The ransomware ecosystem is moving from fragmentation back to consolidation, with Qilin emerging as the dominant ransomware-as-a-service (RaaS) operation after the disruption of major groups including LockBit and RansomHub.
Yet despite Qilin's strong position, the rapid emergence of other groups, such as The Gentlemen, demonstrates how quickly the cybercrime landscape continues to evolve.
Lotem Finkelstein, VP research at Check Point, highlighted that based on the cybersecurity firm’s research in their 2026 Cyber Security Report, Qilin now holds around 16% of the cybercriminal market share.
Qilin has been active since at least October 2022 and today operates a technically mature infrastructure.
Speaking to Infosecurity Finkelstein said, "Over the last few months, what we have observed is that they are consolidating again and becoming major ransomware groups."
Recent data from Sophos X-Ops Counter Threat Unit (CTU) seen by Infosecurity showed that over the last 12 months, from July 2026, Qilin has listed 1496 victims on its data leak site. Meanwhile, Akira stands at 1205 and The Gentlemen at 763.
Aiden Sinnott, principal threat researcher, Sophos X-Ops CTU, concurred with Finkelstein’s assessment, "Qilin has become dominant largely because it was the main beneficiary of ransomware market consolidation following major law enforcement activity.”
The attraction for affiliates to join the Qilin operation comes because it offered high affiliate payouts, mature infrastructure, continuous technical innovation and expanded extortion services.
This came at exactly the time that competing RaaS programs such as LockBit, ALPHV and RansomHub were collapsing.
“The result was a rapid influx of experienced affiliates and a sharp increase in victim volume," Sinnott said.
Finkelstein added that affiliates are now empowered with AI tools to conduct their campaigns, meaning the barrier to entry is lower and less technical knowhow is needed for aspiring cybercriminals.
The Gentlemen Rises
However, according to Comparitech data there is another group that looks to be vying for market domination.
The cybersecurity reviews platform found that in June 2026 The Gentlemen knocked Qilin off the top spot for the first time in many months, becoming the month's most prolific ransomware strain with 115 victims, compared to Qilin's 78.
Rebecca Moody, head of data research at Comparitech, noted that over half of Qilin’s targets tended to be US-based, however less than one in five of the Gentlemen’s June victims were from the US.
Research published by Check Point in April found that The Gentlemen was gaining

A leak of an internal database used by the group in May showed operational information about their infrastructure, affiliates and victims.
This leak included screenshots from ransom negotiations, showing a successful case where the group received $190,000, after starting with an initial demand (anchor) of $250,000.
Qilin's Growth Could Bring Challenges
Whether Qilin will retain the top-spot as the year progresses is yet to be seen. But Finkelstein highlighted that with notoriety comes unwanted attention from international authorities. He said expects law enforcement will undoubtedly look to act against Qilin in the future, as they did with LockBit.
“When [ransomware operators] were so fragmented, law enforcement wasn’t able to focus on a specific one of them, and now, when they have a group like Qilin growing so fast, we should expect [law enforcement action]."
Finkelstein noted that the group has become very creative regarding its tactics, using phishing campaigns as well as vulnerability exploitation.
On June 9, Check Point disclosed that a vulnerability in its own Remote Access VPN and Mobile Access solution was targeted by Qilin. Luckily, Finkelstein said, this only affected one customer.
“It was only a single case but it was one too many,” he said.
Check Point is using its Frontier AI Models Readiness Program to detect vulnerabilities in its own product portfolio.
As part of this program, the company has conducted large-scale AI-driven code scanning across our products, performed extensive security reviews, hardened components where needed, refined our time-to-patch procedures, and accelerated our protection development processes to meet the pace of emerging AI-driven threats.
