IOCTA 2026: what the Europol report reveals about the ransomware ecosystem

More than 120 active ransomware brands in a single year. That is the finding that opens the 2026 edition of the Internet Organised Crime Threat Assessment (IOCTA), Europol’s annual assessment of organized cybercrime, published at the end of April 2026 under the title “How encryption, proxies and AI are expanding cybercrime”. The report covers the year 2025 and serves as a benchmark for law enforcement agencies across the continent. It is structured around three fundamental trends: extreme fragmentation of the ransomware market, a shift from encryption-based extortion to the threat of data publication, and the emergence of coalitions between previously separate criminal groups.

Over 120 active brands: a fragmented and unstable market

In 2025, Europol observed over 120 active ransomware brands, a figure that reflects the extreme fragmentation of the market. The report describes an environment marked by extreme volatility, fueled by competition between players, the consequences of law enforcement interventions and the availability of new technical tools. The paradox is clear: the ecosystem has never been so atomized, yet those who benefit most are the operators capable of absorbing affiliates displaced by takedowns. Leaked ransomware codebases (Conti, LockBit, Black Basta), the proliferation of ready-to-use RaaS platforms and AI-assisted code assembly tools have lowered the barrier to entry to the point where almost anyone can launch a variant. But few of these entrants survive: most operations remain short-lived, rebranding within weeks. The report notes significant overlap between administrators and affiliates from one group to another, as well as the pooling of proxy and laundering infrastructures. It is this porosity that makes rebrands so rapid and attribution so difficult.

Data from the first quarter of 2026, after the period covered by IOCTA, shows a reversal of this trend. Check Point Research, which monitors data leak sites (DLS), notes that the ecosystem “has decisively changed direction”: the number of active groups has fallen from 85 at the peak in Q3 2025 to 71 in Q1 2026, and while 21 new names have emerged, most reported fewer than 10 victims. The top ten ransomware groups again concentrate 71.1% of published victims, compared with 57% at the fragmentation peak. The reconsolidation is taking place around dominant players: Qilin in the lead with 338 victims, followed by Akira, The Gentlemen and a returning LockBit 5.0. Together, they claimed 41% of all victims in the quarter, and Qilin alone recorded more victims than the 50 smallest groups combined. Check Point Research describes “a recurring pattern throughout the history of the ecosystem: law enforcement actions disrupt the ransomware market, affiliates disperse, and the survivors who escape these disruptions absorb the displaced talent pool and grow”.

Figure: Top 10 ransomware groups by number of claimed victims in Q1 2026 (pie chart, Qilin leading with 338) – Source: Check Point Research

Europol taxonomy: three levels of ransomware groups

IOCTA 2026 proposes a three-level classification of ransomware groups, based on their barrier to entry, technical sophistication and recruitment model.

Public affiliation programs (open RaaS) are open to almost everyone. They provide a complete kit: malware assembler, distribution botnets, victim persistence and monitoring tools, exfiltration and laundering infrastructure, trading services and leak site hosting. The administrator takes a percentage of each payment. Qilin is the archetype: Europol links it to the former Conti group, describes it as having integrated DDoS capabilities to increase pressure and working on automating attacks on Fortinet SSL VPNs, and notes that it offers its affiliates 80 to 85% of the ransom amount. Akira, another offshoot of Conti, has been active since March 2023 and maintained a steady pace into 2025, extending its capabilities to virtualized environments thanks to SonicWall vulnerabilities.

Semi-closed groups recruit selectively on forums, looking for affiliates who are both competent and trusted. Fog, detected in early 2024, adopts a modular architecture that allows the scope of encryption, the content of the ransom note and other aspects of the attack to be parameterized according to the target. Black Basta, another offshoot of Conti, operated in this way before a leak of its internal logs in 2025 exposed its phishing templates, crypto addresses and victim IDs. Its data leak site has been inactive ever since, but the members involved are likely to continue their activity under another brand, in line with the rebrand pattern described by Europol.

