BlackFog, the ransomware prevention and anti data exfiltration (ADX) solutions provider, has revealed findings from its analysis of global ransomware activity from January – March 2026 covering both publicly disclosed and undisclosed attacks.
The findings reveal that the true scale of the threat remains vastly underreported with only one in nine ransomware attacks publicly disclosed. In total 2,160 undisclosed ransomware attacks were identified during the quarter, representing a 2% increase in attacks year-on-year, with victims spread across 97 countries.
Meanwhile, 264 publicly disclosed attacks were recorded. Although this figure is a 15% decrease compared to the same period the previous year, the findings show that ransomware remains a persistent and highly active threat.
Key findings
Ransomware activity in Q1 2026 continued to demonstrate both the scale and diversity of modern attacks. In terms of disclosed attacks for this period, the analysis reveals:
- The average ransom demand exceeded $1M ($1,028,214)
- Organizations across 39 countries were impacted
- Attacks on the logistics sector surged 200% YoY
- Healthcare was the most targeted sector, accounting for 72 attacks (27%)
- Government entities experienced 32 attacks (12%), followed by technology at 28 attacks (11%)
Fragmented ransomware groups
The report highlights a fragmented ransomware landscape. Among publicly disclosed attacks, Qilin was the most active variant, responsible for 22 attacks (8%). ShinyHunters followed with 16 attacks (6%), and INC accounted for 11 attacks (4%). Notably, 38% of all publicly disclosed ransomware incidents were not attributed to any known group.
In terms of undisclosed attacks, Qilin again led with 339 attacks (16%), followed by The Gentlemen with 200 (9%) and Akira with 190 (9%). In total,79 ransomware groups claimed victims during the three-month period.
The gentlemen: A growing force in the ransomware landscape
During this quarter, The Gentlemen quickly established itself as one of the most active ransomware groups, ranking second by volume of attacks. Since its emergence in 2025 through to the end of Q1 2026, the group has claimed 273 attacks, reflecting a rapid scale-up in operations and a broader trend of new entrants operating with a high level of maturity from the outset.
Emerging threats enabling data exfiltration
The focus for attackers remains on credential theft, maintaining persistent access, and data exfiltration, with exfiltration rates staying critically high in Q1 at 96%. The average volume of data stolen per undisclosed incident reached 743GB, with victims given an average of just 7.7 days to meet ransom demands.
Threat actors are also leveraging AI to streamline and scale data theft. Campaigns such as LotAI demonstrate how AI tools can be used to automate data collection and exfiltration. Platforms like ClawdBot and OpenClaw further highlight how AI-driven infrastructure can aggregate, process and manage stolen data more efficiently.
Commenting on the findings, Dr. Darren Williams, Founder and CEO of BlackFog, said: “A 15% year-on-year decline in reported attacks may suggest progress, but the reality is very different. Ransomware remains a persistent and highly active threat, with attackers increasingly using AI to automate data theft at scale. With data exfiltration now occurring in 96% of attacks, the question for every organisation is no longer whether their data is at risk – but whether they can stop it leaving their systems before damage is done.”
Methodology
This report was generated in part from data collected by the BlackFog Console over the specific report period January – March 2026. It highlights significant events that prevented or reduced the risk of ransomware or a data breach and provides insights into global trends for benchmarking purposes. This report contains anonymised information about data movement across hundreds of organisations and should be used to assess risk associated with cybercrime.
Industry classifications are based upon the ICB classification for Supersector used by the New York Stock Exchange (NYSE).
All recorded events are based upon data exfiltration from the device endpoint across all major platforms.
