SecurityBrief US - Technology news for CISOs & cybersecurity decision-makers

Ransomware posts rise 22% as leak sites proliferate

Wed, 29th Apr 2026

ReliaQuest reported a rise in ransomware and cyber extortion activity in the first quarter of 2026, with posts on data-leak sites reaching 2,638.

That was up 22% from 2,161 in the same quarter a year earlier, reflecting a more fragmented threat landscape of established gangs, fast-rising newer groups and dubious leak sites. The number of active data-leak sites climbed to 91, above the previous peak of 84.

Among the most active names on leak sites were Qilin, The Gentlemen and Akira, followed by Inc Ransom, Clop, Play, Nightspire, Dragonforce and Sinobi. ReliaQuest said rankings among threat actors mattered less than recurring tactics such as abuse of remote access services, identity compromise, lateral movement through administrative protocols and attempts to disable security tools.

Breakout group

The sharpest rise came from The Gentlemen, which moved into the number two position after its leak-site posts jumped 588% quarter on quarter, from 26 in the final quarter of 2025 to 179 in the first quarter of 2026. ReliaQuest said the increase did not appear to be tied to a single major campaign or malware launch.

Instead, it pointed to a group with an established operating model. The Gentlemen has been active since at least mid-2025 and has advertised a 90/10 profit split in favour of affiliates on dark-web forums, compared with the 80/20 model used by former leading groups including RansomHub and ALPHV.

According to ReliaQuest, the group claims to offer affiliates ransomware for Windows, Linux, NAS and BSD systems, along with a separate ESXi encryptor. It also advertises support for automated lateral movement, credential reuse, Group Policy deployment and methods aimed at disabling antivirus and firewall protections.

Fake leak sites

The report also highlighted pressure from two newer leak sites, 0APT and ALP-001, which ReliaQuest said were likely using questionable or fabricated claims to extort companies. It excluded 0APT's 253 posts from its group, sector, geography and post-count analysis because it assessed those claims as highly likely to be false, though it still counted the site among active leak sites.

That distinction matters because even a false claim can trigger costly internal reviews and external scrutiny. A company named on a leak site may still face questions from customers, executives and advisers while trying to determine whether a breach is genuine, recycled from older data or wholly fabricated.

ReliaQuest said 0APT emerged with a burst of alleged victims, offered little proof of compromise, showed no clear link to a known ransomware variant and reportedly asked prospective affiliates to pay a 1 BTC deposit. Those signs suggested an attempt to monetise attention and pressure rather than evidence of a proven operation.

ALP-001 appeared to follow a slightly different path. ReliaQuest said identifiers used by the site matched those used by an established initial access broker on dark-web forums, suggesting an attempt to move from selling access into direct extortion. Some of the leaked material also appeared to come from misconfigured or publicly accessible services, raising doubts about the actor's sophistication and the credibility of its claims.

Identity route

Another prominent name in the quarter was ShinyHunters, which listed only 34 organisations but had an outsized impact because of its focus on identity systems, software-as-a-service platforms and mobile-based social engineering. ReliaQuest included it in the analysis because, although it is better known for data theft and extortion than for conventional ransomware, it uses the same leverage model: stealing valuable data and demanding payment.

The group's approach included calling employees on personal mobile phones while posing as IT support staff and directing them to phishing domains designed to mimic Okta login and support pages. ReliaQuest said this method could bypass some corporate web controls because the interaction took place on personal devices over cellular networks, outside the web proxy, DNS filtering and endpoint agents that would otherwise inspect or block the phishing domain.

Attackers then used stolen credentials and adversary-in-the-middle infrastructure to reset passwords, enrol new multi-factor authentication devices and gain persistent access, it said. An adversary-in-the-middle phishing page relays the victim's password and MFA response to the real identity provider as they are typed, so a one-time code or push approval does not stop the login; once a session exists, enrolling a new factor turns the stolen session into durable access that survives the victim's next password change. From there, the attackers could move into SaaS environments such as Salesforce and SharePoint and remove data through legitimate application programming interfaces and bulk downloads.
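The identity chain described above (login from an unfamiliar address, password reset, new MFA factor enrolled in quick succession) is visible in the identity provider's audit log. The following detector is an added example written for this article, not code from ReliaQuest or the report. It runs over a handful of constructed events shaped like Okta System Log entries (the `eventType`, `actor.alternateId`, `client.ipAddress`, `outcome.result` and `published` fields follow Okta's schema; the event content, the user names, the addresses and the per-user baseline of known IPs are all invented). It flags a user when a session start and a password reset from the same non-baseline IP precede an MFA factor activation within a configurable window.

```python
from collections import defaultdict
from datetime import datetime

# Okta System Log event types that make up the takeover chain, in order.
CHAIN = ("user.session.start", "user.account.reset_password", "user.mfa.factor.activate")

# Constructed baseline of addresses each user normally signs in from (hypothetical).
KNOWN_IPS = {
    "alice@example.com": {"203.0.113.10"},
    "bob@example.com": {"203.0.113.10", "203.0.113.11"},
    "carol@example.com": {"203.0.113.12"},
}

def _event(published, event_type, user, ip, result="SUCCESS"):
    """Build one constructed event in Okta System Log shape."""
    return {"published": published, "eventType": event_type, "outcome": {"result": result},
            "actor": {"alternateId": user}, "client": {"ipAddress": ip}}

# Constructed sample log; not real data. Bob enrols a factor from a known IP (benign),
# Alice shows the full chain from a new IP within minutes (alert), Carol shows the
# chain but with the enrolment 90 minutes later (outside the default 60-minute window),
# and Dave's reset failed, so it never counts.
SAMPLE_EVENTS = [
    _event("2026-03-02T09:00:00.000Z", "user.session.start", "bob@example.com", "203.0.113.11"),
    _event("2026-03-02T09:05:00.000Z", "user.mfa.factor.activate", "bob@example.com", "203.0.113.11"),
    _event("2026-03-02T13:10:00.000Z", "user.session.start", "alice@example.com", "198.51.100.77"),
    _event("2026-03-02T13:12:00.000Z", "user.account.reset_password", "alice@example.com", "198.51.100.77"),
    _event("2026-03-02T13:14:00.000Z", "user.mfa.factor.activate", "alice@example.com", "198.51.100.77"),
    _event("2026-03-02T08:00:00.000Z", "user.session.start", "carol@example.com", "198.51.100.78"),
    _event("2026-03-02T08:05:00.000Z", "user.account.reset_password", "carol@example.com", "198.51.100.78"),
    _event("2026-03-02T09:30:00.000Z", "user.mfa.factor.activate", "carol@example.com", "198.51.100.78"),
    _event("2026-03-02T15:00:00.000Z", "user.session.start", "dave@example.com", "198.51.100.79"),
    _event("2026-03-02T15:01:00.000Z", "user.account.reset_password", "dave@example.com", "198.51.100.79", "FAILURE"),
    _event("2026-03-02T15:03:00.000Z", "user.mfa.factor.activate", "dave@example.com", "198.51.100.79"),
]

def parse_ts(value):
    """Okta publishes ISO-8601 UTC timestamps with millisecond precision."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ")

def detect_takeover_chains(events, known_ips, window_minutes=60):
    """Return one alert per MFA enrolment that completes the chain from a non-baseline IP.

    Only successful events count. The session start and password reset must come
    from the same IP as the enrolment and fall within `window_minutes` before it.
    """
    by_user = defaultdict(list)
    for event in events:
        if event.get("outcome", {}).get("result") == "SUCCESS":
            by_user[event["actor"]["alternateId"]].append(event)

    alerts = []
    for user, user_events in by_user.items():
        user_events.sort(key=lambda e: parse_ts(e["published"]))
        for index, event in enumerate(user_events):
            if event["eventType"] != CHAIN[-1]:
                continue
            ip = event["client"]["ipAddress"]
            if ip in known_ips.get(user, set()):
                continue  # enrolment from a baseline address is treated as routine
            enrolled_at = parse_ts(event["published"])
            seen = set()
            for prior in user_events[:index]:
                age_minutes = (enrolled_at - parse_ts(prior["published"])).total_seconds() / 60
                if age_minutes <= window_minutes and prior["client"]["ipAddress"] == ip:
                    if prior["eventType"] in CHAIN[:-1]:
                        seen.add(prior["eventType"])
            if seen == set(CHAIN[:-1]):
                alerts.append({"user": user, "ip": ip, "enrolled_at": event["published"]})
    return alerts

if __name__ == "__main__":
    for alert in detect_takeover_chains(SAMPLE_EVENTS, KNOWN_IPS):
        print(f"possible account takeover: {alert['user']} from {alert['ip']} at {alert['enrolled_at']}")
```

Widening the window to three hours makes Carol's sequence fire as well, which is the usual trade-off: a short window suppresses slow-moving manual attacks, a long one catches more routine help-desk resets. In production the baseline would come from the user's sign-in history rather than a fixed table, and the same chain should be joined to the SaaS side (bulk export or API report jobs shortly after the new factor) to raise confidence.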

ReliaQuest also said ShinyHunters had exploited Salesforce Experience Cloud misconfigurations with a modified version of the open-source AuraInspector tool, claiming 300 to 400 breaches between late 2025 and March 2026. The misconfiguration in question is an over-permissioned guest user on a public Experience Cloud site: records the unauthenticated guest profile is allowed to read can be pulled through the site's Aura API without any login, which is why reviewing guest-user object permissions and sharing settings on every public site is the practical check. The two access paths differed operationally but led to the same extortion outcome, it said.

Sector pressure

By sector, professional, scientific and technical services remained the most targeted area for the fourth consecutive quarter. Posts rose 14% quarter on quarter, from 736 to 840, with legal services drawing particular attention.

ReliaQuest linked part of that activity to a cluster of 16 law firms and legal services organisations targeted by Inc Ransom in a short period. It said the pattern could indicate deliberate targeting of the legal sector, though it also pointed to the possibility that a shared third-party platform or cloud repository had been compromised.

Law firms hold data with unusual leverage in extortion cases, including privileged communications, financial records, tax files and case materials, the company said. A breach affecting one legal services provider can therefore spread consequences to clients and partners through shared systems and documents.

Geographic shifts

The US remained the most targeted country, with posts rising from 1,359 in the final quarter of 2025 to 1,473 in the first quarter of 2026. ReliaQuest said the market remained attractive because of the scale of potential victims and the prospect of larger payouts.

India was the most notable mover outside the top position, with attacks rising 33% after growth in late 2025. ReliaQuest said that trend carried broader supply-chain risk for companies with manufacturing, outsourced IT or subsidiary operations in the country.

The report said the quarter showed how ransomware pressure had become more diffuse, with rapid turnover among actors and more noise from leak sites. Defenders should focus less on the names at the top of the rankings and more on the behaviours that repeatedly lead to intrusion, data theft and extortion, it added.

"Q1 2026 reinforced that ransomware is no longer a matter of tracking the biggest group names but a broader operational problem shaped by affiliate-driven scale, rapid actor turnover, and a leak-site ecosystem that's getting larger and noisier."