The Rise of the Oligopoly: How Qilin, LockBit, and The Gentlemen Dominate the 2026 Ransomware Landscape

The ransomware landscape is undergoing a period of significant consolidation as major syndicates reassert their dominance. After two years characterized by fragmentation and the emergence of myriad minor actors, the cybercriminal underworld is swiftly reverting to an oligopolistic model wherein a few elite operators orchestrate the vast majority of incursions. During the inaugural quarter of 2026, the ten most prolific groups were responsible for a staggering 71% of all documented encryption-based assaults.

Analysts from Check Point Research determined that between January and March 2026, the data of 2,122 victims surfaced on various leak portals. While this figure represents a slight decline from the record-breaking fourth quarter of 2025—which saw 2,416 reported incidents—it remains the second-highest first-quarter tally in historical records.

For the third consecutive quarter, Qilin maintained its position as the most aggressive entity, disclosing data from 338 victims. Akira secured the second position, while the quarter’s most notable revelation was the ascension of The Gentlemen. Virtually unknown as recently as the autumn of 2025, the group has surged to third place globally, escalating its offensive volume from 40 to 166 incidents in a single trimester.

Furthermore, the resurgence of LockBit has commanded significant analytical attention. Following the disruption of its infrastructure in 2024, many declared the project defunct; however, the deployment of LockBit 5.0 has facilitated a rapid recovery. The syndicate reported 163 victims this quarter, climbing to the fourth position among the world’s most active extortionists.

A defining characteristic of 2026 has been the contraction of the competitive field. The number of active operators dwindled from 85 in the third quarter of 2025 to 71 at present. Fourteen groups vanished entirely, while the majority of newcomers failed to secure even ten victims. This vacuum was promptly filled by established titans, who successfully cannibalized the infrastructure and affiliates of their weakened rivals.

The authors of the report posit that law enforcement pressure inadvertently fosters market concentration. When infrastructure is dismantled or arrests are made, marginalized participants exit the market, leaving resilient, large-scale projects to absorb their influence. This dynamic has fortified Qilin, Akira, The Gentlemen, and LockBit, which collectively accounted for nearly half of all quarterly attacks.

The Gentlemen is distinguished as the most formidable new entry in recent months. The project was conceived by a former Qilin affiliate operating under the pseudonym Hastalamuerte, reportedly following a dispute over an unpaid commission of approximately $48,000. Leveraging prior expertise with Qilin, Embargo, LockBit, and Medusa, the operators deployed refined toolsets to launch large-scale offensives from their inception.

The primary strategic advantage for The Gentlemen lies in their vast arsenal of compromised FortiGate devices. The group reportedly commands approximately 14,700 systems breached via the CVE-2024-55591 vulnerability in FortiOS and FortiProxy, alongside nearly a thousand active VPN credentials. This extensive cache of pre-established access enables them to execute incursions with far greater velocity than conventional affiliates.

The group also exhibits an unorthodox geographic focus. While the United States typically accounts for nearly half of global ransomware victims, only 13.3% of The Gentlemen’s targets were American. Instead, their primary focus shifted toward Thailand, Brazil, and India—a distribution that aligns with the location of the vulnerable FortiGate devices they secured beforehand.

Similarly, LockBit has recalibrated its target selection. Prior to its infrastructure being compromised, over half of its victims were located in the U.S.; in 2026, this figure plummeted to 21%. The syndicate has instead intensified its efforts in Italy, Brazil, and Turkey, likely in an attempt to mitigate the risk of further retribution from American law enforcement agencies.

While the U.S. continues to lead global statistics, Thailand has made its inaugural appearance in the top ten most targeted nations, with over half of its incidents attributed to The Gentlemen. In certain regions, a single group dictates the statistical narrative: LockBit dominates Mexico, while Cl0p accounts for the majority of Australian breaches through the widespread exploitation of an Oracle EBS vulnerability.

Sectorally, industrial manufacturing, consumer goods, and professional services remain the most afflicted. However, strategic nuances persist among the operators: Akira targets manufacturing and supply-chain entities where downtime is prohibitively expensive, thereby increasing the likelihood of a settlement. Conversely, Anubis frequently targets healthcare and critical infrastructure.

Ultimately, the ransomware market has entered a mature phase. Major operators have become technologically more sophisticated, globally more agile, and increasingly resilient to systemic shocks. Concurrently, as ransom yields decline to historic lows, smaller entities find it increasingly difficult to compete with the titans of the industry.