TelcoNews Asia - Telecommunications news for ICT decision-makers
Ransomware shifts to fewer groups as Thailand targeted


Wed, 13th May 2026
Sean Mitchell, Publisher

Check Point Research has published a report showing ransomware activity consolidated around fewer groups in early 2026. The findings also identify Thailand as one of the 10 most-targeted countries globally for the first time.

In the first quarter, 2,122 organisations were listed on ransomware data leak sites, making it the second-highest first quarter on record. Check Point tracked more than 70 active ransomware leak sites during the period, with more than 700 victims a month on average.

After a fragmented period in 2025, the report says the ransomware market has shifted toward greater concentration. The top 10 ransomware groups accounted for 71% of all victims in the quarter, as a smaller set of operators absorbed more activity.

Qilin remained the most active ransomware operation for the third straight quarter, with 338 victims. The Gentlemen was the fastest-growing group, rising from 40 victims in the final quarter of 2025 to 166 in the first quarter of 2026. LockBit returned to the top tier with 163 victims.

Thailand targeted

Thailand's entry into the global top 10 was linked to The Gentlemen, which accounted for nearly 11% of all victims in the country.

The group's expansion in Asia Pacific and Latin America stood out because only 13% of its publicly extorted victims were based in the United States. That contrasts with the wider ransomware market, where US organisations represented almost half of all reported victims.

Rather than relying mainly on fresh intrusions, The Gentlemen was described as using a stock of previously compromised network access points. This allowed the group to launch attacks at scale through existing entry routes instead of spending time searching for new ones.

The report says this pattern shows attackers increasingly operating where they already have access rather than choosing targets primarily by industry or market size. In practice, exposure in local networks, remote access systems and connected infrastructure can shape which countries and sectors face the greatest pressure.

Shift in tactics

Overall ransomware activity in the quarter remained near historic highs, even if year-on-year comparisons appeared softer. The report says comparisons with the same period a year earlier were distorted by a single mass-exploitation campaign that inflated the earlier figures.

Setting that anomaly aside, activity still showed underlying growth at a persistently high level. That leaves businesses facing a threat defined not only by short-lived spikes, but by a steady baseline of attacks.

The report also pointed to a geographic shift in LockBit's activity. Historically more focused on the United States, the group's recent victims were spread more evenly across Europe, Latin America and other regions.

That broadening suggests some ransomware operators are reducing their dependence on jurisdictions with stronger law enforcement pressure. For multinational companies, this means a wider spread of risk rather than any reduction in it.

Industry exposure

Manufacturing, business services, healthcare and industrial sectors continued to appear frequently among victims. These sectors often combine complex environments with high downtime sensitivity, making disruption especially costly.

Even so, industry trends do not always reflect deliberate sector selection. In many cases, victims appeared where exploitable infrastructure, exposed virtual private networks or pre-positioned access already existed.

The United States still accounted for 49.6% of all reported victims, reflecting its large business base and concentration of enterprises. Western developed economies remained the clear majority of targets overall, even as some groups shifted more activity into other regions.

For companies in Asia, Thailand's rise in the rankings is likely to draw particular attention because it suggests established access routes can quickly alter the regional threat picture. The findings indicate that a single group with ready-made access can move a country higher up the target list within a short period.

Check Point also said artificial intelligence is beginning to shorten parts of the attacker cycle, from initial access to exploitation. Combined with a smaller number of stronger groups, that means each successful breach may carry greater operational and financial consequences.

A spokesperson for the research team described the shift as one of concentration rather than volume. "Ransomware in 2026 is no longer a numbers game - it's a concentration and acceleration problem. When fewer, more capable groups drive the majority of attacks, every incident carries greater operational and financial impact. At the same time, AI is beginning to compress the attacker lifecycle, from access to exploitation, making existing exposures more dangerous than ever. Organisations need to shift from reacting to ransomware incidents to proactively reducing exposure by closing access gaps, strengthening identity and network controls, and limiting lateral movement before attacks can be operationalized at machine speed," said Sergey Shykevich, Threat Intelligence Group Manager, Check Point Software.