
Ransomware groups offer 57% median discount: how leaked negotiations reveal a professionalized sales playbook

Cover image: ransomware research, 2026 Q1

Summary: While ransomware incidents dropped by 21.5% in early 2026, with only 2,283 incidents recorded, things are still unpredictable on the threat side. Our additional analysis of leaked conversations reveals that ransomware groups now approach extortion like a business, making negotiations feel like a transactional customer support interaction.

Ransomware activity took a dip in the first quarter of 2026, with only 2,283 incidents recorded—a 21.5% decrease from the record-breaking surge seen in late 2025. Despite this slowdown, things are still unpredictable on the threat side. Attackers are increasingly targeting the lower middle market, with small and medium-sized businesses (SMBs) accounting for the vast majority of victims.

Our analysis of 246 unique leaked conversations between ransomware groups and victim companies from 2020 to 2026 reveals a professionalized approach to extortion. These exchanges are surprisingly transactional, with the initial ransom often serving as a high starting point for negotiation. The median discount for those who paid was 57%, but the flexibility of these groups can be extreme: some attackers were willing to drop their price by as much as 96.2% just to secure a quick payout.

What is ransomware?

Ransomware is malicious software that restricts access to a computer system or its data by encrypting files or locking systems, holding them hostage in exchange for a payout. It usually enters systems via email phishing, social engineering, malvertising, and exploit kits. Once inside, cybercriminals also steal data and threaten to publish it if the ransom isn’t paid on time.

The problem is, paying doesn't guarantee safety. Attackers could resell stolen data later, or in rarer cases, refuse to hand over the decryption key altogether. While these scenarios are less common, there are no guarantees.

Unpacking ransomware statistics: why did ransomware attacks dip?

While the 2,283 ransomware incidents reported between January and March of 2026 represent a 21.5% decrease from the previous quarter’s peak, the drop is less significant when viewed in a year-over-year context. Compared with Q1 2025, when the Cl0p Leaks group reemerged and pushed attack numbers to 2,498, activity in Q1 2026 slowed by only 8.6%.

“Ransomware activity surged in Q4 2025, most likely due to attackers exploiting end-of-year cybersecurity gaps caused by reduced human resources in organizations,” says Vakaris Noreika, a Cybersecurity Expert at NordStellar. “In Q1 2026, established ransomware groups like Sinobi and Cl0p Leaks experienced a sharp decline, most likely due to law enforcement operations. However, other actors filled the gap, notably the Gentlemen group, which was quiet last quarter but is now the second-most active ransomware group so far this year.”

Rather than viewing this slowdown as a permanent decline, companies should view it as a tactical pause. As one group retreats, another often takes its place. So, maintaining your current security investments is more effective than reducing your efforts during these temporary dips in activity.

A chart showcasing ransomware incidents

Leaked ransomware negotiations expose threat actors’ tactics

The ransomware negotiation exchanges have become surprisingly transactional, often resembling a typical customer support or sales interaction. While 25.6% of these negotiations ended in a ransom payment, the ransom amounts demanded were highly flexible. The median discount for those who paid was 57%, with some attackers willing to drop their price by as much as 96.2%. This suggests that, for many ransomware groups, the initial demand is merely the beginning of a calculated sales cycle.

A table of common ransomware group tactics (partially blurred)

For example, tension intensified in one of the most aggressive negotiations analyzed after the victim company mentioned law enforcement. Yet, even with the involvement of authorities, the initial demand of $150,000 was eventually settled at $120,000—a 20% discount.

A chat between ransomware group and victim company

“Attackers often have a ‘discount phase’ early on—they’ll reduce the initial demand by 25%–70% if companies engage quickly. This is a sales tactic,” says Mantas Sabeckis, a Senior Threat Intelligence Researcher at Nord Security.

Additionally, these negotiation messages show how the RaaS model has turned cybercrime into a structured business. Sabeckis notes that attackers now frequently upsell their services: while a standalone decryption tool is the most common offering (21.6%), they also pitch data removal and other security services as separate, add-on purchases.


Main targets of ransomware in Q1 2026

In this section, let’s take a closer look at the targets and break them down by country, industry, and business size.

By country

US businesses took the most brutal hit with 914 attacks, as ransomware activity remained nearly the same as in Q4 2025, showing a slight 2% decline from 932 the previous quarter.

