Skip to Content

Ransomware and Cyber Extortion in Q2 2026

ReliaQuest Threat Research
ReliaQuest Threat Spotlight image

Editor’s note: This report was authored by Tristano Di Liberto

Key Points

  • Ransomware’s top ranks reshuffled in Q2 2026, with “Qilin,” “DragonForce,” and “Coinbase Cartel” losing ground while “The Gentlemen” took first place in terms of named victim count.

  • “Deadlock” broke 11 months of silence with 75 June victims, pairing blockchain command and control (C2) with kernel-level EDR termination.

  • Attacks spread across 90 groups and 99 countries, with professional, scientific, and technical services (PSTS) leading sector targeting for a fifth straight quarter and the US absorbing roughly 49% of victim activity.

  • Defenders should focus detections on the behaviors that drive ransomware impact, including remote-service abuse, identity compromise, lateral movement, and defense evasion.


Three of Q1's dominant ransomware groups lost significant ground in Q2 2026, but the techniques driving risk across the landscape barely changed. As “Qilin,” “DragonForce,” and “Coinbase Cartel” declined in terms of named victim counts, “The Gentlemen” claimed the top spot for the first time. Overall, ransomware groups posted 2,252 victims in Q2—down 15% from Q1 but up about 51% year over year, and the top ranks are still shifting. Defenders must focus on attacker behaviors, not the leaderboard shuffle, especially as some of the most disruptive groups may never crack the top ranks at all.

Ransomware group “Deadlock” is why this report looks past the leaderboard. A comparatively “quiet” group by named victim volume has introduced blockchain-hosted command and control (C2) and kernel-level EDR evasion that outpace the defenses most organizations have in place today. Active since July 2025 but absent from public data-leak sites for 11 months, the group emerged in June 2026 with 75 named victims in a single month, a pace that rivals established groups. Deadlock's malware retrieves its connection instructions from a public blockchain, letting operators rotate addresses invisibly, with no domains or IP addresses for defenders to block or take down. Before encryption, it exploits a vulnerable driver to disable endpoint security tools entirely, removing the telemetry defenders rely on to detect and respond.

Underneath the shakeup, the landscape held steady. Professional, scientific, and technical services (PSTS) led sector targeting for the fifth consecutive quarter, with manufacturing and construction close behind. While the US absorbed nearly half of all victim posts, India and Thailand maintained their elevated Q1 totals. Many enterprises have vendors, outsourced IT, or manufacturing partners in these regions.

In this report, we cover:

  • The Gentlemen's rise to number one; the sharp declines of Qilin, DragonForce, and Coinbase Cartel; and how attacker techniques drove risk more than hierarchy shifts.

  • Deadlock's emergence and what its techniques signal for Q3, including how they might spread and where affiliate mobility can land next.

  • Sectoral and geographic trends that remained steady even as the top of the market shifted.

The Gentlemen Claims #1 As the Leaderboard Reshuffles

The top 11 tracked groups accounted for 1,368 of Q2's victim claims across 99 countries, and The Gentlemen's rise tells the clearest story of where the ecosystem is heading.

Figure 1: Number of organizations listed on data-leak sites by ransomware group, Q2 2026

Over the course of the past three quarters, The Gentlemen became the most-active group, powered by aggressive affiliate recruitment and a well-packaged intrusion kit that lowers the bar for new operators. The group posted 300 victims in Q2, edging out Qilin at 289. In Q1, The Gentlemen’s 588% quarter-over-quarter surge to 179 posts earned it second place, making this quarter’s lead a natural next step. Month over month, The Gentlemen posted 101 victims in April, 77 in May, and 122 in June, closing the quarter with its strongest month yet. That upward turn signals accelerating affiliate output, and the pressure The Gentlemen applies is likely to persist into Q3.

An AI-Accelerated Pre-Packaged, Proven Playbook

What sets The Gentlemen apart is its packaging, where affiliates receive ready-made tools that ship and update faster than most competing programs. According to publicly leaked chat logs, the group's leader "hastalamuerte" previously ran the "ArmCorp" affiliate group under Qilin and launched The Gentlemen with a proven playbook already in place: edge devices for exploitation, lightweight tunneling tools for C2, and single-host Server Message Block (SMB) encryption. Affiliates who worked under other programs already know the workflow, which likely accelerated recruitment. Those same chats indicate that affiliates receive a full starter kit, consisting of pre-compromised victim lists, custom EDR killers, Group Policy Object-based domain-wide deployment, and WinSCP for exfiltration.

