HIGH Ransomware
Verified
Global

ALPHV Successor RansomHub Becomes Top Ransomware Threat in Q1 2026

Source: Group-IB / Recorded Future

Executive Summary

RansomHub, believed to include former ALPHV/BlackCat operators, claims 185+ victims in Q1 2026 alone. It is now the most prolific ransomware operation.

Analysis

RansomHub has rapidly grown to become the most active ransomware group globally, claiming 185+ victims in Q1 2026. The group offers affiliates a 90% revenue share, the most competitive in the RaaS market. It uses a Golang-based encryptor targeting Windows, Linux, and ESXi. Notable victims include manufacturing, healthcare, and government organizations across 30+ countries.

Timeline

Discovered: Jan 1, 2026
Published: Mar 7, 2026

Source Attribution

Originally published by Group-IB / Recorded Future on Mar 7, 2026. Verified by: Group-IB, Recorded Future.

Related Threats

CRITICAL Ransomware

7 tabletop exercise mistakes that sabotage incident response

Discussion-based, low-stress simulations during which IT, legal, and other key leadership stakeholders walk through theoretical scenarios to test their preparedness for cyber incidents are a popular and highly useful tool. Yet unless tabletop training is properly handled, the results can be misleading and potentially destructive. When your organization’s incident response training consistently fail

CSO Online

HIGH Ransomware

Bombay High Court Issues Injunction Prohibiting Hackers From Publishing Allegedly Hacked HDFC Investor Data

The Bombay High Court granted interim relief to HDFC AMC after a ransomware group called “Morpheus” allegedly stole over 680 GB of sensitive company and investor data. The court barred unidentified hackers from publishing or sharing the information, warning that any leak could lead to identity theft, financial fraud and irreparable harm. The case will...

DataBreaches.net