Key Takeaways
Ransomware Attacks Hit Hundreds of Companies

- Ransomware incidents reached 5,275 in H1 2026, up 20% from the same period last year
- Two RaaS groups, Qilin and The Gentlemen, are driving the surge with roughly 2,500 attacks per quarter
- Security experts warn the maturing ransomware ecosystem could become more dangerous despite a slight quarterly dip
Ransomware attacks surged 20% in the first half of 2026, according to a new NordStellar report that recorded 5,275 incidents between January and June. The second quarter alone saw 2,581 attacks. Two competing Ransomware-as-a-Service operations are behind the spike, and security researchers say the numbers point to a maturing criminal ecosystem that's settling into a new, higher baseline.
Why the quarterly dip doesn't mean much
Q2 attacks dropped 4% compared to Q1. That sounds like progress until you zoom out. The quarterly average has stabilized around 2,500 incidents, a figure that would have been exceptional just two years ago.
“The slight decrease in attacks shouldn't be a sign to relax just yet. Although the number of attacks has been slightly decreasing every quarter this year, we are now seeing a new alarming baseline of about 2,500 attacks per quarter.”
— Vakaris Noreika, Cybersecurity Expert at NordStellar
The phrasing matters. Security teams should read "slight decrease" as noise within a trend, not evidence the threat is receding. Attackers haven't slowed down; they've consolidated.
Who is behind the surge?
Two Ransomware-as-a-Service groups account for much of the activity: Qilin and The Gentlemen. Qilin has operated since at least 2022 and has hit healthcare and municipal targets, including the UK's Synnovis healthcare group and Cleveland Municipal Court. The group communicates in Russian and has grown into one of the largest ransomware operations globally.
The Gentlemen split from Qilin in 2025 and has scaled faster than any known hacker group. In Q2 2026, it attacked 284 organizations across 66 countries and 20 industries. That's fewer than Qilin's 299, but represents a 39% year-over-year increase for the newer group.
NordStellar says this competition is a warning sign. Two well-resourced groups fighting for market share means more attacks, better tooling, and affiliates who can cherry-pick whichever platform offers the best cut. The RaaS model continues to lower the barrier for less technical criminals who can rent infrastructure and launch campaigns without writing a line of code.
What this means for product teams
For AI builders and product teams, ransomware is no longer a distant IT problem. Training pipelines, model weights, and customer data all live on infrastructure that attackers treat as high-value targets. A compromised cloud instance can lock you out of months of work. Double-extortion tactics, where attackers exfiltrate data before encrypting it, mean even good backups won't save you from a public leak.
The practical response is layered: immutable backups, network segmentation, and aggressive patching. But the bigger shift is cultural. Security reviews need to happen before a pipeline ships, not after an incident.
Logicity's Take
The NordStellar numbers confirm what incident responders have been saying privately: ransomware has industrialized. The RaaS model mirrors legitimate SaaS, complete with affiliate programs and customer support. For AI product teams, the lesson is simple. Assume your cloud workloads are a target. Invest in zero-trust architecture and treat backup integrity as a release requirement, not an afterthought. Tools like [Cloudflare](https://logicity.in/r/cloudflare) for edge security and [DigitalOcean](https://logicity.in/r/digitalocean) for isolated development environments can reduce blast radius, but no single vendor solves this. Defense is a stack, not a checkbox.
Disclosure
Some links in this post are affiliate links — Logicity earns a commission if you sign up, at no extra cost to you. We only link products we have used or actively recommend.
The baseline has shifted
The 20% year-over-year jump isn't the headline. The headline is 2,500 attacks per quarter as the new normal. That number could climb if either Qilin or The Gentlemen expands its affiliate network, or if a third group emerges to challenge them.
Regulators are watching. The EU's NIS2 directive and similar frameworks in the US are pushing mandatory incident reporting, which will surface even more attacks that previously went unreported. Expect the public numbers to rise further, regardless of whether actual attack volume increases.
Frequently Asked Questions
How many ransomware attacks occurred in H1 2026?
NordStellar recorded 5,275 ransomware incidents in the first half of 2026, a 20% increase compared to the same period in 2025.
What is Ransomware-as-a-Service?
RaaS is a criminal business model where ransomware developers license their tools to affiliates who carry out attacks. The affiliates share a percentage of ransom payments with the developers.
Who are Qilin and The Gentlemen?
Qilin is a Russian-language ransomware group active since 2022. The Gentlemen split from Qilin in 2025 and has rapidly expanded, attacking organizations in 66 countries.
Why did ransomware attacks drop 4% in Q2 2026?
Security experts say the quarterly dip is statistical noise. The overall trend remains elevated, with a new baseline of roughly 2,500 attacks per quarter.
How can companies protect against ransomware?
Effective defenses include immutable backups, network segmentation, aggressive patching, zero-trust architecture, and regular security audits before deploying new systems.
A recent example of critical infrastructure under cyberattack
Need Help Implementing This?
If you're building AI products and want to harden your infrastructure against ransomware, reach out to our team at Logicity. We help startups and engineering teams design security-first architectures before incidents happen.
Source: Fast Company / Chris Morris
Huma Shazia
Senior AI & Tech Writer
Produced with AI assistance and reviewed by the Logicity editorial team. Learn more in our Editorial Policy.
Related Articles
More in Ai In Business
AI Search Trust Problem: Why 85% of Users Doubt Results
New research reveals a massive gap between AI search adoption and user trust. Two-thirds of Americans use AI search tools, but only 15% trust the results. For businesses relying on AI-powered discovery, this trust deficit represents both a risk and an opportunity.

INSIDER REVEAL: How the American Enterprise Institute Uncovered the AI Productivity Boom
The American Enterprise Institute has been searching for signs of an AI-driven productivity boom. According to McKinsey, AI can increase productivity by up to 40%. We dive into the details of this emerging trend and what it means for businesses.

Will AI Ethics Regulation Become the New Industry Standard?
The Vatican has emphasized the need for AI ethics regulation in a recent statement, sparking a global conversation about responsible AI development. We explore the implications of this call to action and what it means for businesses and individuals alike. As AI continues to shape our world, we must consider the ethical implications of its development and deployment.



