What “Elevated New Normal” Actually Means
Industrial Cyber’s Q1 2026 ransomware report frames the current state as “ransomware reaches an elevated new normal as attack volumes hold steady into 2026”. The phrasing matters. Through 2023-2024, defenders treated ransomware spikes as anomalies that would revert to mean. The 2026 data shows the reversion has stopped — attack volumes have plateaued at a level roughly 2x what was considered normal in 2022, and the analyst consensus is that this is the new baseline, not a peak.
Three Q1 2026 datapoints anchor the new baseline. BlackFog’s State of Ransomware 2026 documented 172 publicly disclosed incidents in Q1 — 90 in March, 82 in February — across 20+ countries with healthcare, government, and manufacturing as the top three sectors. The fragmentation is the standout feature: 30 distinct ransomware groups claimed responsibility in March alone, and 41% of February attacks remained unattributed to known groups, signalling fast operator rotation and emerging entrants.
The single most consequential data point is the rise of The Gentlemen. The group went from 35 victims in Q4 2025 to 182 in Q1 2026 — a 420% increase that pushed them to #2 globally behind Qilin (361 victims, down 25% from 484 in Q4) and ahead of Akira (176 victims, down 22% from 226). Industrial Cyber assesses that “The Gentlemen’s pattern of rapid growth very likely indicates the participation of experienced affiliates and operators behind the moniker” — meaning this is not a fresh-from-nothing group but a rebrand or talent-migration outcome from established RaaS infrastructure.
The second strategic shift documented across both reports is the abandonment of encryption-only models. Threat actors are “increasingly abandoning traditional encryption-based attacks in favor of data theft and extortion-only operations.” That changes incident response materially. The classic ransomware playbook (isolate, restore from backup, assess encryption blast radius) addresses 60% of the threat at most when the attacker’s leverage is data exposure rather than data lock.
What Mid-Sized Organisations Must Re-Baseline
The “elevated new normal” framing should change three operational assumptions that most mid-sized organisations carry into 2026.
The first is incident-response cadence. A 30-group landscape with 41% unattributed attacks means your TTP playbooks based on 2024 group profiles are increasingly stale. Threat-actor TTPs that worked against Qilin in 2025 are not the right priors for The Gentlemen in 2026. IR retainers should require quarterly threat-actor profile refreshes against current data, not annual updates.
The second is initial-access vector priority. The Q1 2026 reports converge on edge-device and remote-access exploitation as the dominant initial-access pattern. Industrial Cyber specifically calls out CVE-2024-55591 in FortiOS/FortiProxy as a sustained exploitation vector. The implication is that perimeter EDR and endpoint hardening — historically the dominant defensive investment — produce diminishing returns when the attacker enters via an unpatched VPN appliance or firewall and never touches an endpoint until lateral movement.
The third is backup strategy assumptions. When the dominant extortion model was data encryption, fast restoration from backup was the controlling defensive variable. When the dominant model is data theft and exposure, backup quality solves only part of the problem. The newer requirement is data-classification discipline plus exfiltration detection — knowing which data sets would damage you most if leaked, and detecting bulk transfers out of those data sets before the attacker walks away with them.
Advertisement
What Defenders Should Take Away
1. Patch Edge Devices and Remote-Access Appliances Inside a 7-Day Window
The Q1 2026 IR data points repeatedly to edge devices as initial access. Fortinet, Palo Alto, Citrix, Pulse Secure, Ivanti — every appliance in this category should be on a 7-day patching SLA when a CVE is disclosed, with the patch deployment itself measured and reported. The 2025-2026 pattern is that attackers weaponise edge-device CVEs within 72 hours of disclosure; organisations on a 30-day patching cycle for edge devices are statistically certain to be breached during a window in which a working exploit exists. The defensive cost of accelerating to 7 days is real (engineering disruption, change-window pressure) but materially less than the cost of an active intrusion.
2. Deploy Outbound Bulk-Transfer Detection on the Three Highest-Sensitivity Data Sets
In an extortion-only world, the controlling event is the bulk exfiltration moment, not the encryption moment. Identify the three data sets whose public exposure would most damage the business — typically customer PII, financial records, and source code or strategic plans — and deploy DLP / network-detection rules tuned for bulk outbound transfer from those repositories. Tools like Vectra, ExtraHop, or Microsoft Defender for Cloud Apps can do this; the harder part is the data-classification work to identify what to monitor. Detection within hours of the exfiltration moment changes the negotiation posture entirely.