The underlying intrusion techniques are largely conventional and match the converged playbook the rest of the top tier runs. On top of that, the chat logs indicate that the group adds a likely AI-accelerated iteration layer, which lets the program refresh affiliate tools on a timescale that competing operations built around human developers can't match. The implication for defenders is that this model is inherently replicable. Any ransomware-as-a-service (RaaS) program willing to standardize on off-the-shelf large language models (LLMs) and copy the packaging approach can compress its own build cycle by the same amount, and affiliate mobility through Q3 and Q4 is likely to favor whichever programs adopt this pattern next.

Qilin, DragonForce, and Coinbase Cartel Lose Ground

The three sharpest declines came from groups that sat near the top of the leaderboard at the end of Q1. Qilin, first in the rankings for four consecutive quarters, fell from 111 posts in April to 79 in June (-29%), though its total of 289 kept it a close second. Given The Gentlemen's lineage under Qilin, affiliate migration is the most plausible driver and likely explains why Qilin slipped as The Gentlemen surged. DragonForce dropped from 65 to 27 (-58%) posts, a decline that points to affiliate attrition or quiet retooling rather than a shutdown. It’s realistically possible that the splintered off affiliates will resurface under a competing brand next quarter, while retooling could set up a rebound. Coinbase Cartel collapsed from 45 to 4 (-91%) posts, the sharpest drop of any tracked group. A fall that abrupt rarely comes from affiliates drifting away and more often reflects an operational break. The trajectory is consistent with the disruption curve typically seen after law enforcement action, though no cause has been publicly confirmed.

When dominant groups lose ground this fast, the next quarter's leaders tend to inherit those affiliates as well as their tooling familiarity and existing access. That's why the market can reshuffle names quarter to quarter while the underlying tactics, techniques, and procedures (TTPs) carry over.

Deadlock: A Newcomer with Notable Methodology

Of the groups that surfaced in Q2 2026, Deadlock is the most operationally relevant, despite posting relatively few organizations to its data-leak site. Its combination of public victim naming, blockchain-based C2, and kernel-level EDR termination sets it apart from the field—a reminder that technique can outweigh volume.

From Private Sales to Public Exposure

Deadlock's June 2026 move from private extortion to public naming is the development defenders should focus on. Going public escalates pressure on victims fast, exposing them to legal, regulatory, and reputational consequences that private deals never carry. Its quiet 2025 profile understated its real capability, and the data-leak site debut is an inflection point. A low profile was never low risk, and now that Deadlock has gone public, it operates in the same arena as established players like The Gentlemen and Qilin.

That public turn came after 11 months of likely deliberate silence. Deadlock has been operational since at least July 2025, but for most of that time it worked underground. Victims communicated with operators exclusively through Session, an anonymized, end-to-end encrypted messenger that minimized attribution risk and kept negotiations out of view, while stolen data moved through private underground markets.

Figure 2: Deadlock ransom note demanding Bitcoin or Monero payment via Session messenger

The group’s public posts revealed broad, opportunistic targeting rather than a defined sector focus, spanning industries across Europe and East Asia. This signals a group casting a wide net, which makes its future targeting hard to predict. The extortion mechanics stayed consistent with the group’s previous behavior, with ransom notes offering Bitcoin or Monero payment and a Session-based recovery process. But now, Deadlock has widened its reach and gone public, combining its underground capabilities with the added weight of a public leak site.

Blockchain-Based C2

Deadlock is the first financially motivated ransomware operation ReliaQuest has observed storing its C2 infrastructure inside a public blockchain. Instead of relying on hardcoded proxy addresses or DNS, the malware queries a smart contract (a self-executing program stored on the Polygon blockchain) at runtime. When operators want to change the C2 address, they send a transaction to that contract, and the malware reads the updated address on its next check-in. Because the address lives on a public blockchain rather than a server, there's no registrar or host to coordinate with, and no static indicator to block or take down.

