ZeroFox Intelligence Assessment - Q1 2026 Ransomware Wrap-up
|by Alpha Team
ZeroFox Intelligence Assessment - Q1 2026 Ransomware Wrap-up
TLP:Clear
Standing Intelligence Requirements
For the most up-to-date list of ZeroFox’s Intelligence Requirements, please visit:
https://cloud.zerofox.com/intelligence/advisories/14956
Link to Download
View the full report here.
Key Findings
- ZeroFox observed at least 2,059 separate ransomware and digital extortion (R&DE) incidents in Q1 2026, a decrease of approximately 1.5 percent from Q4 2025—which accounted for a record-breaking 2,091 incidents.
- March remained the most active month in Q1 in comparison to previous years, accounting for at least 747 incidents—which is roughly 36 percent of all global ransomware attacks in Q1 2026.
- Regional R&DE targeting patterns in Q1 2026 were largely consistent with those observed during previous months. North America-based organizations were the most targeted by a substantial margin, accounting for approximately 54 percent of all incidents (or at least 1,114 incidents).
- ZeroFox observed that the five most active R&DE collectives in Q1 2026 were almost certainly Qilin, Akira, The Gentlemen, INC Ransom, and Cl0p. This is a change from Q4 2025, with only Qilin, Akira, and Cl0p remaining in the top five from the previous quarter.
Tags: global, tlp:clear, threat actor