Canada was the second-most-affected country, with 86 cases—a 20% decrease from the 108 cases recorded in Q4 2025. In contrast, the United Kingdom moved from fourth to third position as incidents increased by 27%, from 62 to 79. Germany maintained its ranking with a modest 6% increase to 68 attacks, while France entered the top 5 with 52 reported incidents.

A chart with the most affected countries in 2026 Q1

By industry

Manufacturing remains the primary target with 323 attacks this quarter, despite a 16% decrease from the 386 incidents recorded in Q4 2025. Information technology and construction swapped positions: IT now holds second place with 152 attacks, while construction moved to third with 147. Even with its slight dip, manufacturing still faces more than double the incidents of the second-most targeted industry.

Professional, scientific, and technical services saw a slight decline, dropping from 147 to 145 attacks. Meanwhile, the healthcare sector remained stable with 112 attacks, compared to 111 in the previous quarter.

A chart depicting the most affected industries.

By business size

Small to medium-sized businesses with revenues between $5M and $25M remain the primary targets, accounting for 127 attacks this quarter. While this represents a decrease from the 229 incidents recorded in Q4 2025, this segment continues to face the highest volume of threats.

This targeting pattern is even more evident when looking at employee count. Small businesses with 11–200 employees accounted for the largest share of ransomware victims this quarter, with a combined total of 930 attacks. The only business size category to show growth in incidents was the 51–200 employee tier, where incidents rose slightly from 474 to 483.

The data confirms that threat actors still favor the lower middle market, mirroring the ransomware trends seen throughout 2025. While organizations with revenues exceeding $1B saw the sharpest drop in attacks—falling from 60 to 23 ransomware incidents—you can see that mid-market firms and smaller businesses remain under sustained pressure.

Pie charts showing affected companies by revenue and employees

The Gentlemen ransomware group emerges in the top 5

Qilin remains the dominant ransomware group despite a 27% decline in ransomware attacks—from 489 to 356. Meanwhile, the Gentlemen group emerged as the second-most active threat actor, launching 207 attacks after not appearing in the top 5 last quarter. Akira and INC Ransom maintained their positions, though both saw decreased activity, with drops of 41% and 8%, respectively.

A chart showing the most notorious ransomware groups in 2026 Q1

Notably, Sinobi disappeared from the rankings altogether while Cl0p slowed operations by 36%. These shifts suggest that successful law enforcement interventions or strategic changes are forcing established groups to scale back, even as new actors move in to fill the gap.

Building a ransomware-resistant business

Even with the dip in ransomware attacks this quarter, the persistence of these threats remains high. Therefore, maintaining your current security investments is far more effective than scaling back during these temporary lulls. To build long-term resilience, Noreika advises prioritizing basic security hygiene. This includes updating and patching systems and applications, using multi-factor authentication, and implementing strict password policies. It is also essential to enforce a zero-trust framework so that malware which does get in cannot spread freely across your network.

“For early threat prevention and detection, intelligence is key—it enables businesses to patch critical vulnerabilities and detect indicators of compromise as soon as possible,” says Noreika. “Data leaked onto the dark web may expose credentials or sensitive details that attackers can exploit to gain unauthorized access. An early alert allows organizations to reset passwords, revoke access keys, disable compromised accounts, and support faster incident response.”

Noreika also emphasizes that having a ransomware incident response plan is crucial for limiting a breach. Coupled with a recovery strategy and regular data backups, these steps help you minimize operational downtime and quickly regain control if an incident occurs.

Methodology

We continuously monitor over 200 blogs run by ransomware groups. The available ransomware data on these blogs typically includes the names of the attacked companies, descriptions of the incidents, and sometimes samples of the stolen files proving the attacks’ legitimacy. These groups publish their victims’ names as a tactic to pressure them into paying the ransom. They often add a countdown timer, after which they threaten to leak the stolen data if the ransom is not paid.

Once a company is identified from a ransomware listing, we conduct further research to gather firmographic data. While the reported totals—2,283 in Q1 2026—are accurate, the specific industry, company size, and country breakdowns may differ slightly due to smaller sample sizes. We use various publicly accessible business data sources to identify general organizational attributes, such as industry, geographic region, size, and revenue bracket, using the company names and domains.

For our research on leaked ransomware negotiations, NordStellar analyzed a vast dataset of leaked negotiation transcripts spanning from 2020 to 2026. This dataset included 256 negotiations and 11,599 individual messages. With an average of 47 messages per negotiation, the study provides insight into the persistence and complexity of these dialogues. Our analysis examined communication tactics from the perspectives of both victims and ransomware groups. This approach allows us to decode the rigid structure and mechanics behind modern ransom demands.

