The Gentlemen Ransomware Tops Qilin: 94 Victims [2026] | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware


A new name topped the ransomware leaderboard in June 2026. A group calling itself The Gentlemen claimed 94 victims over the month, enough to knock Qilin out of first place after a five-month run at the top. The reshuffle is more than a curiosity for threat-intel analysts. It lands inside a month that saw total ransomware victims climb to 707 companies across 87 countries, a 9% jump from May, according to tracking firm Breachsense. Ransomware statistics for 2026 now point to a threat landscape that is getting busier and more fragmented at the same time, with new gangs rising and falling in the space of weeks rather than years.

This piece breaks down what happened in June, what the numbers mean for defenders and insurers, and why the ransomware-as-a-service model keeps producing new “number one” groups instead of settling around a stable cast of players. It also looks at the entry points gangs used to get in, the shrinking share of victims who pay, and what the shakeup could mean for the rest of 2026.

Google · Preferred Sources

Don’t miss new tech stories on Google

Add Tech Insider once in the Google app and our stories appear in your news suggestions.

Add Now

The Gentlemen Overtake Qilin as June’s Most Active Ransomware Group

Qilin had held the top spot on ransomware leak-site trackers for five straight months heading into June 2026, a rare stretch of dominance in a market where affiliate groups typically churn every few weeks. That streak ended when The Gentlemen posted 94 claimed victims for the month, the highest single-group total tracked in June and enough to push Qilin down to third place with 71 victims. A second newcomer, DeadLock, jumped straight to second place with 81 claimed victims, meaning two of the month’s three most active groups were barely on anyone’s radar a few months earlier.

Leaderboard churn like this is normal in the ransomware-as-a-service economy, where the “brand” running a leak site can dissolve, rebrand, or lose affiliates to a rival operation almost overnight. What stands out about June is the scale of the shift: three groups combined for 246 claimed victims, more than a third of the month’s total, while the other 60-plus tracked gangs split the remaining activity. That concentration says something about how a small number of well-resourced affiliate crews can now move the needle on global ransomware tracking data within a single reporting cycle.

Ransomware by the Numbers: 707 Victims Across 87 Countries

Breachsense’s June count of 707 ransomware victims, spread across 63 distinct groups and 87 countries, was up 9% from May’s 646. The United States remained the single most-targeted country by a wide margin, consistent with prior months and with the country’s outsized share of mid-market and enterprise targets that can plausibly pay a ransom. At least one other tracking group put the June disclosure count at 721, a gap researchers attribute to differences in when leak-site postings get indexed rather than a fundamentally different picture of the month.

Both figures likely understate the real scope. Victims who quietly pay before a gang posts them to a public shame site never show up in leak-site-based ransomware statistics at all, and researchers who track this space routinely caveat that public counts are a floor, not a ceiling. Even with that undercount built in, the direction of travel matters: ransomware now accounts for 48% of all data breaches tracked globally, according to Verizon’s 2026 Data Breach Investigations Report, making it the single largest breach category by a wide margin over phishing, stolen credentials, or misconfiguration.

June 2026 Ransomware Leaderboard

The table below summarizes how the month’s activity broke down by group, based on Breachsense’s leak-site tracking. The “other tracked groups” row is a combined figure covering the roughly 60 remaining gangs active in June, none of which individually cracked more than a handful of claimed victims.

RankGroupJune 2026 VictimsStatus
1The Gentlemen94New No. 1, first appearance atop the leaderboard
2DeadLock81New entrant, jumped straight to No. 2
3Qilin71Dropped from No. 1 after a five-month reign
4-63Other tracked groups (combined)461Includes Nova, FulcrumSec, Lalia, and roughly 57 others
Total707Across 87 countries, per Breachsense

Who Are The Gentlemen?

The Gentlemen’s climb to the top of June’s ransomware statistics is notable mainly for its speed. Unlike Qilin, which built its position gradually over a five-month stretch, The Gentlemen posted the largest single-month victim count tracked in June on what appears to be a comparatively short operating history. That pattern fits a broader trend in the ransomware-as-a-service market, where a new leak site can attract experienced affiliates from a disbanded or disrupted rival crew and reach scale within weeks rather than building a reputation from zero.

