HIGHRansomware
Verified
Global

ALPHV Successor RansomHub Becomes Top Ransomware Threat in Q1 2026

Saturday, March 7, 2026 at 10:00 AM UTC·Source: Group-IB / Recorded Future

Updated: Sunday, March 8, 2026 at 09:00 AM UTC

Executive Summary

RansomHub, believed to include former ALPHV/BlackCat operators, claims 185+ victims in Q1 2026 alone. Now the most prolific ransomware operation.

Analysis

RansomHub has rapidly grown to become the most active ransomware group globally, claiming 185+ victims in Q1 2026. The group offers 90% revenue share to affiliates, the most competitive in the RaaS market. Uses a Golang-based encryptor targeting Windows, Linux, and ESXi. Notable victims include manufacturing, healthcare, and government organizations across 30+ countries.

Timeline

Discovered
Jan 1, 2026
Published
Mar 7, 2026
Source Attribution

Originally published by Group-IB / Recorded Future on Mar 7, 2026. Verified by: Group-IB, Recorded Future.

Related Threats

CRITICALRansomware

Cisco fixes critical IMC auth bypass present in many products

Cisco has released patches for a critical vulnerability in its out-of-band management solution, present in many of its servers and appliances. The flaw allows unauthenticated remote attackers to gain admin access to the Cisco Integrated Management Controller (IMC), which gives administrators remote control over servers even when the main OS is shut down. The vulnerability, tracked as CVE-2026-2009

CVE-2026-20093
CSO Online
HIGHRansomware

Akira ransomware group can achieve initial access to data encryption in less than an hour

A new report from Halcyon finds that the group also puts more effort than usual into developing working decryptors, likely to incentivize businesses to pay up. The post Akira ransomware group can achieve initial access to data encryption in less than an hour appeared first on CyberScoop .

CyberScoop
CRITICALRansomware

vSphere and BRICKSTORM Malware: A Defender's Guide

<div class="block-paragraph_advanced"><p>Written by: Stuart Carrera</p> <hr/></div> <div class="block-paragraph_advanced"><h3><span style="vertical-align: baseline;">Introduction</span><strong style="vertical-align: baseline;"> </strong></h3> <p><span style="vertical-align: baseline;">Building on </span><a href="https://cloud.google.com/blog/topics/threat-intelligence/brickstorm-espionage-campaign

CVE-2026-22769
Mandiant