748 ransomware attacks were recorded globally in April 2026, with industrials the most targeted sector. Qilin was responsible for 14% of ransomware activity, while The Gentlemen emerged as the second most active ransomware group.
Analysis from NCC Group’s latest Cyber Threat Intelligence Report finds ransomware activity stayed high throughout April 2026, despite a modest month-on-month decline.
The global cyber security firm recorded 748 ransomware listings worldwide during April 2026, representing a 7% decrease compared to March. However, ransomware activity in 2026 has been operating at a higher baseline than much of 2025, reflecting the growing scale and maturity of the ransomware-as-a-service (RaaS) ecosystem.
Industrials continued to be the most targeted sector in April, accounting for 28% of all recorded attacks, while North America remained the most impacted region globally.
The Gentlemen signals evolution of ransomware operations
Qilin was again the most prolific ransomware group in April, responsible for 14% of all observed attacks. Meanwhile, The Gentlemen rapidly emerged as one of the most active threat actors, accounting for 10% of ransomware activity and signalling the continued evolution of the ransomware landscape.
The report highlights how The Gentlemen has quickly evolved into a highly operational RaaS group, using advanced tooling and proxy infrastructure to accelerate attacks and improve stealth. NCC Group’s analysis found the group’s affiliates are increasingly leveraging SystemBC malware to establish covert tunnelling, evade detection and support rapid lateral movement across enterprise environments.
Matt Hull, VP of Cyber Intelligence and Response, NCC Group, said: “The rise of groups like The Gentlemen demonstrates how affiliates are now combining shared tooling, stealth infrastructure and repeatable intrusion methods to accelerate attacks at scale. Techniques such as covert tunnelling and rapid domain-wide deployment are shrinking the window that defenders have to detect and respond before encryption occurs.”
AI-assisted cyber threats continue to develop
The report outlines growing industry debate around AI-assisted cyber capabilities following Anthropic’s announcement of Claude Mythos, an advanced large language model reportedly capable of autonomously identifying vulnerabilities and developing exploit chains. While the model may represent a meaningful advance in AI-assisted vulnerability research, NCC Group notes that its real-world impact remains unclear due to restricted access, controlled testing environments and questions around operational effectiveness at scale.
Matt Hull continued: “Developments around AI models such as Claude Mythos suggest AI-assisted vulnerability discovery and exploitation could further compress attacker timelines in the future. However, the industry should remain cautious about overstating current capabilities, particularly where testing has been limited to controlled environments.
“Regardless, organizations can no longer rely on reactive security measures alone. Continuous attack surface management, strong identity controls and rapid detection of suspicious behavior are becoming essential to reducing cyber risk.”
Geopolitical tensions expected to drive cyber activity
The report also identified several geopolitical developments likely to influence cyber activity in the coming months, including China’s expanded supply chain security regulations and the strategic significance of NASA’s Artemis programme.
NCC Group assesses these developments are likely to drive increased nation-state cyber activity focused on espionage, supply chain compromise and intelligence collection against multinational organizations.
