Three gangs tighten their grip on ransomware

Three ransomware operations — Qilin, Akira and DragonForce — were behind 40% of the 672 attacks logged worldwide in March, according to Check Point Research, highlighting how a criminal market that still looks fragmented on the surface is being pulled by a smaller group of high-output players. Check Point said Qilin accounted for 20% of published attacks, Akira 12% and DragonForce 8%, while 47 separate groups were still active during the month.

The figures point to a concentrated threat environment rather than a broad-based lull. Check Point said the March total was down 8% from a year earlier but up 7% from February, a sign that ransomware activity regained momentum after a softer patch earlier in the quarter. The company’s data comes from extortion “shame sites”, where gangs publish victims they say refused to pay, meaning the numbers are best read as a measure of criminal activity and pressure tactics rather than a full census of confirmed breaches.

That caveat matters. Another tracker, Breachsense, counted 808 victim companies in March across 65 active groups, also based on leak-site claims rather than confirmed intrusions. Even with the methodological gap, both datasets tell the same broader story: March was busy, Qilin was the standout operator, Akira rebounded sharply, and DragonForce continued to climb. Breachsense counted 131 March victims for Qilin, 84 for Akira and 54 for DragonForce.

Qilin’s rise is no longer a short burst. Security researchers identify it as the ransomware operation formerly known as Agenda, a group that has evolved into a mature ransomware-as-a-service platform with Rust and Linux tooling, affiliate support and a steady stream of victim disclosures. Check Point said the group has expanded affiliate recruitment since early 2025, while Trend Micro described Agenda as one of the most prolific operations of 2025, with almost 1,400 disclosed victims on its leak site last year. A Health and Human Services threat profile has also linked Qilin to double extortion, phishing-led access and variants written in both Golang and Rust.

Akira remains a different kind of danger: less flashy than some rivals, but entrenched and technically adaptable. A joint advisory from the FBI, CISA and international partners said Akira has targeted organisations across North America, Europe and Australia since March 2023 and had claimed about $244.17 million in ransom proceeds by late September 2025. The same advisory said the group had expanded beyond Windows and VMware-focused attacks, including abuse of a SonicWall vulnerability to encrypt Nutanix AHV virtual machine disk files. Check Point said Akira has been leaning into business services and industrial manufacturing, sectors where downtime can quickly turn into bargaining power.

DragonForce, by contrast, has become a symbol of the market’s franchise model. Check Point described it as a white-label “cartel” that lets affiliates run their own brands on shared infrastructure, while Trend Micro said the group’s affiliate-driven structure helped lift its profile in 2025. Reuters reported that Marks & Spencer’s chairman told lawmakers the retailer believed DragonForce was behind the April 2025 attack that disrupted online shopping for weeks and was carried out by loosely aligned parties using social engineering. That episode helped show why DragonForce matters beyond victim counts: it has become associated with disruptive, high-visibility campaigns against brand-sensitive targets.

The concentration at the top does not mean the rest of the field is disappearing. Broadcom said the collapse of RansomHub caused only a brief dip in activity, with former affiliates moving to groups such as Qilin, Akira and DragonForce. That suggests the ransomware economy is becoming more fluid, with crews and access brokers shifting between brands while the service model stays intact. Huntress has also warned that ransomware-as-a-service, multi-extortion and alliances between groups are defining features of the 2026 landscape, lowering the barrier to entry and allowing specialist operators to combine malware, stolen data, harassment and disruption.

March’s sector and geography data adds to that picture. Check Point said business services took 35% of ransomware victims, followed by consumer goods and services at 14% and industrial manufacturing at 13%, together making up 61% of reported incidents. North America accounted for 55% of attacks, Europe 24% and Asia-Pacific 12%, with Europe’s share rising from 17% in February. Breachsense likewise found the United States remained the single biggest national target, with France, Germany, Italy and the United Kingdom also among the most affected countries.