
Article Summary
A recent report shows a deepening ransomware rivalry between The Gentlemen and Qilin.
The latest ransomware landscape analysis reveals a deepening rivalry between The Gentlemen and Qilin, as ransomware activity remains elevated in Q2 2026.
- Despite a quarterly dip, ransomware activity is elevated, with attacks in the first half of 2026 up 20 percent compared to the same period last year.
- Attacks by The Gentlemen rose by 39 percent.
- Companies with over $1B in revenue experienced 74 percent more attacks than the previous quarter.
The latest findings from NordStellar reveal that ransomware attack volumes remained high from April to June 2026, sustaining the elevated baseline. The analysis also points to an intensifying fight for dominance between the two most active ransomware groups, The Gentlemen and Qilin, as well as a notable shift in victim targeting.
According to findings from NordStellar, there was a slight four percent decrease in incidents from the first quarter, but attacks remain at a heightened baseline, indicating sustained threat activity.
The slight decrease in attacks shouldn’t be a sign to relax just yet. Ransomware accelerated in the last quarter of 2025, reaching record highs, and although the number of attacks has been slightly decreasing every quarter this year, we are still registering a 20 percent increase in attacks from the same period last year.
The Rivalry
While Qilin’s activity declined slightly from the previous quarter, The Gentlemen accelerated its operations with a 39 percent increase in attacks, further deepening the rivalry between the two groups,” says Mantas Sabeckis, senior threat intelligence researcher at Nord Security. “Even though DragonForce remains significantly less active than the top two, it is steadily scaling up — last quarter’s attack volume marked an all-time high for the group.”
According to Sabeckis, the fact that Qilin and The Gentlemen have managed to establish themselves as the two dominant ransomware groups and more or less maintain their positions, highlights a concerning trend — the ransomware threat landscape is stabilizing and maturing.
“Established ransomware groups have refined tools, affiliate networks, and negotiation infrastructures. The more sophisticated and established a group becomes, the greater the threat it poses,” explains Sabeckis. “This competition between Qilin and The Gentlemen could potentially drive an even higher baseline of activity. Each group is likely ramping up operations and casting a wider net to come out on top, and as affiliates move between groups, the balance of power could shift in the coming months.”
He adds that in a landscape like this, smaller groups such as DragonForce are under growing pressure to scale. They’re more likely to accelerate their operations to prove themselves among more dominant players, further inflating the overall threat landscape.
SMBs Dominate, but Attackers Shifting their Gaze to Enterprises
NordStellar findings reveal that small and medium-sized businesses (SMBs) — those with up to 200 employees and revenues under $25 million — bore the brunt of ransomware activity. However, attacks against large enterprises with revenues exceeding $1 billion surged by 74 percent.
Ransomware actors historically target SMBs because these organizations often lack comprehensive defenses, which can increase the likelihood of a successful attack. This recent spike in enterprise targeting is unusual and may be a temporary fluctuation.
This shift likely stems from the rivalry between dominant threat actors — a successful hit on a major corporation is a badge of honor that boosts a group’s reputation within the cybercriminal underground. The data also reveals that ransomware actors continue to primarily target companies in the U.S.
As seen in previous quarters, companies in manufacturing were hit the hardest, making up for 19.5 percent of all attacks. The information technology sector came second (10.7 percent), followed by professional, scientific, and technical services (8.3 percent), construction (seven percent), and healthcare (6.2 percent).
Companies in the U.S. experienced a slight decline in attacks compared to the previous quarter, while attacks on companies in Canada increased by 13 percent, suggesting that attackers might be shifting their geographical focus.
The increasing maturity of the current ransomware landscape calls for companies to stay on high alert. Businesses can expect more refined and complex attacks, making it critical to identify and patch vulnerabilities before attackers can exploit them.
Previous findings from NordStellar reveal that ransomware actors utilize various schemes to coerce victims into payment, with 76.8 percent of ransomware negotiations including threats to publish or leak the data, and limited-time price discounts being offered in 45.5 percent of the negotiations.
Abandoning the ‘it won’t happen to us’ mindset has never been more critical. Companies should strengthen their defenses by focusing on basic cyber hygiene, which is too often overlooked. This includes enforcing multi-factor authentication, implementing strong password management policies, regularly patching systems and applications, and adopting a zero trust approach to limit lateral movement. Additional best practices should include:
- A focus on early threat prevention and detection — ransomware actors can use data leaked on the dark web to gain initial access, and catching these leaks early alerts the organization to take action by resetting passwords and revoking access keys before it’s too late.
- Backing up critical data is crucial to reduce downtime in the event of a successful ransomware attack.
- Having a recovery plan in place is essential to speed up incident mitigation.






















