SecurityBrief UK - Technology news for CISOs & cybersecurity decision-makers
United Kingdom
BlackFog says only one in nine ransomware attacks go public
Malware Data Protection Ransomware

BlackFog says only one in nine ransomware attacks go public

Fri, 8th May 2026 (Today)
Sean Mitchell
SEAN MITCHELL Publisher

BlackFog has published its first-quarter ransomware report, which found that only one in nine ransomware attacks became public.

The cyber security company identified 2,160 undisclosed ransomware attacks in the quarter, up 2% from a year earlier, alongside 264 publicly disclosed incidents, down 15% year on year.

The figures suggest the threat landscape remains broad even as the number of reported cases fell. Victims of undisclosed attacks were spread across 97 countries, while disclosed incidents affected organisations in 39 countries.

Among attacks that became public, the average ransom demand was USD $1,028,214. Healthcare was the most targeted sector with 72 attacks, or 27% of the total, followed by government with 32 and technology with 28.

Logistics recorded the sharpest annual increase, with attacks on the sector rising 200% from the same period a year earlier.

Sector impact

Healthcare's position at the top of the list underlines the continued pressure on sectors that manage sensitive personal data and critical services. Government bodies also remained frequent targets, reflecting the appeal of public sector systems to criminal groups seeking disruption as well as payment.

Technology companies ranked third among disclosed victims. The concentration of attacks across these sectors suggests attackers continue to focus on organisations where operational downtime and stolen data can increase leverage in extortion attempts.

Group activity

The report describes a fragmented ransomware market. In disclosed incidents, Qilin was the most active named variant with 22 attacks, equal to 8% of the total, followed by ShinyHunters with 16 and INC with 11.

A large share of cases, however, could not be tied to any known group. Unattributed incidents accounted for 38% of all publicly disclosed ransomware cases.

Across undisclosed incidents, Qilin again led the rankings with 339 attacks, or 16% of the total. The Gentlemen followed with 200 attacks and Akira with 190. In total, 79 ransomware groups claimed victims during the three-month period.

The report highlighted The Gentlemen as a fast-rising group. Since emerging in 2025 through the end of the first quarter, it has claimed 273 attacks, illustrating how quickly newer groups can scale their operations.

Data theft

BlackFog's findings suggest data theft remains central to ransomware operations. Data exfiltration featured in 96% of attacks during the quarter, a level BlackFog described as critically high.

The average volume of data stolen in each undisclosed incident reached 743GB. Victims were given an average of 7.7 days to meet ransom demands.

That combination of short deadlines and large-scale data theft reflects how extortion tactics have shifted beyond file encryption alone. Criminal groups increasingly rely on the threat of publishing or selling stolen information to force negotiations.

AI tools

The report also pointed to the use of artificial intelligence in ransomware-related operations. Attackers are using AI to automate data collection and exfiltration, with BlackFog citing campaigns such as LotAI and platforms including ClawdBot and OpenClaw.

These tools show how threat actors can use automated systems to gather, process and manage stolen data more efficiently. The trend adds to concerns that ransomware groups can increase the speed and scale of attacks without a matching rise in manpower.

The report drew in part on data collected through BlackFog's console across hundreds of organisations. The analysis covered endpoint data movement and focused on incidents that either led to ransomware or increased the risk of a data breach.

Commenting on the findings, Dr Darren Williams said: "A 15% year-on-year decline in reported attacks may suggest progress, but the reality is very different. Ransomware remains a persistent and highly active threat, with attackers increasingly using AI to automate data theft at scale. With data exfiltration now occurring in 96% of attacks, the question for every organization is no longer whether their data is at risk - but whether they can stop it leaving their systems before damage is done."

Related stories
Cyber security chiefs split on quantum threat urgency
Dell adds quantum-ready security for PCs & AI data
Xiid secures EV charging, healthcare AI & multi-cloud
GenAI misuse & ransomware drive surge in cyber attacks
Xiid & Cytex link AI governance with zero trust access
Top stories
The Death of the Firewall
UK firms urged to track hidden cyber attack surface
Object First launches Fleet Manager for backup estates
UK consumers urged to secure passwords & digital assets
Infoblox completes Axur buy to boost digital risk protection