Ransomware ecosystem grows, but ‘four-headed monster’ dominates | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware


Dive Brief:

  • Ransomware activity grew slightly between the first and second quarters of 2026 but significantly year over year, and there were more hacker groups active during April, May and June than in any previous quarter, researchers said on Thursday.
  • Cybercrime actors claimed breaches of 2,279 victims in Q2 2026, a 7% increase over Q1 2026 but a 43% year-over-year increase compared with Q2 2025, GuidePoint Security said in a quarterly report.
  • The Qilin ransomware gang led the quarter, accounting for 13% of attacks, but the relatively new group The Gentlemen has grown quickly and now accounts for almost as much activity, GuidePoint said.

Dive Insight:

While the ransomware ecosystem continues to grow, both in terms of attacks and actors, the activity is not widely dispersed. “The five most prolific groups in Q2 2026 collectively claimed more than 40% of all recorded attacks,” GuidePoint analysts wrote. “We continue to see records broken in the volume of distinct named ransomware groups, but the most prolific at the top continue to consume a highly disproportionate share of victims.”

Qilin, The Gentlemen, Akira and DragonForce compromise what GuidePoint calls the “four-headed monster” of high-volume ransomware groups. The lack of a “singular monolithic figure” could make the ransomware community more resilient to law-enforcement takedowns, the security firm said, because there are now “multiple franchises poised to absorb displaced affiliates if another were to disappear overnight.”

The U.S. accounted for the plurality of ransomware victims in Q2, with 40%, but Germany wasn’t far behind, with 32%. GuidePoint said it was notable that the U.S. share of incidents had dropped from previous quarters, when roughly half of victims were American organizations. “This increased focus on the other countries coincides with an activity increase by The Gentlemen, Qilin, and LockBit,” analysts wrote. “Each of these claimed the most victims outside of the U.S’s borders during Q2 2026.”

These groups are increasingly using AI in their attacks, but GuidePoint found that they’re not doing so in exotic or even sophisticated ways.

“The prevailing concern that AI will enable a new class of catastrophic AI-native attacks remains largely unrealized,” GuidePoint researchers said. Instead, threat actors are using AI as a productivity tool that “lowers the cost of repeatable tasks that were already being done by human operators.”

In two case studies discussed in the report, AI helped cybercrime gangs do things they might have been able to do on their own, but with significantly less effort.

In one attack, the data-extortion group FulcrumSec used a large language model (LLM) to analyze a massive trove of stolen data and identify users present in multiple databases. “Due to the complexity of the database schema, this analysis of a victim’s data would have been implausible without either deep internal knowledge of the victim’s databases architecture, a substantial period of focused human attention, or AI assistance,” GuidePoint said.

The analysis — combined with AI-generated English-language negotiation messages — “helped the group anchor their position and drive negotiations from their side,” GuidePoint researchers wrote, “in effect saying: ‘We know what we have taken, here it is, and this is why we have set the ransom at this amount.’” In doing so, the researchers added, “FulcrumSec established a firm negotiating stance from which they had little incentive to diverge.”

In another attack, the DragonForce group used LLMs to compose convincing claims that increased the pressure on their victim. “The group has claimed to have legal counsel on staff,” GuidePoint said — a claim that, while “almost certainly false,” is meant to frighten victims into thinking the hackers understand victims’ legal and reputational risks.

“For criminal purposes, it doesn’t matter if the claim is true; it only matters if it sounds plausible,” GuidePoint researchers wrote. “If there’s one thing LLMs are good at, it’s making a wide range of statements sound plausible.”

——————————————————-


Click Here For The Original Source.

National Cyber Security

FREE
VIEW