Closed groups form the most resilient category, with minimal dependence on the CaaS (Crime-as-a-service) ecosystem: they develop their own malware, sometimes their own exploits, operate on partitioned channels and host their own infrastructure. Cl0p is the archetypal example: it re-emerged in 2025 with its systematic exploitation of zero-day vulnerabilities (notably with the Oracle EBS flaw, which affected hundreds of companies). Play, on the other hand, remained active in 2025, targeting critical infrastructures with double extortion as its main modus operandi.

These three levels are not watertight compartments. IOCTA notes that administrators and affiliates move from one group to another, infrastructures are shared and groups change category over time. Black Basta, semi-closed yesterday, rebrands today; affiliates from public programs join closed operations when the opportunity arises. It is this fluidity that makes the taxonomy useful as an analytical framework, but insufficient as a predictive tool.

DragonForce, LockBit and Qilin coalition announced on the dark web

In September 2025, a coalition of DragonForce, LockBit and Qilin was announced on the dark web. DragonForce, a mainly Russian-speaking group active since 2023, assembles its payloads from leaked Conti and LockBit codebases and has launched a bespoke extortion service (analysis of stolen data, call scripts, pressure letters) taking a 20% commission on each ransom. The group operates on a white-label model: it provides the infrastructure and tools, while affiliates operate under their own names.

Figure: DragonForce announces its coalition with LockBit and Qilin – Source: Check Point Research

Data from the first quarter of 2026, however, tempers this narrative. According to Check Point Research, several sub-brands associated with the project have declined or disappeared, and “the broader narrative of the cartel appears to be more marketing than operational reality”. LockBit’s comeback, on the other hand, is tangible: after the disruption caused by Operation Cronos in February 2024, the group launched LockBit 5.0 in September 2025 with multi-platform support, enhanced anti-forensics, faster encryption and an entry deposit of around $500 in Bitcoin. Check Point recorded 163 victims in the first quarter of 2026, an increase of 106% on the previous quarter, with a marked geographical diversification: the share of US victims fell below 21%, to the benefit of Italy, Brazil and Turkey.

The Scattered LAPSUS$ Hunters alliance and the convergence of English-speaking extortionists

Alongside structured RaaS programs, IOCTA 2026 devotes a section to the year’s most atypical phenomenon: the formation, in August 2025, of the Scattered LAPSUS$ Hunters (SLSH) alliance, which brings together Scattered Spider, ShinyHunters and LAPSUS$. These mainly English-speaking collectives already shared a common background: online fraud, SIM swapping, high-level social engineering, insider recruitment and extortion campaigns against major corporations and healthcare providers.

Figure: Scattered LAPSUS$ Hunters, the dreaded cybercriminal alliance – Source: SOS Ransomware

Europol notes a behavioral trait specific to some SLSH members: persistent harassment and threats, “which do not necessarily cease, even after victims have paid the ransom”. Payment, in other words, does not necessarily end the pressure. In May 2025, ShinyHunters, the data exfiltration component of the collective, siphoned off over a billion records from Salesforce customer databases by tricking employees into connecting a malicious application to their organization’s Salesforce portal. The same mechanics, social engineering and phishing kits that bypass multi-factor authentication, can be found in the ShinyHunters SSO vishing campaign and in the group’s claim to have hacked the European Commission.

Extortion shifts from encryption to the threat of publication

The most structuring trend in the report concerns the extortion model itself. As Europol puts it: “The aim of extortion is no longer to unlock (decrypt) data, but to pressure victims to pay in order to prevent it from being leaked.” The reason is pragmatic, and the report states it directly: “Modern businesses are generally better prepared to deal with the consequences of data loss (encrypted or erased) than those of disclosure.” Backups and recovery of corrupted data may solve operational continuity, but they cover neither regulatory exposure nor reputational damage.

