
The Ransomware Succession Crisis: What the Fall of LockBit and ALPHV Means for Defenders in 2026

Brett Cunningham, CTO | April 21, 2026

Something happens maybe once every three or four years in the ransomware world: a generational turnover. The groups that owned the threat landscape from 2022 through 2025 (LockBit3, ALPHV/BlackCat, RansomHub, BlackBasta) are gone. Law enforcement dismantled some, internal dysfunction finished others, and a few just went dark. A new set of operators has moved into the space they left behind, and they moved fast.

If you run a security program, this shift has real consequences for your threat model, your detection priorities, and your incident response playbooks. Here is what the data shows and what it means in practice.

The Numbers Tell the Story

Ransomware.live tracking data puts 2026 on pace to be the worst year on record for ransomware victims. Through April 19, there were 2,843 confirmed victims across 74 active groups, out of 333 groups tracked historically. The monthly numbers have been climbing: 702 victims in January, 784 in February, 844 in March, and 513 in the first nineteen days of April. Annualized, that puts the total somewhere between 9,200 and 9,500 victims depending on methodology, which would beat 2025’s record of 8,158 by twelve to sixteen percent. Seasonal variation could shift that range; Q1 has historically underrepresented full-year totals, with Q4 typically running higher.

One caveat on the data: ransomware.live tracks victims based on leak site postings. That means it undercounts victims who pay before operators post their names, and it can include unverified claims. It is still the best open-source dataset available for tracking ransomware at scale, but it is not a census.

This acceleration is happening despite the successful disruption of the old guard:

  • LockBit3: 2,017 all-time victims. Last confirmed victim December 2025. The Operation Cronos takedown in February 2024, led by the UK’s National Crime Agency with international coalition support, degraded their infrastructure repeatedly. Sustained pressure, including the May 2024 identification of Dmitry Khoroshev as LockBitSupp and the seizure of decryption keys, ultimately proved fatal to the brand.
  • ALPHV/BlackCat: 731 all-time victims. Went offline in March 2024 after what appears to have been an exit scam following the Change Healthcare attack, in which they reportedly collected a $22 million ransom payment and then stiffed their own affiliate. The FBI had already seized their infrastructure in December 2023.
  • RansomHub: 844 all-time victims. Offline since March 2025. Had briefly surged as an ALPHV successor, absorbing displaced affiliates, but could not sustain operations.
  • BlackBasta: 524 all-time victims. Offline since January 2025. Internal chat leaks in early 2025 exposed their operations and likely accelerated dissolution.
  • Bianlian: 553 all-time victims. Offline since March 2025.

Combined, these five groups accounted for over 4,600 victims during their operational lifetimes. They are all gone, yet attack volume did not drop. It went up. That is the central problem defenders are now dealing with.

The New Guard: Who They Are and Why It Matters

The 2026 leaderboard barely resembles what it looked like twelve months ago. The top ten groups by victim count include a mix of genuinely new entrants and established operators who have picked up business from the groups that collapsed.

Qilin leads all groups with 402 victims in 2026 and 1,697 all-time, putting it among the most prolific ransomware operations ever tracked. Qilin has been running since at least mid-2022, when Group-IB first spotted it operating under the name Agenda before rebranding. Its acceleration this year suggests it has successfully absorbed affiliates displaced from LockBit and RansomHub. Its targeting is broad but tilts noticeably toward manufacturing and healthcare, the two sectors least able to tolerate downtime and therefore most likely to pay.

Thegentlemen, with 263 victims, is worth watching. The group appeared recently and has scaled to high volume fast enough that it is almost certainly not starting from scratch. Either it has a well-resourced founding team with prior RaaS experience, or an existing affiliate network simply moved over under a new name. Either way, treat them as experienced operators, not first-timers.

Nightspire (150 victims) and Coinbasecartel (90 victims) follow the same pattern: fast emergence, high early volume, and operations that are clearly borrowing from predecessor playbooks. The growth in groups in the 90-to-200 victim range is itself a signal worth noting. The ransomware economy is breaking up into more, smaller operations rather than consolidating around a few dominant brands.

LockBit5 (119 victims) deserves a closer look. The branding is an obvious attempt to inherit the most recognized name in ransomware. Whether this is a genuine successor operation with access to LockBit’s codebase and affiliate relationships, or an opportunistic group trading on name recognition, remains unclear. Either way, the existence of a “LockBit5” tells you something: ransomware brands work like franchises. The operator can be gone and the brand still has value.

Akira (218 victims) and Play (127 victims) are still running at high volume. These groups have shown the kind of organizational staying power that the disrupted groups could not sustain: good operational security, stable affiliate management, and the ability to keep going when law enforcement pays attention. For threat intelligence teams, Akira and Play are a rare constant in an otherwise unstable landscape.

Clop (127 victims in 2026) remains a persistent presence, though its model is distinct from the traditional RaaS operators. Clop focuses heavily on mass exploitation of file transfer vulnerabilities rather than the affiliate-driven intrusion model most other groups use.

What This Transition Means for Defenders

1. Your Threat Intelligence Must Get Faster

When three or four groups owned the landscape, threat intelligence teams could keep deep profiles on each and build detection logic around their known tooling. That model does not hold up at 74 active groups, many of them new and still poorly characterized. It’s time to make the shift from group-centric to behavior-centric detection. Focus on the techniques that show up regardless of who is running the operation: abuse of legitimate remote management tools (AnyDesk, ConnectWise ScreenConnect, Splashtop), exploitation of known edge device vulnerabilities (Fortinet, Ivanti, Palo Alto Networks products), lateral movement via RDP and SMB, and commodity loaders as initial access vectors. MITRE ATT&CK techniques T1486 (Data Encrypted for Impact), T1490 (Inhibit System Recovery), and T1048 (Exfiltration Over Alternative Protocol) should be detection priorities no matter which group you are tracking.
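To make the group-agnostic approach concrete, here is an added example of behaviour-centric detection logic, written for this post rather than taken from it or from any vendor's product. It runs three checks over constructed, Sysmon-style process and file events: recovery tampering (T1490), a remote management tool launched on a host outside an assumed help-desk allow-list (ATT&CK T1219, Remote Access Software, which the post does not name but which exists), and a single process renaming many files to a new extension inside a short window (T1486). The event field names, the host allow-list, the thresholds and the sample data are all assumptions; the RMM binary names are a starter set to be replaced by your own inventory.

```python
"""Behaviour-centric ransomware detection over constructed telemetry.

Added example, not code from the original post. Event shapes loosely mimic
Sysmon process-creation and file-rename records; all sample data is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# T1490 Inhibit System Recovery: widely documented recovery-tampering commands.
INHIBIT_RECOVERY_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
    re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I),
]

# T1219: remote management tools the post names. Assumed starter list; tune to
# your environment. Hosts on the allow-list are where help-desk use is expected.
RMM_IMAGES = {"anydesk.exe", "screenconnect.clientservice.exe"}
ALLOWED_RMM_HOSTS = {"helpdesk-01"}  # assumption


def detect_inhibit_recovery(ev):
    """T1490: alert when a process command line matches a recovery-tampering pattern."""
    for pat in INHIBIT_RECOVERY_PATTERNS:
        if pat.search(ev["cmdline"]):
            return {"technique": "T1490", "host": ev["host"], "pid": ev["pid"],
                    "detail": ev["cmdline"]}
    return None


def detect_rmm_abuse(ev, allowed_hosts=ALLOWED_RMM_HOSTS):
    """T1219: alert when an RMM binary runs on a host not expected to use one."""
    image = ev["image"].rsplit("\\", 1)[-1].lower()
    if image in RMM_IMAGES and ev["host"] not in allowed_hosts:
        return {"technique": "T1219", "host": ev["host"], "pid": ev["pid"],
                "detail": f"{image} launched outside allow-list"}
    return None


def detect_mass_rename(file_events, window=timedelta(seconds=60), threshold=50):
    """T1486: alert when one process renames >= threshold files to a new
    extension within `window`. Sliding window per (host, pid)."""
    by_proc = defaultdict(list)
    for ev in file_events:
        old_ext = ev["path"].rsplit(".", 1)[-1].lower()
        new_ext = ev["new_path"].rsplit(".", 1)[-1].lower()
        if old_ext != new_ext:
            by_proc[(ev["host"], ev["pid"])].append(ev["ts"])
    alerts = []
    for (host, pid), stamps in by_proc.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"technique": "T1486", "host": host, "pid": pid,
                               "detail": f"{end - start + 1} extension changes in {window}"})
                break  # one alert per process is enough
    return alerts


def run_detections(process_events, file_events):
    """Apply every check and return the list of alerts, regardless of actor."""
    alerts = []
    for ev in process_events:
        for check in (detect_inhibit_recovery, detect_rmm_abuse):
            hit = check(ev)
            if hit:
                alerts.append(hit)
    alerts.extend(detect_mass_rename(file_events))
    return alerts


T0 = datetime(2026, 4, 19, 3, 14, 0)  # constructed base timestamp


def sample_process_events():
    """Constructed process-creation events: two tampering commands, one RMM launch, one benign."""
    return [
        {"ts": T0, "host": "ws01", "pid": 1001, "image": r"C:\Windows\System32\vssadmin.exe",
         "cmdline": "vssadmin.exe delete shadows /all /quiet"},
        {"ts": T0, "host": "ws01", "pid": 1002, "image": r"C:\Windows\System32\bcdedit.exe",
         "cmdline": "bcdedit.exe /set {default} recoveryenabled No"},
        {"ts": T0, "host": "ws07", "pid": 2001, "image": r"C:\Program Files\AnyDesk\AnyDesk.exe",
         "cmdline": "AnyDesk.exe"},
        {"ts": T0, "host": "ws02", "pid": 3001, "image": r"C:\Windows\System32\cmd.exe",
         "cmdline": "cmd.exe /c dir"},
    ]


def sample_file_events():
    """Constructed file-rename events: 60 bulk renames in 30 s versus 5 ordinary ones."""
    evs = [{"ts": T0 + timedelta(milliseconds=500 * i), "host": "ws01", "pid": 4242,
            "path": rf"C:\Share\doc{i}.docx", "new_path": rf"C:\Share\doc{i}.docx.locked"}
           for i in range(60)]
    evs += [{"ts": T0 + timedelta(seconds=10 * i), "host": "ws02", "pid": 777,
             "path": rf"C:\Users\a\draft{i}.txt", "new_path": rf"C:\Users\a\draft{i}.md"}
            for i in range(5)]
    return evs


if __name__ == "__main__":
    for a in run_detections(sample_process_events(), sample_file_events()):
        print(a["technique"], a["host"], a["pid"], a["detail"])
```

None of the three checks references a group name; the benign `cmd.exe` event and the five-file rename stay quiet, while the shadow-copy deletion, the recovery-setting change, the out-of-place AnyDesk launch and the bulk extension change each produce one alert. In production the thresholds and allow-list would come from baselining your own telemetry rather than the constants assumed here.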

2. The Affiliate Ecosystem Matters More Than the Brand

Ransomware disruptions work. Operation Cronos demonstrably destroyed LockBit as an organization. But the affiliates, the actual people conducting intrusions, simply migrated to other platforms. When you pull threat intelligence on a “new” group, assume its affiliates have operational history somewhere. Detection logic built around LockBit and RansomHub affiliate TTPs should not be retired just because those groups went dark.

3. Sector Targeting Has Not Changed

The 2026 sector numbers are: Manufacturing (319), Technology (315), Healthcare (199), Business Services (179), and Financial Services (128). That list is nearly identical to 2024 and 2025. If you are in one of these sectors, the generational transition does not lower your risk. If anything, it raises it, since new groups tend to be more aggressive early on while they are building a reputation. The US continues to absorb 37.6% of all attacks, 1,068 of the 2,843 total.

4. Fragmentation Creates Negotiation Complexity

New operators have no track record on decryptor reliability. Paying a ransom to a group that has been operating for three months carries substantially more risk that you will not get a working decryptor in return. Make sure your incident response retainer includes firms that have current intelligence on newer groups’ payment track records. If your incident response plan still references LockBit or ALPHV decryptor procedures, update it.

5. Law Enforcement Disruption Works, But It Is Not a Solution

The disruptions of the past two years are among the most effective sustained campaigns against cybercrime we have seen, but the total ransomware volume kept climbing. Do not build law enforcement action into your risk calculations as a mitigating control. Assume the threat persists and grows. The organizations that got through 2025 in the best shape had invested in fundamentals: offline backups with tested restoration, network segmentation that limits lateral movement, endpoint detection with 24/7 monitoring, and incident response plans that had been exercised in the prior twelve months.

The Bottom Line

The ransomware ecosystem in 2026 is more fragmented, more volatile, and higher in volume than at any point in its history. The fall of the old guard did not reduce the threat. It spread it across a larger number of operators, many of whom are still working out their operational patterns and are therefore harder to predict. The practical answer for defenders has not changed: invest in detection and response capabilities that hold up regardless of which group is running the operation this month. The guard has changed. Your fundamentals should not.


All ransomware victim counts and group activity data are sourced from ransomware.live tracking data as of April 19, 2026. Law enforcement operation details reference public reporting from the NCA, FBI, and Europol.