A few operational details give shape to how the group builds and maintains this infrastructure:

  • Contract deployment was funded through an instant cryptocurrency exchange, a pattern consistent with the operational-security preferences typical of financially motivated groups.

  • Proxies resolve to a mix of hijacked and attacker-owned hosts running ordinary web software, so the traffic blends into normal small-business web activity.

  • The technique echoes EtherHiding, an approach that hides malicious payload retrieval inside blockchain transactions, previously associated with "UNC5342," a North Korean state-aligned intrusion set focused on cryptocurrency theft.

Kernel-Level EDR Termination via BYOVD

Deadlock disables EDR before encryption by abusing a vulnerable driver to reach the kernel—the most privileged layer of the operating system—which lets it shut down security tools that would otherwise stop the attack. This technique, known as Bring Your Own Vulnerable Driver (BYOVD), works because the driver operates at the same privilege level as EDR itself, so once it loads, even fully protected system processes can be terminated. That's why this driver is worth prioritizing for defenders.

Mechanically, a loader drops a legitimate, but vulnerable, antivirus driver, a signed component that Windows trusts by default, into the target’s Videos directory. The driver contains an improper privilege management flaw (CVE-2024-51324, CVSS 7.8) that lets any low-privilege user shut down protected processes, including EDR.

The rest of the intrusion chain relies on familiar tooling, which is what makes behavior-led detection so important:

  • Encrypted files use the .dlock extension. The malware sleeps for about 50 seconds before encrypting, defeating short sandbox detonation windows.

  • AnyDesk is the group's preferred remote-access tool for persistence, often abusing deployments already present in the environment.

  • RDP handles lateral movement after AnyDesk; PowerShell scripts bypass User Account Control (UAC), disable Windows Defender, and delete volume shadow copies before encryption. Because these are familiar admin pathways being abused, behavior-led detection beats family-specific indicators.

Deadlock breaks the two controls most organizations lean on: network blocking loses value when C2 rotates on demand, and mature EDR loses telemetry when it's killed at the kernel. While Deadlock's methods point to where attacker capability is heading, the sector and regional data shows where these pressures are absorbed.

Familiar Sectors, Same Pressure

The industries primarily targeted held their order from Q1, even as the groups shuffled. Professional, scientific, and technical services (PSTS) was the most-targeted sector again, with 437 victim posts across the top 11 groups. PSTS accounted for 32% of tracked activity, the lead sector for the fifth quarter running. Five straight quarters at #1 makes PSTS a fixture in the ransomware market, not a passing trend. The persistence reflects the sector's specific extortion appeal, as firms in PSTS hold sensitive client data across many downstream businesses. Because of this cross-company data exposure, organizations should treat their PSTS vendors as an extension of their own ransomware risk.

Group specialization was visible across the top tier, with a handful of sectors absorbing sustained pressure from a small number of operators rather than facing broadly distributed risk. Qilin was the dominant threat to construction, health care and social assistance, finance and insurance, and public administration. The Gentlemen concentrated on PSTS and manufacturing, along with retail trade and accommodation and food services. Akira, though smaller in overall volume, focused its activity heavily on manufacturing and construction. For defenders, this means the likeliest attacker in these sectors is often predictable, so threat models can be tuned to specific groups rather than the field as a whole.

Figure 3: Number of organizations listed on data-leak sites by sector, Q2 2026

US Stays Top Target; India Raises Supply-Chain Risk

Country targeting in Q2 held the pattern of prior quarters—mature Western economies with dense enterprise footprints and high ransom-paying capacity draw sustained secondary targeting. The US remained the dominant target by a wide margin, absorbing 1,094 victim posts in Q2, roughly 49% of all observed activity and nine times the volume of the next country.

Figure 4: Number of organizations listed on data-leak sites by country, Q2 2026

India’s volume from Q2 confirmed its continued spike of growth rather than a one-quarter spike, as seen in Q1. Enterprises with subsidiaries, outsourced IT, or manufacturing in India face elevated exposure because these partners typically hold privileged access into the parent through IT service platforms, shared identity, or Enterprise Resource Planning (ERP) integrations. An incident at any of these partners can ripple upward and disrupt the parent company, even if the parent is never breached directly.

