The most prolific ransomware gangs are expanding their influence, according to the latest data from Check Point, with three dominant operators responsible for 40% of all incidents last month.
The cyber firm’s latest threat briefing shows that while the ransomware scene remains fragmented, with a total of 47 different groups behind March’s spate of attacks, a small number of high-output groups have broken from the pack with tailored capabilities for specific targets.
Qilin was responsible for 20% of all published attacks last month, with the group having fast become one of the most established ransomware-as-a-service (RaaS) operations since emerging in 2022 under the name Agenda.
Notably, Qilin’s activity was almost twice that of Akira, another RaaS group, which accounted for 12% of last month’s attacks and has increasingly focused on business services and industrial manufacturing.
According to data from CybelAngel, Akira posted 84 victims in March 2026 alone, more than doubling February’s count, with operators observed executing full killchain attacks in as little as one hour.
Finally, the third most prolific operator, Dragonforce (8%), is another RaaS group operating a “cartel” model allowing its affiliates to run independently atop shared infrastructure.
Check Point found that DragonForce saw a sharp uptick in activity in March after absorbing former RansomHub affiliates and launching high‑profile social‑engineering attacks, with the group rapidly catching up to more established operators as it builds its affiliate ecosystem.
According to Check Point, while the momentum of these groups drove a 7% increase in ransom attacks compared to February, activity within the broader threat landscape has fallen sharply from last year’s peaks.
Recommended reading
March saw 672 publicly recorded ransomware attacks, an 8% decrease year over year, with the average number of weekly cyber-attacks in general falling 5% compared to the same period last year.
However, that still amounts to nearly 2,000 weekly attacks per organisation, with critical sectors like financial services (+2%), energy and utilities (+3%), IT (+4%), and software (+8%), all seeing upticks while other sectors cooled.
Ransomware gangs continued to focus on high‑value sectors, with business services making up 35% of all publicly recorded victims last month, ahead of consumer goods and services (14%), industrial manufacturing (13%), and financial services (5%).
Check Point said that this focus reflects attackers’ prioritising industries where disruption gives them the greatest leverage and can be readily monetised.
Related
Click Here For The Original Source.
