Ransomware attacks rose 20% in the first half of 2026

Hackers leaned further into ransomware in the second quarter of 2026, with a surge of new attacks led by two competing ransomware-as-a-service groups.

A new report from NordStellar finds that ransomware incidents were up 20% year over year in the first half of 2026, with 5,275 recorded attacks. The second quarter alone saw 2,581 incidents.

The number of ransomware attacks saw a slight 4% decrease in the second quarter compared to the first three months of the year, but cybersecurity officials say businesses and individuals should still keep their guard up.

“The slight decrease in attacks shouldn’t be a sign to relax just yet,” says NordStellar cybersecurity expert Vakaris Noreika. “Although the number of attacks has been slightly decreasing every quarter this year, we are now seeing a new alarming baseline of about 2,500 attacks per quarter.”

Driving those numbers is a game of one-upmanship by two active ransomware-as-a-service operations: Qilin and The Gentlemen. Qilin has been active since at least 2022 and has grown to be one of the biggest ransomware operations in the world. Among the victims of the Russian-language group are healthcare group Synnovis and the Cleveland Municipal Court.

The Gentlemen was formed by former Qilin members following a split in 2025 and has expanded faster than any known hacker group, attacking hundreds of organizations across more than 66 countries and 20 industries. It was responsible for 284 attacks in the second quarter of this year. That was fewer than the 299 attributed to Qilin but still represented a 39% increase from a year earlier.

NordStellar says the growing influence of the two groups suggests that the ransomware ecosystem is maturing and becoming more stable, which could make it more dangerous.

“Established ransomware groups have refined tools, affiliate networks, and negotiation infrastructures,” says Mantas Sabeckis, senior threat intelligence researcher at Nord Security. “The more sophisticated and established a group becomes, the greater the threat it poses.”

Small and midsize businesses were the primary targets during the first half of the year, accounting for more than 60% of attacks. Large companies with annual revenue of at least $1 billion saw a 74% increase in attacks, from 23 in the first quarter to 40 in the second.

NordStellar’s data does not delve into the methods hackers are using, but a separate report from the SANS Institute, the world’s largest cybersecurity research and training organization, finds that 78% of organizations saw confirmed or suspected AI-enabled attacks in the past year.

A growing number are using that technology for protective purposes as well, with the number of cybersecurity teams actively using AI in their defenses increasing from 50% in 2025 to 78% this year. The report card for AI cybersecurity, however, isn’t exactly a glowing one.

Some 63% of security teams SANS spoke with reported significant shortcomings in how AI detects or responds to threats. That’s an increase of nearly 20% from 2025.

Although AI has yet to become the defensive asset some security experts anticipated, its offensive capabilities appear to be advancing. Earlier this month, cloud security firm Sysdig detailed what it described as the first ransomware campaign operated entirely by a large language model.

Called JadePuffer, the AI-run campaign was able to break into systems much faster than human-based campaigns. In one instance, Sysdig wrote in a report, the AI-driven ransomware tool went from a failed login to a working fix in 31 seconds.

“Jadepuffer is a warning sign,” wrote Sysdig. “It’s a marker of where extortion tradecraft is heading.”

No comments

Read more