April this year opened with 748 ransomware attacks recorded around the world, according to NCC Group. That was 7% lower than March, but the company said activity across 2026 has stayed at a much higher level than much of 2025.
The report traced much of that activity to the growth of ransomware as a service (or RaaS). That model lets experienced cyber criminals rent out malware, infrastructure and access tools to affiliates, who then carry out the attacks themselves. The arrangement looks more like a franchise system than the lone hacker stereotype that dominated cyber crime news a decade ago.
Who And What Are These Groups Targeting?
Industrials accounted for 28% of all attacks recorded in April, which would make factories, manufacturers and logistics operators the biggest target group. North America accounted for 43% of incidents, followed by Europe at 28%. Qilin is still the most active ransomware operation, responsible for 14% of attacks during the month.
Early April also brought a steady stream of public incidents. On 1 April, Qilin added German political party Die Linke to its leak site and claimed to have stolen 1.5TB of internal information. Five days later, Winona County in Minnesota suffered a ransomware attack that forced systems offline. That same day, The Gentlemen claimed responsibility for an attack on Adaptavist Group Ltd. Adaptavist later confirmed unauthorised access, although it disputed claims involving customer and production data.
Matt Hull, VP of Cyber Intelligence and Response at NCC Group, said, “The rise of groups like The Gentlemen demonstrates how affiliates are now combining shared tooling, stealth infrastructure and repeatable intrusion methods to accelerate attacks at scale. Techniques such as covert tunnelling and rapid domain wide deployment are shrinking the window that defenders have to detect and respond before encryption occurs.”
Why Are New Ransomware Brands Coming Up So Fast?
The biggest topic in NCC Group’s April report was The Gentlemen, a ransomware group first observed in July 2025 that has already become one of the busiest names in cyber crime. April alone saw 73 victims attributed to the group, bringing its 2026 total to 231.
Researchers said the group already shows the technical maturity usually associated with long established operations. The Gentlemen supports attacks across Windows, Linux, NAS systems, BSD and VMware ESXi environments, giving affiliates the ability to target large enterprise networks rather than single systems.
The report also described how newer ransomware groups now build around shared infrastructure instead of developing everything internally. The Gentlemen’s affiliates increasingly use a malware tool called SystemBC, which creates hidden SOCKS5 proxy tunnels through infected machines. That allows attackers to move quietly through networks and mask command and control traffic.
A Check Point DFIR investigation connected one SystemBC command server to a botnet containing more than 1,570 victims, mainly corporate environments. NCC Group said that discovery showed how ransomware crews now operate on an industrial scale, with access brokers, malware developers and affiliates all working within the same commercial ecosystem.
The report said many attacks now begin long before encryption starts. Affiliates gain access through stolen credentials or exposed internet services, move across networks, set up covert tunnels, harvest credentials and then spread ransomware through Group Policy Objects inside Windows domains.
Matt Hull said, “Developments around AI models such as Claude Mythos suggest AI assisted vulnerability discovery and exploitation could further compress attacker timelines in the future. However, the industry should remain cautious about overstating current capabilities, particularly where testing has been limited to controlled environments.”
What Happened When AI Entered The Ransomware Conversation?
On 7 April, Anthropic announced Claude Mythos Preview, a large language model built for advanced cybersecurity research. The company claimed the model could identify vulnerabilities and autonomously develop exploit chains.
The announcement immediately set off debate across the cybersecurity sector. According to the report, Anthropic said the model identified decades old vulnerabilities, including a 27 year old OpenBSD flaw and a 16 year old FFmpeg bug. The UK AI Security Institute also said Claude Mythos became the first AI model to complete an end to end simulated corporate network attack challenge.
NCC Group took a more measured view; the company said restricted access and controlled lab testing made it difficult to judge how the model would perform against real enterprise security systems. The report also questioned the economics behind large scale AI assisted vulnerability research, noting that AI companies continue operating at large losses while infrastructure and energy costs stay high.
What Should Organisations Do To Stay Safe?
Matt Hull said, “Regardless, organisations can no longer rely on reactive security measures alone. Continuous attack surface management, strong identity controls and rapid detection of suspicious behaviour are becoming essential to reducing cyber risk.”
The business opportunity clearly already exists for ransomware groups. April’s report showed just how fast new names can establish themselves when shared malware, rented infrastructure and affiliate programmes lower the barriers to entry.
One year ago, few security teams had heard of The Gentlemen. Now, only a couple of months into the year, it already accounts for 10% of global ransomware activity recorded by NCC Group.
