Ransomware attacks through the first half of 2026 hit a volume 20% higher than the same period last year, even as the number of incidents dipped slightly from the first quarter to the second. The sustained pressure comes amid an intensifying contest for dominance between two ransomware-as-a-service operations — Qilin and The Gentlemen — that are reshaping the threat landscape for Windows-dependent businesses.
The Numbers Behind the Surge
NordStellar’s Q2 2026 threat report, summarized by Manufacturing Business Technology on July 16, shows that ransomware incidents fell 4% between Q1 and Q2 but remained at an elevated baseline. The six-month total dwarfed the first half of 2025 by a fifth, signaling that the ecosystem has not merely spiked but shifted into a higher gear.
Qilin led the quarter with 299 victims listed on its leak site, while The Gentlemen followed closely with 284, a 39% jump from the previous quarter. GuidePoint Security’s own Q2 GRIT report confirmed the same top three: Qilin, The Gentlemen, and DragonForce, noting that it tracked 91 active ransomware groups — the highest number ever recorded.
Those leak-site counts are not perfect mirrors of intrusion volume. They are public claims by criminal operations, not independently verified incidents, and can be gamed, duplicated, or delayed. But the alignment across multiple threat intelligence firms gives the trend weight. The gentle quarterly drop, from a record pace in late 2025, is not an “all clear”; it’s a new normal.
A Rivalry That Reshapes the Market
The dynamics between Qilin and The Gentlemen are more than a leaderboard curiosity. In the ransomware-as-a-service (RaaS) model, core operators supply encryptors, leak infrastructure, and payment handling, while affiliates choose targets and tools. Affiliates can — and do — switch platforms when they perceive better payout terms or operational reliability.
When one group surges, it attracts talent and resources. When two titans collide, the competition can push both to refine their offerings, expand initial-access partnerships, and take on higher-profile targets. Mantas Sabeckis, a senior threat intelligence researcher at NordStellar, described the dynamic as a sign that the ransomware market is “stabilizing and maturing” rather than fragmenting. That maturity means defenders face not isolated bandits but well-funded, professionalized networks.
June data from Check Point, cited by ITPro, suggested The Gentlemen overtook Qilin to account for 17% of published attacks that month. The discrepancy with NordStellar’s quarterly figures is a reminder that snapshots depend on collection windows and methodology. The practical conclusion is the same for security teams: both operations are persistent, high-volume threats that have achieved enough scale to sustain simultaneous campaigns across industries.
DragonForce, though smaller, reached an all-time quarterly high, according to NordStellar. The ripple effect is that lesser-known crews, seeing the success of the top tier, are ramping up recruitment and access-broker relationships, broadening the surface area businesses must defend.
Large Enterprises Are No Longer Sheltered
Small and medium businesses still dominate victim lists — firms with fewer than 200 employees and revenues under $25 million remain the most frequent targets. Their often-lean IT resources, incomplete patching, and untested backups make them low-hanging fruit.
But the data contains a startling shift at the high end: victims with more than $1 billion in revenue rose 74% from Q1 to Q2, climbing from 23 publicly listed incidents to 40. While the absolute numbers are modest, the growth is not an anomaly. Large organizations offer richer data for double-extortion schemes — stealing data before encrypting it and threatening publication — which NordStellar found appeared in 76.8% of negotiations it analyzed. Time-limited payment discounts, a common pressure tactic, showed up in 45.5%.
For Windows-centric enterprises, this changes the calculus. A clean backup restore can bring servers, file shares, and domain controllers back online, but it does not undo a data theft event. Legal exposure, regulatory fines, and customer-notification obligations persist, even when technical recovery succeeds. The old rule — “if we can restore, we don’t pay” — no longer fully captures the risk.
Who Was Hit Hardest
Manufacturing topped NordStellar’s sector tally at 19.5% of Q2 victims. IT firms followed at 10.7%, professional and technical services at 8.3%, construction at 7%, and healthcare at 6.2%. Manufacturing’s prominence is especially relevant to Windows-heavy environments, where operational technology (OT) networks often run unpatched Windows workstations, depend on Active Directory, and lack segmentation. A single compromised engineering PC can pivot to production systems with alarming speed.
What Windows Administrators Must Do Now
The sustained threat level demands a move beyond policy statements to concrete, tested defenses. CISA’s #StopRansomware guidance continues to emphasize a few fundamentals:
- Eliminate public RDP exposure. Audit every firewall rule that forwards port 3389. If Remote Desktop is essential, enforce phishing-resistant MFA and apply account lockout policies. Log all remote-login attempts.
- Segment your network. Separate administrative accounts from daily-use accounts. Isolate OT, backup, and management networks to limit lateral movement. A compromised HR workstation should not be able to reach domain controllers.
- Protect backups from the identity plane. Maintain at least one backup copy that is offline, immutable, or cloud-based with different credentials. Run restoration exercises that include Active Directory, critical LOB applications, and user files — not just server volumes.
-
Harden endpoints with native Windows tools. Controlled Folder Access, part of Microsoft Defender Antivirus, blocks untrusted apps from modifying protected folders. Pilot it carefully to avoid disrupting legitimate business software. Attack surface reduction rules can also curb common ransomware behaviors: malicious scripts, obfuscated code, and process injection.
-
Make endpoint detection effective. Microsoft Defender for Endpoint can isolate a compromised Windows device from the network while keeping its connection to the Defender service. That capability is only useful if the team has rehearsed who can authorize isolation, which systems are exempt, and how containment will prevent a single endpoint from becoming a launch point.
For smaller shops without 24/7 security operations, the priority list is shorter but no less urgent: enable MFA everywhere, keep systems patched, back up to a cloud service with separate credentials, and test the restore process at least quarterly.
How We Got Here: The RaaS Maturation
Ransomware-as-a-service has been the dominant model for years, but 2025–2026 marks a consolidation phase. After law enforcement actions disrupted major groups like LockBit and ALPHV/BlackCat, affiliates scattered and regrouped around emerging operations. Qilin (formerly known as Agenda) and The Gentlemen filled the vacuum, investing in infrastructure and support that rivals the professionalism of legitimate SaaS platforms.
Affiliates now expect not just working encryptors but real-time negotiation dashboards, data leak management, and reliable payment processing. The competition between top-tier groups raises the floor for the entire ecosystem, making it harder for defenders to rely on amateurs’ mistakes.
Outlook: A Permanent New Baseline
The 4% quarterly decline is not a trend reversal. The ecosystem has found a level roughly a fifth higher than last year, and the emergence of 91 active groups means disruptions to any single operation will have limited impact. For Windows administrators, the next milestone isn’t tracking the latest gang name — it’s demonstrating that a stolen credential or a compromised workstation can be detected, contained, and recovered without giving an affiliate time to escalate to domain-wide encryption.
The tools exist within Microsoft 365 and Windows Server to mount a strong defense. The question is whether organizations will configure and test them before the next affiliate decides their network is a worthwhile target.