Public reporting on The Gentlemen’s specific tooling, negotiation tactics, and target selection is still thin this early into its run, which is typical for a group only a few months removed from its first confirmed postings. Security researchers tracking the group are watching two things closely: whether its victim count holds up in July, which would suggest a durable affiliate base rather than a one-month spike, and whether it follows the now-standard double-extortion playbook of encrypting files while also threatening to leak stolen data, the model that has dominated ransomware since 2023.

DeadLock’s Sudden Jump to No. 2

DeadLock’s arrival at 81 claimed victims is arguably the more surprising story inside June’s ransomware numbers, since a brand-new operation landing in second place on its first major tracked month is unusual even by ransomware-as-a-service standards. Groups that debut with high victim counts typically do so because they absorbed affiliates and infrastructure from an operation that shut down, got seized by law enforcement, or fractured after an internal dispute over ransom-splitting, a pattern security researchers have documented repeatedly since LockBit’s disruption in 2024.

Whether DeadLock represents a genuinely new crew or a rebrand of an existing one is the kind of question that typically takes trackers several months and considerable malware-sample analysis to answer with confidence. What is already clear from the June numbers is that DeadLock and The Gentlemen combined outpaced Qilin, the group that had defined the top of the leaderboard for the prior five months, by a wide margin.

Why Qilin Slipped After a Five-Month Reign

Qilin’s five-month run at the top of global ransomware leaderboards was long by the standards of a market that has seen leadership change hands repeatedly since LockBit’s takedown and ALPHV/BlackCat’s exit scam both reshaped the field in 2024. Losing the top spot with 71 victims in June is not evidence that Qilin is winding down. Seventy-one victims in a single month is still a large operation by historical standards, and groups that fall to second or third place frequently regain ground within a quarter or two.

The more likely explanation, consistent with how this market has behaved before, is simple competition for affiliates. Ransomware-as-a-service operators compete for the same pool of skilled intrusion specialists, and a rival offering a better cut of ransom proceeds, more reliable leak-site infrastructure, or faster payout processing can pull talent away within weeks. If The Gentlemen or DeadLock offered better terms, some of Qilin’s volume simply moved to a new banner rather than disappearing from the ecosystem.

Inside June’s Biggest Claimed Hits

Aggregate leaderboard numbers tell part of the story. The individual incidents disclosed in June show what these attacks look like on the ground, from data volume stolen to the size of ransom demands.

Threat ActorVictimData Claimed StolenRansom DemandDate
FulcrumSecNovo Nordisk1.3 TB, including clinical trial data and AI models$25 millionJune 2026
NovaNSW Rural Fire Service (Australia)300 GBNot publicly disclosedJune 2026
Lalia (new strain)Unspecified Windows environmentsNot disclosedNot disclosedJune 2026
Unidentified actorsCisco Unified CM deployments (CVE-2026-20230)Access vector, breach scope not confirmedN/AJune 23, 2026

FulcrumSec’s $25 Million Demand on Novo Nordisk

The month’s largest confirmed extortion demand came from a group calling itself FulcrumSec, which claimed to have stolen 1.3 terabytes of data from pharmaceutical giant Novo Nordisk, including clinical trial records and proprietary AI models, before demanding $25 million. Pharmaceutical companies sit near the top of the target list for data-theft-focused extortion crews precisely because clinical trial data and drug-development models carry value well beyond a single ransom payment, whether through resale to competitors, use in insider trading, or leverage in a second extortion attempt down the line.

Nova Ransomware Hits Australia’s NSW Rural Fire Service

A separate group, Nova, claimed responsibility for stealing 300 GB of data from the New South Wales Rural Fire Service, a public emergency-response agency. Attacks on emergency services and other public-sector bodies tend to draw outsized attention relative to their financial upside for attackers, since these organizations often have thinner security budgets than private enterprises but generate the kind of public pressure that increases the odds a government will negotiate or accelerate its incident response.