US targeting has held steady quarter over quarter, but supply-chain exposure is the more actionable trend. If your vendors are based in India, Thailand, or the broader region, treat third-party ransomware exposure as a primary risk. Verify vendor incident-response capabilities directly: restoration SLAs, breach notification timelines, retainer coverage, tabletop maturity, and segmentation of any shared systems.

What's Next for the Ransomware Landscape

Three shifts will likely define ransomware activity through Q3 2026 and beyond, each rooted in signals visible in Q2.

  1. Blockchain-based C2 will likely spread beyond Deadlock (moderate confidence). "Cry0" ransomware has already been observed using the Internet Computer Protocol (ICP) blockchain, though only for extortion negotiations—a narrower use than Deadlock's full C2 rotation inside a Polygon smart contract. Because Deadlock's approach relies on public blockchain primitives and straightforward proxy rotation, the barrier for others to copy it is low. By year-end, at least one additional ransomware brand will likely adopt smart-contract-based C2 in some form.

  2. Deadlock's July and August cadence will show whether June was a backlog dump or a sustained shift. If volume holds at or above June's level, the group is likely to break into the top five by quarterly victim volume by Q4.

  3. Affiliates from Qilin, DragonForce, and Coinbase Cartel will likely migrate to competing programs through Q3, following the pattern of prior brand turnover. The Gentlemen is the most plausible destination, as it runs proven affiliate throughput, ships tools faster than most rivals through its AI-accelerated build pipeline, and offers a pre-packaged intrusion kit that shortens ramp-up. Deadlock is the less obvious option for affiliates who value operational resilience over volume, given its blockchain-backed C2. Whichever program absorbs the most affiliates, defenders should expect a one- to two-quarter detection lag at most enterprises.

Current State vs. Next Evolution

Q2's leaderboard turned over, but the tactics converged: hide the infrastructure, stall attribution, and kill the endpoint before encryption starts. Chasing individual actors buys less each quarter; the shared techniques resurface with whoever comes next. In Q3, track the names less and invest in the technique-level preparations below, each mapped to where defenses sit today and where these groups are headed.

Current State

Next Evolution

Impact

How to Defend/Prepare

Static C2 infrastructure (domains, IPs)

Proxy addresses stored on a blockchain and rotated on demand

IP and domain blocking becomes reactive; on-chain infrastructure cannot be taken down

Monitor Polygon RPC traffic from non-developer hosts and treat Session messenger activity from enterprise endpoints as anomalous. Start with proxy and DNS logs before EDR telemetry.

Public leak site as the main extortion tool

Long stealth periods followed by an opportunistic public leak-site launch

Threat-intel feeds keyed on data-leak sites can miss groups for months or years

Hunt on techniques (artifacts, behaviors) rather than relying on data-leak site feeds alone.

EDR as a reliable kill-chain disruptor

EDR shut down at the kernel via BYOVD

Mature EDR can go dark right before encryption; downstream telemetry is lost

Enforce Microsoft's vulnerable-driver block list; audit endpoints for known abused drivers. Confirm enforcement is active and check for policies stuck in Audit mode, servers excluded from Hypervisor-Protected Code Integrity (HVCI), and per-host driver exceptions.

Step Up Your Defenses Against Ransomware

ReliaQuest's Approach

ReliaQuest GreyMatter® helps organizations reduce ransomware impact by improving detection speed, automating containment, and expanding visibility into both internal exposures and external risk signals. That matters in a quarter defined by leaderboard turnover and technically distinct operators like Deadlock.

Digital Risk Protection (DRP): Counter record leak-site activity and scam leak noise by monitoring the open, deep, and dark web and helping validate whether exposure claims are credible.

Agentic AI: Autonomously triages alerts by correlating vulnerable-driver writes with EDR process termination and shadow-copy deletion.

GreyMatter Transit: Detects threats as data moves between source and storage, bridging the visibility gap left when ransomware operators disable endpoint telemetry.

ReliaQuest detection rules align with techniques used by the groups covered in this report and help prevent similar threats in the future. Used alongside the following GreyMatter Automated Response Playbooks, organizations can contain ransomware threats in as little as five minutes:

  • Isolate Host: Restricts a compromised host's access to critical resources before damage spreads, especially valuable when Deadlock has already killed EDR at the kernel.

