Ransomware in 2026: An Overview of Active and Emerging Threat Groups


January 1, 2026

Ransomware continues to evolve at pace, with threat actors refining their tooling, targeting strategies, and extortion models.


For organisations, the challenge is no longer just preventing ransomware, but also understanding who the adversaries are, how they operate, and the risks they pose.


Now that we are officially in 2026, we have compiled a high-level overview of the ransomware gangs currently active or observed across global incident response and threat intelligence reporting.

Established and High-Impact Ransomware Gangs

Qilin

A ransomware-as-a-service (RaaS) operation known for double-extortion tactics, combining encryption with aggressive data-leak pressure.


Akira

Targets Windows and Linux environments, frequently exploiting VPNs and unmanaged credentials. Known for fast lateral movement.


LockBit

One of the most prolific ransomware groups historically. Highly automated, affiliate-driven, and relentlessly opportunistic despite repeated takedowns.


Clop

Specialises in mass exploitation of zero-day vulnerabilities, particularly in file-transfer platforms, focusing on data theft over encryption.


Rhysida

Often targets healthcare, education, and public sector organisations, using double extortion and public shaming tactics.


Medusa

A mature ransomware group known for targeted attacks, data exfiltration, and structured leak site operations.

Versioned and Actively Developed Ransomware Strains

Devman 2.0 / Devman 3.0

Indicative of active development cycles, suggesting either rebranding or technical evolution to evade detection.


Kill Security 3.0 Ransomware

Versioned naming implies continuous refinement of payloads and evasion techniques.


Dire Wolf v2

A re-engineered variant focusing on improved encryption routines and persistence mechanisms.


Obscura 2.0

A successor strain emphasising stealth, obfuscation, and reduced forensic visibility.


3AM v3

Associated with off-hours execution and rapid impact, often linked to broader criminal ecosystems.

Data-Leak and Extortion-Focused Operations

Ransom House

Primarily focuses on data theft and extortion without always deploying encryption.


World Leaks / Business Data Leaks / Leaknet

Leak-centric brands designed to amplify reputational damage and regulatory pressure.


Coinbase Cartel Ransomware

Uses branding and naming pressure tactics to imply large-scale financial exposure.


DATACARRY

Centred on data exfiltration, resale, and extortion rather than pure operational disruption.

Emerging, Smaller, or Less Publicised Groups

Dragon Force

A developing RaaS group with signs of expanding affiliate recruitment.


INC

Limited public reporting, but observed in targeted attacks against commercial organisations.


Play

Known for hands-on-keyboard attacks and manual privilege escalation.


Lynx

A newer group with focused targeting and selective victim disclosure.


Everest

Combines ransomware deployment with persistent data-leak operations.


Genesis

Often associated with credential abuse and identity-based intrusion paths.


Chaos Ransomware

Sometimes linked to destructive behaviour beyond pure financial extortion.

Niche, Opportunistic, or Short-Lived Operations

Safepay Ransomware

Focused on monetisation via rapid extortion cycles.


Sinobi

Limited activity but notable for reusing known malware components.


Handala

Ideologically motivated branding alongside financially driven attacks.


Anubis Ransomware

Multiple groups have used this name, complicating attribution.


The Gentlemen

Relies heavily on social pressure and public disclosure threats.


Space Bears

A newer entrant with unclear long-term sustainability.

Low-Visibility or Poorly Documented Threat Actors

These groups have limited public reporting but have appeared in threat feeds, leak sites, or underground forums:


  • Blackshrantac
  • Minteye
  • NightSpire Ransomware
  • TridentLocker
  • Crypto24 Ransomware
  • Benzona
  • Nitrogen
  • Securotrop
  • Pear
  • Kazu
  • W.A. Ransomware
  • Termite Ransomware
  • Osiris Project
  • Brotherhood
  • Embargo
  • Radar
  • TENGU ransomware blog
  • Sarcoma
  • Cloak
  • Abyss


Such actors often represent rebrands, splinter groups, or short-term campaigns, but still pose real risk, particularly to organisations with weak access controls or poor detection coverage.

What This Means For You

The ransomware ecosystem is crowded, volatile, and constantly shifting. New names appear weekly, while established gangs rebrand, fragment, or resurface under different identities.


Key takeaways:

  • Ransomware is no longer just malware; it’s an operational business model
  • Data theft and extortion are now as common as encryption
  • Attribution matters less than preparedness, detection, and response capability
  • Organisations without tested incident response plans remain the most exposed

Cybergen’s Perspective

At Cybergen, our incident response and threat intelligence work consistently shows that ransomware success is rarely driven by novel malware alone. The most damaging incidents stem from familiar failures: exposed credentials, excessive privileges, unmonitored access paths, and delayed detection. Threat actors exploit operational blind spots far more often than they defeat well-designed controls.


We also see a clear shift away from “spray and pray” ransomware towards targeted, intelligence-led intrusion. Many of the groups listed above operate with patience—mapping environments, identifying crown-jewel data, and timing execution to maximise disruption and leverage. Encryption is increasingly optional; data theft, regulatory exposure, and reputational damage now drive extortion value.


From our perspective, organisations that fare best against ransomware share common traits:


  • Strong identity and access governance, particularly around privileged and third-party access
  • Continuous monitoring capable of detecting abnormal behaviour before encryption occurs
  • Practised, decision-ready incident response plans tested under realistic conditions
  • Executive understanding that ransomware is a business risk, not just a technical one


Crucially, we observe that investment skewed too heavily toward preventative tooling—without equal focus on detection, response, and recovery—creates a false sense of security. Ransomware resilience is built through layered controls, clear ownership, and the ability to act decisively under pressure.


  • Understanding who the threat actors are provides context.
  • Understanding how they succeed provides defence.
  • Being operationally ready is what ultimately limits impact.


For organisations seeking to move beyond reactive security and build true ransomware resilience, Cybergen delivers threat intelligence, detection, and response capabilities designed for real-world adversaries, not theoretical ones.


For more information about next-generation threat intelligence and ransomware readiness, get in touch with our team today.
