Where we stand
In Q1 2026, the Russia–Ukraine War entered its fifth year, while a new geopolitical flashpoint emerged on February 28, when the US–Israel strikes on Iran marked the beginning of a broader regional escalation.
Periods of armed conflict have always coincided with increased cyber activity. However, what distinguishes the current landscape is not simply the volume of attacks, but their intent. We have moved beyond an era where civilian organizations could plausibly be considered collateral damage. Increasingly, they are the target.
State-aligned advanced persistent threat (APT) groups and loosely affiliated hacktivist collectives are now operating with objectives that extend beyond economic gain. Some attacks have shown a shift in focus from financial gain to intentionally disruptive objectives targeting critical infrastructural and private companies alike.
Such appears to be the case when on March 11, less than two weeks after attacks on Iran began, reports of a cyber incident at U.S. medical device manufacturer Stryker came out, an attack claimed by pro-Iranian group Handala. Within a few days the scope of the incident started to emerge, with Handala claiming to have wiped over 200,000 devices and stolen 50 terabytes of data.
The long-term impacts of the incident are still unclear, attacking a US healthcare company is a very public reminder of the asymmetrical nature of cyberwarfare.
Q1 2026 also focused significantly on the impact of artificial intelligence on cybersecurity, something that Hollywood has been stoking our fears on for decades. Recent concerns include:
- The use of generative AI to create highly personalized, convincing, and scalable spear-phishing and deepfake phishing attacks.
- Seemingly benevolent open-source AI agentic tools like OpenClaw can introduce significant security risks.
- Anthropic’s claims that its Claude Mythos Preview was able to discover and exploit zero-days that have existed, undiscovered, for years. The risk was deemed so significant that it’s only been released to a limited group of companies (presumably, the adults in the room).
Thankfully as I look out my window this morning I can confirm that the sky isn’t falling. Companies are adapting to both the threats and the opportunities that AI represents just as they’ve always adapted to threats and opportunities. There have always been flaws in software, but the reality is that there must be a business case to justify finding them, and AI doesn’t change that. My suggestion is that we don’t need to push the panic button just yet.
Tracking the chaos: What the data tells us
Despite all this uncertainty, we can look to some excellent resources to get a real indication of ransomware activity and trends. These resources include:
- Ransomlook.io (open source)
- Ransomware.live (project by Julien Mousqueton)
That their data isn’t identical is part of the story — it reflects just how difficult it can be to track ransomware claims. Yet, in Q1 2026, both platforms reported remarkably similar trends:
- Ransomware.live: 2,318 incidents (vs. 2,251 in Q1 2025), across 70 active groups (vs. 67)
- RansomLook: 2,570 incidents (vs. 2,509 in Q1 2025), across 89 active groups (vs. 76)
Key takeaways:
1. Victim volumes have plateaued
Despite heightened geopolitical tensions, the total number of recorded ransomware victims remained broadly flat year-over-year. This suggests that while the threat environment is intensifying, it is not necessarily translating into a proportional increase in successful attacks.
2. Threat actor fragmentation is increasing
Both datasets show a rise in the number of active groups. This points to continued fragmentation within the ransomware ecosystem, with new entrants offsetting disruption caused by law enforcement actions or internal group instability.
3. Market leadership remains stable
The most active ransomware groups and their relative rankings were largely consistent across both datasets. This indicates that, despite fragmentation, a small number of dominant players continue to account for a significant share of activity. Combining the data of Ransomware.live and Ransomlook.io gives the following breakdown:
Geographic Distribution: A Growing Concentration
According to Ransomware.live, ransomware victims were recorded in 97 countries during Q1 2026.
However, the distribution of attacks is becoming increasingly concentrated.
The United States accounted for 64.7% of all recorded victims, a significant increase from 48% in Q1 2025. This sharp rise suggests either improved visibility into U.S.-based incidents, increased targeting, or both.
Meanwhile, Germany moved into the #2 position, displacing Canada, which had previously held that spot.
Top 10 Most Affected Countries (Q1 2026):
| Country | % of Victims |
| USA | 64.7% |
| Germany | 5.9% |
| Canada | 5.2% |
| United Kingdom | 5.2% |
| France | 4.3% |
| Italy | 4.3% |
| India | 3.0% |
| Brazil | 2.8% |
| Spain | 2.8% |
| Japan | 2.1% |
| Other | 37.3% |
Conclusion
Q1 2026 reinforces a critical reality: ransomware is no longer defined solely by financial extortion, but increasingly by its role as a tool of disruption within a broader geopolitical and technological shift.
While overall incident volumes remain relatively flat, structural changes in the ecosystem—rising group fragmentation, geographic concentration in high-value economies such as the United States, and the emergence of more destructive, ideologically motivated campaigns—signal a meaningful evolution in risk.
Incidents such as the attack on Stryker Corporation underscore how civilian organizations are now embedded within the perimeter of modern cyber conflict. In parallel, AI is beginning to accelerate both attacker capabilities and defensive adaptation, further compressing response timelines.
Emsisoft Enterprise Security + EDR
Robust and proven endpoint security solution for organizations of all sizes. Start free trialIn this environment, resilience is no longer optional. Organizations must assume that disruption is not only possible, but in some cases intentional, and design their security posture accordingly.