
Ransomware Attacks Surge as Clop Gang Dominates Threat Landscape


"Kaspersky products blocked more than 343 million attacks that originated with various online resources in Q1 2026," the company's quarterly analysis reports — a stark tally that frames a quarter of intensified ransomware activity, rapid zero‑day exploitation, and shifting attack surfaces across desktops, servers, and IoT devices.

RAMP takedown, arrests, and legal consequences

January brought a reported disruption of the RAMP cybercrime forum: media and an external post by a RAMP moderator indicated that law enforcement had seized the forum's domains, although the FBI issued no official confirmation and it remains unclear whether RAMP servers themselves were seized. Kaspersky characterizes the action as a disruption of "a key element of the RaaS ecosystem," with ripple effects for ransomware operators, affiliates, and initial access brokers.

Parallel prosecutions and sentences followed. A man suspected of links to the Phobos group was arrested in Poland and charged with creating, acquiring and distributing software designed to obtain information unlawfully. In March, a Phobos ransomware administrator pleaded guilty to creating and distributing the Trojan used in international attacks dating back to at least November 2020. The U.S. Department of Justice charged a negotiator alleged to have colluded with BlackCat and to have served previously as an affiliate. Separately, a U.S. court handed an 81‑month sentence to an initial access broker associated with Yanluowang; DOJ said he facilitated dozens of attacks, causing over $9 million in actual loss and more than $24 million in intended loss.

CVE‑2026‑20131: Interlock’s rapid weaponization of a Cisco FMC zero‑day

Since at least January 26, 2026, the Interlock group has been exploiting CVE‑2026‑20131, a zero‑day in Cisco Secure FMC firewall management software that allowed arbitrary Java code execution with root privileges. Kaspersky describes the campaign as demonstrative of ransomware actors’ continued reliance on zero‑days for initial access, a focus on network appliances as high‑value entry points, and the rapid weaponization of newly disclosed vulnerabilities.

Ransomware landscape: Clop returns, The Gentlemen emerges, and overall volumes

On ransomware leak sites, Clop reclaimed the top share of victims at 14.42% for the quarter, displacing Qilin (12.34%). A newcomer, The Gentlemen, accounted for 9.25% and — according to Kaspersky — had emerged no later than July 2025, quickly surpassing long‑standing actors such as Akira (7.25%) and INC Ransom (6.13%).

Across Q1, Kaspersky detected six new ransomware families and 2,938 new ransomware modifications; overall variant volumes returned to Q3 2025 levels after a surge in Q4 2025. File‑based defenses protected 77,319 unique users from ransomware Trojans in Q1, with activity peaking in March (35,056 unique users). At the malware‑family level, generic verdicts dominated: Trojan‑Ransom.Win32.Gen accounted for 33.90% of unique user hits, followed by Crypren (6.38%), WannaCry (5.87%), and LockBit (2.80%).

macOS and iOS: drive‑by exploit chains, supply‑chain backdoors, and crypto‑theft scams

Apple platforms were targeted by multiple campaigns in Q1. Google uncovered a cryptocurrency‑theft scheme that lured victims into a fraudulent video call and induced them to run malicious scripts under the pretense of technical support fixes. In March, GTIG and iVerify reported an in‑the‑wild exploit chain targeting both iOS and macOS, marketed on the dark web and delivered via drive‑by downloads; the toolkit included an updated component linked to the Operation Triangulation chain and bundled specialized cryptocurrency exfiltration modules.

Supply‑chain attacks also affected macOS: the Axios npm package infection deployed a backdoor on macOS devices after installation. Kaspersky notes a shifting macOS threat mix — PasivRobber spyware is declining while adware and Monitor‑class tracking software edge upward, and the Amos stealer remains among top detections.

IoT and scanning trends: SSH climbs, Mirai variants persist, and geographies shift

Kaspersky’s IoT honeypots recorded a notable increase in devices attacking via SSH relative to the prior quarter, while the Telnet‑to‑SSH distribution ratio otherwise stayed similar to Q4 2025. Mirai botnet variants continue to dominate delivered threats, with a new variant, Mirai.kl, entering the rankings, and NyaDrop activity decreasing significantly.

Geographic sources changed: SSH‑based attacks in Q1 concentrated more in the United States (23.74%) and the Netherlands (17.57%), while Telnet‑sourced attacks showed a marked decline in China’s share (from 53.64% to 39.54%) and a substantial rise in traffic originating from Pakistan (from 14.27% to 27.31%).

How technologists, policymakers, and enterprises should watch these developments

  • Technologists and security teams: track exploit activity for CVE‑2026‑20131 and similar zero‑days affecting network‑appliance management software, and prioritize telemetry and patching on firewall management infrastructure given Interlock’s exploitation timeline.
  • Policymakers and law enforcement: Kaspersky’s report highlights both operational impact from forum disruptions and the uneven public record — January’s RAMP domain seizures were reported but not officially confirmed — suggesting coordination and transparent attribution remain policy priorities.
  • Enterprises and procurement leaders: ransomware actor market‑share shifts (Clop’s return, The Gentlemen’s emergence), continued drive‑by and supply‑chain attacks on macOS, and the persistence of miner and IoT campaigns signal that asset inventories, supply‑chain vetting, and endpoint protections should be reviewed across platforms.

Q1 2026, the data show, was a quarter of both disruption and adaptation: law enforcement activity and prosecutions intersected with rapid exploitation of a high‑impact zero‑day, resurgence by established ransomware actors, and continued evolution of attack sources and tooling. The source report and its figures — 343,823,407 web‑origin attacks blocked, 49,983,611 unique malicious URLs, nearly 15.8 million malicious objects detected on disk, 2,938 new ransomware modifications, and 260,588 unique users targeted by miners — leave a clear record of operational scale and shifting priorities for defenders.
