
84 Ransomware Groups, One Uncomfortable Truth: Takedowns Are Fragmenting the Ecosystem, Not Killing It
Key Takeaways
- Law enforcement takedowns of major ransomware groups appear to be fragmenting the ecosystem: 84 groups were active in Q1 2026, up from 70 a year prior, with 19 debuting for the first time.
- Patch your VPN appliances and enforce phishing-resistant MFA now. More than 85% of Travelers' late-2025 claims traced initial access to VPN entry points.
- Ransomware claims are up 80% since 2022. Threat models built around tracking named groups will age poorly; focus instead on the entry vectors and exfiltration patterns that persist across groups.
Travelers' Q1 2026 report shows near-record victim counts and a surge in new criminal groups, revealing why dismantling ransomware's biggest names may be making the overall problem harder to solve.
Law enforcement celebrated when LockBit got dismantled. Champagne was metaphorically popped, press releases were issued, and the narrative was that the ransomware problem was finally getting smaller. Then Travelers published its Q1 2026 Cyber Threat Report, and the numbers said something else entirely.
The Scoreboard Nobody Wanted
In the first quarter of 2026, ransomware operators posted 2,405 victims to dark-web leak sites, according to the Q1 2026 Travelers Cyber Threat Report as summarized by PropertyCasualty360. That figure is down just 2% from the all-time record set in Q4 2025, and up 7% from the same quarter one year earlier. To put the longer arc in perspective: ransomware claims have increased 80% since 2022, and ransomware activity overall has tripled in that same period, per Travelers' data reported by PropertyCasualty360. The number of victims posted to leak sites increased by 50% in 2025 alone, according to the Travelers Institute. These are not rounding errors. They are a trend line pointing in one direction.
The most arresting figure, though, is not the victim count. It is the group count. According to Travelers' report as covered by PropertyCasualty360, 84 distinct criminal groups were active in Q1 2026, the highest number Travelers has recorded since 2020. A year prior, the comparable figure was 70. Of those 84 groups, 19 were making their first-ever appearance in leaksite data, according to Corvus by Travelers. New entrants. A fresh class of operators, arriving precisely during the period when major enforcement actions were supposed to be chilling the market.
The Fragmentation Problem, Explained
Here is the uncomfortable strategic insight buried in the data: taking down a dominant ransomware group does not eliminate the criminal capacity that group represented. It redistributes it. When a major operation is disrupted, its affiliates, its tooling, and sometimes its developers scatter. Some retire. Many do not. They spin up new operations, join smaller crews, or launch independent brands. The result is an ecosystem with more nodes, not fewer.
Travelers addresses this dynamic directly. As PropertyCasualty360 reported, the insurer noted that fragmentation makes ransomware harder to combat because catching one group becomes less impactful when attacks are spread across multiple, constantly changing actors. A concentrated threat is, paradoxically, easier to monitor and disrupt than a diffuse one. The security community understood this intellectually for years. The Q1 2026 data is now the empirical receipt.
The leading groups in Q1 2026 illustrate both the persistence of established players and the chaos of the new landscape. Qilin posted 414 victims to claim the top spot, while a group called the Gentlemen posted 207 victims, according to PropertyCasualty360. Targeted organizations included entities in financial services, according to the same report. Two very different operators, both thriving in the same quarter. That is what a fragmented ecosystem looks like in practice.
The VPN Door Is Still Wide Open
Fragmentation in threat actors does not mean randomness in entry points. Travelers' data reveals a striking consistency on the intrusion side: more than 85% of Travelers' cyber claims filed between August and December of 2025 involved VPNs as the initial point of entry, according to the Travelers Institute. That figure deserves to be read slowly. Not a plurality. Not a majority. More than 85%. Virtual private networks, intended as a security control, have become one of the most reliable doors into corporate environments.
The mechanism is not mysterious. Unpatched VPN appliances, stolen credentials used against VPN portals, and misconfigured multi-factor authentication around VPN access are all well-documented attack surfaces. Emsisoft's Q1 2026 state-of-ransomware analysis notes that the current landscape is defined not just by volume but by intent, with threat actors increasingly prioritizing objectives that extend beyond simple encryption for ransom. The data-theft-over-disruption shift that Industrial Cyber documented, citing BlackFog's Q1 2026 findings, reinforces this: operators are increasingly exfiltrating data before or instead of encrypting, because stolen data generates extortion leverage even when victims restore from backups. The VPN is the front door; what happens after entry is increasingly a data heist, not just a lockout.
What This Actually Means for You
If you manage security for any organization, the policy implication of the fragmentation finding is that your threat model cannot be built around tracking named groups. Monitoring for LockBit indicators of compromise while 19 new groups debut in a single quarter is like changing the locks after giving out keys to strangers you have never met. The practical response is to focus on the invariant parts of the problem: initial access vectors (patch your VPN appliances, enforce phishing-resistant multi-factor authentication), detection of lateral movement, and data exfiltration controls, because even if the group you are watching disappears tomorrow, the next one will use the same door.
The Travelers Institute notes that the insurer recommends five cyber readiness practices to help organizations protect against evolving threats, though the specifics of those practices are detailed in the full Q1 2026 Travelers Cyber Threat Report. That report is worth reading in full, not for the named groups (those will change), but for the structural patterns that will not. The scoreboard of 84 active groups will look different in Q2. The lesson it teaches will be the same.