Q1 2026 ransomware quarterly synthesis — Emsisoft / ReliaQuest / ZeroFox / Comparitech convergence

annual-report · annual-report:q1-2026-ransomware-quarterly

Coverage timeline

first 2026-05-10 → last 2026-05-10

Briefs

1 distinct

Sources cited

4 hosts

Sections touched

weekly_annual_reports

Co-occurring entities

see Related entities below

Story timeline

2026-05-10CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026)
weekly_annual_reportsFirst coverage. W1 horizon synthesis: three independent Q1 2026 datasets converge — Qilin and Akira lead globally; The Gentlemen surged 588% QoQ to #2/#3 in Europe (192 attacks Q1, 32% EU); Germany #2 most-targeted country (Emsisoft); SAFEPAY 25% of German data-leak posts; ReliaQuest documents emergence of fraudulent leak sites (0APT, ALP-001) publishing unverified victim claims for extortion without proven compromise — raises evidential bar required before IR escalation. Healthcare remains the only growing sector in April 2026 (Comparitech, +10%).

Where this entity is cited

weekly_annual_reports1

Source distribution

research.checkpoint.com2 (40%)
bankinfosecurity.com1 (20%)
emsisoft.com1 (20%)
github.com1 (20%)

Related entities

actions-cool/issues-helper GitHub Action compromised — 53 tags moved to imposter commit 1c9e803 reading Runner.Worker /proc/PID/mem for secrets; Mini Shai-Hulud cluster link
incidentitem:actions-cool-issues-helper-github-action-compromised-53-tag×1
Check Point LangGraph checkpointer SQLi->RCE chain (CVE-2025-67644 + CVE-2026-28277 + CVE-2026-27022)
vulnerability-trendcampaign:langgraph-checkpointer-sqli-rce-2026×1
Check Point Research March-April 2026 AI Threat Landscape Digest — single operator runs two AI platforms in parallel to breach nine Mexican government agencies; EvilTokens jailbreak-as-a-service
annual-reportannual-report:checkpoint-research-ai-threat-landscape-march-april-2026-mexico-nine-agencies-eviltokens×1
Check Point: TDS-gated ecosystem impersonating Ghidra/dnSpy/ILSpy delivers SessionGate, RemusStealer, AnimateClipper
campaigncampaign:tds-security-tool-impersonation-checkpoint×1
Gentlemen RaaS — operator-maintained GentleKiller EDR-killer framework (BYOVD, 48 vendors)
actoractor:gentlemen-raas-gentlekiller×1
Rust crypto clipboard-hijacker abusing VirusTotal community reputation (Check Point)
campaigncampaign:rust-crypto-clipper-virustotal-reputation×1
The Gentlemen ransomware (Storm-2697 / Phantom Mantis): self-propagating Go encryptor
campaigncampaign:the-gentlemen-ransomware-storm2697×1
The Gentlemen — RaaS surged Q1 2026 (192 attacks, 588% QoQ); 32% of victims European; FortiGate CVE-2024-55591 initial-access funnel
actoractor:TheGentlemen×1

All cited sources (5)

Items in briefs about Q1 2026 ransomware quarterly synthesis — Emsisoft / ReliaQuest / ZeroFox / Comparitech convergence (1)

UPDATE: The Gentlemen RaaS — backend "Rocket" database leaked (16.22 GB), Check Point analysis exposes operator handles, ZeroPulse C2 internals, 1,570+ victims, decryptor published on GitHub

From CTI Daily Brief — 2026-05-14 · published 2026-05-14 · view item permalink →

UPDATE (originally covered 2026-05-10 in the Q1 2026 ransomware quarterly synthesis): Check Point Research published "Thus Spoke…The Gentlemen" on 2026-05-13, a detailed analysis of a 44.4 MB extract from the group's leaked "Rocket" backend database (16.22 GB total) that was posted to the cybercrime forum Breached on 2026-05-04 after the group's infrastructure was compromised by an unidentified actor (Check Point Research, 2026-05-13; BankInfoSecurity, 2026-05-11). The dataset contains 8,200 lines of internal chat-tool traffic across channels INFO / general / TOOLS / PODBOR, shadow files with password hashes, affiliate negotiation transcripts, and configuration artefacts for the ZeroPulse C2 framework.

Nine operator handles are identified — including administrator zeta88 (also hastalamuerte), who both manages the RaaS panel and participates directly in encryption events. Reconstructed attack chain: initial access almost exclusively via unpatched edge devices — FortiGate CVE-2024-55591 (the group's documented mainstay), Cisco appliances, CWMP/TR-069 interfaces — or purchased infostealer credentials; post-access tooling includes NetExec, RelayKing (NTLM relay), CertiHound (AD Certificate Services abuse), TaskHound, PrivHound; EDR-suppression utilities EDRStartupHinder, gfreeze and glinker manipulate ETW callbacks and NTDLL syscall tables; persistence is maintained via Cloudflare Zero Trust tunnels and self-provisioned WireGuard/OpenVPN chains.

Two operationally critical facts: (1) Check Point Research attributes a count of 1,570+ victim entries to a separately-exposed SystemBC C&C server, against 332 victims publicly listed on the group's data-leak site in the first five months of 2026 — significant under-reporting of true scope (Check Point's wider comparison cites 412 cumulative DLS listings); (2) the decryptor has been released as GitHub Bedrock-Safeguard/gentlemen-decryptor, enabling existing victims to recover without payment (decryptor disclosed in BankInfoSecurity's 2026-05-11 reporting). For Swiss / EU SOCs handling an active Gentlemen incident the workflow changes today: attempt decryption before any negotiation. Detection pivots from the leak: alert on EDRStartupHinder, gfreeze, glinker process names (custom binaries, not commodity); monitor for AD Certificate Services reconnaissance (certutil enumeration of CA servers and templates) consistent with CertiHound; correlate with FortiGate CVE-2024-55591 initial-access exploitation patterns that the group continues to weaponise.