BlackFog Q1 Ransomware Report: Only 1 in 9 Ransomware Attacks Made Public as Data Exfiltration Hits 96%

SAN FRANCISCO--(BUSINESS WIRE)--BlackFog, the leader in ransomware prevention and anti data exfiltration (ADX), today revealed findings from its analysis of global ransomware activity from January - March 2026 covering both publicly disclosed and undisclosed attacks.

The findings reveal that the true scale of the threat remains vastly underreported with only one in nine ransomware attacks publicly disclosed. In total 2,160 undisclosed ransomware attacks were identified during the quarter, representing a 2% increase in attacks year-on-year, with victims spread across 97 countries.

Meanwhile, 264 publicly disclosed attacks were recorded. Although this figure is a 15% decrease compared to the same period the previous year, the findings show that ransomware remains a persistent and highly active threat.

Key findings

Ransomware activity in Q1 2026 continued to demonstrate both the scale and diversity of modern attacks. In terms of disclosed attacks for this period, the analysis reveals:

• The average ransom demand exceeded $1M ($1,028,214)
• Organizations across 39 countries were impacted
• Attacks on the logistics sector surged 200% YoY
• Healthcare was the most targeted sector, accounting for 72 attacks (27%)
• Government entities experienced 32 attacks (12%), followed by technology at 28 attacks (11%)

Fragmented Ransomware Groups

The report highlights a fragmented ransomware landscape. Among publicly disclosed attacks, Qilin was the most active variant, responsible for 22 attacks (8%). ShinyHunters followed with 16 attacks (6%), and INC accounted for 11 attacks (4%). Notably, 38% of all publicly disclosed ransomware incidents were not attributed to any known group.

In terms of undisclosed attacks, Qilin again led with 339 attacks (16%), followed by The Gentlemen with 200 (9%) and Akira with 190 (9%). In total, 79 ransomware groups claimed victims during the three-month period.

The Gentlemen: A Growing Force in the Ransomware Landscape

During this quarter, The Gentlemen quickly established itself as one of the most active ransomware groups, ranking second by volume of attacks. Since its emergence in 2025 through to the end of Q1 2026, the group has claimed 273 attacks, reflecting a rapid scale-up in operations and a broader trend of new entrants operating with a high level of maturity from the outset.

Emerging Threats Enabling Data Exfiltration

The focus for attackers remains on credential theft, maintaining persistent access, and data exfiltration, with exfiltration rates staying critically high in Q1 at 96%. The average volume of data stolen per undisclosed incident reached 743GB, with victims given an average of just 7.7 days to meet ransom demands.

Threat actors are also leveraging AI to streamline and scale data theft. Campaigns such as LotAI demonstrate how AI tools can be used to automate data collection and exfiltration. Platforms like ClawdBot and OpenClaw further highlight how AI-driven infrastructure can aggregate, process and manage stolen data more efficiently.

Commenting on the findings, Dr. Darren Williams, Founder and CEO of BlackFog, said:

"A 15% year-on-year decline in reported attacks may suggest progress, but the reality is very different. Ransomware remains a persistent and highly active threat, with attackers increasingly using AI to automate data theft at scale. With data exfiltration now occurring in 96% of attacks, the question for every organization is no longer whether their data is at risk - but whether they can stop it leaving their systems before damage is done."

For a detailed look into the findings, download: BlackFog’s 2026 Q1 State of Ransomware Report

Methodology

This report was generated in part from data collected by the BlackFog Console over the specific report period January – March 2026. It highlights significant events that prevented or reduced the risk of ransomware or a data breach and provides insights into global trends for benchmarking purposes. This report contains anonymized information about data movement across hundreds of organizations and should be used to assess risk associated with cybercrime.

Industry classifications are based upon the ICB classification for Supersector used by the New York Stock Exchange (NYSE).

All recorded events are based upon data exfiltration from the device endpoint across all major platforms.

About BlackFog

BlackFog is the category-defining vendor in anti data exfiltration (ADX). Founded in 2015, the company invented ADX on the thesis that the endpoint is the only control point capable of stopping data from leaving an organization, an architectural bet that has now been validated across three exfiltration vectors: ransomware, shadow AI, and autonomous AI agents. BlackFog’s endpoint-native platform protects more than 500 enterprises, government agencies, and critical infrastructure operators worldwide.

The company is the publisher of the annual State of Ransomware report and the BlackFog/Sapio Shadow AI Research, the most-cited primary research in the category. BlackFog’s recognition includes the teiss Awards 2026, the AI Excellence Award 2026, the Cybersecurity Excellence Awards 2026, and the Cybersecurity Breakthrough Award. Headquartered in San Francisco with international operations in London and Belfast. Learn more at blackfog.com.