The post-LockBit ransomware market hasn’t produced a single dominant operator. Instead it produced a long mid-tier of operators each claiming dozens to low-hundreds of victims per quarter. Three of them, Qilin, Medusa, and Embargo, have stable affiliate bases, working tooling, and recognisable victim patterns. Here’s the comparative profile.
Qilin
Qilin (also known as Agenda) emerged in mid-2022 and has matured into one of the most operationally consistent operators on the leaderboard. Their encryptor is cross-platform with mature ESXi support, and they’ve built a reputation among affiliates for paying out reliably. The 2025 attacks against Synnovis (UK pathology services, with downstream impact on multiple London hospitals) drew sustained press attention.
Affiliate split is competitive (80-85% to the affiliate). Initial-access patterns include phishing, credential abuse, and edge-appliance exploits. Victim sectors skew toward manufacturing and healthcare, with notable activity against the European mid-market.
Medusa
Medusa (the ransomware operator, not to be confused with the Medusa botnet) has been claiming victims since 2021 but accelerated significantly in 2024-2025. The operator’s distinguishing trait is aggressive press engagement: they regularly comment on victim incidents publicly and have used media outreach as a pressure tactic. CISA published a joint advisory in 2025 specifically on Medusa TTPs.
The encryptor is competent rather than novel. Affiliate operations focus on opportunistic targeting; the operator appears to take whatever access its affiliates bring rather than pursuing specific verticals. Education, public sector, and small-to-mid enterprise dominate the claim list.
Embargo
Embargo is the newest of the three, emerging in mid-2024 and building claim count steadily through 2025-2026. The operator runs a Rust-based encryptor (an increasingly common choice for new operators since the post-Conti BlackBasta shifted to Rust). Their leak site has unusually professional victim-management UX, suggesting either an experienced team or substantial vendor-provided tooling.
Embargo has been notable for negotiation discipline: they appear to honour deletion attestations more reliably than most newer operators, which is partly why their affiliate base has grown despite the crowded market.
What the mid-tier rise means
Three implications for defenders.
Operator-specific TTP modelling is less useful. When LockBit dominated the market, learning LockBit’s playbook covered most of the threat. With a fragmented mid-tier, you have to model TTPs at the technique level rather than the operator level. MITRE ATT&CK mapping matters more than ever; threat-actor-specific playbooks matter less.
Takedowns hurt the ecosystem less. A successful disruption of Medusa would shift maybe 10% of activity to other operators. The market has become structurally resistant to law-enforcement disruption.
The defensive priority list is operator-agnostic. Edge-appliance patching, identity hygiene, MFA hardening, EDR coverage, segmentation, and offline backups protect against all three of these and most of their peers. Whatever the next mid-tier brand is in 2027, the same controls protect against them too.
The forecast
Expect at least one of these three to fade and at least one new mid-tier operator to emerge by year-end. The rotation is constant. The ecosystem’s volume isn’t going down; it’s redistributing across more operators of similar size. That’s the structural state of ransomware in 2026.
