What the Q1 2026 Ransomware Numbers Mean for Cybersecurity Houston Businesses

The top-line stats look almost boring. 2,135 victims. 68 active groups. About 24 new posts per day. Compare that to the 2,287 victims in Q4 2025 and the 2,063 in Q1 2025, and the ecosystem is essentially holding pattern. GRIT attributes the slight QoQ dip to two things: Qilin and Akira coming off outlier Q4 performances tied to SonicWall SSLVPN exploitation, and the usual eastern-European Orthodox Christmas slowdown in early January.

What's underneath the average is more interesting. Qilin posted 361 victims, the most of any group, but down 25% from its Q4 peak of 484. Akira fell 22% to 176. The Gentlemen, a group that posted 35 victims in Q4 and ranked 16th, jumped to 182 victims and second place overall. That kind of operational tempo from a brand-new group almost always means experienced affiliates moved over from somewhere else, not that a fresh team learned the trade in 90 days.

Clop is also still draining the tank from its 2025 Oracle E-Business Suite mass-exploitation campaign. The group dumped 54 victims in a single day in early February. That's what mass-exploitation extortion looks like on a calendar: a long quiet ramp, then a dam break. If your business runs Oracle E-Business Suite and hasn't audited exposure since late 2025, that's a Tuesday morning conversation, not a Q3 budget item.

Geographically, the U.S. accounts for over half of all victims (1,084, or 50.77%). The U.K., Canada, France, Germany, and Italy fill out the next five spots. Thailand cracked the top 10 for the first time, which tracks with how ransomware operators expand into developing economies once Western targets get harder to hit. None of this is good news for cybersecurity Houston decision-makers. The U.S. share isn't shrinking.

For context on how the most active groups stack up against each other, here's how GRIT's top five looked through Q1, with the changes that matter most for SMB defenders:

Manufacturing has been the most-attacked industry for over a year. That hasn't changed. What changed is construction moved from sixth to fourth, with 131 publicly posted victims in Q1, up from 117 in Q4 and 91 in Q1 2025. It's one of the few sectors that grew while the overall ecosystem stayed flat. Twenty-two distinct ransomware groups claimed construction victims last quarter, with Qilin, Play, Akira, and DragonForce accounting for 55% of them.

Halt a construction firm's project management system in week three of a 16-week build, and you don't just lose access to files. You lose the schedule, the bid documents, the change orders, the RFIs, and the connection to half a dozen subcontractors and one general contractor whose networks you're now potentially exposing. The pressure to pay ransoms in this sector is structural, not technical.

The other half of the equation is what doesn't exist at most mid-sized contractors. Limited regulatory pressure, no dedicated security personnel, often no EDR on field laptops, consumer-grade VPN on the trailer router, and patching schedules that revolve around whoever has time on Friday afternoon. Compare that to a healthcare practice with HIPAA, a CPA firm with FTC Safeguards, or a wealth manager with SEC requirements, and the maturity gap is obvious. Ransomware crews see it too.

One Q1 victim's leaked data explicitly referenced federal defense project work. That's a mid-sized contractor's compromise turning into a national-security-adjacent incident. For Houston firms working on energy infrastructure, port projects, federal building maintenance, or anything with a state or municipal tie, the same dynamic applies. The contract you didn't think had cyber exposure probably does.

Qilin runs an open-recruitment Ransomware-as-a-Service model. That structure is what gets them to 361 victims in 90 days. It's also what costs them on the back end: GRIT notes Qilin has higher non-payment rates than competitors like Akira, because their affiliates aren't all skilled negotiators and their targets aren't always able to pay. Volume is the strategy. Profit per victim is not.

The Gentlemen are the opposite story. Thirty-five victims in Q4 2025. 182 in Q1 2026. That kind of jump doesn't happen because a new team got better at hacking in three months. It happens because experienced affiliates rebranded after their old shop got disrupted, retired, or became unprofitable. The targeting and tradecraft for The Gentlemen looked mature from day one. Their top three sectors include manufacturing, technology, and construction, which is exactly the spread that suggests recycled affiliates with established attack playbooks.

For Houston SMBs, the practical implication is straightforward. Group names are a marketing layer. The same affiliates often work for multiple brands, sometimes simultaneously, and rebrand whenever law enforcement attention or internal drama makes the old name a liability.

