The State of Ransomware 2026: Threat Actors, Tactics, and the Defender’s Response
Something quietly revealing happened in the ransomware data between late 2025 and Q1 2026. Most coverage focused on the headline numbers — 7,902 victims on leak sites in 2025, up from 6,129 the prior year; a further 2,165 victims in Q1 2026 alone, annualising to roughly 8,660 for the year and representing an 18.5% year-over-year increase. Those numbers are accurate and they matter. But they describe the visible ecosystem, which is not quite the same as the actual one.
The more interesting finding, and the one most coverage missed, is that the ransomware ecosystem grew measurably more fragmented while appearing to consolidate. Ransomware.live tracked 306 groups active across 2025. CipherCue’s analysis of 7,655 leak site claims from March 2025 to March 2026 identified 129 active groups, with the top group — Qilin — accounting for only 15% of claims. The remaining 85% split across 128 other groups. By Q1 2026, Breachsense observed the number of active groups growing each month: 58 in January, 54 in February, 65 in March.
That fragmentation raises a question worth asking: if no single law enforcement disruption would materially reduce overall ransomware volume, what would? The answer defenders are starting to converge on — slowly, and with resistance from the parts of the industry built around point products — is that the ransomware problem is not primarily a ransomware problem. It is an identity problem, a third-party problem, and an operational resilience problem. The encryption payload is the visible crisis; the actual failure mode is usually something else.
This is the state of ransomware as Q2 2026 begins: what the data shows, which groups are driving it, how the intrusion patterns have shifted, where the defensive response is working, and what the 2026–2027 trajectory looks like.
The 2026 ransomware landscape at a glance
| Category | Position in 2026 | Year-over-year shift | Significance |
|---|---|---|---|
| Total victim count | ~8,660 annualised from Q1 2026 pace | +18.5% vs 2025’s 7,307 | Volume growing despite more active defence |
| Most active group | Qilin (Agenda) | Held top position; 1,179 claims over 12 months | Dominant by volume, not by profitability |
| Fastest-growing group | The Gentlemen | 35 victims Q4 2025 → 182 Q1 2026 | Experienced affiliates behind new banner |
| Most impactful TTP shift | Voice phishing as initial access | 11% of Mandiant-investigated intrusions | Email phishing declining as share |
| Median dwell time | 14 days (Mandiant M-Trends 2026) | Up from 11 days in 2024 | Long espionage intrusions skewing average |
| Most targeted sector | Manufacturing | Three consecutive months top in Q1 2026 | Operational pressure drives payment |
| Most targeted country | United States | 50%+ of global victims | Concentration consistent across years |
| Notable structural shift | Scattered Spider + LAPSUS$ + ShinyHunters unified as “Scattered LAPSUS$ Hunters” | August 2025 announcement | Identity-abuse ecosystem consolidating |
The groups that define 2026
Four groups account for roughly half of all ransomware victim activity tracked in 2026 so far. Understanding their specific operating patterns is the starting point for any serious defensive posture.
Qilin (Agenda): the dominant volume play
Qilin was the most prolific ransomware operator of 2025 by a wide margin and has held that position through Q1 2026. Ransomware.live attributed 1,001 victims to Qilin in 2025; RansomLook’s competing tracker attributed 973. CipherCue’s twelve-month dataset through March 2026 shows Qilin at 1,179 leak site claims, roughly 3.1 per day, spanning 74 countries — the widest geographic footprint of any group.
The specific Q1 2026 pattern shows Qilin’s dominance clearly: 342 victims across January, February, and March. In March alone, Qilin claimed 131 victims — their highest single month ever, and their third consecutive month above 100 victims. Three months running above 100 is unprecedented in tracking history for any single group.
But volume is not the same as profitability. Multiple intelligence sources have observed that Qilin’s open affiliate recruitment model produces high victim counts and correspondingly higher rates of non-payment compared to more selective groups. The affiliate model — affiliates retain around 80% of ransom payments in Qilin’s structure, with the core group taking 20% — prioritises scale over success rate. Mandiant estimated Akira, a more disciplined operation, collected over $42 million in 2025 despite substantially lower victim counts than Qilin.
What makes Qilin particularly significant, and under-reported: the group has professionalised extortion mechanics in ways that distinguish it from traditional ransomware operations. Their leak site includes a “call a lawyer” option that reframes ransom demands in terms of regulatory fines and litigation risk. They have integrated Russian-speaking affiliate recruitment through closed forums like RAMP, with operational rules excluding CIS (Commonwealth of Independent States) targets — the standard pattern for Russian-tolerated cybercrime operations.
Their most publicly visible attack was the February 2024 compromise of Synnovis, the pathology services provider for NHS hospitals in London. That attack disrupted blood testing across multiple London hospitals and was one of the rare incidents where ransomware activity was publicly linked to patient harm. The 2025 and 2026 Qilin campaigns show the same operational approach applied with more precision and at higher throughput. Our Qilin, Akira, Lynx threat actor profile covers the TTPs, affiliate structure, and defensive indicators in detail.
Akira: the disciplined second-place
Akira Ransomware was the second-most active group of 2025 across both major trackers, adding nearly 740 victims across the year. Their activity declined from a Q4 2025 peak (226 victims) to Q1 2026 (176 victims, a 22% decrease), but the structural reason matters: Akira’s affiliates had depended heavily on exploiting SonicWall SSL VPN vulnerabilities through Q3 and Q4 2025, and as that exploit window narrowed, their intrusion rate dropped. This is a revealing pattern. Akira is not a group that generates its own zero-days; it is a group that executes extremely well on emerging vulnerabilities in internet-facing enterprise appliances.
The sectoral footprint matters. Akira leads specifically in construction (61 claims over twelve months) and business services (50 claims). They have a heavier US concentration than Qilin — 57% of Akira’s claims target US organisations, versus 37% for Qilin. This is consistent with a US-centric affiliate pool and an operational preference for targets with insurance coverage that makes payment more likely.
Akira is also, per intelligence reporting from multiple sources through Q1 2026, one of the three ransomware groups confirmed to have integrated AI agents into its attack pipelines. The productivity implications are real: AI-assisted reconnaissance, target profiling, and phishing content generation reduce the operational cost of an attack campaign.
The Gentlemen: the rapid-growth newcomer
The Gentlemen is the most interesting data point in the Q1 2026 numbers. The group first appeared in August 2025. Through Q4 2025 it ranked 16th in victim count, with only 35 claims. In Q1 2026, it jumped to 182 victims — second place behind Qilin. That trajectory is not consistent with an organic new group building affiliate capacity over time. It is consistent with experienced affiliates and operators migrating from other brands and consolidating activity under a new banner.
This pattern — affiliate migration between brands — recurs throughout ransomware history. LockBit’s affiliates dispersed after Operation Cronos in early 2024. BlackCat/ALPHV affiliates scattered after that group’s exit scam in March 2024. RansomHub affiliates migrated heavily after DragonForce Cartel’s reported takeover. The Gentlemen’s rapid growth is likely another chapter in the same story: the ransomware operator pool is relatively stable; the brands above them are fluid.
From a defensive standpoint, this matters because it means attribution to a specific group has limited predictive value. The affiliate you encountered under Brand X in 2024 may be operating under Brand Y in 2025 and Brand Z in 2026, with largely unchanged TTPs.
Scattered LAPSUS$ Hunters: the structural shift
The most significant structural development in the ransomware ecosystem happened in August 2025, when Scattered Spider, LAPSUS$, and ShinyHunters announced they would operate under a combined banner, “Scattered LAPSUS$ Hunters.” Early coverage framed this as a newly formed alliance. Closer analysis suggests something less dramatic but more revealing: the three groups had substantial membership overlap and operational collaboration for years, and the announcement is better understood as a rebranding of an existing reality than as a new alliance.
The distinction matters. For defenders, the announcement did not signal a fundamentally new threat. It confirmed that the social-engineering-first, identity-abuse-centric model these groups collectively represent has consolidated into a single coordinated brand with coordinated operational capacity.
What distinguishes this group from Qilin and Akira is not technical sophistication. It is methodology. Where Qilin’s affiliates exploit vulnerabilities and Akira’s affiliates exploit VPN flaws, Scattered Spider’s methodology is voice phishing, help desk impersonation, SIM swap attacks, and OAuth authorisation abuse. The 2023 MGM and Caesars attacks, the Jaguar Land Rover incident, the Salesforce/Salesloft Drift campaign, and the continuing pattern of attacks on enterprise SaaS environments all follow the same playbook: compromise the human process, then use legitimate-looking access to escalate.
Mandiant’s M-Trends 2026 report, released in late March 2026, crystallised the data point. Voice phishing climbed to the second-most common initial infection vector in 2025, appearing in 11% of Mandiant investigations where a vector could be identified. Exploits remained first at 32%. Email phishing, which was the dominant social engineering vector just a few years ago, has declined to a fraction of its former share. Our Scattered Spider defence guide covers the specific TTPs and defensive controls in detail.
The intrusion patterns that have shifted
If you were writing a defensive program in 2024 based on the threat landscape of 2022, you would be significantly behind where attackers actually are in 2026. Four intrusion-pattern shifts define the current landscape.
First, the initial access hand-off has collapsed in time. Mandiant’s 2022 data showed the median time between initial compromise and access hand-off to a follow-on operator at over eight hours. In 2025 investigations, that figure has collapsed to as little as 22 seconds in some documented cases. The division-of-labour model — where one threat cluster gains access and transfers it to a separate group for follow-on operations — appeared in 9% of Mandiant 2025 investigations, up from 4% in 2022.
The defensive implication is significant. Detection playbooks tuned for single-actor intrusion chains are less effective against the modern model, where the actor who gained initial access may be detected but has already handed off to a different actor running different TTPs. Organisations focused exclusively on detecting high-impact ransomware-stage tactics may lack detections for the low-impact techniques initial access partners use — which is the stage where intervention is far easier and cheaper.
Second, prior compromise has become the top initial infection vector for ransomware-related incidents. Mandiant’s 2025 data shows prior compromise as the initial vector in 30% of ransomware-related investigations, nearly doubling from the prior year. What this means operationally: attackers are buying access from infostealer operators who have been harvesting credentials for months, rather than performing initial compromise themselves. The credential theft happens, sits in a log file on a criminal market for some period, and then gets purchased and used for ransomware deployment.
The window between credential theft and ransomware deployment is where dark web monitoring earns its keep. Organisations that detect their own employees’ or vendors’ credentials on infostealer markets — before those credentials are weaponised — have a real intervention window.
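The intervention window described above only helps if the monitoring output is turned into a prioritised action list. The following is an added illustration, not code from the article or from any monitoring vendor: it takes a constructed feed of infostealer-log style records (login URL, harvested username, date the record surfaced), keeps only records for the organisation's own and a key supplier's domains, and uses the account's last known password rotation to separate exposures that are still usable from stale ones. The domains, usernames, rotation dates and the `employee`/`third-party` labels are all assumptions made for the example.

```python
"""Credential-exposure triage for the 'prior compromise' intrusion vector.

Added example, not the article's code. The feed format, domains, usernames
and rotation dates are constructed for illustration; a real feed would come
from a dark web / infostealer monitoring provider.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class ExposedCredential:
    target_url: str   # login page the stealer log recorded the credential for
    username: str     # e-mail style login as harvested
    seen: date        # date the record surfaced on the market


@dataclass(frozen=True)
class Finding:
    username: str
    domain: str
    population: str   # "employee" or "third-party" (constructed labels)
    target_url: str
    seen: date
    still_live: bool  # no password rotation recorded after the exposure date
    action: str


# Constructed sample feed; none of these are real records.
SAMPLE_FEED = [
    ExposedCredential("https://vpn.example.com/login", "alice@example.com", date(2026, 2, 3)),
    ExposedCredential("https://mail.google.com", "bob.smith@gmail.com", date(2026, 1, 10)),
    ExposedCredential("https://portal.vendor-example.net", "carol@vendor-example.net", date(2026, 3, 20)),
    ExposedCredential("https://sso.example.com", "Alice@Example.com", date(2026, 2, 3)),
    ExposedCredential("https://sso.example.com", "dave@example.com", date(2025, 11, 1)),
]

# Domains the organisation cares about: its own and a key supplier's (assumed).
MONITORED_DOMAINS = {"example.com": "employee", "vendor-example.net": "third-party"}

# Last known password rotation per account, e.g. pulled from the IdP (assumed values).
LAST_ROTATION = {
    "alice@example.com": date(2026, 1, 15),  # rotated BEFORE exposure: credential still live
    "dave@example.com": date(2026, 1, 15),   # rotated AFTER exposure: harvested credential is stale
}


def domain_of(username: str) -> str:
    """Return the lower-cased domain part of an e-mail style login."""
    return username.rsplit("@", 1)[-1].lower()


def triage(feed, monitored_domains, last_rotation) -> list:
    """Keep only records for monitored domains, decide whether each exposure is
    still usable by an attacker, and attach a defender action."""
    findings = {}
    for rec in feed:
        user = rec.username.lower()
        dom = domain_of(user)
        if dom not in monitored_domains:
            continue
        rotated = last_rotation.get(user)
        # No rotation on record, or rotation happened before the sighting: treat as live.
        still_live = rotated is None or rotated <= rec.seen
        population = monitored_domains[dom]
        if not still_live:
            action = "stale: verify rotation date, no reset needed"
        elif population == "third-party":
            action = "notify vendor; restrict that account's access until rotated"
        else:
            action = "force password reset, revoke sessions, confirm phishing-resistant MFA"
        key = (user, rec.target_url)
        # Keep the earliest sighting when the same credential appears twice.
        if key not in findings or rec.seen < findings[key].seen:
            findings[key] = Finding(user, dom, population, rec.target_url, rec.seen, still_live, action)
    # Live exposures first, oldest sighting first within each group.
    return sorted(findings.values(), key=lambda f: (not f.still_live, f.seen))


def live_accounts(findings) -> set:
    """Distinct accounts that need a reset right now."""
    return {f.username for f in findings if f.still_live}


if __name__ == "__main__":
    for f in triage(SAMPLE_FEED, MONITORED_DOMAINS, LAST_ROTATION):
        print(f"{f.seen} {f.username:28} live={f.still_live!s:5} {f.action}")
```

The rotation comparison is the part worth copying: a credential harvested before the last reset is noise, one harvested after it is an open door, and a monitoring feed that does not make that distinction produces alert fatigue rather than an intervention window.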
Third, voice phishing has moved from specialised to mainstream. The 11% figure from Mandiant’s 2026 data is striking because it represents only the cases where Mandiant could definitively identify the vector. The actual prevalence is almost certainly higher. Voice phishing requires live human engagement, which makes it resistant to automated technical controls, and it is effective against help desks and IT support functions whose core job is to help users resolve access problems.
Fourth, targeting of backup and virtualisation infrastructure has increased in precision. The 2025 data, per Mandiant, shows attackers deploying with deliberate intent to destroy backups and encrypt virtualisation platforms. Ransomware attacks that encrypt production data without destroying backups are recoverable. Ransomware attacks that destroy backups first are business extinction events for the subset of organisations that depended on those backups.
Immutable backup architectures — the 3-2-1-1-0 pattern, where the “1” represents an immutable copy and the “0” represents verified zero errors in recovery testing — have become the cyber insurance baseline for coverage. This is not coincidence. Insurers are pricing on the data that attackers are now specifically targeting backup infrastructure, and organisations without immutable backups face correspondingly higher premiums, higher retentions, or coverage exclusions. Our immutable backups guide covers the technical architecture and the insurer-recognised vendor list.
The sectoral and geographic patterns
Manufacturing has been the top-targeted sector in Q1 2026 for three consecutive months, claiming 76 victims in March 2026 alone — more than construction (53) and finance (48). This is a shift from the 2023–2024 period when healthcare and critical infrastructure dominated the victim share. The attacker logic is straightforward: manufacturing has low tolerance for operational disruption, holds significant intellectual property, and has historically under-invested in cybersecurity relative to financial services or healthcare.
Healthcare dropped from 93 victims in February 2026 to 47 in March — still above the 2025 monthly average, but not a sustained spike. The February surge was likely driven by specific campaigns rather than a structural shift in attacker preference. Healthcare remains a high-value target because of the operational pressure and patient safety considerations that drive payment decisions.
Geographic concentration remains consistent. The United States accounted for 404 of 808 victims (50%) in March 2026, and roughly 40% of the twelve-month total. France jumped to second place in March with 36 victims, followed by Germany (32), Italy, and the UK. Germany’s position in the top five is notable across multiple datasets; SafePay alone posted 72 claims targeting German organisations over the twelve-month CipherCue dataset, making SafePay the dominant threat to German organisations by a wide margin. This concentration likely reflects German-language affiliate capacity or a deliberate targeting campaign.
The long tail matters more than the headlines. Victims in 141 countries appeared in the CipherCue twelve-month dataset. US organisations are the most frequent targets, but the remaining 60% of victim share spans six continents. The operational reality for any large organisation is that ransomware is genuinely global — geographic concentration of operations is not a defensive posture.
Nation-state vs criminal: where the lines blur
Ransomware is predominantly a criminal enterprise — financially motivated, affiliate-driven, operationally distinct from nation-state cyber-espionage. But the lines are not clean.
Chinese state-sponsored activity, particularly the Volt Typhoon and Salt Typhoon campaigns targeting US and allied critical infrastructure, does not typically deploy ransomware — the goal is persistent access, not extortion. The significance for the ransomware conversation is that the TTPs are converging. Both criminal and state-sponsored actors are using living-off-the-land techniques, legitimate remote management tools (AnyDesk, TeamViewer, Splashtop), cloud application abuse, and identity compromise. A defensive posture tuned only to detect “ransomware behaviour” will miss both nation-state espionage and the pre-encryption stages of modern ransomware attacks.
Our Volt Typhoon and Salt Typhoon defence guide covers the nation-state side in depth. The summary relevant to the ransomware picture: behavioural detection, identity-first defence, and network segmentation between operational technology and corporate IT matter for both threat classes. The specific actors differ; the structural defensive priorities overlap substantially.
The second blurring pattern is North Korean state-sponsored financially motivated activity. North Korea’s Reconnaissance General Bureau (RGB) operates clusters that mix espionage with financial crime — the Lazarus Group being the most publicly known. North Korean IT worker operations — where DPRK operatives fraudulently obtain remote IT positions at Western companies to generate revenue and potentially deploy backdoors — also factored into Mandiant’s 2025 dwell time data, with long-term intrusions skewing the median upward.
The defensive response: what is working, what is not
Average dwell time in Mandiant’s 2025 data — the period between initial compromise and detection — was 14 days, up from 11 days in 2024. That increase is driven largely by long-term espionage intrusions and North Korean IT worker operations, not by defender weakness. Ransomware-specific dwell times are actually shorter; most ransomware attacks encrypt within days of initial access.
What is measurably working:
Identity-first defence. Organisations that have materially invested in MFA coverage across all access (not just privileged), phishing-resistant MFA for high-risk users, privileged access management with session recording, and just-in-time access patterns have measurably better outcomes against the voice-phishing-and-help-desk-abuse methodology that dominates the Scattered Spider playbook.
EDR/XDR with behavioural detection. Signature-based AV alone is ineffective against modern ransomware. EDR/XDR that detects behavioural patterns — credential dumping, lateral movement tooling, ransomware-specific process trees — materially reduces dwell time. CrowdStrike Falcon, SentinelOne Singularity, and Microsoft Defender for Endpoint dominate this market. Our EDR comparison for mid-market covers the vendor decision.
Immutable backups with tested recovery. Recovery time from a ransomware attack correlates directly with whether backups were (a) immutable, (b) tested, and (c) sized for production restore rather than just offsite copying. Organisations that pass all three tests recover in days; organisations that fail one or more recover in weeks or not at all.
Managed Detection and Response (MDR). For organisations without 24/7 SOC capacity — which is most mid-market — MDR providers (Arctic Wolf, Sophos MDR, Huntress, CrowdStrike Falcon Complete, Red Canary) meaningfully reduce time-to-detection and time-to-containment. Our MDR comparison covers the vendor landscape.
Tested incident response. Organisations that tabletop the ransomware scenario annually — including the legal, insurance, communications, and negotiation dimensions — respond measurably faster and make better decisions under pressure than organisations encountering their first ransomware incident live. Our tabletop exercises guide covers scenario design.
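The 3-2-1-1-0 pattern from the backup section and the three recovery tests listed above under "Immutable backups with tested recovery" (immutable, tested, sized for production restore) can be checked mechanically against a backup inventory. The block below is an added illustration, not the article's code or any backup vendor's tooling: it scores a constructed inventory of copies and restore-test records against each element of the rule, treating an immutable copy as valid only while its retention lock is still in force and treating "0 errors" as meaningful only if a restore test actually ran within the review window. The copy names, volumes, dates and the 90-day test window are assumptions; the production data itself is counted as the first of the three copies, as the 3-2-1 rule does.

```python
"""3-2-1-1-0 backup posture check.

Added example, not the article's or any vendor's code. The copy inventory,
restore-test records and sizes are constructed; `copies` is assumed to include
the production data itself as its first entry, as the 3-2-1 rule counts it.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class BackupCopy:
    name: str
    medium: str                      # e.g. "disk", "tape", "object-storage"
    offsite: bool
    immutable_until: Optional[date]  # retention-lock expiry, None if not immutable


@dataclass(frozen=True)
class RestoreTest:
    copy_name: str
    tested_on: date
    errors: int
    restored_gb: int                 # data volume actually restored in the test


def evaluate(copies, tests, production_gb, today, max_test_age_days=90) -> dict:
    """Return one pass/fail flag per rule element plus an overall verdict."""
    recent = [t for t in tests if (today - t.tested_on).days <= max_test_age_days]
    checks = {
        "3_copies": len(copies) >= 3,
        "2_media": len({c.medium for c in copies}) >= 2,
        "1_offsite": any(c.offsite for c in copies),
        # The immutable copy only counts while its retention lock is still in force.
        "1_immutable": any(c.immutable_until is not None and c.immutable_until > today
                           for c in copies),
        # "0 errors" only means something if a test actually ran inside the window.
        "0_errors": bool(recent) and all(t.errors == 0 for t in recent),
        # The third recovery test: a restore sized for production, not a sample-file check.
        "sized_for_production": any(t.errors == 0 and t.restored_gb >= production_gb
                                    for t in recent),
    }
    checks["pass"] = all(checks.values())
    return checks


TODAY = date(2026, 4, 1)      # constructed evaluation date
PRODUCTION_GB = 4000          # constructed production data volume

# Constructed inventory: production data, local snapshots, and a locked cloud vault.
COPIES = [
    BackupCopy("production", "disk", offsite=False, immutable_until=None),
    BackupCopy("nas-snapshots", "disk", offsite=False, immutable_until=None),
    BackupCopy("cloud-vault", "object-storage", offsite=True, immutable_until=date(2026, 9, 30)),
]


def full_restore_scenario() -> dict:
    """Recent full-volume restore from the immutable copy with no errors."""
    tests = [RestoreTest("cloud-vault", date(2026, 3, 10), errors=0, restored_gb=4000)]
    return evaluate(COPIES, tests, PRODUCTION_GB, TODAY)


def sample_restore_scenario() -> dict:
    """Same inventory, but the only test restored a handful of files."""
    tests = [RestoreTest("cloud-vault", date(2026, 3, 10), errors=0, restored_gb=50)]
    return evaluate(COPIES, tests, PRODUCTION_GB, TODAY)


def expired_lock_scenario() -> dict:
    """Retention lock on the vault lapsed: still three copies, no longer an immutable one."""
    copies = COPIES[:2] + [BackupCopy("cloud-vault", "object-storage", True, date(2026, 3, 1))]
    tests = [RestoreTest("cloud-vault", date(2026, 3, 10), errors=0, restored_gb=4000)]
    return evaluate(copies, tests, PRODUCTION_GB, TODAY)


if __name__ == "__main__":
    for name, fn in [("full restore", full_restore_scenario),
                     ("sample-only restore", sample_restore_scenario),
                     ("expired lock", expired_lock_scenario)]:
        print(name, fn())
```

The two failing scenarios are the ones that show up in real incidents: a restore test that touched a few files passes the "0 errors" box but not the production-sized restore, and an object-lock that expired last month leaves an inventory that still looks like 3-2-1-1 on paper.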
What is not working:
Legacy email security gateways. Traditional SEG products were designed for an email-phishing-dominant threat model. Modern BEC, particularly AI-generated variants, routinely evades them. API-based email security (Abnormal, Material, Mimecast’s newer architecture) performs measurably better against modern BEC.
Awareness training alone. Phishing awareness training has limited marginal value against voice phishing, deepfake voice calls, and AI-generated spear-phishing. The attacker has gotten measurably better at producing convincing content; user vigilance has not improved at the same rate.
Point products without integration. The “best-of-breed” security architecture — EDR from one vendor, SIEM from another, email security from a third, identity from a fourth — increasingly struggles against attack chains that cross tool boundaries. Integration quality matters more than individual product quality for detecting modern attack chains.
The cyber insurance feedback loop
The ransomware insurance conversation has changed materially since 2023. Coverage is available but priced on specific technical controls. Premium increases have slowed from the hardening-market peak of 2022–2023 but have not reversed. Ransomware sub-limits are tightening again as carriers see 2025’s volume surge working through to claims data.
Our cyber insurance 2026 guide covers the specific control requirements and the carrier landscape. The summary relevant here: cyber insurance has become the most effective enforcement body for mid-market security hygiene. Insurers require MFA, EDR, immutable backups, tested IR, PAM, patch management with SLAs, and API-based email security for coverage. The organisations that meet those requirements have structurally better ransomware resilience, regardless of whether they signed up for the insurance implication.
The OFAC sanctions angle deserves ongoing attention. Since the Treasury sanctions on multiple ransomware operators and affiliated entities, ransom payment decisions have become legally complex. The “can we pay?” question has a jurisdictional answer (“not to this group, potentially to that one”) and a timing answer (“not before sanctions screening is complete”). Our ransomware negotiation guide covers the decision framework without providing operational payment guidance — we treat negotiation as a decision support question, not a how-to.
The AI-assisted attacker: the 2026 inflection
Intelligence reporting through Q1 2026 has confirmed what the theoretical attack modelling predicted: ransomware groups have integrated AI agents into attack pipelines. Akira, Qilin, and Scattered Spider have all been identified as AI-agent-integrated operations.
The attacker AI stack is unglamorous and effective:
- Reconnaissance agents scrape LinkedIn, GitHub, company websites, and job postings to build target profiles at scale.
- Spear-phishing agents generate hyper-personalised content, often within minutes, tailored to the target’s role and observable communication patterns.
- Vulnerability identification agents analyse observed tech stacks against known exploit databases.
- Data prioritisation agents identify the files most likely to generate extortion leverage — financial records, IP, employee PII, customer data.
The FBI’s Cyber Division figure — AI-assisted intrusions up 340% year-over-year in 2025 — should be read skeptically on the specific number but directionally on the trend. The attack economics have shifted in ways that favour attackers in the short term.
The defensive response has to be structural, not tactical. If phishing content is now indistinguishable from legitimate communication, content inspection matters less and behaviour-based detection matters more. If attacker dwell time is compressed, detection and containment speed matters more than prevention perfection. If initial access is increasingly sold rather than self-performed, credential exposure monitoring matters more than preventing every credential theft.
Our AI-generated BEC guide covers the specific BEC evolution. The cross-cutting point is that “attacker using AI” is no longer a future threat. It is the baseline.
The twelve-month forward view
Five developments to track through the rest of 2026:
1. Qilin’s trajectory. Can Qilin sustain 100+ victims per month through the rest of 2026, or do affiliate churn and non-payment erode the operation? Ransomware history suggests dominant operations run for 18 to 36 months before disruption, exit scam, or structural decline. Qilin’s dominance began in mid-2025; the decline window is 2027 under that pattern, but no individual operation is guaranteed to follow it.
2. The Scattered LAPSUS$ Hunters methodology scaling. Voice phishing at 11% of Mandiant-investigated intrusions is a step change, not an endpoint. Expect the figure to climb further through 2026, and expect other ransomware operations to adopt the methodology as its effectiveness becomes undeniable.
3. Supply chain and SaaS compromise as an initial access vector. Salesloft/Drift was not the first OAuth-chain compromise and will not be the last. Expect continued SaaS ecosystem incidents through 2026, and expect defensive third-party risk management to mature accordingly. Our third-party risk guide covers the specific OAuth hardening controls.
4. Law enforcement operations. The ransomware ecosystem has been remarkably resilient to takedown operations — LockBit, BlackCat/ALPHV, RansomHub, and others have either absorbed disruption or migrated to new structures. But law enforcement capability has also grown. Expect 2026 to include at least one significant operation against a currently-active group. The structural effect on ecosystem volume will likely be modest; the individual-group effect can be substantial.
5. Cyber insurance claim patterns. The 2025 ransomware volume surge is working through to 2026 claims data. Expect premium adjustments, sub-limit tightening, and carrier appetite shifts through late 2026 and early 2027. For buyers, this means renewal conversations will be harder than 2024 and 2025 renewals were; for defenders, this means control investment matters more, not less.
What the visible picture misses
The final point worth making is about what the ransomware data does not show.
Leak site tracking captures groups that claim victims publicly to pressure payment. Groups operating on private negotiation — where public disclosure is withheld as a negotiation lever — are undercounted. Victims who pay quickly and quietly, and whose attackers never post them, are invisible in every public dataset.
Not every “ransomware” incident involves encryption. Extortion-only attacks — where data is stolen and the group threatens publication without deploying encryption — are a growing share of the ecosystem. These attacks often escape the “ransomware” framing in corporate disclosures, underreporting the true scale of the extortion economy.
Small and mid-sized business incidents are substantially underrepresented in tracking. Leak site posting has operational cost for the attacker; small victims may not be worth the posting effort, may be negotiated down below the posting threshold, or may simply not pay and be abandoned without public disclosure. The 8,660 annualised figure for 2026 is a floor, not a ceiling.
Finally, the “failed” attacks — where initial access was gained but ransomware was never deployed because defensive controls intervened, or where the attack was discovered before encryption — are genuinely invisible in every public dataset. These are successes for defenders, and they likely outnumber the visible incidents. But they are not in the headline numbers, which means the headline numbers understate both the threat volume and the defender success rate simultaneously.
This is the ransomware picture as 2026’s first quarter closes: genuinely larger than the year before, genuinely shifting in methodology, genuinely more AI-augmented on the attacker side, and genuinely better-defended in the mid-market cohort that has built the control baseline insurers and regulators now demand. The volume is growing. The outcomes are diverging. The organisations that will still be functioning after their first ransomware encounter are the ones who did the work before the encounter — not the ones who will learn from the encounter itself.
Frequently asked questions
How many ransomware victims are there in 2026 so far? Q1 2026 totalled 2,165 victims tracked on leak sites, annualising to roughly 8,660 victims for the full year. This represents an 18.5% increase over 2025’s 7,307 victims. These numbers reflect leak-site-tracked incidents and undercount private negotiations, small-business incidents, and extortion-only (non-encryption) attacks.
Which ransomware group is most active in 2026? Qilin (also known as Agenda) has been the most prolific ransomware group by victim volume every month of Q1 2026, claiming 342 victims across January, February, and March combined. In March 2026 alone, Qilin claimed 131 victims — their highest single month ever. Akira and The Gentlemen have alternated as the second-most-active group.
Is AI actually being used in ransomware attacks? Yes. Intelligence reporting through Q1 2026 has confirmed that Akira, Qilin, and Scattered Spider have integrated AI agents into their attack pipelines, supporting reconnaissance, spear-phishing content generation, vulnerability identification, and data prioritisation. The FBI’s Cyber Division reported AI-assisted intrusions up 340% year-over-year in 2025.
How is initial access changing? Four shifts matter: voice phishing climbed to 11% of Mandiant-investigated 2025 intrusions (second-most common after exploits at 32%); prior compromise (credentials purchased from infostealer markets) has become the top initial vector for ransomware, up from roughly 15% the prior year; email phishing has continued its multi-year decline; and the time between initial access and hand-off to follow-on operators has collapsed from over eight hours in 2022 to as little as 22 seconds in documented cases.
Should we pay if we get hit by ransomware? The question is legally, ethically, and operationally complex, and the answer depends on your jurisdiction, your cyber insurance coverage, OFAC sanctions implications for the specific threat actor, the state of your backups, and what exactly was exfiltrated. Our ransomware negotiation guide covers the decision framework. We do not provide operational payment guidance.
What is the single highest-impact defensive control against ransomware? There is no single control. The defensive posture that actually reduces ransomware impact is layered: MFA everywhere (especially privileged access and help desk processes), EDR/XDR with behavioural detection, immutable backups with tested recovery, privileged access management, segmentation between IT and OT networks, and a tested incident response plan. Organisations that implement all of these have materially different outcomes from organisations that implement one or two.
What is Scattered LAPSUS$ Hunters? In August 2025, Scattered Spider, LAPSUS$, and ShinyHunters announced they would operate under the combined banner “Scattered LAPSUS$ Hunters.” Analysis suggests this represents rebranding of an existing reality — the three groups had substantial membership overlap and operational collaboration for years — rather than a formal merger. Their combined methodology is voice phishing, help desk impersonation, SIM swap attacks, and OAuth authorisation abuse.
This is the State of Ransomware 2026 hub. It is refreshed annually. For threat actor deep-dives and response playbooks, see our ransomware category. For how we cover threat intelligence and where we draw the line between reporting and operational attack detail, see our editorial standards page.