Dive Brief:
- Companies around the world have been keeping the vast majority of ransomware attacks secret, according to a new report from the security firm BlackFog.
- The number of undisclosed attacks in the first quarter of 2026 was almost 10 times as large as the number of disclosed attacks, according to the report published Wednesday.
- BlackFog’s report, based on information from dark-web leak sites, also includes data on the most targeted sectors and new tools that have emerged in the cybercrime ecosystem.
Dive Insight:
BlackFog’s threat intelligence team identified 264 publicly disclosed ransomware attacks in the first three months of 2026, but it also identified 2,160 undisclosed attacks. While the number of disclosed attacks represented a 15% year-over-year decrease, the number of undisclosed attacks ticked up slightly from Q1 2025.
The U.S. was by far hackers’ dominant target, with U.S. organizations accounting for half of all undisclosed attacks (1,070) and 61% of all disclosed attacks.
The Qilin ransomware gang was the most active group in both segments, accounting for 16% of undisclosed attacks and 8% of disclosed attacks. But the second- and third-most active groups differed between segments. A relatively new group called The Gentlemen accounted for the second-most undisclosed attacks, followed by Akira, while ShinyHunters accounted for the second-most disclosed attacks, followed by INC.
Manufacturing was the most targeted sector among undisclosed attacks, accounting for more than one-fifth of all such incidents, while healthcare was the most commonly targeted sector among disclosed attacks, accounting for 27% of those incidents. Among disclosed attacks, government organizations (12%) and information technology companies (11%) were the next most targeted.
Virtually all (96%) disclosed attacks involved data exfiltration, BlackFog said, highlighting attackers’ focus on data theft as a source of leverage and profit.
“While the decline in total attacks may suggest incremental progress,” BlackFog researchers wrote, “the sustained volume of incidents, high rate of data exfiltration, and significant proportion of unattributed activity demonstrate that ransomware continues to evolve and pose a significant risk to organizations worldwide.”
In the first quarter of the year, hackers increasingly favored “more accessible and scalable tooling that reduces complexity and shortens the path from compromise to impact,” according to the report.
One popular tool was the Venom Stealer infostealer, which hackers delivered using the ClickFix infection technique and which BlackFog said “turns social engineering into a continuous data exfiltration pipeline.” Researchers also identified a new command-and-control framework, dubbed Lotus C2, that features ready-to-use infrastructure for managing malware and maintaining access to victim networks. “Its modular design and ease of use lower the barrier to entry for less sophisticated actors, enabling broader adoption of advanced attack capabilities,” BlackFog said.
One of the most concerning new attack surfaces is shadow AI, which has proliferated as employees race to adopt new AI tools without the necessary permissions or security measures. According to prior BlackFog research, 49% of employees use AI programs that their companies haven’t approved, 51% have connected AI tools to other platforms without approval and 58% use free AI tools that lack enterprise security protections. Six in 10 respondents also said the speed benefits of AI were worth the security risks.







