Check Point Q1 2026 State of Ransomware — ecosystem reconsolidates; LockBit returns with a deliberate Europe pivot

Horizon research surfaced a quarterly report the dailies did not cover: Check Point's Q1 2026 State of Ransomware (published 2026-05-11). The synthesis that matters for a CH/EU public-sector SOC is structural, not the leaderboard: after two years of fragmentation driven by law-enforcement pressure on LockBit, ALPHV/BlackCat and others, the ecosystem is reconsolidating — the top ten leak-site operations now account for roughly 71% of listed victims, with Qilin holding the top spot for a third straight quarter and The Gentlemen (§ 7) entering the top three. The single most defender-relevant finding is LockBit's comeback paired with a deliberate geographic shift toward European and Latin American targets — which moves the rebuilt operation directly into this audience's threat model rather than leaving it a US-centric concern. Read alongside the Gentlemen internal-leak intelligence in § 7, the picture is a smaller number of higher-capability operations with European intent; prioritise the edge-appliance and identity hardening those operators are documented to rely on.