That means defensive resources are better spent on the techniques (phishing-resistant MFA, patched perimeter devices, EDR with behavioral detection, tested backups) than on tracking which group is "trending" this quarter.

This is also why the Q1 announcement that Scattered LAPSUS$ Hunters was "retiring" between August and October 2025 should be filed under "watch what they do, not what they say." ALPHV/BlackCat, DarkSide, REvil, and Conti all announced retirements before either rebranding or coming back. The infrastructure, the tools, and the affiliates persist. The names just get repainted.

NightSpire is one of the more aggressive newer ransomware operations, posting 74 victims on its data leak site in Q1 2026 alone. Over 40% of their victims are in the United States.

Manufacturing, technology, and construction are their top sectors, which is the same target profile that tends to land in Houston. What makes NightSpire worth paying attention to isn't sophistication. It's the access vector.

NightSpire's primary entry point is CVE-2024-55591, an authentication bypass in FortiOS and FortiProxy that lets an unauthenticated attacker get super-admin privileges on the device. Fortinet disclosed it on January 14, 2025. Hundreds of thousands of internet-facing Fortinet devices were exposed at disclosure. A meaningful share haven't been patched 13 months later. NightSpire is one of several groups walking through that door.

If your business runs a Fortinet firewall, FortiProxy, or any FortiGate appliance with web admin exposed to the internet, this is a check-it-this-week task, not a quarterly review item. Secondary access vectors NightSpire uses are RDP brute force and phishing campaigns. Once they're in, they move laterally with PowerShell, PsExec, and WMI, then exfiltrate data through MEGA before posting victims to their leak site.

• Patch CVE-2024-55591: Confirm your Fortinet appliances are running a fixed version. Don't assume your IT provider did it.
• Restrict Admin Access: Web admin interfaces on perimeter devices should be on a management VLAN, not the internet.
• Require MFA Everywhere: Every remote service. SSL VPN, RDP, admin portals, no exceptions.
• Deploy EDR Across All Endpoints: Workstations and servers. NightSpire's lateral movement uses tools (PowerShell, PsExec) that EDR can flag in real time.
• Restrict RMM Tools: AnyDesk, Chrome Remote Desktop, and similar utilities should be allowlisted, not "available."

For most of 2025, Iran-aligned cyber operations stayed regionally focused. That changed after the February 28, 2026, U.S. and Israeli strikes on Iran. The Handala Hack Team, a hacktivist persona with assessed ties to Iran's Ministry of Intelligence and Security, claimed responsibility for a destructive malware attack against Stryker, a Michigan-based medical technology firm, on March 11, 2026. The attack reportedly disabled tens of thousands of systems.

Most cybersecurity Houston SMBs are not Stryker. The threat profile from these operations is opportunistic, not targeted. Iran-aligned crews look for accessible vulnerabilities and weak credentials, then pick a justification afterward (a 2019 acquisition of an Israeli company, U.S. headquarters, defense industry adjacency). The defensive playbook against opportunistic targeting is the same playbook against ransomware, with one upgrade: backup integrity becomes existential.

If your only backup is a Veeam repository sitting on the same network as your production servers, a wiper takes both. If your backups are in a separate, immutable cloud target with credentials that aren't stored on workstations, you have a recovery path. The principle is the same one that's been on the recommendation list for ransomware for five years. The consequence of getting it wrong is just less forgiving.

This one is the leading indicator nobody asked for. VirusTotal documented the first confirmed large-scale supply chain attack against an agentic AI platform in February 2026. A threat actor uploaded 314 malicious skills to OpenClaw's ClawHub marketplace, disguised as benign tools like "Yahoo Finance" and "Crypto Analytics." The skills themselves contained no malware. The malicious behavior was emergent: the skills instructed the AI agent to download and execute external payloads as part of a "setup procedure," and trusted users following trusted AI agent instructions ended up running info-stealers on their own machines.

The attack worked because traditional malware detection looks for code signatures. The skill files didn't have any. The threat lived in the workflow, in the human acting as interpreter between benign-sounding instructions and a malicious command line.

For Houston SMBs adopting AI tools, copilots, or agentic platforms, this isn't a "down the road" concern anymore. It's a Q2 governance conversation. The fundamentals: where can the AI agent execute code? What can it read or send? Who reviews extension and skill installs? Is there an audit log? Most companies adopting AI agents this year have answered exactly none of those questions, which is why this is going to keep happening.