The Q1 2026 ransomware leaderboard, built from leak-site claim counts across Ransomtracker and corroborating sources, looks meaningfully different from a year ago. The LockBit and ALPHV exits left a power vacuum that’s been partly filled, partly fragmented. Here’s the snapshot, with the caveats that always apply to leak-site numbers.
The top of the table
RansomHub remains the largest operator by claim count. The post-ALPHV affiliate consolidation is now mature: many of the experienced affiliates that used to run ALPHV operations have moved their pipeline onto RansomHub’s encryptor and infrastructure. The result is high volume and an unusually professional victim-management operation.
Akira is the surprise of Q1, with sustained victim claims across manufacturing, education, and mid-market enterprise. The technical capability remains modest by elite-operator standards, but the affiliate base is large and disciplined.
Play rounds out the top three, with a steady cadence of victims and very little operational drama. Play has one of the better surviving brand-recognition profiles among 2024-vintage operators.
The growing mid-tier
The middle of the table is more interesting than the top. Qilin, Medusa, BlackBasta, BianLian, Embargo, and a handful of smaller operators are each claiming dozens to low hundreds of victims per quarter. None has dominant share, but collectively they account for more activity than the top three.
This fragmentation is structurally different from the LockBit-era market, where one operator dominated. Today’s mid-tier is more resilient to takedowns (disrupting any single one moves a small share of activity to a competitor) but harder to engage diplomatically because there’s no single brand to negotiate with.
The methodology caveats
Leak-site claims are not the same as confirmed victims. Operators routinely list victims who never actually paid, victims who were attacked months ago, and occasionally victims they didn’t actually compromise (a pressure tactic). Independent corroboration through victim disclosures, regulatory filings, or news reporting confirms a fraction of the claims.
Our leaderboard counts public claims, not confirmed compromises. The relative ranking is reliable; the absolute numbers should be read as upper bounds. Where we can corroborate, the conversion rate from listed-victim to confirmed-compromise sits around 75-85% across the top operators.
Sectoral patterns
Three sectoral observations from Q1. Manufacturing remains the most-claimed sector across operators: it has high downtime costs, often has weak internal IT, and frequently pays. Healthcare claims are up year-over-year, reflecting both genuine increased targeting and increased visibility from regulatory disclosure requirements. Education claims are stable, but the per-incident impact is severe given the population’s vulnerability.
What to expect in Q2
Three predictions, each with the standard “we are tracking, not forecasting” disclaimer. The mid-tier will continue to fragment. RansomHub will retain the top spot but with declining share. At least one current top-five operator will quietly stop claiming new victims by mid-quarter, whether through internal collapse, takedown, or affiliate migration.
The structural story is clear: the era of one dominant operator is over for now, and the diffuse landscape is harder to defend against not because any individual operator is more capable but because there are more of them, faster.
