GuidePoint Security: Ransomware Activity Stays High Amid New Threat Groups

GuidePoint Security, the cybersecurity advisor and services partner organizations rely on to protect what matters most, released the GuidePoint Research and Intelligence Team’s (GRIT) Q1 2026 Ransomware and Cyber Threat Insights Report. The report reveals that ransomware activity remained high yet stable throughout the first quarter of 2026, marked by sustained attack volumes, notable shifts in threat actor behavior and the continued emergence of new criminal groups.

Recommended: RAG vs Fine-Tuning vs Agents: Choosing the Right AI Approach

Threat actors are adapting quickly—refining tactics, targeting new industries and scaling operations in ways that make this a persistent challenge for organizations of all sizes.

Victim post rates averaged approximately 150-200 per week—holding steady both quarter-over-quarter (QoQ) and year-over-year (YoY)—signaling that high-volume ransomware activity has become the new normal. Beneath the consistent headline numbers, however, the composition of the threat landscape is changing: new groups are scaling rapidly, established players are losing momentum and extortion-only operations are growing in prevalence.

“What we’re seeing is a ransomware ecosystem that has stabilized at a high level, but continues to evolve,” said Justin Timothy, Principal Threat Intelligence Analyst at GuidePoint Security. “Threat actors are adapting quickly refining tactics, targeting new industries and scaling operations in ways that make this a persistent challenge for organizations of all sizes.”

Key findings from the report include:

• Ransomware activity remains elevated. After a late 2025 surge, ransomware volume in Q1 held steady both QoQ and YoY, signaling that elevated attack levels have become the new normal.
• The United States is the leading ransomware target. 51% of observed ransomware victims in Q1 2026 were based in the United States, followed by the United Kingdom (4%) and Canada (4%).
• Ransomware activity intensifies in the construction sector. While manufacturing remained the most impacted industry, the construction industry joined the top 5 most impacted industries with 131 ransomware victims in Q1 2026—a 44% increase year-over-year.
• Data extortion-only attacks are increasing. Threat actors are bypassing encryption in favor of data theft and extortion-only operations, reflecting an evolution in ransomware tactics.
• New threat groups are rapidly gaining ground. The Gentlemen, a RaaS group which emerged in August 2025, surged from 35 victims in Q4 2025 to 182 in Q1 2026, becoming the second most active group. Meanwhile, activity from established groups Qilin and Akira declined by 25% and 22%, respectively.

“From a global lens, modern cyber threats are becoming a reflection of geopolitical tensions, with ransomware actors and ‘hacktivist’ proxies increasingly adopting each other’s tactics,” Timothy added. “This evolution focuses on high-impact, tactical disruptions paired with sophisticated psychological operations to exaggerate capabilities or even weaponize historical breaches to disrupt threat assessment and response. Organizations should continually assess their specific risk exposure, regional involvement and supply chain dependencies when determining appropriate defensive postures.”

Recommended: AI-Powered DevOps: From CI/CD to Continuous Intelligence

The report also examines the lingering impact of large-scale exploitation campaigns from late 2025, the lag between intrusion activity and public victim disclosures and the growing adoption of extortion-only operations across the ransomware ecosystem.

The GRIT Q1 2026 Ransomware & Cyber Threat Insights Report is based on data obtained from publicly available resources, vendor threat research, internal incident response case data and open-source intelligence collected from illicit forums and marketplaces.

Write to us [⁠wasim.a@demandmediaagency.com] to learn more about our exclusive editorial packages and programmes.