How Gangs Get In: Initial Access Trends in 2026

Behind nearly every entry in June’s ransomware statistics sits an initial access method, and 2026’s pattern looks a lot like 2025’s: unpatched, internet-facing infrastructure remains the easiest way in. Cisco disclosed that its Unified Communications Manager platform was actively exploited via CVE-2026-20230 on June 23, 2026, a flaw that enabled unauthenticated remote access. That same week, defenders were also dealing with fallout from a separate, unauthenticated remote-code-execution flaw in Windows Server’s Netlogon service, tracked as CVE-2026-41089, which specifically threatens domain controllers, the highest-value targets on most corporate networks.

Unpatched Edge Devices Remain the Top Entry Point

VPN gateways, unified communications platforms, domain controllers, and other edge infrastructure keep showing up as the first foothold in ransomware intrusions because they are, by design, reachable from the open internet and often run software that lags several patch cycles behind. Once an affiliate crew gets a working exploit for a flaw like CVE-2026-20230, it can scan for vulnerable, internet-facing instances at scale and automate the initial-access step across hundreds of potential targets before a human ever gets involved. That automation is a big part of why monthly ransomware figures can swing as sharply as June’s 9% jump: a single reliable exploit against widely deployed software can feed several different affiliate groups at once.

The Payment Picture: Why 69% of Victims Are Refusing to Pay

One of the more encouraging threads in 2026’s ransomware statistics is the payment rate. Verizon’s 2026 DBIR found that 69% of ransomware victims did not pay, continuing a multi-year decline in the share of organizations that hand over money after an attack. That shift reflects a combination of factors that have been building for several years: wider adoption of offline and immutable backups, cyber-insurance policies that increasingly discourage or restrict payment, law-enforcement guidance against funding criminal operations, and a growing recognition that paying does not reliably guarantee data deletion or prevent a second extortion attempt.

The falling payment rate also helps explain why data-theft-only extortion, without file encryption, has become more common. If a victim can restore from backup and shrug off the encryption threat, a gang’s only remaining leverage is the stolen data itself, which is why incidents like the FulcrumSec-Novo Nordisk case lean so heavily on the size and sensitivity of what was taken rather than on downtime alone. Blockchain analytics firm Chainalysis has tracked a similar pattern in its crypto crime research, documenting how total ransomware payment volume has struggled to grow even in years when attack counts rose, as more victims refuse to negotiate at all.

US victims who do experience an attack still have a formal reporting channel regardless of whether they pay: the FBI’s Internet Crime Complaint Center takes ransomware reports directly and feeds them into broader federal threat-tracking efforts, though, as with leak-site counts, actual incident volume is widely assumed to exceed what gets formally reported.

Market Impact: Insurance, Budgets, and the Cost of Staying Public

A 9% month-over-month rise in claimed victims, on top of ransomware’s 48% share of all breaches, keeps pressure on two budget lines at once: cyber insurance and internal security spending. Insurers have spent the past several underwriting cycles tightening requirements before they will write or renew a policy, commonly asking for evidence of multifactor authentication on remote access, offline backups, and endpoint detection coverage. Months like June, where a handful of new groups can each claim dozens of victims, give underwriters fresh loss data to justify keeping those requirements strict rather than easing them.

Ransom-negotiation firm Coveware, which publishes quarterly data on average and median ransom payments, has long argued that falling payment rates and shrinking average payouts are connected: as fewer victims pay, gangs holding out for large sums have less leverage, which pushes negotiated amounts down even in cases that do end in payment. For enterprise security teams, the leaderboard churn documented in this month’s ransomware data complicates a specific budgeting problem: threat-intelligence programs built around tracking a known, stable set of adversaries have to account for groups like The Gentlemen and DeadLock appearing from a near-standing start. Detection engineering, incident-response playbooks, and tabletop exercises tuned to last year’s top three groups can go stale within a single quarter, pushing security teams toward behavior-based detection that catches ransomware techniques regardless of which brand is running the leak site.