Legal disclaimer

This report is for informational purposes only and does not constitute legal, financial, or cybersecurity advice. The information is provided “as is,” and Nord Security makes no representations or warranties regarding its accuracy, completeness, or timeliness.

Nord Security does not endorse, recommend, or encourage accessing any ransomware groups, threat actors, or engaging in any illegal or criminal activity.

Any reliance on this report is at your own risk. Nord Security, its affiliates, and its authors disclaim all liability for any actions taken or not taken, or for any losses or damages incurred, based on its contents.

Previous research data

Here, you can find key ransomware statistics from previous years. Note that these figures are updated as more incidents are reported, ensuring each quarter reflects the most accurate data available.

Q4: Ransomware activity peaks as 2025 ends with a record-breaking surge

Ransomware activity reached a two-year high in the final quarter of 2025. Our research recorded 2,910 incidents—a 38% increase compared to Q4 2024 and a 49% jump from the previous quarter. This year-end surge suggests that cybercriminals took advantage of the increased pressure from end-of-year production goals and potential oversights in security protocols.

Main ransomware targets

By country: The United States remains the primary target, experiencing a 34% increase with 917 incidents in Q4 alone. Canada was the second-most-affected country, with 107 cases (a 73% increase). Germany followed with 64 cases, the United Kingdom with 62, and France with 54.

By industry: Manufacturing remains the most affected sector with 386 incidents—a 58% increase from the previous quarter. Other significantly impacted sectors include IT (152 incidents) and professional services (147 incidents).

By business size: SMBs remain the prime targets. Specifically, organizations with 51–200 employees and revenues between $5M and $25M experienced the most activity. Attackers prioritize these businesses because they often lack the infrastructure to handle significant downtime or data loss, making them more likely to consider paying a ransom.

Who was responsible for the attacks

Qilin: Holding the number one spot for the second consecutive quarter, this group’s activity more than doubled in Q4, reaching 489 incidents. Their growth is driven by effective affiliate recruitment and a mature negotiation infrastructure.

Akira and INC Ransom: These groups remained major contributors to the high volume of attacks, and that trend has continued throughout the year.

Q3: Ransomware attacks surge by 47% as 2025 activity intensifies

The upward trend in ransomware activity continued through the third quarter of 2025. From January to September, our research detected 6,330 cases exposed on the dark web—a 47% increase compared to the 4,293 cases recorded during the same period in 2024. This growth is driven by a record number of active groups and the continued expansion of the ransomware-as-a-service (RaaS) model.

Main ransomware targets

By country: The United States remains the primary focus for attackers, accounting for 54% (686 incidents) of all traced cases. Canada followed as the second-most affected country, with 62 incidents.

By industry: Manufacturing continues to bear the brunt of attacks with 245 recorded cases. Other highly targeted sectors include IT (103 incidents) and professional services (107 incidents).

By business size: Small to medium-sized businesses (SMBs) are the prime targets. Specifically, organizations with 51–200 employees and revenues between $5M and $25M experienced the most activity, as they often lack the dedicated security budgets and infrastructure of larger enterprises.

Who was responsible for the attacks

Qilin: This Russia-linked group maintained its number one spot from the previous quarter and was the most prolific actor, responsible for 241 incidents.

Akira: Holding the second spot with 190 incidents, this group remains a consistent threat.

INC Ransom: Emerging as a major player this quarter, this group recorded 146 incidents.

Q2: Ransomware attacks spike by 49% in the first half of 2025

The number of ransomware attacks surged by 49% in the first half of 2025 compared to the same period in 2024. A total of 4,198 cases were exposed on the dark web between January and June of that year.

Main ransomware targets

By country: The United States was by far the most targeted country, accounting for 49% (596 incidents) of all attacks. This is likely due to its high concentration of profitable businesses and strict compliance laws that pressure companies to resolve incidents quickly.

By industry: The manufacturing sector has been hit hardest, with 229 recorded cases, often due to decentralized security and reliance on outdated, unpatched systems.

By business size: Small to medium-sized businesses (SMBs) are the prime targets. These organizations often have limited cybersecurity budgets and rely on third-party IT providers, making them more vulnerable.

Who was responsible for the attacks

Qilin: This Russia-linked RaaS group was the most prolific, responsible for 214 incidents.

Safepay: This relatively new group (first detected in late 2024) was the second-most active, responsible for 201 incidents.
