Ransomware groups to watch in 2026: trends, activity and emerging threats


Ransomware continues to be one of the most persistent cyber threats facing organisations across the UK and globally. The UK National Cyber Security Centre (NCSC) consistently identifies ransomware as one of the most serious and disruptive cybercrime threats affecting organisations today.

If you are reading this because you have just experienced a ransomware incident and are unsure how to deal with it, contact Zensec immediately.

While international law-enforcement operations and coordinated disruption efforts have impacted several ransomware groups, the broader cybercrime ecosystem has proven highly resilient. When one operation is disrupted, others often emerge or expand to fill the gap.

Established ransomware gangs continue to conduct large-scale campaigns while new threat actors regularly appear, adopting similar tactics and operating models.

Recent threat intelligence analysis also shows that a relatively small number of ransomware operators are responsible for a large proportion of publicly disclosed ransomware victims, typically those posted on criminal data-leak sites. However, this does not represent the full scale of ransomware incidents, as many attacks are never publicly disclosed.

At the same time, the ransomware ecosystem continues to expand. New groups frequently launch operations using ransomware-as-a-service (RaaS) models, allowing affiliates to deploy ransomware using shared infrastructure and established criminal marketplaces.

Understanding which ransomware groups are currently active and how attack trends are evolving can help organisations better assess their threat landscape and strengthen their cyber security posture.

Ransomware groups driving current activity

Several ransomware groups continue to play a major role in today’s threat landscape through sustained campaigns and established affiliate networks.

LockBit, historically one of the most prolific ransomware operations globally, remains an important example. International law-enforcement action significantly disrupted the group’s infrastructure in 2024, reducing its operational capacity at the time. However, later reporting has indicated attempts by the group to re-establish operations, demonstrating how ransomware ecosystems can recover even after major disruption efforts. Alongside LockBit, other ransomware operators have been responsible for a significant share of publicly disclosed victims in recent reporting.

Qilin has emerged as one of the most active ransomware groups in recent datasets, with some analyses showing substantial year-over-year increases in victim listings. Akira has also maintained consistent activity across multiple sectors, including manufacturing and professional services. Another notable actor is Cl0p, which has been linked to several high-profile cybercrime campaigns exploiting vulnerabilities in widely used enterprise software. Unlike some ransomware groups, Cl0p has frequently conducted large-scale data theft and extortion campaigns, sometimes threatening to leak stolen data without necessarily deploying file-encrypting ransomware.

Many of these groups operate within the wider ransomware-as-a-service ecosystem, where core operators maintain malware, infrastructure and payment systems while affiliates conduct attacks. This model continues to lower barriers to entry for cybercriminal groups and contributes to the rapid emergence of new ransomware actors.

Emerging ransomware groups and threat trends

Alongside established ransomware gangs, several newer groups have shown rapid increases in activity.

Recent threat intelligence reporting indicates that Qilin recorded one of the largest increases in publicly disclosed victims between 2024 and 2025, reflecting a significant expansion in its ransomware operations. Akira has similarly continued to expand its campaigns, targeting organisations across a variety of industries. Another emerging actor is TheGentlemen, a ransomware group that has gained attention for its increasing number of victim claims in a relatively short period.

Emerging ransomware groups frequently adopt well-established attacker techniques, including:

  • data exfiltration from compromised systems
  • lateral movement across internal networks
  • abuse of legitimate remote administration tools
  • credential theft and privilege escalation

The continued appearance of new groups highlights the broader resilience and adaptability of the ransomware ecosystem. Even when one operation is disrupted, other actors often move quickly to fill the gap.

How ransomware attacks are evolving

Ransomware attacks have evolved significantly over recent years. While encryption of systems remains a central component of many attacks, data theft and extortion have become core elements of modern ransomware operations.

Many threat actors now steal sensitive data before deploying ransomware. This stolen information is then used as leverage, with attackers threatening to publish it on criminal leak sites if ransom demands are not met.

In some cases, attackers may focus primarily on data-theft extortion, threatening to release stolen information even if encryption is not deployed.

Initial access methods used in ransomware attacks also remain broadly consistent across many incidents. Common entry points include:

  • phishing and social engineering campaigns
  • exploitation of vulnerabilities in internet-facing systems
  • compromised credentials obtained from previous breaches
  • exposed remote access services such as RDP or VPN infrastructure

Once access is obtained, attackers often conduct lateral movement across internal systems, escalate privileges and identify high-value data before deploying ransomware or initiating extortion.

Cloud environments, software supply chains and managed service providers have also become attractive targets. Compromising these environments can allow attackers to access multiple organisations through a single intrusion.

These tactics enable ransomware actors to maximise disruption while increasing pressure on victims to pay ransom demands.

Targeted industries and critical sectors

Ransomware campaigns affect organisations across many sectors, but some industries are targeted more frequently due to operational pressures or the value of the data they hold.

Critical infrastructure organisations, healthcare providers, manufacturing companies and professional services firms are frequently impacted by ransomware incidents.

In many cases, attackers calculate that operational disruption in these sectors increases the likelihood that organisations will consider paying ransom demands.

Manufacturing environments can be particularly exposed due to the continued use of legacy systems and operational technology (OT) networks that may be difficult to update or patch. Similarly, organisations operating critical services often face strong pressure to maintain operational continuity and protect sensitive data.

As a result, ransomware attacks against these sectors can cause significant operational disruption, financial losses and reputational damage.

Strengthening cyber security against ransomware threats

Although ransomware attacks continue to evolve, many of the techniques used by attackers remain consistent. This means organisations can significantly reduce risk by implementing strong cyber security fundamentals.

Key defensive measures include:

  • strong access management and least-privilege controls
  • regular patching and vulnerability management
  • continuous monitoring for suspicious activity
  • multi-factor authentication across critical systems
  • secure backup and recovery procedures

Monitoring for indicators such as unusual lateral movement or unexpected data transfers can also help organisations detect ransomware activity earlier.
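As an added illustration of the monitoring described above (not code from the original article), the following sketch flags both indicators from network flow records by comparing each host against its own history. The record layout, the `10.0.0.0/8` internal range, the thresholds and all sample flows are assumptions constructed for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import median

INTERNAL = ip_network("10.0.0.0/8")          # assumption: the organisation's address space
ADMIN_PORTS = {135, 445, 3389, 5985, 5986}   # RPC, SMB, RDP, WinRM

# Constructed flow records: (day, src, dst, dst_port, bytes_sent)
DAYS = ["2026-01-05", "2026-01-06", "2026-01-07", "2026-01-08"]
FLOWS = []
for d in DAYS:
    FLOWS.append((d, "10.0.1.10", "203.0.113.10", 443, 2_000_000_000))  # nightly off-site backup
    FLOWS.append((d, "10.0.5.20", "203.0.113.10", 443, 40_000_000))     # ordinary workstation
    FLOWS += [(d, "10.0.9.9", f"10.0.2.{i}", 3389, 50_000) for i in range(1, 5)]  # jump host
FLOWS += [("2026-01-08", "10.0.5.20", f"10.0.2.{i}", 445, 1_000_000) for i in range(1, 6)]
FLOWS.append(("2026-01-08", "10.0.5.20", "198.51.100.77", 443, 6_000_000_000))

def is_internal(addr):
    return ip_address(addr) in INTERNAL

def unexpected_transfers(flows, day, factor=10, floor=500_000_000):
    """Hosts whose bytes sent to external addresses on `day` exceed both
    `floor` and `factor` times their own median over earlier days."""
    daily = defaultdict(lambda: defaultdict(int))
    for d, src, dst, _, nbytes in flows:
        if d <= day and not is_internal(dst):
            daily[src][d] += nbytes
    hits = {}
    for src, per_day in daily.items():
        history = [v for d, v in per_day.items() if d < day]
        baseline = median(history) if history else 0
        latest = per_day.get(day, 0)
        if latest >= floor and latest > factor * baseline:
            hits[src] = (baseline, latest)
    return hits

def unusual_lateral(flows, day, min_new_peers=4):
    """Hosts that reached at least `min_new_peers` internal peers on admin
    ports on `day` that they had not contacted that way before."""
    seen, today = defaultdict(set), defaultdict(set)
    for d, src, dst, port, _ in flows:
        if port in ADMIN_PORTS and is_internal(dst):
            if d == day:
                today[src].add(dst)
            elif d < day:
                seen[src].add(dst)
    new = {s: sorted(p - seen[s]) for s, p in today.items()}
    return {s: peers for s, peers in new.items() if len(peers) >= min_new_peers}
```

On the constructed data, the backup server and the jump host stay quiet because their volume and peer sets match their own history, while the workstation `10.0.5.20` is returned by both checks for `2026-01-08`.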

Employee training remains another critical defensive measure. Many ransomware attacks still begin with phishing attempts or other social engineering techniques designed to obtain credentials or deliver malicious payloads.

Equally important is having a well-tested incident response plan. Organisations should ensure clear procedures exist for containment, investigation and communication during a ransomware incident.

Staying ahead of the ransomware threat landscape

The ransomware threat landscape continues to evolve as cybercriminal groups adapt their tactics and new actors enter the ecosystem.

While some historically dominant ransomware groups have been disrupted by law enforcement, newer operators continue to expand their activity and adopt similar operational models.

Maintaining visibility of ransomware trends, threat actor behaviour and emerging attack techniques is therefore essential for organisations seeking to reduce cyber risk.

By combining strong security fundamentals with effective threat intelligence and incident response planning, organisations can strengthen resilience against modern ransomware threats.

If you are concerned about ransomware exposure or unsure whether your current security posture is prepared for modern ransomware tactics, it may be worth reviewing your organisation’s readiness against current threat trends.