How Today’s Ransomware Era Compares to 2024’s Takedowns

June 2026’s leaderboard reshuffle looks less chaotic when set against the two events that reset the ransomware market in 2024. Law enforcement’s Operation Cronos seized LockBit’s infrastructure and publicly unmasked parts of its operation in February 2024, ending the run of what had been the most prolific ransomware brand for several years. Weeks later, ALPHV/BlackCat staged an exit scam after collecting a large ransom from the Change Healthcare attack, vanishing with affiliate earnings and souring trust in one of the other dominant brands of that era.

Those two disruptions left a leadership vacuum that groups like Qilin spent much of 2024 and 2025 filling. Outlets that track ransomware leak sites as a beat, including The Record, have chronicled that pattern of rapid leadership turnover since the LockBit and ALPHV disruptions, and June’s reshuffle fits squarely inside it. Seen against that backdrop, June 2026 looks less like a crisis and more like the ransomware-as-a-service market continuing to behave the way it has for two years: no single brand holds the top spot for long, affiliates move fast, and a new name can reach the top of monthly ransomware leaderboards within months of its first confirmed activity.

Regulatory Pressure Is Reshaping Disclosure

Part of why monthly ransomware statistics look busier is that more victims are disclosing faster, not necessarily that attack volume alone is climbing at the same pace. Public-company reporting rules that require prompt disclosure of material cybersecurity incidents, alongside the EU’s NIS2 reporting obligations and a growing patchwork of US state breach-notification laws, all push incident timelines toward faster public acknowledgment than was typical five years ago. Agencies including the European Union Agency for Cybersecurity and the National Institute of Standards and Technology have both continued expanding guidance aimed at standardizing how organizations detect, respond to, and report ransomware incidents.

That regulatory push cuts both ways for anyone trying to read monthly ransomware victim counts as a pure attack-volume signal. Faster disclosure means leak-site trackers and public breach registries capture incidents sooner, which can make a month look more active even when the underlying number of attacks is roughly flat. Distinguishing a genuine spike in attacks from a spike in disclosure speed is one of the harder problems facing researchers who publish monthly ransomware tracking data.

What Security Teams Should Do Now

None of the individual tactics behind June’s attacks are new. What changes month to month is which vulnerability or which gang is doing the exploiting, which is exactly why defenders get more value from hardening against known ransomware behavior than from chasing the identity of whichever group currently sits atop the leaderboard. Security teams tracking this month’s ransomware and breach disclosures consistently point to the same short list of priorities: patch internet-facing services on a compressed timeline, enforce multifactor authentication on every remote-access path, keep backups offline and tested, and deploy detection tuned to the behaviors that precede encryption rather than to any single group’s signature.

That last point matters because pre-encryption behavior is remarkably consistent across otherwise unrelated ransomware families. Commands that delete shadow copies, clear event logs, and disable Windows recovery options show up across nearly every major double-extortion campaign, regardless of which brand name is on the ransom note, which makes them a reliable, group-agnostic detection target for security operations teams running tools like the ones covered in Tech Insider’s Wazuh SIEM setup guide.

vssadmin.exe delete shadows /all /quiet
wbadmin.exe delete catalog -quiet
bcdedit.exe /set {default} recoveryenabled No
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
wevtutil.exe cl security

Commands like these, commonly observed immediately before file encryption across 2026 double-extortion campaigns, are a higher-value detection target than group-specific indicators because they change far less often than a gang’s name or its malware build.