3. Rotate Threat-Actor Profiles in IR Playbooks Quarterly
Your IR playbook’s “if it looks like Qilin, do X” branches need to be reviewed quarterly against current threat-intel. The Gentlemen’s Q1 2026 surge means defenders working from 2025 priors will be slower to recognise the TTP signature, slower to attribute, and slower to predict next-stage attacker behaviour. Subscribe to a quality threat-intelligence feed (Recorded Future, Mandiant, Google TAG, or sector-specific ISACs) and schedule a quarterly playbook-update meeting with named owners. Lean teams without in-house threat-intel can rely on the ENISA, NCSC, and CISA ransomware advisory streams as a free baseline.
4. Run a Tabletop Specifically on Encryption-Less Extortion
Most ransomware tabletops in 2026 still assume encryption is the primary attacker leverage. Add a scenario explicitly modelling encryption-less extortion: the attacker has 200 GB of customer PII, a deadline to pay or publish, and no encrypted systems. Walk through the decision tree: who authorises ransom-versus-not, who notifies regulators (and on what clock), what does external counsel need, what is the customer-communication template, what is the threshold at which law enforcement becomes a partner versus an investigator. The exercise will reveal that most organisations have no decision framework for this scenario.
5. Build a Cross-Functional Ransomware Decision Cell with Pre-Approved Authority
The decision-making bottleneck during a real ransomware incident is rarely technical — it is authority. Stand up a five-person decision cell with pre-delegated authority covering: containment isolation (CISO), regulatory notification (general counsel), customer communication (CMO + comms), payment authorisation (CFO with board pre-approval bands), and law-enforcement liaison (security or risk lead). Document who can act unilaterally inside what window, and what triggers escalation to the board. Organisations that wait until the incident to clarify authority are still arguing about ransom payment 96 hours into the crisis while the data is being published. The cells that pre-delegate move 24-48 hours faster.
What Comes Next: Threat Actor Rotation and the Next ‘Top 5’
The Q1 2026 data should be read as a signal that the ransomware top-5 list rotates faster now. Qilin remains dominant but lost 25% volume quarter-over-quarter; The Gentlemen surged 420%; Akira softened. The fragmentation BlackFog documented (30 groups in March alone, 41% unattributed in February) means the next 18 months will produce more rebrands, splits, and new entrants. Defenders who anchor their threat-modelling on a static top-5 list will be perpetually surprised. The disciplines that compound — edge-device patching, exfiltration detection, classification-aware DLP, quarterly TTP refresh, pre-delegated decision authority — are not group-specific. They work against The Gentlemen, against whatever rebrands in Q3 2026, and against whichever group emerges in Q1 2027. The “elevated new normal” framing is the right operating reality. Treat it as the baseline, build the disciplines that compound, and stop waiting for ransomware volumes to revert to the 2022 mean. They will not.
Frequently Asked Questions
Who is The Gentlemen ransomware group?
The Gentlemen is a ransomware operator that emerged in Q4 2025 with 35 victims, then surged to 182 victims in Q1 2026 — a 420% increase that ranks them #2 globally behind Qilin. Industrial Cyber’s threat-intelligence assessment is that the rapid growth pattern indicates experienced affiliates and operators behind the brand, suggesting a rebrand or talent migration from established ransomware-as-service infrastructure rather than a fresh new group.
What does “encryption-less extortion” mean and why does it matter?
Encryption-less extortion is a ransomware model where the attacker steals data and threatens to publish it, without encrypting the victim’s systems. It matters because traditional ransomware playbooks (isolate, restore from backup) address only the encryption variable; when the attacker’s leverage is data exposure, fast backup restoration solves only part of the problem. Defenders need to add data-classification discipline and outbound bulk-transfer detection to address the exfiltration variable.
Why are edge devices the dominant initial-access vector in 2026?
Edge devices — VPN appliances, firewalls, remote-access gateways from Fortinet, Palo Alto, Citrix, Ivanti, Pulse Secure — sit on the perimeter, are difficult to patch on aggressive cycles due to availability concerns, and accumulate technical debt faster than endpoints. Q1 2026 IR data points to repeated exploitation of CVEs like FortiOS/FortiProxy CVE-2024-55591 as initial-access vectors. The defensive implication is that endpoint EDR investment alone produces diminishing returns when attackers enter via the appliance and pivot internally.
