// FOCUS
Ransomware
The defining cybercrime of the decade. How it works, who runs it, and where the money goes.
- MSPs: ransomware’s #1 target of 2026 [Field Report]
  Managed service providers entered 2026 as the single highest-leverage target class in the ransomware economy. Why the channel is now the front line, which TTPs operators are running against MSPs specifically, and what the better-run shops have already changed.
- LockBit, 2 years after Operation Cronos: where are they now?
  A 2026 retrospective on the international takedown that displaced LockBit at the top of the ransomware ecosystem — what stuck, what reverted, where the affiliate workforce migrated, and what the next coordinated action should learn from the playbook.
- 2026 ransomware victim toll: countries, sectors, operators
  A data-led snapshot of who’s actually being ransomed in 2026 — which sectors are losing ground, which operators are pulling away from the pack, and which national-level patterns the leak-site economy reveals.
- Ransomware attribution 2026: TTPs, notes, fingerprints
  A 2026 attribution playbook for ransomware investigations — combining TTP fingerprinting against MITRE ATT&CK, ransom-note artifact analysis, leak-site monitoring, and the open-source intelligence pivots that hold up under scrutiny.
- Ransomware IR runbook 2026: NIST 800-61 r3 + CISA templates
  A practitioner walkthrough of building a ransomware-specific incident response runbook in 2026 — combining NIST SP 800-61 r3, CISA’s #StopRansomware playbook, and the lessons from named incidents on the Ransomtracker leak feed.
- What is double extortion ransomware? An explainer for non-technical executives in 2026
  An executive-level explainer of double extortion — the dominant ransomware playbook in 2026 — covering how it works, why backups don’t fully defeat it, and the policy choices boards now have to make in the first hour of an incident.
- How initial access brokers price corporate access in 2026: an explainer for defenders
  A field guide to the 2026 initial-access-broker market — how IABs source access, how they price it, who buys, and what the listings look like under the hood.
- Tracing crypto laundering: tutorial with Chainabuse, OXT, Walletexplorer, and Etherscan
  A 2026 tutorial for following ransomware and fraud proceeds across the blockchain using free tools — Chainabuse for tagged wallets, OXT for BTC clusters, Walletexplorer for entity heuristics, and Etherscan for ETH/USDT.
- How to set up a malware analysis sandbox at home: FlareVM, REMnux, and Cuckoo tutorial
  A step-by-step tutorial for building a free malware analysis sandbox at home — Windows reverse-engineering with FlareVM, Linux analysis with REMnux, and automated detonation with Cuckoo.
- How to verify a ransom payment on-chain: tutorial with Mempool, OXT, and Ransomwhe.re
  A practitioner’s tutorial for verifying — or refuting — a claimed ransom payment on the Bitcoin blockchain using free tools. Useful for journalists, IR teams, and victims dealing with secondary-extortion claims.
- Tracking ransomware affiliates across rebrands with VirusTotal, MalwareBazaar, and YARA
  A 2026 tutorial for tracking individual ransomware affiliates across operator rebrands using VirusTotal Intelligence, abuse.ch’s MalwareBazaar, and YARA rules. Code reuse, builder fingerprints, and TTP continuity reveal the same crews under new names.
- The new mid-tier RaaS contenders: Qilin, Medusa, Embargo
  Three mid-tier ransomware operators have built sustained victim claim counts in 2025-2026. Profiles of Qilin, Medusa, and Embargo — what’s distinctive about each, and what the rise of the mid-tier means for defenders.
- Akira’s pivot to extortion-only: a 2026 group profile
  Akira began as a classic encrypt-and-extort operation but has been quietly drifting toward data-theft-only attacks across 2025-2026. A profile of where they came from, where they are now, and why the model is working.
- RansomHub explained: the post-LockBit consolidator
  RansomHub became the largest active RaaS by claim count in 2025 by absorbing experienced affiliates from the LockBit and ALPHV exits. A 2026 profile of the operator, their tooling, and their structural position.
- Why double extortion isn’t enough anymore: the rise of triple and quadruple extortion
  Encrypt the data, leak the data — that’s not enough leverage anymore. A 2026 look at how operators stack additional extortion vectors when the basic playbook stops getting paid.
- Ransomware Q1 2026 leaderboard: who’s claiming the most victims
  A 2026 Q1 ransomware leaderboard built from leak-site claims, with the structural changes shaping the operator pool — RansomHub at the top, a long mid-tier, and the takedown ripples still propagating through the ecosystem.
- Why hospital ransomware attacks keep getting worse
  Hospitals have been the worst ransomware targets for half a decade and the attacks keep getting worse, not better. A practitioner’s look at why the sector remains uniquely vulnerable and what’s finally starting to help.
- BEC vs ransomware: which is more profitable per attack in 2026?
  A side-by-side look at the per-attack economics of business email compromise vs ransomware in 2026. Hint: the louder threat isn’t the bigger one.
- The pivot from encryption to data theft: pure-extortion gangs in 2026
  A new generation of operators has dropped encryption entirely — they steal the data and threaten to leak it without ever locking a single file. Here’s why that model is winning.
- Ransomware negotiation tactics that actually work in 2026
  A practitioner’s guide to ransomware negotiation in 2026 — what professional negotiators do, what amateurs get wrong, and how the conversation has changed since the 2024 takedowns.
- Crypto laundering pipelines after the 2025 mixer takedowns
  Mixer takedowns reshaped the laundering landscape. A 2026 view of where ransomware and fraud proceeds actually flow now — DEXes, cross-chain bridges, privacy coins, and the residual mixers still standing.
- Tracking ransomware infrastructure: a 2026 OSINT methodology
  A practitioner’s OSINT methodology for tracking ransomware infrastructure in 2026 — the seven sources to monitor, how to correlate them, and the operational hygiene that keeps your work credible.
- Maltego workflows for ransomware research: a 2026 starter pack
  A starter pack of Maltego transforms and graph patterns for ransomware research — entity model, transform recommendations, and three reusable graphs that pay rent on every investigation.
- How Stealer Logs Power Modern Ransomware Attacks
  A dollar-per-log credential-theft economy now feeds the multi-million-dollar ransomware economy. The pipeline from a teenager’s pirated game download to enterprise extortion is shorter than most security teams realise.