5 Predictions for Ransomware Through the Rest of 2026

  • The leaderboard keeps churning. Expect at least one more group to crack the top three by claimed victims before the end of 2026, continuing the pattern set by Qilin, DeadLock, and The Gentlemen.
  • Payment rates keep falling. If backup adoption and insurer requirements continue on their current trajectory, the share of victims refusing to pay could push past 70% within a year or two, accelerating the shift toward data-theft-only extortion.
  • Edge devices stay the top entry point. Unauthenticated remote-code-execution flaws in VPNs, unified communications platforms, and domain controllers will likely keep feeding initial access through the rest of 2026, keeping patch-management timelines under pressure.
  • Disclosure speed keeps rising. Expanding regulatory reporting requirements in the US and EU should keep pushing incident disclosure timelines shorter, which will make raw monthly victim counts look more volatile even in months when actual attack volume is stable.
  • High-value data targets stay in the crosshairs. Pharmaceutical, healthcare, and public-sector organizations, exemplified by the Novo Nordisk and NSW Rural Fire Service incidents, should remain preferred targets given the resale and leverage value of the data they hold.

Related Coverage

For broader coverage of breaking security incidents and patch guidance, see the cybersecurity section on Tech Insider.

Frequently Asked Questions About June 2026 Ransomware Statistics

What is The Gentlemen ransomware group?

The Gentlemen is a ransomware-as-a-service group that claimed 94 victims in June 2026, the highest single-month total of any tracked group that month, which pushed it to first place on leak-site-based ransomware leaderboards ahead of longtime leader Qilin.

How many companies were hit by ransomware in June 2026?

Tracking firm Breachsense counted 707 ransomware victims across 63 groups and 87 countries in June 2026, up 9% from 646 in May. At least one other tracker put the figure slightly higher, at 721, due to differences in disclosure timing.

Why did Qilin lose its top ransomware ranking?

Qilin held the No. 1 spot for five consecutive months before slipping to third place in June 2026 with 71 victims. The likely driver is affiliate competition: rival operations like The Gentlemen and DeadLock may have offered better payout terms or infrastructure, pulling some affiliate volume away from Qilin.

What is DeadLock ransomware?

DeadLock is a ransomware group that debuted at second place on June 2026’s leaderboard with 81 claimed victims. Its rapid rise from a near-standing start is consistent with a pattern seen after major ransomware disruptions, where a new brand absorbs affiliates or infrastructure from a disbanded or disrupted operation.

Are ransomware victims still paying ransoms in 2026?

Fewer are. Verizon’s 2026 DBIR found that 69% of ransomware victims did not pay, a continuation of a multi-year decline driven by wider backup adoption, stricter cyber-insurance requirements, and law-enforcement guidance against funding attackers.

What industries were hit hardest by ransomware in June 2026?

June’s disclosed incidents spanned pharmaceuticals (Novo Nordisk, targeted by FulcrumSec for 1.3 TB of data and a $25 million demand) and public-sector emergency services (Australia’s NSW Rural Fire Service, targeted by Nova for 300 GB of data), reflecting ransomware’s continued focus on organizations holding high-value or highly sensitive data.

How can organizations protect against ransomware in 2026?

Security teams point to the same core defenses regardless of which group is attacking: patch internet-facing systems quickly, require multifactor authentication on all remote access, keep backups offline and regularly tested, and monitor for pre-encryption behaviors like shadow-copy deletion and event-log clearing rather than relying solely on group-specific threat signatures.

Is ransomware getting worse in 2026?

By victim count, yes. June’s 707 tracked victims were up 9% from May, and ransomware accounts for 48% of all breaches per Verizon’s 2026 DBIR. But falling payment rates and faster regulatory disclosure timelines mean rising victim counts do not translate directly into rising financial losses for every organization affected.

Sofia Lindström

Editor-in-Chief

Sofia Lindström is the Editor-in-Chief at Tech Insider, where she leads editorial strategy and oversees coverage across AI, cybersecurity, and enterprise technology. With over a decade in Swedish tech journalism, she previously served as technology editor at Dagens Industri and covered the Nordic startup ecosystem for Breakit. Sofia holds an MSc in Media Technology from KTH Royal Institute of Technology and is a frequent speaker at Web Summit and Slush. She is passionate about making complex technology accessible to business leaders.

View all articles

——————————————————–


Click Here For The Original Source.

.........................

National Cyber Security

FREE
VIEW