  • Disable User: Revokes access for accounts compromised via vishing, initial access broker (IAB)-sold VPN credentials, or brute-forced RDP.

  • Initiate Host Scan: Automatically scans the affected endpoint to confirm malicious artifacts and scope the compromise before encryption begins.

Your Action Plan

The following steps put your organization in the best position to catch the Q2 2026 threats covered here before they cause disruption:

  • Restrict RDP and remote access. Enforce device-based certificate authentication (via Intune, Jamf, or your Mobile Device Management [MDM]) on VPN and RDP endpoints, limit RDP to defined admin hosts in a segmented management VLAN, and audit Network Policy Server (NPS) logs and Group Policy inheritance for unmanaged jump paths.

  • Enforce Microsoft's vulnerable-driver block list. This counters kernel-level EDR termination. Antivirus won't catch the BYOVD chain (CVE-2024-51324), but Windows Defender Application Control (WDAC) with HVCI will. First audit for legacy signed drivers, hardware without VBS/HVCI support, and untrusted kernel modules to avoid breaking critical systems.

  • Monitor blockchain RPC and session messenger egress. This targets blockchain-based C2. Outbound traffic from servers or non-developer endpoints to Polygon RPC providers (Infura, QuickNode, Alchemy, public mirrors), or Session activity from enterprise hosts, is high signal. Look in outbound proxy and firewall logs, DNS query logs, and server-class EDR network telemetry.

  • Harden identity against vishing and Adversary-in-the-Middle (AiTM) attacks. Stolen credentials and affiliate-supplied access remain the entry points feeding the top-tier groups covered in Q2. Our Q1 2026 “ShinyHunters” guidance still applies: train employees to recognize and report vishing attempts and implement phishing-resistant MFA such as FIDO2 hardware keys.

Key Takeaways

Q2 2026 reinforced a lesson building for multiple quarters: ransomware defense is shaped by affiliate-driven scale, rapid actor turnover, and a data-leak site environment that keeps fragmenting. Three former leaders lost meaningful ground in one quarter, mid-tier volatility swung by hundreds of percent month over month, and one technically novel newcomer (Deadlock) surfaced with methods the rest of the market has not yet matched.

Beneath the churn, the top of the market competes on two fronts. Deadlock represents technical novelty with blockchain C2 and kernel-level EDR termination. The Gentlemen represents operational tempo, using AI to compress its affiliate-kit build cycle from months to days. Both are structural shifts in how ransomware programs scale, and any program that can't compete on at least one will likely lose affiliates.

Deadlock points to where the landscape is likely heading: a blockchain-hosted C2 that resists takedown, and kernel-level evasion that blinds endpoint telemetry before encryption. While not yet mainstream, the pattern has moved from proof-of-concept to active deployment. Because Deadlock relies on public blockchain services and standard proxy rotation, other operators can copy the approach without custom tools. Paired with 11 months of data-leak site silence, Deadlock is exactly the kind of operator that leaderboard-driven intelligence misses until it's too late.

Organizations need a proactive posture to defend against these groups. Focus detections on the behaviors that drive impact, such as remote-service abuse, identity compromise, lateral movement, defense evasion, and rapid exfiltration from software-as-a-service (SaaS) and file stores. Integrate agentic AI to close the gap between detection and containment. Behavior-based rules generate alert volume no human team can triage at ransomware speed, and the operators driving Q2's data are already using AI to outpace manual defense.

This is external threat intelligence from the ReliaQuest Threat Research team. The findings describe threats, vulnerabilities, and attacker activity affecting third parties and the broader threat landscape—not ReliaQuest's own environment. Nothing in this report should be interpreted as a vulnerability in ReliaQuest's systems or data.

Proactively Protect Against Threats with GreyMatter

As adversaries continuously evolve and accelerate their attacks using AI, security programs must also adopt AI to minimize risk and stay ahead of threats. GreyMatter leverages AI to enhance existing workflows by providing support in augmentation, assistance, and automation to take the low-brain, high-time activity out of security operations and accelerate responses.

Get a live demo of GreyMatter to learn more about the outcomes of AI-powered security operations.

cta-img1