2026, we monitored more than 70 active data leak sites (DLS) thatcollectively listed 2,122 new victims. This figure represents a 12.2% decline from the Q4 2025 all-time record of 2,416 victims but remains the second-highest Q1 on record at 117% above Q1 2024(977 victims) and is keeping in line with the elevated baseline established through 2025. Monthly volumes within Q1 were consistently stable: in January there were 732 recorded victims,684 in February, and 706 in March. This reflects a sustained operating rate of an average of 707 The headline year-over-year (YoY) comparison shows a 7.1% decline from the 2,285 victims in Q12025. However, this comparison is misleading as the Q1 2025 numbers were heavily inflated by Cl0p’sCleo mass-exploitation campaign which contributed approximately 390 victims in a single burst. Ifwe exclude Cl0p from both periods, there were 1,894 victims in Q1 2025 versus 1,995 in Q1 2026, anactual YoY increase of 5.3%. The underlying growth trend in ransomware operations persists, even as From fragmentationto consolidation020202020202 The most significant structural development seen in Q1 2026 is not the volume of attacksbut the consolidation of the different operatorsconducting them. After two years of steadyfragmentation, during which the number of Groups such as Qilin, Akira, The Gentlemen, andLockBit, who together claimed 41% of all victimsin Q1, capitalized on the instability of theircompetitors. In Q1 2026, Qilin alone posted more In Q1 2026, the top 10 groups accounted for71.1% of all DLS-posted victims, which is thehighest concentration since Q1 2024 when theecosystem was far smaller. The number of activegroups shrank from 85 to 71. Fourteen groupsthat were active in Q4 2025 disappeared entirely, This dynamic carries implications beyondstatistics. The consolidation of the ecosystemaround fewer, more dominant operatorschanges its character. Larger RaaS brandsinvest in operational consistency, includingfunctional decryption tools, because theirbusiness model depends on the perceptionthat victim payment results in data recovery.In contrast, the ransomware fragmentation This is a common pattern repeated throughoutthe ecosystem’s history: law enforcement actionsdisrupt the ransomware market, affiliatesscatter, and survivors who avoid disruption Notable surgesand declines030303030303 Comparing the data between Q4 2025 and Q1 2026 reveals which groups are absorbing the affiliatetalent pool, and which are failing to take advantage of it. Nightspire, a closed-group operation withOneDrive cloud encryption capability, expandedby 183% from 29 victims to 82, sustaining The Gentlemen grew by 315%, going from40 claimed victims to 166, making them thebiggest story of Q1 2026, covered in detail Play posted a 64% increase, going from 74victims to 121. LockBit 5.0 activity increased by 106%, from79 victims to 163. Devman declined by 70%, from 82 victims to 25.The ransomware’s operator "Tramp", a formerConti and Black Basta affiliate, was added toInterpol's wanted list in January 2026. All three SafePay fell by 77%, going from 97 victimsto 22. SafePay is a centralized, non-RaaSoperation whose DLS was marked inactivefrom mid-March 2026 through early April for Sinobi dropped by 42%, from 139 victimsto 80. After a strong January (56 victims),activity collapsed to just 7 victims in March.As of the time of this publication, no 040404040404Actor Spotlight: The Gentleme