Ransomware Attacks Hold Near Record Levels as New Threat Groups Scale Faster, NCC Group Warns
- May 27
Ransomware activity remains stubbornly high in 2026, even as monthly volumes fluctuate, according to new threat intelligence from NCC Group. The firm recorded 748 global ransomware incidents in April, a slight decline from March but still part of a broader trend that shows attackers operating at a higher baseline than last year.
That shift reflects something more structural than a temporary spike. The ransomware-as-a-service economy has matured into a repeatable, scalable business model, lowering the barrier to entry while increasing the speed and consistency of attacks.
Industrials and North America Continue to Take the Brunt
Industrial organizations remain the primary target, accounting for 28 percent of all attacks in April. These environments often combine legacy systems with operational technology, creating high-value disruption potential with relatively weak defensive visibility.
North America continues to absorb the largest share of attacks globally, underscoring the region’s concentration of high-value enterprise targets and critical infrastructure.
New Ransomware Groups Are Scaling Faster Than Ever
Established ransomware group Qilin led activity in April, responsible for 14 percent of attacks. But the more notable development is the rapid rise of a newer group known as The Gentlemen, which surged to account for 10 percent of global incidents within a short timeframe.
Security analysts say this reflects a shift in how ransomware operations are built and deployed. Rather than developing tools from scratch, emerging groups are assembling proven components into highly efficient attack pipelines.
The Gentlemen appears to be leveraging proxy infrastructure and advanced malware such as SystemBC to quietly establish footholds inside networks. From there, attackers can move laterally and deploy ransomware faster, reducing the time defenders have to respond.
Matt Hull, VP of Cyber Intelligence and Response at NCC Group, said: “The rise of groups like The Gentlemen demonstrates how affiliates are now combining shared tooling, stealth infrastructure and repeatable intrusion methods to accelerate attacks at scale. Techniques such as covert tunnelling and rapid domain-wide deployment are shrinking the window that defenders have to detect and respond before encryption occurs.”
AI Threat Debate Intensifies With Claude Mythos
The report also highlights growing concern around AI-driven cyber capabilities, particularly following announcements tied to Claude Mythos from Anthropic. The model is described as capable of identifying vulnerabilities and building exploit chains with limited human input.
While the potential is significant, NCC Group cautions that real-world impact remains uncertain due to limited access and testing constraints.
Hull said: “Developments around AI models such as Claude Mythos suggest AI-assisted vulnerability discovery and exploitation could further compress attacker timelines in the future. However, the industry should remain cautious about overstating current capabilities, particularly where testing has been limited to controlled environments.
“Regardless, organizations can no longer rely on reactive security measures alone. Continuous attack surface management, strong identity controls and rapid detection of suspicious behavior are becoming essential to reducing cyber risk.”
Geopolitics Set to Shape the Next Wave of Cyberattacks
Beyond criminal ransomware operations, the report points to rising geopolitical tension as a driver of future cyber activity. Regulatory changes in China and strategic initiatives such as NASA’s Artemis program are expected to attract increased interest from nation-state actors.
These campaigns are likely to focus less on disruption and more on espionage, supply chain infiltration, and intelligence gathering across multinational organizations.
The Bottom Line
The ransomware threat is no longer defined by spikes and dips in monthly activity. It is defined by consistency, speed, and scale. New groups are launching faster, operating more efficiently, and exploiting shared infrastructure to industrialize cybercrime.
For defenders, the takeaway is blunt. The time between intrusion and impact is shrinking. Detection, identity security, and continuous monitoring are now the difference between containment and crisis.