Qilin Ransomware Now Leads the Market

▼ Summary
– Qilin has emerged as the dominant ransomware-as-a-service operation, holding about 16% of the cybercriminal market share after major groups like LockBit and RansomHub were disrupted.
– Qilin’s success is attributed to high affiliate payouts, mature infrastructure, continuous technical innovation, and expanded extortion services, attracting affiliates from collapsing rival programs.
– The rapid emergence of new groups like The Gentlemen shows how quickly the cybercrime landscape evolves, with The Gentlemen surpassing Qilin as the most prolific ransomware strain in June 2026.
– Over the last 12 months from July 2026, Qilin listed 1,496 victims on its data leak site, while Akira had 1,205 and The Gentlemen had 763.
– Affiliates are increasingly using AI tools to conduct campaigns, lowering the barrier to entry and reducing the technical knowhow needed for aspiring cybercriminals.
The ransomware landscape is undergoing a significant shift, moving away from fragmentation and toward consolidation. Qilin ransomware has emerged as the leading ransomware-as-a-service (RaaS) operation, filling the void left by the disruption of major groups like LockBit and RansomHub.
However, Qilin’s dominance is not absolute. The swift rise of newer groups, such as The Gentlemen, illustrates how volatile the cybercrime ecosystem remains.
According to Lotem Finkelstein, vice president of research at Check Point, Qilin now commands approximately 16% of the cybercriminal market share, as detailed in the firm’s 2026 Cyber Security Report. Active since at least October 2022, Qilin has built a technically mature infrastructure that supports its operations.
“Over the last few months, what we have observed is that they are consolidating again and becoming major ransomware groups,” Finkelstein told Infosecurity.
Recent data from Sophos X-Ops Counter Threat Unit (CTU), reviewed by Infosecurity, underscores Qilin’s reach. In the 12 months ending July 2026, Qilin listed 1,496 victims on its data leak site. By comparison, Akira posted 1,205 victims, and The Gentlemen recorded 763.
Aiden Sinnott, principal threat researcher at Sophos X-Ops CTU, agreed with Finkelstein’s assessment. “Qilin has become dominant largely because it was the main beneficiary of ransomware market consolidation following major law enforcement activity,” Sinnott explained.
The appeal for affiliates lies in Qilin’s high affiliate payouts, mature infrastructure, continuous technical innovation, and expanded extortion services. This combination proved especially attractive just as competing RaaS programs like LockBit, ALPHV, and RansomHub were collapsing.
“The result was a rapid influx of experienced affiliates and a sharp increase in victim volume,” Sinnott added.
Finkelstein noted that affiliates are now using AI tools to execute their campaigns, lowering the barrier to entry. Aspiring cybercriminals require less technical expertise than before, making the threat more accessible.
The Gentlemen Rises
Despite Qilin’s strong position, another group is vying for market leadership. Data from Comparitech shows that in June 2026, The Gentlemen knocked Qilin off the top spot for the first time in months. The Gentlemen became the month’s most prolific ransomware strain with 115 victims, compared to Qilin’s 78.
Rebecca Moody, head of data research at Comparitech, pointed out a key geographic difference. Over half of Qilin’s targets were based in the United States, whereas less than one in five of The Gentlemen’s June victims were American.
Research published by Check Point in April confirmed that The Gentlemen is gaining momentum, signaling that the fight for ransomware supremacy is far from settled.
(Source: Infosecurity Magazine)




