rbtfl.
LeadersConflictsDefenceAIEnergySpaceTradeMineralsShippingMoneyDebtFood all trackers ▸
Ransomware reconsolidates around Qilin and 'The Gentlemen' as healthcare takes the hits

Ransomware reconsolidates around Qilin and 'The Gentlemen' as healthcare takes the hits

After two years of fragmentation, the top 10 crews drive 71% of victims; a Qilin-defector brand scales faster than any on record

Shadow·Money· worsening ما الذي تعطّل·كيف تتغيّر الحياة ·12 takes · ·rbtfl upd 25 يونيو 2026

Summary

Ransomware reconsolidated in Q1 2026, reversing two years of fragmentation: the top 10 crews now drive 71.1% of victims (highest since Q1 2024) as active groups fell from 85 to 71. Qilin led with 338 victims; the breakout was "The Gentlemen" (tracked as LARVA-368 / "hastalamuerte"), a Russian-speaking brand spun out of Qilin after a July 2025 payment dispute, which has hit nearly 300 victims across 66 countries. Healthcare attacks rose ~10% year-on-year, with named hits on hospitals and clinics across Switzerland, India and the US. The surge runs in parallel with takedowns like Operation Endgame, disruption and growth at once.

By the numbers

  • 71.1%, share of victims claimed by the top 10 groups in Q1 2026.
  • 338, Qilin victims in Q1 2026, its third straight quarter on top.
  • ~300, The Gentlemen victims across 66 countries since mid-2025.
  • 85 → 71, drop in active groups; 21 new entrants, mostly under 10 victims.
  • ~10%, year-on-year rise in healthcare-sector ransomware attacks.

Why it matters

Consolidation concentrates extortion in fewer, better-resourced crypto- funded crews that are harder to disrupt and quicker to rebrand after a defection. The healthcare tilt turns IT extortion into patient-safety risk, the front line where ransomware now most visibly changes lives.

What to watch

  • Whether takedowns push affiliates into new spin-off brands again.
  • Healthcare and critical-infrastructure victim counts through H2 2026.
  • Laundering routes after Garantex/Grinex.