Check Point State of Ransomware Q1 2026 — ecosystem consolidation, with Switzerland and Germany named

Surfaced this week for its CH/EU-specific findings, Check Point's Q1 2026 ransomware report (published 11 May, not covered in the dailies) documents a structural consolidation: the top 10 groups now hold 71.1% of all leak-site victims, the highest concentration since early 2024 and a reversal of two years of fragmentation — meaning defenders face fewer but more professionalised adversaries (Check Point Research; corroborated by Emsisoft). The Gentlemen grew +315% quarter-on-quarter (explaining this week's Mackay Sugar and GentleKiller coverage in § 2) and LockBit 5.0 resurged +106% on a Rust rewrite. The geography is the operative detail for this audience: Switzerland — Check Point notes Akira accounts for roughly 31% of Swiss ransomware victims, and Germany is the #2 country globally for ransomware victims (Emsisoft). The synthesis a Swiss SOC should take: Akira is the dominant ransomware threat to model against domestically, and the consolidation trend favours investing detection effort against a smaller set of high-capability operators (Qilin, Akira, The Gentlemen, LockBit 5.0).