All posts

Ransomware attacks hit 5,275 in H1 2026, up 20% YoY

Huma ShaziaJuly 17, 2026 at 9:46 AM4 min read
Ransomware attacks hit 5,275 in H1 2026, up 20% YoY

Key Takeaways

Ransomware Attacks Hit Hundreds of Companies

Ransomware attacks hit 5,275 in H1 2026, up 20% YoY
Source: Fast Company
  • Ransomware incidents reached 5,275 in H1 2026, up 20% from the same period last year
  • Two RaaS groups, Qilin and The Gentlemen, are driving the surge with roughly 2,500 attacks per quarter
  • Security experts warn the maturing ransomware ecosystem could become more dangerous despite a slight quarterly dip

Ransomware attacks surged 20% in the first half of 2026, according to a new NordStellar report that recorded 5,275 incidents between January and June. The second quarter alone saw 2,581 attacks. Two competing Ransomware-as-a-Service operations are behind the spike, and security researchers say the numbers point to a maturing criminal ecosystem that's settling into a new, higher baseline.

Advertisement

Why the quarterly dip doesn't mean much

Q2 attacks dropped 4% compared to Q1. That sounds like progress until you zoom out. The quarterly average has stabilized around 2,500 incidents, a figure that would have been exceptional just two years ago.

The slight decrease in attacks shouldn't be a sign to relax just yet. Although the number of attacks has been slightly decreasing every quarter this year, we are now seeing a new alarming baseline of about 2,500 attacks per quarter.

— Vakaris Noreika, Cybersecurity Expert at NordStellar

The phrasing matters. Security teams should read "slight decrease" as noise within a trend, not evidence the threat is receding. Attackers haven't slowed down; they've consolidated.

Who is behind the surge?

Two Ransomware-as-a-Service groups account for much of the activity: Qilin and The Gentlemen. Qilin has operated since at least 2022 and has hit healthcare and municipal targets, including the UK's Synnovis healthcare group and Cleveland Municipal Court. The group communicates in Russian and has grown into one of the largest ransomware operations globally.

The Gentlemen split from Qilin in 2025 and has scaled faster than any known hacker group. In Q2 2026, it attacked 284 organizations across 66 countries and 20 industries. That's fewer than Qilin's 299, but represents a 39% year-over-year increase for the newer group.

NordStellar says this competition is a warning sign. Two well-resourced groups fighting for market share means more attacks, better tooling, and affiliates who can cherry-pick whichever platform offers the best cut. The RaaS model continues to lower the barrier for less technical criminals who can rent infrastructure and launch campaigns without writing a line of code.

Advertisement

What this means for product teams

For AI builders and product teams, ransomware is no longer a distant IT problem. Training pipelines, model weights, and customer data all live on infrastructure that attackers treat as high-value targets. A compromised cloud instance can lock you out of months of work. Double-extortion tactics, where attackers exfiltrate data before encrypting it, mean even good backups won't save you from a public leak.

The practical response is layered: immutable backups, network segmentation, and aggressive patching. But the bigger shift is cultural. Security reviews need to happen before a pipeline ships, not after an incident.

ℹ️

Logicity's Take

The NordStellar numbers confirm what incident responders have been saying privately: ransomware has industrialized. The RaaS model mirrors legitimate SaaS, complete with affiliate programs and customer support. For AI product teams, the lesson is simple. Assume your cloud workloads are a target. Invest in zero-trust architecture and treat backup integrity as a release requirement, not an afterthought. Tools like [Cloudflare](https://logicity.in/r/cloudflare) for edge security and [DigitalOcean](https://logicity.in/r/digitalocean) for isolated development environments can reduce blast radius, but no single vendor solves this. Defense is a stack, not a checkbox.

ℹ️

Disclosure

Some links in this post are affiliate links — Logicity earns a commission if you sign up, at no extra cost to you. We only link products we have used or actively recommend.

The baseline has shifted

The 20% year-over-year jump isn't the headline. The headline is 2,500 attacks per quarter as the new normal. That number could climb if either Qilin or The Gentlemen expands its affiliate network, or if a third group emerges to challenge them.

Regulators are watching. The EU's NIS2 directive and similar frameworks in the US are pushing mandatory incident reporting, which will surface even more attacks that previously went unreported. Expect the public numbers to rise further, regardless of whether actual attack volume increases.

Frequently Asked Questions

How many ransomware attacks occurred in H1 2026?

NordStellar recorded 5,275 ransomware incidents in the first half of 2026, a 20% increase compared to the same period in 2025.

What is Ransomware-as-a-Service?

RaaS is a criminal business model where ransomware developers license their tools to affiliates who carry out attacks. The affiliates share a percentage of ransom payments with the developers.

Who are Qilin and The Gentlemen?

Qilin is a Russian-language ransomware group active since 2022. The Gentlemen split from Qilin in 2025 and has rapidly expanded, attacking organizations in 66 countries.

Why did ransomware attacks drop 4% in Q2 2026?

Security experts say the quarterly dip is statistical noise. The overall trend remains elevated, with a new baseline of roughly 2,500 attacks per quarter.

How can companies protect against ransomware?

Effective defenses include immutable backups, network segmentation, aggressive patching, zero-trust architecture, and regular security audits before deploying new systems.

Also Read
Kudankulam nuclear plant data leak: India's biggest critical infrastructure breach

A recent example of critical infrastructure under cyberattack

ℹ️

Need Help Implementing This?

If you're building AI products and want to harden your infrastructure against ransomware, reach out to our team at Logicity. We help startups and engineering teams design security-first architectures before incidents happen.

Source: Fast Company / Chris Morris

Advertisement
H

Huma Shazia

Senior AI & Tech Writer

Produced with AI assistance and reviewed by the Logicity editorial team. Learn more in our Editorial Policy.