Ransomware Explainer

Qilin, Akira, Lynx: The Ransomware Groups Dominating 2026 and What They're Targeting

Qilin, Akira and Lynx are among the most active ransomware groups of 2026. Their targeting patterns, preferred intrusion vectors, and detection opportunities analysed.

Something unusual happened in the ransomware ecosystem between April 2025 and the first quarter of 2026. RansomHub, which had claimed 547 victims in 2024 and looked like the dominant force of the era, went dark in April 2025 without warning. Within weeks, its displaced affiliates had found new homes. LockBit’s affiliate base had already fragmented after Operation Cronos the previous year. What filled the vacuum was not a single successor but a three-way split — and the three groups that absorbed most of that demand have almost nothing in common beyond the fact that they encrypt data and demand money.

Qilin is now the highest-volume ransomware operation on the planet, with 1,689 victims logged on its leak site as of April 2026 according to ransomware tracking site Ransomware.live. Akira has quietly become the most technically disciplined, claiming roughly $244 million in ransomware proceeds and running one of the cleanest edge-device exploitation pipelines in the business. Lynx has already rebranded itself once — the descendant of INC Ransomware appears to have spawned Sinobi in mid-2025, which is now operating alongside or in place of the original Lynx infrastructure.

Treating these three as variants of the same problem — as most coverage does — misses the point. They represent three different business models that happen to be converging on the same victim pool, and defending against them requires three different responses.

Qilin: volume at industrial scale

Qilin emerged in 2022 under the name Agenda and spent its first two years as an unremarkable mid-tier Ransomware-as-a-Service (RaaS) operation. In 2024 it claimed 179 victims — respectable but not dominant. Then RansomHub collapsed in April 2025 and everything changed.

Within three months, Comparitech’s tracking showed Qilin’s attack claims jumping roughly 280 percent as former RansomHub affiliates migrated across. By October 2025 the group had claimed 700 victims for the year alone, more than RansomHub managed in the whole of 2024. Computer Weekly reported that in January 2026 Qilin logged over 100 attacks in a single month, with its nearest competitor — Akira — managing 68. Ransom-DB’s February 2026 data put Qilin at 136 victims in a single 30-day window, second only to an emerging group called 0APT.

The business model that enables this volume is textbook RaaS but executed with unusual professionalism. Affiliates keep 80 to 85 percent of ransom payments; the core operators take the remaining 15 to 20 percent and provide the malware, infrastructure, leak site, and — in a development Barracuda’s research team flagged in late 2025 — a “Call Lawyer” feature that provides affiliates with legal consultation during extortion negotiations. Qilin has effectively productised the support stack around ransomware deployment.

Initial access patterns reflect the breadth of the affiliate base. Checkpoint and the Center for Internet Security document the full range: phishing and spear-phishing campaigns, exploitation of internet-facing applications (Citrix, Remote Desktop Protocol), infostealer malware targeting browser credentials, compromised VPN accounts, and in mid-2025 a notable pivot to FortiGate vulnerability exploitation (CVE-2024-21762, CVE-2024-55591). In at least one documented incident, Qilin affiliates compromised a managed service provider’s ScreenConnect remote management tool and pivoted from there to the MSP’s downstream customers — an efficiency multiplier that MSPs need to take seriously.

The malware itself is written in Rust and Golang and supports both Windows and Linux. Linux variants specifically target VMware ESXi hypervisors, where a single compromise can encrypt dozens of virtual machines with minimal lateral movement. Affiliates can configure encryption modes (normal, step-skip, fast, percent), choose custom file extensions, and tailor obfuscation. This is a product, not just a tool.

Targeting is broad by design but consistent in its priorities. SOCRadar’s late-2025 analysis put manufacturing first among Qilin’s victim industries, followed by professional services, wholesale and logistics, healthcare, and financial services. Geography skews to the United States (the majority of victims), with Canada, the UK, France and Germany forming a secondary tier. Qilin, unlike some of its contemporaries, has not shown restraint around healthcare — the June 2024 attack on UK pathology provider Synnovis, which demanded a $50 million ransom and disrupted services at several London hospitals, remains one of its signature incidents. NCC Group reported in early 2026 that Qilin had breached the Transport Workers Union Local 100 in New York City, exposing records of 41,000 current and 26,000 former public transport employees.

What makes Qilin dangerous is not technical novelty. It’s volume, affiliate diversity, and the absence of any obvious ethical ceiling.

Akira: the edge-device specialist

Akira runs a different playbook. Since its emergence in March 2023, the group has maintained one of the most focused intrusion strategies in the ransomware economy: find an edge device that isn’t patched, compromise it, and pivot into whatever sits behind. In 2025 and into 2026, that edge device has overwhelmingly been a SonicWall firewall.

The core of this campaign is CVE-2024-40766, a SonicWall SSL VPN improper access control vulnerability first disclosed in August 2024. SonicWall released a patch the same day. Almost a year later, Arctic Wolf’s threat intelligence team observed a significant uptick in Akira activity exploiting the same vulnerability — in devices that had never been patched, or in newer devices that had inherited vulnerable credentials during migration from SonicWall’s Gen 5 and Gen 6 firewalls. By late summer 2025, Darktrace, Rapid7, and the H-ISAC were all issuing parallel warnings. The FBI and CISA updated their joint #StopRansomware advisory in November 2025, adding that Akira had also begun deploying payloads against Nutanix Acropolis Hypervisor (AHV) systems — its first documented move beyond the historical VMware ESXi and Hyper-V targeting.

The commercial scale of the operation is significant. CISA’s November 2025 update put Akira’s total ransomware proceeds at approximately $244.17 million. Ransom demands per incident reportedly range from $200,000 to $4 million.

Akira’s technical approach is methodical. According to Rapid7’s investigations of the SonicWall campaign, the typical attack chain looks roughly like this: initial access via SSL VPN (either credential theft or CVE exploitation), privilege escalation to a service account, lateral movement across file servers to identify and stage sensitive data for exfiltration, disabling or deletion of backups, and then ransomware deployment at the hypervisor level. The group aggressively disables security tooling and clears event logs to impede forensic reconstruction.
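Two steps in that chain, backup destruction and event-log clearing, leave Windows telemetry that a SOC can alert on before the hypervisor-level encryption lands. The script below is an added example, not code from the article, Rapid7 or any vendor: it runs over a few constructed event lines in a simplified pipe-delimited form (a real export needs a proper parser in place of parse_line), flags the standard log-cleared event IDs (1102 for Security, 104 for System/Application) and the commonly monitored shadow-copy and backup-catalog deletion command lines, then escalates any host where both behaviours occur within a short window. The article does not name the exact commands Akira affiliates run; the patterns are the usual detection signals for this stage, and the time window is an assumption to tune.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry in a simplified "timestamp|host|event_id|detail"
# form; real Windows event exports need a proper parser in place of parse_line().
SAMPLE_EVENTS = """\
2026-03-02T01:12:05|FS01|4688|C:\\Windows\\System32\\vssadmin.exe delete shadows /all /quiet
2026-03-02T01:13:40|FS01|4688|wbadmin delete catalog -quiet
2026-03-02T01:20:11|FS01|1102|The audit log was cleared.
2026-03-02T01:21:02|FS01|104|The System log file was cleared.
2026-03-02T09:15:00|WS17|4688|C:\\Program Files\\Backup\\agent.exe --nightly
2026-03-02T10:05:44|DC01|1102|The audit log was cleared.
"""

# Event IDs Windows writes when a log is wiped: 1102 (Security), 104 (System/Application).
LOG_CLEAR_IDS = {"1102", "104"}

# Process-creation (4688) command lines that destroy local recovery points.
# These are the commonly monitored patterns, not commands quoted from the article.
BACKUP_DESTRUCTION = [
    re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE),
    re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog", re.IGNORECASE),
    re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete", re.IGNORECASE),
]


def parse_line(line):
    """Split one constructed sample line into its four fields."""
    ts, host, event_id, detail = line.split("|", 3)
    return datetime.fromisoformat(ts), host, event_id, detail


def classify(event_id, detail):
    """Map one event to a precursor category, or None if it looks benign."""
    if event_id in LOG_CLEAR_IDS:
        return "log_clear"
    if event_id == "4688" and any(p.search(detail) for p in BACKUP_DESTRUCTION):
        return "backup_destruction"
    return None


def detect(text, window=timedelta(minutes=30)):
    """Return (alerts, escalated_hosts).

    alerts: one dict per matching event.
    escalated_hosts: hosts where backup destruction and log clearing both
    occurred within `window` of each other (an assumed tuning value).
    """
    alerts = []
    per_host = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, event_id, detail = parse_line(line)
        kind = classify(event_id, detail)
        if kind is None:
            continue
        alerts.append({"time": ts, "host": host, "kind": kind, "detail": detail})
        per_host[host][kind].append(ts)

    escalated = []
    for host, kinds in per_host.items():
        close = any(abs(tl - tb) <= window
                    for tb in kinds["backup_destruction"]
                    for tl in kinds["log_clear"])
        if close:
            escalated.append(host)
    return alerts, sorted(escalated)


if __name__ == "__main__":
    found, hosts = detect(SAMPLE_EVENTS)
    for a in found:
        print(f"{a['time']:%H:%M:%S} {a['host']:5} {a['kind']:19} {a['detail']}")
    print("escalate:", hosts)
```

On the sample data FS01 is escalated (shadow copies and the backup catalog deleted, then both logs cleared, all inside nine minutes), while DC01, which only shows a cleared audit log, stays a single-event alert for an analyst to triage.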

A noteworthy detail: Rapid7 also documented Akira affiliates accessing SonicWall’s Virtual Office Portal, which in certain default configurations allows public access to the MFA/TOTP setup flow. If attackers already have a valid username and password — from a prior credential dump, for instance — they can configure their own MFA token and present a fully “authenticated” login. This is one of several reasons patching alone is not sufficient: credential rotation on all SonicWall local accounts, removal of unused accounts, and restricted Virtual Office Portal access are all necessary steps.
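Those remediation steps (rotate every local credential, remove unused accounts, restrict the Virtual Office Portal) are easy to state and easy to leave half done. The audit below is an added example, not the article's or SonicWall's code: it walks a constructed inventory of local appliance accounts and flags what still needs action, including the case this paragraph describes, an MFA token enrolled on top of a credential that was never rotated after the patch. The field names, the PATCH_DATE value and the 90-day staleness threshold are assumptions; the article gives only "August 2024" for the fix, so the date is a placeholder to replace with the day the patch was actually applied.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Placeholder: set this to the date the CVE-2024-40766 fix was applied to your
# appliance. The article only says "August 2024".
PATCH_DATE = date(2024, 8, 31)


@dataclass
class LocalAccount:
    """One appliance-resident user. Field names are assumptions, not the vendor's export schema."""
    name: str
    password_changed: date
    last_login: Optional[date]
    mfa_enrolled: Optional[date]     # when a TOTP token was bound, if ever
    migrated_from_legacy: bool       # imported from a Gen 5/6 configuration


@dataclass
class ApplianceConfig:
    firmware_patched: bool           # running a build that contains the fix
    virtual_office_public: bool      # portal (and its MFA setup flow) reachable from the internet
    accounts: List[LocalAccount]


def audit(cfg: ApplianceConfig, today: date, stale_days: int = 90) -> List[Tuple[str, str]]:
    """Return (subject, finding) pairs for everything that still needs action."""
    findings = []
    if not cfg.firmware_patched:
        findings.append(("appliance", "firmware predates the CVE-2024-40766 fix: patch before anything else"))
    if cfg.virtual_office_public:
        findings.append(("appliance", "Virtual Office Portal exposed: restrict it so self-service MFA setup is not public"))
    for acct in cfg.accounts:
        # Unused accounts are a standing liability: disable or remove them.
        if acct.last_login is None or (today - acct.last_login).days > stale_days:
            findings.append((acct.name, f"no login in {stale_days} days: disable or remove"))
        # A password that predates the patch, or was carried over from a Gen 5/6
        # migration, may already be in someone else's hands: rotate it.
        if acct.migrated_from_legacy or acct.password_changed <= PATCH_DATE:
            findings.append((acct.name, "password predates patch or was migrated: rotate"))
            # An MFA token bound on top of that old credential could have been
            # enrolled by whoever holds the credential, not by the user.
            if acct.mfa_enrolled is not None and acct.mfa_enrolled > acct.password_changed:
                findings.append((acct.name, "MFA enrolled on an unrotated credential: verify the enrollment with the user"))
    return findings


def sample_config() -> ApplianceConfig:
    """Constructed inventory for the demonstration; not real appliance data."""
    return ApplianceConfig(
        firmware_patched=True,
        virtual_office_public=True,
        accounts=[
            LocalAccount("svc-backup", date(2023, 5, 1), date(2026, 3, 20), date(2025, 9, 14), True),
            LocalAccount("jsmith", date(2025, 10, 2), date(2026, 4, 1), date(2025, 10, 2), False),
            LocalAccount("contractor-old", date(2024, 1, 15), date(2024, 11, 30), None, False),
        ],
    )


def sample_findings() -> List[Tuple[str, str]]:
    """Run the audit against the constructed inventory as of a fixed date."""
    return audit(sample_config(), today=date(2026, 4, 15))


if __name__ == "__main__":
    for subject, finding in sample_findings():
        print(f"{subject:15} {finding}")
```

Note that a patched appliance (firmware_patched=True) still produces findings here: the migrated service account with a token enrolled long after its last password change is exactly the combination the paragraph above warns about, and no firmware update clears it.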

Targeting patterns are pragmatic rather than ideological. Akira primarily hits mid-market organisations across North America, Europe, and Australia — large enough to pay substantial ransoms, small enough to have under-resourced security teams. Manufacturing, education, and healthcare have been prominent. The group operates a Linux variant specifically designed for VMware ESXi, and the November 2025 Nutanix AHV development suggests a deliberate strategy of broadening hypervisor coverage as defenders harden ESXi.

Defensively, the single most important observation is this: the initial access vulnerability in question has been patched for well over a year. Organisations still being hit are organisations that did not complete the remediation. The security analyst community on Reddit and elsewhere has begun sending an unambiguous message — SSL VPN technology itself is reaching the end of its useful life as a secure remote access method. Moving to Zero Trust Network Access (ZTNA) architectures removes that exposed attack surface rather than patching it.

Lynx (and Sinobi): the disciplined operation

Lynx is the most analytically interesting of the three because it has already completed a full rebrand cycle — twice.

The original INC ransomware emerged in August 2023. In March 2024 its source code was reportedly offered for sale on the RAMP cybercrime forum for $300,000. In July 2024, Palo Alto Networks Unit 42 published research identifying a new ransomware strain called Lynx that shared roughly half of INC’s function set, and closer to 90 percent of the Linux ESXi variant. The code lineage was unambiguous: Lynx was INC, repackaged and operationalised by new owners with a more sophisticated affiliate platform.

Lynx scaled quickly. By September 2024 it had 20 confirmed victims. By early 2025 the figure was 42. By August 2025, SOCRadar and Group-IB put it at nearly 300. The affiliate programme offered an 80/20 split in favour of affiliates — more generous than Qilin’s — and Group-IB’s research identified a mirrored infrastructure of 29 .onion domains split across administration panels, leak blogs, guest panels, and corporate mirrors. The operational resilience this provides is significant: law enforcement takedowns of individual mirrors do not meaningfully disrupt the service.

Then, in mid-2025, a new group called Sinobi appeared. By January 2026 Sinobi had posted 215 victims on its leak site. AttackIQ and eSentire’s analysis concluded that Sinobi shared both technical and infrastructural overlap with Lynx, strongly suggesting it was either a rebrand or a direct successor. SOSRansomware’s tracking in January 2026 positioned Sinobi alongside Lynx, Qilin, and Akira among the four most active operations of early 2026.

Tactically, Lynx and its Sinobi successor favour precision over volume. Halcyon’s threat profile notes that Lynx affiliates combine spearphishing, RDP brute-forcing against exposed endpoints, and exploitation of specific unpatched CVEs for initial access. The encryption implementation uses AES-128 in CTR mode with Curve25519 Donna for key protection — cryptographically robust and fast. Once inside, the group terminates security processes and backup tools, enumerates network shares via SMB and network topology via Nmap, and exfiltrates data before encryption. Ransom notes are sent to all networked printers — a psychological pressure tactic designed to ensure the incident becomes visible to the maximum number of employees at once.

The target profile is narrower than Qilin’s. Manufacturing is first, followed by business services, technology, and transportation. Energy and legal services feature heavily. The group’s stated avoidance of government, healthcare, and non-profit targets is belied by confirmed attacks on energy infrastructure and utilities, but the overall pattern is commercial and mid-market. The Sinobi rebrand shows signs of intensifying healthcare targeting, which SOSRansomware reads as a strategic focus on regulatory-sensitive verticals that maximise negotiation leverage.

An important feature of the Sinobi evolution: its affiliate recruitment is selective rather than open. Where Qilin deliberately grows its affiliate base, Sinobi appears to restrict it — trading volume for operational discipline and reduced exposure to infiltration by researchers and law enforcement.

Comparing the three

These groups share a business model and an ecosystem. Beyond that, they are genuinely different. The table below captures the targeting and technical distinctions that matter for defenders.

| Dimension | Qilin | Akira | Lynx / Sinobi |
|---|---|---|---|
| Active since | 2022 (as Agenda) | March 2023 | July 2024 (Sinobi: mid-2025) |
| Scale (victim count or proceeds) | 1,689+ (leak site, all-time) | ~$244M in proceeds (CISA, Nov 2025) | ~300 (Lynx) + 215 (Sinobi, Jan 2026) |
| Affiliate model | Open, aggressive recruitment, 15–20% operator cut | Closed/trusted affiliate base | Closed hybrid (Sinobi), tight selection |
| Primary initial access | Phishing, exposed RDP/Citrix, FortiGate CVEs, MSP compromise | SonicWall SSL VPN (CVE-2024-40766), credential abuse | Spearphishing, RDP brute-force, specific CVEs |
| Malware language | Rust + Golang | Rust (Megazord variant), C++ | INC-lineage code, AES-128 CTR + Curve25519 |
| Hypervisor targeting | VMware ESXi (Linux variant) | VMware ESXi, Hyper-V, Nutanix AHV (Nov 2025) | VMware ESXi, multi-architecture Linux |
| Primary geography | US, Canada, UK, Germany, France | North America, Europe, Australia | US, UK, Canada, Australia, Germany |
| Top victim sectors | Manufacturing, services, finance, healthcare | Manufacturing, education, healthcare | Manufacturing, business services, technology |
| Notable tactic | “Call Lawyer” affiliate legal support feature | Edge-device patience — re-exploits year-old CVE | Ransom notes printed to all network printers |
| Attributed origin | Russia / CIS-aligned (language kill switch) | Possible Conti successor | INC lineage, source-code lineage confirmed |

The single most useful defensive observation is that these three groups weight their initial access techniques differently. Harden your edge devices and credential hygiene against Akira. Harden your MSP and third-party access paths against Qilin. Harden your email gateway and exposed RDP against Lynx. Doing one well and the others poorly leaves you exposed.

What 2026 looks like from here

Three structural patterns are now clear.

Affiliate migration is now the dominant market force. The RansomHub collapse in April 2025 did not reduce ransomware activity — it redistributed it. Any law enforcement takedown of a major RaaS operator should be expected to produce a short-term drop in attributed attacks followed by a medium-term surge elsewhere as displaced affiliates rejoin competing platforms. Qilin’s 280 percent jump illustrates the pattern. The emergence of 0APT as a new market leader in early 2026, with 141 victims in a 30-day window, suggests the redistribution is ongoing.

Rebranding is operational, not cosmetic. INC became Lynx became (probably) Sinobi inside two years. The technical lineage survived; the brand was disposable. This pattern complicates law enforcement attribution and public statistics — counts of “active groups” overstate the underlying operator population because one operation can spawn multiple leak sites.

Edge devices are the new perimeter. Akira’s SonicWall campaign is the clearest example, but Qilin’s FortiGate pivot and Sinobi’s exploitation of SonicWall SSL VPN through CVE-2024-53704 (authentication bypass via session cookie manipulation) show the same pattern. The 2026 attack surface is not the endpoint or the server — it’s the VPN appliance, the firewall management interface, the MSP RMM tool, and the hypervisor. Defenders whose detection and response capabilities stop at the laptop are already behind.

One further trend worth flagging. CISA’s May 2025 guidance — and NCSC-UK’s parallel advisory — have been unusually direct in calling out that the underlying vulnerabilities being exploited are not novel. They are, in the FBI’s language to Congress in early 2026, “basic” — configuration errors, unpatched known CVEs, missing MFA, weak credential hygiene. The Akira campaign, which is still running on a CVE patched in August 2024, is the archetype. The ransomware economy does not need zero-days. It needs organisations that cannot operationalise basic hygiene.

For detailed first-response steps if your organisation has been hit, see our ransomware 72-hour response playbook. If the threat actor you’re defending against is social-engineering-led rather than ransomware-led, see our analysis of Scattered Spider tactics and defences.

Frequently asked questions

Which ransomware group is most active in 2026? By volume, Qilin. NCC Group’s January 2026 Threat Pulse placed Qilin at the top of monthly ransomware activity with over 100 attacks in January 2026 alone, followed by Akira with 68. However, “most active” and “most dangerous for my organisation” are different questions — Akira’s targeted SonicWall campaign has been more impactful for specific sectors than Qilin’s broader-based volume.

Is Qilin the successor to RansomHub? Not technically — Qilin is a separate operation that has existed since 2022. However, RansomHub’s collapse in April 2025 drove a large number of its affiliates to Qilin, which is why Qilin’s attack volume jumped sharply in mid-2025. The infrastructure is different; the operator population significantly overlaps.

What is the difference between Lynx and Sinobi? Sinobi emerged in mid-2025 and shares substantial technical and infrastructural overlap with Lynx, which itself inherited code from INC Ransomware. Security researchers at eSentire and AttackIQ assess that Sinobi is likely a rebrand or direct successor of Lynx, continuing the pattern of operational continuity under new names that the INC-Lynx transition established in 2024.

Why does Akira keep succeeding with an old vulnerability? CVE-2024-40766 was patched in August 2024, but Akira has continued to exploit it through 2025 and into 2026 because many organisations never applied the patch, or migrated configurations from older SonicWall devices without rotating credentials. The Virtual Office Portal also allows attackers with stolen credentials to configure their own MFA tokens, bypassing protections on patched devices. Patching alone is not sufficient.

Are any of these groups state-sponsored? None are assessed to be state-sponsored in the way PRC groups like Volt Typhoon or Salt Typhoon are. Qilin is widely believed to be Russia-based, based on language kill switches that prevent execution on systems configured for Russian or other Eastern European languages. Akira may have connections to the defunct Conti ransomware group, which had historical links to Russian cybercriminal networks. These groups are financially motivated and likely operate with state toleration rather than state direction.

What should organisations do first? Three priorities, in order: patch internet-facing edge devices (SonicWall, Fortinet, Citrix) and rotate all credentials on them; enforce MFA on every remote access path including VPN, RDP, and administrative interfaces; maintain immutable, tested backups with at least one offline copy. These three controls together block the most common initial access and recovery-denial tactics across all three groups.


This is a permanent reference page covering the three most active ransomware-as-a-service operations of 2026. It is refreshed quarterly as group activity shifts. Last significant update reflects data through early Q2 2026.