This tipping point is confirmed by payment figures, as shown by the summary of ransomware payments in 2025: according to Kaspersky and Chainalysis, only 28% of identified victims paid in 2025, an all-time low, and on-chain payments fell to around $820 million (down 8% year-on-year). To maximize pressure without resorting to encryption, groups are stacking additional levers: simultaneous DDoS attacks, saturation of business mailboxes and direct phone calls to executives. According to Europol, these pressure tactics are common in the arsenal of ransomware groups and are sometimes offered as separate services within the CaaS ecosystem.

Extortion without encryption (pure data theft) takes this logic to its conclusion: attackers exfiltrate data and threaten to publish it, without ever encrypting a single system. Kaspersky cites ShinyHunters as a typical example of a group that has abandoned encryption to focus exclusively on exfiltration. The Canvas / Instructure affair of May 2026 offers the clearest illustration: no encrypted systems, pressure based entirely on data stolen from thousands of educational establishments, and a payment at the end.

Figure: Percentage of ransom payments per quarter – Source: Coveware

The nuance, documented by Coveware, is that this pure exfiltration is losing effectiveness: the payment rate for this sub-category has fallen to around 19% (Coveware, third quarter 2025), as organizations understand that paying does not remove their notification obligations or prevent subsequent resale of the data. This erosion of returns could prompt some groups to return to encryption, or to innovate technically.

AI, from vibe-coding to agentic AI

On the subject of artificial intelligence, IOCTA 2026 documents uses of generative AI that are already operational in criminal operations. Current applications include coding assistance, conversation script generation for extortion call centers, and personalized social engineering. Malicious LLMs, stripped of their safety filters, circulate on the dark web, and criminals frequently resort to “jailbroken” public models.

The Gentlemen’s internal leak provides a concrete example: the administrator states that he developed his administration panel in three days using AI, based on Chinese models (DeepSeek, Qwen). Plans to use a self-hosted LLM to sort exfiltrated data and identify the most exploitable information were mentioned, but not implemented at the time of the leak. It is this second level, agentic AI capable of autonomous planning and execution, that Europol identifies as an emerging threat: its adoption remains “a development factor”, but the report anticipates a possible rise in the threat to unprecedented levels.

The dark web in 2025: ephemeral markets and reinventing forums

IOCTA 2026 describes a dark web infrastructure in permanent mutation. The lifespan of generalist marketplaces shortened even further in 2025, and planned exit scams (where administrators disappear with users’ funds) remain endemic. The dismantling of Archetyp Market in June 2025 (over 600,000 users, at least 250 million euros in transactions) triggered the voluntary closure of Abacus Market and MGM Grand, immediately replaced by BlackOps, TorZon and Nexus Market, which had become the marketplaces with the highest number of listings by the end of the year. At the same time, specialized platforms (compromised RDP/VPN access brokering, malware services, specialized tools) are gaining ground, while limiting access to verified members to enhance their operational security.

Forums remain the main entry points for aspiring cybercriminals: onboarding, tutorials, recruitment and migration hubs when a platform goes down. In 2025, DarkForums emerged as the successor to BreachForums, enabling the exchange of stolen data and the distribution of hacking tools on both clear web and Tor interfaces. Cybercriminals are no longer confined to the dark web. Europol describes a “hybrid anonymity ecosystem” where operations are split between dark web sites, end-to-end encrypted messaging services such as Telegram and services accessible from the classic web, complicating surveillance and attribution.

Infostealers and access brokers fuel the ecosystem

Europol confirms that infostealers have persisted in 2025 as central facilitators of all cyberattacks, fueling a market that ranges from initial access brokers (IABs) to RaaS affiliates and fraudsters. The most common initial access vectors remain phishing, infostealers, the exploitation of unpatched vulnerabilities and the purchase of access from IABs.

Kaspersky specifies that RDP, VPN and, increasingly, RDWeb are the three most commonly sold types of access. RDWeb portals, which are often poorly protected, are increasingly targeted as defensive efforts have concentrated on reducing direct RDP exposure. The industrialization of this market is such that initial access has become a commodity: the difficulty no longer lies in the compromise itself, but in the ability to convert that access into a ransom.

