Ransomware Attacks Up 20% in First Half of 2026, Report Finds
Ransomware incidents increased by 20% year-over-year in the first half of 2026, with a total of 5,275 recorded attacks, according to a new NordStellar report.

Ransomware attacks saw a significant rise in the first half of 2026, climbing 20% compared to the same period last year, a new report from NordStellar indicates. A total of 5,275 incidents were recorded. While the second quarter of 2026 saw a slight 4% decrease in attacks compared to the first three months of the year, cybersecurity experts caution against complacency. "The slight decrease in attacks shouldn’t be a sign to relax just yet," said NordStellar cybersecurity expert Vakaris Noreika. "We are now seeing a new alarming baseline of about 2,500 attacks per quarter." The surge is largely attributed to heightened activity from two prominent ransomware-as-a-service groups: Qilin and The Gentlemen. Qilin, active since at least 2022, has become a major global operation. The Gentlemen, formed by former Qilin members after a 2025 split, has expanded rapidly, targeting hundreds of organizations across diverse industries. NordStellar suggests the growing influence of these groups points to a maturing and potentially more stable ransomware ecosystem, increasing the overall threat. Established groups possess refined tools and operational infrastructures, enhancing their capabilities. Small and medium-sized businesses remained the primary targets, accounting for over 60% of attacks. However, large enterprises with annual revenues of at least $1 billion experienced a substantial 74% increase in attacks, rising from 23 in the first quarter to 40 in the second. The report also touched upon the growing role of artificial intelligence in cyber threats. The SANS Institute noted that 78% of organizations encountered confirmed or suspected AI-enabled attacks in the past year. Concurrently, while the use of AI in cybersecurity defenses is increasing, significant shortcomings were reported in its threat detection and response capabilities. Sysdig highlighted the emergence of JadePuffer, the first ransomware campaign reportedly operated entirely by a large language model, signaling rapid advancements in AI's offensive capabilities.