Only one in nine ransomware attacks becomes publicly disclosed. The rest happen in silence. That gap between what is reported and what is real has direct consequences for every organization that buys, sells, or underwrites cyber insurance. This ransomware trend is just part of the BlackFog Q1 2026 State of Ransomware report, released on May 6, 2026. The findings uncover a threat landscape that runs far deeper than public data suggests. From ransomware data exfiltration to reports that fraud is also now competing with ransomware as a primary cyber threat, the full picture of unreported activity is even harder to construct. Or dare we say, it’s like seeing in a black fog.
The Undisclosed Ransomware Attack Problem
BlackFog tracked 2,160 undisclosed ransomware attacks in Q1 2026. That figure represents a 2% increase year on year. During the same period, only 264 attacks were publicly disclosed, a 15% decrease from Q1 2025. The ratio tells the real story. For every attack that makes the news, eight more do not. Organizations cannot fear what they cannot see. They cannot build defenses around threats they have no data on. And underwriters cannot price risk they cannot measure. Prior insurer data suggested ransomware claims were stabilizing, but that reading depends entirely on what gets reported.
The undisclosed volume held steady across the quarter. January recorded 711 attacks, February 654, and March 795. The upward trend in March signals sustained attacker momentum heading into Q2.

Disclosed Attacks: What Organizations Do See
Among the 264 publicly disclosed attacks, the data paints a consistent picture. Healthcare took the most hits, with 72 attacks accounting for 27% of all disclosed incidents. Government followed with 32 attacks at 12%, and technology recorded 28 attacks at 11%. Organizations across 39 countries were impacted. The United States led with 161 attacks, representing 61% of all disclosed incidents. Australia recorded 14 attacks and Canada 7. The average ransom demand in disclosed attacks exceeded $1 million, reaching $1,028,214. The average targeted organization employed 13,254 people. Attackers gave victims an average of just 7.7 days to meet demands.
The Logistics Surge
One sector stands out beyond the usual targets. Logistics attacks surged 200% year on year in Q1 2026. That figure demands attention from underwriters and risk managers in supply chain-dependent industries. A logistics provider under ransomware attack does not just lose data. It stops moving goods. The downstream disruption spreads to every business that depends on that provider. OT and IoT environments in industrial sectors face particular ransomware exposure, and the logistics surge in this report reinforces that finding. Supply chain cyber exposure is now a first-order underwriting question.
Who Is Attacking
The ransomware landscape is fragmenting fast. Among publicly disclosed attacks, Qilin led with 22 attacks at 8% of the total. ShinyHunters followed with 16 attacks at 6%, and INC accounted for 11 attacks at 4%. The most significant figure is this: 38% of all publicly disclosed attacks were not attributed to any known group. Attribution is failing to keep pace with attacker activity. In the undisclosed space, Qilin again led with 339 attacks at 16%. The Gentlemen ranked second with 200 attacks at 9%, and Akira followed with 190 attacks at 9%. In total, 79 ransomware groups claimed victims during the quarter. Fourteen new groups emerged in Q1 alone.
The Gentlemen: A New Group To Watch
The Gentlemen warrant specific attention. The group emerged in 2025 and claimed 273 attacks through the end of Q1 2026. It scaled fast. It targets mid- to large-sized organizations across manufacturing, construction, healthcare, and services. And it uses double extortion tactics, combining data theft with encryption to maximize pressure on victims. Its operational sophistication is high from the outset. Observed tactics include lateral movement, abuse of legitimate administrative tools, and active detection evasion. This is a targeted operation, not an opportunistic one.
Ransomware Data Exfiltration: The Real Claims Driver
Ransomware data exfiltration occurred in 96% of attacks in Q1 2026. That figure has held at critically high levels since 2025. The average volume of data stolen per undisclosed incident reached 743GB. Exfiltration rates at this level mean ransomware is no longer primarily an encryption event. It is a data theft event with encryption added for leverage. The shift from encryption to data theft as the primary extortion mechanism has been reshaping ransomware claims for several years. That distinction matters for policy triggers, breach notification timelines, and total claims exposure. Cyber insurers pricing ransomware coverage on encryption risk alone are mispricing the exposure.
Dr. Darren Williams, Founder and CEO of BlackFog, framed the stakes directly: “With data exfiltration now occurring in 96% of attacks, the question for every organization is no longer whether their data is at risk.”
AI Is Reshaping The Attack
Threat actors are using AI to automate data theft at scale. The LotAI campaign shows how AI tools can collect and move stolen data with minimal human input. Platforms including ClawdBot and OpenClaw allow attackers to aggregate, process, and manage stolen data faster than traditional methods. The industrialization of ransomware is accelerating. AI-enabled ransomware and cybersecurity threats are explored in depth in our podcast with leading practitioners. Shadow AI inside organizations is creating a parallel risk. BlackFog research finds that 49% of employees use AI tools that their employer has not approved. A further 58% rely on free AI tools that lack enterprise-grade protections. Unsanctioned AI tools process and retain sensitive inputs. They create data pathways outside organizational control. Attackers are already exploiting those pathways.
Key Incidents From Q1 2026
Three incidents from the quarter illustrate the breadth of exposure. In February, US payment processor BridgePay suffered a ransomware attack that shut down its payment gateway. The attack forced merchants and municipalities nationwide to revert to cash. In March, RansomHouse hit Italian ticketing platform Vivaticket, disrupting services at more than 3,500 cultural institutions across 50 countries, including the Louvre and the Eiffel Tower. Also in March, ShinyHunters claimed to have taken nearly one petabyte of data from Telus Digital. Telus declined to pay. Each incident illustrates a different exposure vector: payment infrastructure, supply chain platforms, and outsourced data operations. Understanding when and how to negotiate with ransomware actors remains one of the most consequential decisions an organization faces, and the Telus refusal illustrates the stakes of that choice.
What This Means For Cyber Insurance
The gap between disclosed and undisclosed ransomware attacks is a fundamental underwriting problem. Carriers and brokers pricing cyber risk rely heavily on reported incident data. But that data captures fewer than 12% of actual events. Sector models, frequency assumptions, and accumulation estimates built on disclosed data alone are built on an incomplete picture. The true scale of ransomware activity is eight times larger than what public reporting shows. Some insurers have already moved to tighten ransomware coverage terms and refusal criteria in response to claims pressure. Incident response readiness is now a core underwriting consideration, and the data in this report adds further weight to that shift. Pricing, policy design, and claims reserves all need to account for what is not being reported, not just what is.
FAQ: Ransomware Statistics Q1 2026
BlackFog tracked 2,160 undisclosed and 264 publicly disclosed ransomware attacks in Q1 2026. The average disclosed ransom demand exceeded $1 million. Data exfiltration occurred in 96% of attacks. Logistics sector attacks surged 200% year on year.
Organizations often avoid public disclosure to limit reputational damage, manage legal exposure, or comply with ongoing law enforcement investigations. BlackFog estimates that only one in nine attacks becomes publicly known.
Healthcare led disclosed attacks with 27% of incidents. In undisclosed attacks, manufacturing led with 22%, closely followed by services at 21%. Logistics saw the sharpest growth with a 200% year-on-year surge.
At ransomware data exfiltration rates of 96%, these events now routinely trigger breach notification obligations, third-party liability exposure, and regulatory scrutiny, alongside business interruption claims. Policies priced on encryption risk alone underestimate total exposure.
Fourteen new groups emerged during the quarter. The Gentlemen ranked second in undisclosed attack volume with 200 attacks, having claimed 273 total since emerging in 2025. They use double extortion and operate with a high level of sophistication from the outset.