Sophisticated laundering

Cryptocurrencies remain the payment method of reference, and Europol details how laundering circuits are becoming more complex. Chain-hopping (blockchain hopping via inter-chain bridges) has emerged as the dominant technique for blurring tracing, combining speed, liquidity and relative decentralization. Mixers (services that mix transactions from multiple users to blur origin and destination) have migrated to smart contract architectures (“mixer-as-a-service”) and self-settling decentralized exchanges (DEX), which bypass KYC/AML obligations. Prepaid cryptocurrency cards and crypto-to-cash desks provide the exit to the legal financial circuit.

The most concrete operation in the report concerns Cryptomixer, a mixing service active since 2016 through which over €1.3 billion in Bitcoin has passed. In November 2025, a coordinated action by Swiss and German authorities, supported by Europol, led to the seizure of three servers, the neutralization of the domain and the confiscation of over 25 million euros in cryptocurrencies as well as 12 terabytes of data.

Figure: Cryptomixer cryptocurrency mixing site seized and shut down – Source: SecurityWeek

Hybrid players: a blurring boundary

The report also discusses the interweaving of cybercrime and state interference. Europol observes that hybrid actors linked to states are using cybercriminal networks as proxies for destabilization operations: DDoS, intrusions, data theft and ransomware attacks against strategic targets. The report’s wording is direct: “In today’s CaaS cybercrime economy, hybrid threat perpetrators are now just another customer.” Operation Eastwood in July 2025, which disrupted the infrastructure of the NoName057(16) network before it quickly resumed activity, is cited as an example.

Figure: Operation Eastwood – Source: IOCTA 2026 report

What organizations need to remember from IOCTA 2026

The report confirms that ransomware has become an industry in its own right, with its own access providers, service platforms, laundering tools and psychological pressure mechanisms. Law enforcement has evolved its doctrine: Europol notes that interventions against key enablers (infostealers, money-laundering services, shared infrastructures) have a more lasting impact than the dismantling of isolated groups, whose affiliates redistribute themselves to the survivors. Operations such as Endgame illustrate this target shift.

For organizations, the practical consequences converge. Exposed appliances (VPNs, firewalls) remain the most targeted structural entry point: almost all the groups documented by IOCTA (Qilin, Akira, LockBit, DragonForce) exploit vulnerabilities in FortiGate, SonicWall or Cisco products. Patching these appliances as a priority, never exposing RDP or RDWeb directly to the Internet, generalizing multi-factor authentication and monitoring underground forums for compromised credentials are the most directly effective measures.

Encryption is no longer the only lever of pressure, nor often the main one. Teams now need to watch not only for signs of encryption, but also for signs of prior silent exfiltration, as backups protect neither against data publication nor the regulatory obligations that follow. And the drop in the payment rate to 28% doesn’t mean that ransomware has disappeared: on the contrary, median amounts have soared, reflecting a polarization between small victims who don’t pay and large organizations that sometimes have no other viable option. In an ecosystem where affiliates are constantly migrating from one group to another, and where harassment can continue after payment, payment offers no guarantee, making upstream preparation all the more crucial.

Sources

Europol: IOCTA 2026, The evolving threat landscape (PDF, 6.8 MB)

Europol: Europol and partners shut down ‘Cryptomixer’

Check Point Research: The State of Ransomware – Q1 2026

Check Point Research: Thus Spoke…The Gentlemen

Kaspersky: Reviewing the trends in ransomware attacks in 2026

Coveware by Veeam: Insider threats loom while ransom payment rates plummet

Industrial Cyber: Europol IOCTA 2026 report flags shift to industrialised cybercrime powered by AI, ransomware and data theft

SecurityWeek: $29 Million Worth of Bitcoin Seized in Cryptomixer Takedown
