New Report Highlights Sustained Attack Volumes, Shifting Threat Actor Dynamics and Increased Targeting of New Industries

GuidePoint Security, the cybersecurity advisor and services partner organizations rely on to protect what matters most, today released the GuidePoint Research and Intelligence Team's (GRIT) Q1 2026 Ransomware and Cyber Threat Insights Report. The report reveals that ransomware activity remained high yet stable throughout the first quarter of 2026, marked by sustained attack volumes, notable shifts in threat actor behavior and the continued emergence of new criminal groups.

Victim post rates averaged approximately 150-200 per week—holding steady both quarter-over-quarter (QoQ) and year-over-year (YoY)—signaling that high-volume ransomware activity has become the new normal. Beneath the consistent headline numbers, however, the composition of the threat landscape is changing: new groups are scaling rapidly, established players are losing momentum and extortion-only operations are growing in prevalence.

“What we’re seeing is a ransomware ecosystem that has stabilized at a high level, but continues to evolve,” said Justin Timothy, Principal Threat Intelligence Analyst at GuidePoint Security. “Threat actors are adapting quickly—refining tactics, targeting new industries and scaling operations in ways that make this a persistent challenge for organizations of all sizes.”

Key findings from the report include:

• Ransomware activity remains elevated. After a late 2025 surge, ransomware volume in Q1 held steady both QoQ and YoY, signaling that elevated attack levels have become the new normal.
• The United States is the leading ransomware target. 51% of observed ransomware victims in Q1 2026 were based in the United States, followed by the United Kingdom (4%) and Canada (4%).
• Ransomware activity intensifies in the construction sector. While manufacturing remained the most impacted industry, the construction industry joined the top 5 most impacted industries with 131 ransomware victims in Q1 2026—a 44% increase year-over-year.
• Data extortion-only attacks are increasing. Threat actors are bypassing encryption in favor of data theft and extortion-only operations, reflecting an evolution in ransomware tactics.
• New threat groups are rapidly gaining ground. The Gentlemen, a RaaS group which emerged in August 2025, surged from 35 victims in Q4 2025 to 182 in Q1 2026, becoming the second most active group. Meanwhile, activity from established groups Qilin and Akira declined by 25% and 22%, respectively.

“From a global lens, modern cyber threats are becoming a reflection of geopolitical tensions, with ransomware actors and ‘hacktivist’ proxies increasingly adopting each other’s tactics," Timothy added. "This evolution focuses on high-impact, tactical disruptions paired with sophisticated psychological operations to exaggerate capabilities or even weaponize historical breaches to disrupt threat assessment and response. Organizations should continually assess their specific risk exposure, regional involvement and supply chain dependencies when determining appropriate defensive postures.”

The report also examines the lingering impact of large-scale exploitation campaigns from late 2025, the lag between intrusion activity and public victim disclosures and the growing adoption of extortion-only operations across the ransomware ecosystem.

The GRIT Q1 2026 Ransomware & Cyber Threat Insights Report is based on data obtained from publicly available resources, vendor threat research, internal incident response case data and open-source intelligence collected from illicit forums and marketplaces.

For more information:

• Download the GRIT Q1 2026 Ransomware & Cyber Threat Insights Report
• Register for GRIT’s upcoming webinar
• Read our blog
• Explore more GRIT reports and other resources

About GuidePoint Security

GuidePoint Security helps organizations overcome the most complex cybersecurity challenges, mature their security posture, minimize risk and ensure compliance. As a trusted cybersecurity advisor and partner, GuidePoint keeps people, data, and operations safe. We deliver tailored cybersecurity services and offerings that adapt and scale to safeguard the nation’s leading organizations today, while preparing them to confidently face tomorrow's cyber challenges. More than 6,000 organizations of all sizes and across every industry, as well as over half of U.S. cabinet-level agencies, rely on GuidePoint to strengthen their defenses and reduce risk.

Stronger Together. Protecting What’s Next. Learn more at guidepointsecurity.com.

View source version on businesswire.com: https://www.businesswire.com/news/home/20260415918254/en/

Threat actors are adapting quickly—refining tactics, targeting new industries and scaling operations in ways that make this a persistent challenge for organizations of all sizes.