ZeroFox data shows ransomware stabilizing at scale, with manufacturing absorbing nearly one in five attacks


New ZeroFox data from the first quarter of this year paints a picture of a threat landscape that has settled into a sustained high-volume rhythm rather than showing any sign of retreat. The company recorded at least 2,059 ransomware and digital extortion (R&DE) incidents during the period, a marginal 1.5% decline from the record 2,091 incidents logged in the fourth quarter of 2025, a drop too small to signal any meaningful shift in attacker activity. Additionally, the data marked an increase in incidents year-over-year from 2025 and 2024, which saw at least 2,001 and 1,007 incidents, respectively.

In the first quarter of 2026, manufacturing remained the most targeted industry for R&DE, with at least 419 recorded incidents, up slightly from 413 in the fourth quarter of 2025. The sector accounted for nearly 20% of all attacks in the quarter, in line with the roughly 20% share observed in the previous quarter. The trend is not new: manufacturing has held its position as the most targeted industry since at least 2021, reflecting a sustained focus by threat actors on environments where operational disruption translates quickly into financial and operational pressure.

“January has seen steady rises from 2024-2026, with at least 646 attacks in 2026. February experienced a decrease of approximately 8 percent from 2025, with approximately 666 incidents observed,” ZeroFox detailed in its assessment. “March was the most active Q1 month in comparison to previous years, accounting for at least 747 separate incidents—which is roughly 36 percent of all global ransomware attacks in Q1 2026.”

Regional R&DE targeting patterns in the first quarter of this year remained broadly stable. North America-based organizations were targeted by a clear margin, accounting for about 54% of all incidents, or at least 1,114 attacks. That aligns with the 51% average over the past 12 months, though it marks a notable drop from the 66% recorded in the first quarter of 2025. Europe ranked second, accounting for roughly 22% of incidents, a slight uptick from about 20% in the fourth quarter of last year. Combined, North America and Europe represented 76% of all R&DE activity in the first quarter, down 2% quarter-on-quarter but still in line with patterns seen across 2025.

Geographically, the picture is steady rather than shifting. North America alone absorbed more than half of all incidents, reinforcing a consistent targeting bias toward regions with higher revenue concentration and stronger likelihood of ransom payment.

R&DE collectives typically operate opportunistically, with targeting patterns largely influenced by the availability of network access sold or advertised on deep and dark web forums. These patterns are further shaped by the technical capabilities and operational preferences of individual affiliate actors. Nevertheless, North America remains a consistently attractive region and is almost certainly viewed as a lucrative area for targets with high payoff potential.

“The disproportionate targeting of North America-based entities is likely partly attributed to the geopolitical motivations and ideological beliefs of financially motivated threat collectives fueled by opposition to Western political and social narratives,” ZeroFox disclosed. “North America hosts a wide variety of robust industries that comprise substantial and fast-growing digital attack surfaces. The widespread integration of technologies such as cloud networking services and Internet of Things devices contributes to the accessibility of North American assets.”

The manufacturing sector was once again the most targeted industry in the first quarter of this year, absorbing at least 419 R&DE incidents, a slight increase from the 413 recorded in the fourth quarter of 2025 and close to 20% of all incidents tracked in the quarter. The sector has held that unwanted distinction continuously since at least 2021, driven by its low tolerance for operational downtime and the prevalence of vulnerable OT infrastructure underpinning automation efforts.

Beyond manufacturing, the industry targeting picture remained largely unchanged from the previous quarter. Professional services, construction, retail, and healthcare rounded out the top five most targeted sectors, with attacks on these five industries collectively accounting for roughly 60% of all incidents in the quarter.

ZeroFox identified Qilin, Akira, The Gentlemen, INC Ransom and Cl0p as the most active R&DE collectives in the first quarter of 2026, a reshuffle in which only Qilin, Akira and Cl0p retained their positions from the fourth quarter of 2025. Together, these five groups were responsible for about 48% of all global incidents, with a combined total of at least 979 attacks. Qilin and Akira continued to dominate, recording 338 and 197 incidents respectively and accounting for roughly 26% of global activity on their own.

The emergence of The Gentlemen points to how quickly new or rebranded actors can scale within the RaaS (ransomware-as-a-service) ecosystem, while the broader data signals increasing concentration, with a small number of groups driving a disproportionate share of attacks. Initially observed last September, The Gentlemen has scaled at an unusually fast pace. After recording 37 R&DE incidents in the third quarter of 2025 and 35 in the fourth quarter of 2025, the group surged to at least 192 attacks in the first quarter of 2026. That jump places it as the third most active collective, responsible for roughly 9% of all incidents in the quarter.

Its targeting patterns diverge from broader trends. North America accounted for about 20% of its victims in the third quarter of 2025, dropped sharply to 2% in the fourth quarter, and rebounded to 13% in the first quarter of 2026, well below the roughly 50% baseline seen across other major groups. Europe emerged as its primary focus, drawing around 32% of attacks, while manufacturing was the most targeted sector at approximately 28%, aligning with wider industry targeting patterns.

Last week, GuidePoint Security data highlighted a ransomware landscape that is no longer spiking but settling into a sustained, elevated baseline. Findings from the GuidePoint Research and Intelligence Team show that activity in the first quarter of 2026 remained steady both quarter-over-quarter and year-over-year, confirming that the surge seen in late 2025 has effectively reset expectations for what constitutes normal attack volume.
