The State of Ransomware – Q1 2026
In Q1 2026, the ransomware ecosystem experienced significant consolidation, with top groups like Qilin, Akira, The Gentlemen, and LockBit 5.0 dominating the landscape. Notably, The Gentlemen leveraged a massive stockpile of pre-exploited FortiGate devices (CVE-2024-55591) to rapidly scale operations, while LockBit 5.0 returned with multi-platform capabilities and a strategic shift away from US targets to evade law enforcement.
Source: Check Point
What Happened
In the first quarter of 2026, ransomware attack volume stabilized at historically high levels, but the attacks are now carried out by a smaller, more dominant set of groups. Organizations running FortiGate VPNs or Oracle software are at particular risk because specific vulnerabilities in those products are being heavily exploited by these groups. This matters because the larger ransomware operations are highly capable, well-resourced, and actively shifting their targeting globally to avoid US law enforcement. Organizations should immediately patch known vulnerabilities, especially in internet-facing devices such as VPNs, and ensure that robust backup and recovery plans are in place.
Key Takeaways
- The ransomware ecosystem is consolidating, with the top 10 groups accounting for 71% of Q1 2026 victims.
- Qilin remains the most dominant operation, while 'The Gentlemen' emerged as a breakout group reaching third place globally.
- The Gentlemen utilizes a massive stockpile of 14,700 pre-exploited FortiGate devices (CVE-2024-55591) to target primarily non-US entities.
- LockBit 5.0 has made a significant comeback, introducing multi-platform support and strategically shifting targeting away from the US.
- Mass exploitation campaigns, such as Cl0p's targeting of Oracle EBS (CVE-2025-61882), heavily skew geographic and industry victim distributions.
Affected Systems
- FortiGate devices (FortiOS/FortiProxy)
- Oracle EBS
- Windows
- Linux
- ESXi
- OneDrive (Cloud Storage)
Vulnerabilities (CVEs)
- CVE-2024-55591 (Critical authentication bypass in FortiOS/FortiProxy)
- CVE-2025-61882 (Oracle EBS vulnerability)
Attack Chain
Threat actors acquire initial access through stockpiles of pre-exploited edge devices (e.g., FortiGate via CVE-2024-55591) or brute-forced VPN credentials. Other groups utilize mass exploitation of enterprise software (e.g., Oracle EBS via CVE-2025-61882). Once inside the network, actors deploy multi-platform ransomware payloads targeting Windows, Linux, and ESXi environments to encrypt files, sometimes utilizing randomized extensions or cloud encryption capabilities like Nightspire's OneDrive encryption. Finally, victims are extorted via data leak sites under a consolidated Ransomware-as-a-Service (RaaS) or cartel model.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
The article provides strategic threat intelligence and vulnerability context but does not include specific detection rules or queries.
Detection Engineering Assessment
- EDR Visibility: Medium — EDR solutions will have high visibility into the ransomware execution phase on endpoints, but may lack visibility into the initial exploitation of edge devices like FortiGate appliances.
- Network Visibility: Medium — Network sensors can detect exploitation attempts against known CVEs (CVE-2024-55591, CVE-2025-61882) and potential data exfiltration to data leak sites.
- Detection Difficulty: Moderate — While ransomware execution is generally noisy and detectable, identifying the initial access via zero-day or N-day exploits on edge devices before lateral movement occurs remains challenging.
Required Log Sources
- VPN authentication logs
- Firewall traffic logs
- Endpoint process execution logs
- Cloud storage access logs (OneDrive)
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Look for unusual authentication patterns or brute-force attempts against FortiGate VPN interfaces, which may indicate targeting by groups like The Gentlemen. | VPN authentication logs | Initial Access | Low |
| Monitor for mass exploitation attempts targeting Oracle EBS vulnerabilities (CVE-2025-61882) originating from single or clustered external IPs. | WAF/Web Server logs | Initial Access | Low |
| Search for rapid, high-volume file modifications or encryption events in cloud storage environments like OneDrive, indicative of Nightspire's cloud encryption capabilities. | Cloud Audit Logs | Impact | Medium |
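The first and third hypotheses in the table can be expressed as sliding-window counts over authentication and cloud audit telemetry. The following is an added example, not code from the Check Point report or this page: the event tuple shapes, the `WRITE_OPS` operation names, the five-minute windows and the thresholds (10 failed logins, 50 write operations) are assumptions chosen for illustration, and the log lines are constructed. Map the field names onto your own FortiGate SSL-VPN and Microsoft 365/OneDrive audit schemas before using it.

```python
"""Hunting checks for VPN brute force and cloud mass modification over constructed logs.

Added example, not code from the Check Point report or this page. Event shapes,
operation names, windows and thresholds are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def max_events_in_window(timestamps, window):
    """Largest number of (sorted) timestamps inside any sliding window of length
    `window`. Returns (count, first_index, last_index) of that densest window."""
    best = (0, 0, -1)
    start = 0
    for end, t in enumerate(timestamps):
        while t - timestamps[start] > window:
            start += 1
        count = end - start + 1
        if count > best[0]:
            best = (count, start, end)
    return best


def find_vpn_brute_force(events, window=timedelta(minutes=5), threshold=10):
    """Hypothesis 1: sources with >= `threshold` failed VPN logins inside one `window`.
    `events` are (timestamp, source_ip, user, result) tuples.
    Returns {source_ip: (failed_count, distinct_users_tried)}."""
    failures = defaultdict(list)
    for ts, ip, user, result in events:
        if result == "failed":
            failures[ip].append((ts, user))
    hits = {}
    for ip, rows in failures.items():
        rows.sort()  # chronological order is required by the sliding window
        count, first, last = max_events_in_window([t for t, _ in rows], window)
        if count >= threshold:
            users = {u for _, u in rows[first:last + 1]}
            hits[ip] = (count, len(users))
    return hits


# Assumed write-type audit operation names; adjust to your tenant's audit schema.
WRITE_OPS = {"FileModified", "FileRenamed", "FileMoved"}


def find_cloud_mass_modification(events, window=timedelta(minutes=5), threshold=50):
    """Hypothesis 3: users with >= `threshold` write operations inside one `window`.
    `events` are (timestamp, user, operation, item) tuples.
    Returns {user: peak_write_count_in_window}."""
    writes = defaultdict(list)
    for ts, user, op, _item in events:
        if op in WRITE_OPS:
            writes[user].append(ts)
    hits = {}
    for user, stamps in writes.items():
        stamps.sort()
        count, _, _ = max_events_in_window(stamps, window)
        if count >= threshold:
            hits[user] = count
    return hits


def constructed_vpn_events():
    """Constructed sample: one source sprays 12 failures over 6 accounts in 90 s;
    a legitimate user mistypes twice and then succeeds."""
    base = datetime(2026, 2, 3, 8, 0, 0)
    events = [(base + timedelta(seconds=8 * i), "203.0.113.7", f"user{i % 6}", "failed")
              for i in range(12)]
    events += [
        (base + timedelta(minutes=3), "198.51.100.4", "jsmith", "failed"),
        (base + timedelta(minutes=3, seconds=20), "198.51.100.4", "jsmith", "failed"),
        (base + timedelta(minutes=3, seconds=40), "198.51.100.4", "jsmith", "success"),
    ]
    return events


def constructed_cloud_events():
    """Constructed sample: one account rewrites 60 files in two minutes; another
    edits five files spread across an hour."""
    base = datetime(2026, 2, 3, 9, 0, 0)
    events = [(base + timedelta(seconds=2 * i), "alice@example.com", "FileModified",
               f"/Documents/doc{i}.docx") for i in range(60)]
    events += [(base + timedelta(minutes=12 * i), "bob@example.com", "FileModified",
                f"/Documents/plan{i}.xlsx") for i in range(5)]
    return events


if __name__ == "__main__":
    print("VPN brute-force candidates:", find_vpn_brute_force(constructed_vpn_events()))
    print("Cloud mass-modification candidates:",
          find_cloud_mass_modification(constructed_cloud_events()))
```

Both checks key on a burst rather than on any single event, which is what keeps the false-positive risk low: a user who mistypes a password twice or edits a handful of files never reaches the window thresholds, while a credential spray or a bulk rewrite of a synced folder does. Tune the thresholds against a baseline of your own traffic before alerting on them.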
Control Gaps
- Lack of EDR deployment on edge network devices (e.g., FortiGate)
- Delayed patching of critical vulnerabilities on public-facing infrastructure
Key Behavioral Indicators
- Randomized 16-character file extensions (LockBit 5.0)
- Mass file modifications in OneDrive
- Exploitation payloads targeting FortiOS/FortiProxy authentication
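The randomized 16-character extension indicator can be turned into a file-event check: flag extensions of exactly that length that look random, and then count them per writing process so that one oddly named file is ignored while a process rewriting dozens of documents stands out. This is an added example, not code from the Check Point report or this page. The heuristic (exact length, ASCII alphanumerics, at least two character classes, Shannon entropy of at least 3.0 bits) and the per-process threshold of 10 are assumptions for illustration; the extensions and process names in the sample events are constructed, not observed indicators.

```python
"""Flag processes writing many files with randomized 16-character extensions.

Added example, not code from the Check Point report or this page. The thresholds
are assumptions for illustration; sample extensions and process names are constructed.
"""
import math
from collections import Counter, defaultdict


def _extension(path):
    """Text after the last '.' in the file name, or None if there is none."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    if "." not in name:
        return None
    return name.rsplit(".", 1)[1]


def shannon_entropy(s):
    """Bits of entropy per character; 16 distinct characters give the maximum 4.0."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_randomized_extension(path, length=16, min_entropy=3.0):
    """True when the extension is `length` ASCII alphanumerics drawn from at least
    two character classes with entropy >= `min_entropy` (assumed thresholds)."""
    ext = _extension(path)
    if ext is None or len(ext) != length or not ext.isascii() or not ext.isalnum():
        return False
    classes = sum((any(c.islower() for c in ext),
                   any(c.isupper() for c in ext),
                   any(c.isdigit() for c in ext)))
    return classes >= 2 and shannon_entropy(ext) >= min_entropy


def find_mass_random_rename(file_events, threshold=10):
    """Count randomized-extension writes per process and return {process: count}
    for processes at or above `threshold`. `file_events` are (process, path) tuples.
    One odd file name is uninteresting; tens of them from a single process are not."""
    counts = defaultdict(int)
    for process, path in file_events:
        if looks_randomized_extension(path):
            counts[process] += 1
    return {p: c for p, c in counts.items() if c >= threshold}


def constructed_file_events():
    """Constructed file-write telemetry: one process rewrites 20 documents with
    random-looking extensions; ordinary processes write normal file names."""
    random_exts = ["x9Qk2Lm7Vb4Rt8Zp", "Ht4nW8eYq2KzR6Lb",
                   "3mPv7JdS9cXa1FgN", "u5Bz0QwE6rT2yK8M"]  # constructed, not real IoCs
    events = [("enc_payload.exe", f"C:\\Share\\Finance\\doc{i}.docx.{random_exts[i % 4]}")
              for i in range(20)]
    events += [
        ("winword.exe", "C:\\Users\\alice\\notes.docx"),
        ("explorer.exe", "C:\\Users\\alice\\report.documentbackup16"),  # 16 chars, but a lone file
        ("backup.exe", "D:\\bak\\db-2026-02-03.tar.gz"),
        ("svchost.exe", "C:\\Windows\\Temp\\cache"),
    ]
    return events


if __name__ == "__main__":
    print("Processes mass-writing randomized extensions:",
          find_mass_random_rename(constructed_file_events()))
```

Note that the per-file heuristic alone accepts `report.documentbackup16` (sixteen alphanumerics with enough entropy), which is why the aggregation step matters: the lone file from `explorer.exe` never reaches the threshold, while the 20 rewrites from the constructed `enc_payload.exe` process do. In production, pair the count with a short time window and with the file-modification burst check from the hunting hypotheses.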
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Patch FortiGate devices against CVE-2024-55591 immediately.
- Apply security updates for Oracle EBS to mitigate CVE-2025-61882.
- Reset credentials for any VPN accounts showing signs of brute-force activity.
Infrastructure Hardening
- Implement multi-factor authentication (MFA) on all VPN and external access points.
- Segment network architecture to limit lateral movement from edge devices.
- Ensure robust, offline, and immutable backups are maintained and regularly tested.
User Protection
- Deploy EDR solutions across all compatible endpoints and servers, including Windows, Linux, and ESXi environments.
Security Awareness
- Educate incident response teams on the shifting tactics of consolidated ransomware groups, including multi-platform threats and cloud encryption.
MITRE ATT&CK Mapping
- T1190 - Exploit Public-Facing Application
- T1110.001 - Brute Force: Password Guessing
- T1486 - Data Encrypted for Impact
- T1485 - Data Destruction
- T1565.001 - Data Manipulation: Stored Data Manipulation