Ransomware Market Consolidates Around Qilin, LockBit 5.0, The Gentlemen, and Hyflock


The ransomware market is becoming more concentrated again in 2026, with Qilin, LockBit 5.0, The Gentlemen, and newer affiliate programs such as Hyflock drawing attention from threat researchers and defenders.

According to Check Point Research, ransomware leak sites listed 2,122 new victims in the first quarter of 2026. That made it the second-highest first-quarter total on record, even after years of police operations, arrests, sanctions, and infrastructure seizures aimed at major ransomware groups.

The shift is not only about volume. A new Flare report says ransomware operators claiming experience with LockBit and Qilin are launching or promoting rival ransomware-as-a-service programs, carrying knowledge of affiliate management, negotiation systems, encryption tooling, and victim pressure tactics into new brands.

The trend matters because modern ransomware groups now operate more like criminal platforms than single hacking crews. Microsoft said The Gentlemen ransomware combines strong encryption with aggressive lateral movement, increasing the risk of rapid network-wide impact after attackers gain access.

Ransomware Activity Remained High in Q1 2026

The State of Ransomware Q1 2026 report found that the top 10 ransomware groups accounted for 71.1% of all victims listed on data leak sites during the quarter. Qilin led the quarter with 338 listed victims, while LockBit 5.0 returned to fourth place with 163.

LockBit’s return is notable because law enforcement severely disrupted the group in 2024. The U.S. Justice Department later charged alleged LockBit developer and administrator Dmitry Khoroshev, saying the group attacked more than 2,500 victims and extracted at least $500 million in ransom payments.

The same Justice Department announcement helps explain why LockBit still matters. The group’s affiliate model created a large pool of experienced criminal contractors who could move to other brands after disruptions, leaks, sanctions, or internal disputes.

That is the context for Hyflock and The Gentlemen. The Flare analysis said Hyflock appeared in a May 14, 2026 recruitment thread, while The Gentlemen ran a major recruitment campaign the next day and secured a BreachForums partnership on May 16.

| Group | Reported role in 2026 | Why defenders are watching |
|---|---|---|
| Qilin | Most active group in Q1 2026 by leak-site victim count | Strong affiliate recruitment and high victim volume |
| LockBit 5.0 | Returned to the top ransomware rankings after earlier disruption | Still has brand recognition and experienced affiliates |
| The Gentlemen | Fast-growing ransomware-as-a-service operation | Multi-platform tooling, affiliate recruitment, and rapid growth |
| Hyflock | Newer self-promoted ransomware-as-a-service program | Claims integrated tooling, AI-based analysis, and LockBit and Qilin experience |

The Gentlemen Has Become a Major RaaS Threat

A Check Point DFIR report described The Gentlemen as a ransomware-as-a-service operation that emerged around mid-2025 and quickly attracted affiliates. Researchers said the group had publicly claimed more than 320 victims, with most of that activity taking place in early 2026.

The Microsoft Security Blog said the group is tracked as Storm-2697 and uses double extortion tactics, meaning attackers encrypt data and also steal sensitive files to increase pressure on victims.

The same Check Point Research report found that The Gentlemen offers lockers for Windows, Linux, NAS, BSD, and ESXi environments. That makes the group relevant to enterprise networks where file servers, virtual machines, and storage systems often sit outside standard endpoint monitoring.

  • The Gentlemen is linked to a fast-growing affiliate model.
  • The group advertises multi-platform ransomware payloads.
  • Researchers have observed SystemBC and Cobalt Strike in related intrusion activity.
  • The group uses double extortion to pressure victims beyond encryption.
  • Its growth shows how quickly ransomware brands can scale when experienced affiliates join.

Hyflock Shows How New Ransomware Brands Compete for Affiliates

Hyflock is still less established than Qilin, LockBit, or The Gentlemen, but its recruitment pitch shows how new ransomware programs are trying to stand out. The operator claimed prior experience with LockBit and Qilin, although that claim remains self-reported.

The Hyflock pitch reportedly focused on an integrated criminal panel that combines access purchasing, negotiation rooms, affiliate revenue sharing, and victim data analysis. It also claimed that its encryptor is much faster than LockBit 3.0, but no independent benchmark currently proves that claim.

The most important point for defenders is not the marketing claim about speed. It is the direction of the market. Ransomware operators are trying to lower the skill needed for affiliates by packaging access, deployment support, negotiation tools, and victim analysis inside one criminal service.

| Ransomware trend | Defender impact |
|---|---|
| Higher affiliate revenue shares | Skilled intruders have more incentive to join newer programs |
| Integrated access marketplaces | Attackers can move faster from credential theft to ransomware deployment |
| AI-based victim data analysis claims | Stolen financial and business data may help attackers set ransom demands |
| Multi-platform lockers | Linux, NAS, and ESXi systems need stronger monitoring |

Industrial and Enterprise Networks Face Higher Pressure

Dragos identified 1,020 ransomware incidents affecting industrial organizations in Q1 2026, based on public victim disclosures and ransomware leak-site activity. Manufacturing remained the most affected sector, followed by industrial control system-related organizations and transportation.

The Dragos Q1 analysis also said Qilin, Akira, The Gentlemen, LockBit 5.0, and Play were among the top ransomware operations affecting industrial organizations. Researchers did not find ransomware built specifically to manipulate industrial control protocols, but attacks on IT systems can still disrupt production, logistics, engineering, and operations.

This is why defenders should treat ransomware as an enterprise risk, not only as a malware problem. Many attacks start with stolen credentials, exposed remote access systems, vulnerable edge devices, or access broker listings before ransomware runs.

What Security Teams Should Watch Now

The Verizon 2025 DBIR found that 54% of ransomware victims had domains appear in credential dumps, such as infostealer logs or marketplace postings, before the attack. That makes exposed credential monitoring one of the earliest warning signals.

The same Verizon report supports a broader defensive lesson: organizations need to detect and contain intrusions before encryption begins. Once attackers reach domain admin paths, file servers, backups, and virtualization systems, the recovery window shrinks fast.

  • Monitor for stolen corporate credentials in infostealer logs and access broker markets.
  • Audit VPN, firewall, RDP, Citrix, and remote management access.
  • Review Group Policy changes and unusual domain-wide administrative activity.
  • Keep backup credentials isolated from domain administrator accounts.
  • Add monitoring to Linux, NAS, and ESXi systems, not only Windows endpoints.
  • Look for rapid file-write behavior instead of relying only on file extension changes.
  • Test recovery plans for identity, backup, and virtualization compromise scenarios.
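
The "rapid file-write behavior" item above, sketched as an added example (not code from the article or from any vendor it cites): a sliding-window detector that alerts when one process modifies many distinct files in a short time, without looking at file extensions. The log format, thresholds, host names, and process names are assumptions, and the sample telemetry is constructed.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 10.0     # assumed sliding window
MAX_DISTINCT_FILES = 30   # assumed threshold; tune against a per-host baseline

def detect_write_bursts(lines, window=WINDOW_SECONDS, limit=MAX_DISTINCT_FILES):
    """Alert once per (host, pid) that modifies more than `limit` distinct
    files inside `window` seconds. File extensions are never inspected."""
    recent = defaultdict(deque)          # (host, pid) -> (ts, path) in window
    alerts = {}
    for line in lines:
        # Hypothetical log format: epoch host pid process op path
        ts, host, pid, proc, op, path = line.split(maxsplit=5)
        ts, key = float(ts), (host, int(pid))
        if op not in ("write", "rename") or key in alerts:
            continue
        q = recent[key]
        q.append((ts, path))
        while ts - q[0][0] > window:     # drop events older than the window
            q.popleft()
        distinct = len({p for _, p in q})
        if distinct > limit:
            alerts[key] = {"host": host, "pid": key[1], "process": proc,
                           "window_start": q[0][0], "alert_time": ts,
                           "distinct_files": distinct}
    return list(alerts.values())

def build_sample_events():
    """Constructed telemetry, sorted by time: one burst writer, two benign."""
    rows = []
    for i in range(40):    # burst: 40 VM disks rewritten in 4 s, names unchanged
        rows.append((2000 + i * 0.1, "esx01 7781 worker write "
                     f"/vmfs/volumes/ds1/vm{i:02d}/disk.vmdk"))
    for i in range(200):   # benign: database appending to a single file
        rows.append((2000 + i * 0.05, "db01 311 dbengine write /data/journal.log"))
    for i in range(40):    # benign: slow backup, one new file every 5 s
        rows.append((2000 + i * 5.0, f"nas01 90 backupd write /backup/set{i:02d}.bak"))
    rows.sort(key=lambda r: r[0])
    return [f"{ts:.2f} {rest}" for ts, rest in rows]

if __name__ == "__main__":
    for alert in detect_write_bursts(build_sample_events()):
        print(alert)
```

Counting distinct paths rather than raw writes keeps a busy database journal from tripping the rule, while the slow backup job stays under the threshold because its files fall out of the window.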

Ransomware groups are adapting after takedowns rather than disappearing. The market now rewards operators who can recruit affiliates, automate parts of the attack chain, and support attacks across hybrid enterprise environments.

For defenders, the priority is clear. Focus on credential exposure, early intrusion detection, remote access hardening, and backup isolation before ransomware payloads run. The groups gaining ground in 2026 are competing on speed and scale, so security programs need to reduce the time between first suspicious access and containment.

FAQ

What changed in the ransomware market in Q1 2026?

Ransomware activity became more concentrated around a smaller number of large groups. Leak sites listed 2,122 victims in Q1 2026, and the top 10 groups accounted for more than 71% of those listings.

Did The Gentlemen ransomware first appear in May 2026?

No. Researchers place The Gentlemen’s emergence around mid-2025. The May 2026 activity involved renewed affiliate recruitment and a BreachForums partnership.

What is Hyflock ransomware?

Hyflock is a newer ransomware-as-a-service program promoted in underground forum recruitment posts. Its operator claimed experience with LockBit and Qilin, but that lineage remains self-reported.

Why are LockBit alumni important to the ransomware ecosystem?

LockBit used an affiliate model, which means many skilled intruders worked as contractors. After law enforcement disrupted LockBit, some affiliates could move to other ransomware programs or help build new ones.

How can organizations reduce ransomware risk in 2026?

Organizations should monitor exposed credentials, secure remote access, review Group Policy changes, isolate backup credentials, cover Linux and ESXi systems with monitoring, and detect suspicious file-write activity before encryption spreads.
