Dynamic Business Logo

via pexels

Manufacturing and IT sectors bear brunt as ransomware attacks reach new baseline

NordStellar’s Q2 2026 analysis reveals ransomware attacks up 20% year-over-year, with rival groups Qilin and The Gentlemen competing for criminal dominance.

The latest ransomware landscape analysis reveals a deepening rivalry between The Gentlemen and Qilin as ransomware activity remains elevated in Q2 2026.

The findings from NordStellar, a threat exposure management platform, reveal that ransomware attack volumes remained high from April to June 2026, sustaining the elevated baseline. The analysis also points to an intensifying fight for dominance between the two most active ransomware groups, as well as a notable shift in victim targeting.

Attack volumes remain elevated

According to findings from NordStellar, 2,581 ransomware incidents were recorded during April-June 2026. The number reflects a slight 4% decrease from 2,676 incidents recorded in Q1 2026. However, the attacks remain at a heightened baseline, indicating sustained threat activity.

“The slight decrease in attacks shouldn’t be a sign to relax just yet,” says Vakaris Noreika, cybersecurity expert at NordStellar. “Ransomware accelerated in the last quarter of 2025, reaching record highs, and although the number of attacks has been slightly decreasing every quarter this year, we are now seeing a new alarming baseline of about 2,500 attacks per quarter.”

A total of 5,257 ransomware attacks were recorded during January-June 2026. This marks a 20% increase from the 4,387 attacks recorded during the same period last year, signalling that the ransomware threat is growing despite quarterly fluctuations.

Rival groups intensify competition

Qilin emerged as the most active ransomware group in Q2 2026 with 299 attacks, followed closely by The Gentlemen with 284 attacks. Activity from other groups trailed significantly, with DragonForce ranking third at 147 attacks.

“While Qilin’s activity declined slightly from the previous quarter, The Gentlemen accelerated its operations with a 39% increase in attacks, further deepening the rivalry between the two groups,” says Mantas Sabeckis, senior threat intelligence researcher at Nord Security. “Even though DragonForce remains significantly less active than the top two, it is steadily scaling up, last quarter’s attack volume marked an all-time high for the group.”

According to Sabeckis, the fact that Qilin and The Gentlemen have managed to establish themselves as the two dominant ransomware groups and more or less maintain their positions highlights a concerning trend, the ransomware threat landscape is stabilising and maturing.

“Established ransomware groups have refined tools, affiliate networks, and negotiation infrastructures. The more sophisticated and established a group becomes, the greater the threat it poses,” explains Sabeckis. “This competition between Qilin and The Gentlemen could potentially drive an even higher baseline of activity. Each group is likely ramping up operations and casting a wider net to come out on top, and as affiliates move between groups, the balance of power could shift in the coming months.”

He adds that in a landscape like this, smaller groups such as DragonForce are under growing pressure to scale. They’re more likely to accelerate their operations to prove themselves among more dominant players, further inflating the overall threat landscape.

Enterprises face growing targeting

NordStellar findings reveal that small and medium-sized businesses, those with up to 200 employees and revenues under $25 million, bore the brunt of ransomware activity. However, attacks against large enterprises with revenues exceeding $1 billion surged by 74%, rising from 23 incidents in the first quarter to 40 incidents during the second.

“Ransomware actors historically target SMBs because these organisations often lack comprehensive defenses, which can increase the likelihood of a successful attack. This recent spike in enterprise targeting is unusual and may be a temporary fluctuation,” says Noreika. “This shift likely stems from the rivalry between dominant threat actors, a successful hit on a major corporation is a badge of honour that boosts a group’s reputation within the cybercriminal underground.”

The data also reveals that ransomware actors continue to primarily target companies in the US, with 769 recorded ransomware cases in Q2 2026. The US was followed by Canada with 97 cases, then Germany with 83 cases, the United Kingdom with 74 cases, and France with 51 cases.

Manufacturing sector hit hardest

As seen in previous quarters, companies in manufacturing were hit the hardest, making up for 19.5% of all attacks. The information technology sector came second at 10.7% of attacks, followed by professional, scientific, and technical services at 8.3%, construction at 7%, and healthcare at 6.2%.

“Companies in the US experienced a slight decline in attacks compared to the previous quarter, while attacks on companies in Canada increased by 13%, suggesting that attackers might be shifting their geographical focus,” says Noreika. “Businesses operating in the manufacturing and information technology sectors continue to be hit hardest by the attacks. However, the healthcare industry recorded the smallest quarterly decline among major sectors, signalling that ransomware actors continue to prioritise it due to its high-value data and the operational sensitivity of critical services, where even limited downtime can create intense pressure to restore systems quickly.”

Defending against sophisticated threats

According to Noreika, the increasing maturity of the current ransomware landscape calls for companies to stay on high alert. Businesses can expect more refined and complex attacks, making it critical to identify and patch vulnerabilities before attackers can exploit them.

“The current ransomware ecosystem is growing and expanding. Groups like Qilin and The Gentlemen don’t operate like amateur hackers, they operate like well-structured organisations,” says Noreika. “They have extensive resources that allow them to scale their operations, broaden their victim pool, invest in more efficient initial-access methods, and escalate pressure tactics such as double and triple extortion.”

Previous findings from NordStellar reveal that ransomware actors utilise various schemes to coerce victims into payment, with 76.8% of ransomware negotiations including threats to publish or leak the data, and limited-time price discounts being offered in 45.5% of the negotiations.

“As leading ransomware groups compete for dominance and scale their operations, no company is immune. Abandoning the ‘it won’t happen to us’ mindset has never been more critical,” says Noreika. “Companies should strengthen their defenses by focusing on basic cyber hygiene, which is too often overlooked. This includes enforcing multi-factor authentication, implementing strong password management policies, regularly patching systems and applications, and adopting a zero trust approach to limit lateral movement.”

Noreika emphasises the importance of early threat prevention and detection, ransomware actors can use data leaked on the dark web to gain initial access, and catching these leaks early alerts the organisation to take action by resetting passwords and revoking access keys before it’s too late. He adds that backing up critical data is crucial to reduce downtime in the event of a successful ransomware attack, while having a recovery plan in place is essential to speed up incident mitigation.

Keep up to date with our stories on LinkedInTwitterFacebook and Instagram.

Yajush Gupta

Yajush Gupta

Yajush writes for Dynamic Business and previously covered business news at Reuters.

View all posts