Threat Intelligence | May 18, 2026

IT threat evolution in Q1 2026. Non-mobile statistics

Kaspersky Q1 2026 report reveals 343M+ blocked attacks, 2,938 ransomware variants, and Interlock group exploiting Cisco

Summary

Kaspersky's Q1 2026 threat report documents 343 million blocked attacks, 2,938 new ransomware variants, and over 77,000 ransomware victims, with Clop accounting for 14% of the victims whose data was published on data leak sites. Law enforcement achieved significant wins, including the FBI seizure of the RAMP ransomware forum and arrests/convictions of Phobos administrators and BlackCat affiliates. The Interlock group has actively exploited CVE-2026-20131, a zero-day in Cisco Secure FMC firewall management software, since late January 2026.

Full text

Authors: AMR

The statistics in this report are based on detection verdicts returned by Kaspersky products unless otherwise stated. The information was provided by Kaspersky users who consented to sharing statistical data.

Quarterly figures

In Q1 2026:

  • Kaspersky products blocked more than 343 million attacks that originated with various online resources.
  • Web Anti-Virus responded to 50 million unique links.
  • File Anti-Virus blocked nearly 15 million malicious and potentially unwanted objects.
  • 2938 new ransomware variants were detected.
  • More than 77,000 users experienced ransomware attacks.
  • 14% of all ransomware victims whose data was published on threat actors’ data leak sites (DLS) were victims of Clop.
  • More than 260,000 users were targeted by miners.

Ransomware

Quarterly trends and highlights

Law enforcement success

In January 2026, it was reported that the FBI had seized the domains of the RAMP cybercrime forum, a major platform used extensively by ransomware developers to advertise their RaaS programs and to recruit affiliates. There has been no official statement from the FBI, nor is it clear if RAMP servers were seized. In a post on an external website, a RAMP moderator mentioned law enforcement agencies gaining control over the forum. The takedown disrupted a key element of the RaaS ecosystem, creating ripple effects for ransomware operators, affiliates, and initial access brokers.

A man suspected of links to the Phobos group was apprehended in Poland. He was charged with the creation, acquisition, and distribution of software designed for unlawfully obtaining information, including data that facilitates unauthorized access to information stored within a computer system.

In March, a Phobos ransomware administrator pleaded guilty to the creation and distribution of the Trojan, which had been used in international attacks dating back to at least November 2020.

In March, the U.S. Department of Justice charged a man who had acted as a negotiator for ransomware groups. The company he worked for specializes in cyberincident investigations. The prosecution alleges the suspect colluded with the BlackCat threat actor to share privileged insights into the ongoing progress of negotiations. Additionally, the suspect is alleged to have had a prior direct role in BlackCat attacks, serving as an affiliate for the RaaS operation.

In a separate development this March, a U.S. court sentenced an initial access broker associated with the Yanluowang ransomware group to 81 months of imprisonment. According to the U.S. Department of Justice, the convict facilitated dozens of ransomware attacks across the United States, resulting in over $9 million in actual loss and more than $24 million in intended loss.

Vulnerabilities and attacks

The Interlock group has been heavily exploiting the CVE-2026-20131 zero-day vulnerability in Cisco Secure FMC firewall management software since at least January 26, 2026. The vulnerability enabled arbitrary Java code execution with root privileges on the affected device. This campaign demonstrates the ongoing reliance on zero-day vulnerabilities for initial access, a focus on network appliances as high-value entry points, and the rapid weaponization of new vulnerabilities within the ransomware ecosystem.

The most prolific groups

This section highlights the most prolific ransomware gangs by number of victims added to each group’s DLS. This quarter, the Clop ransomware (14.42%) returned to the top of the rankings, displacing Qilin (12.34%), which had held the leading position in the previous reporting period. Following closely is a new threat actor, The Gentlemen (9.25%). Emerging no later than July 2025, the group had already surpassed the activity levels of mainstays such as Akira (7.25%) and INC Ransom (6.13%).

[Figure: Number of each group’s victims according to its DLS as a percentage of all groups’ victims published on all the DLSs under review during the reporting period]

Number of new variants

In Q1 2026, Kaspersky solutions detected six new ransomware families and 2938 new modifications. Volumes have returned to Q3 2025 levels following a surge in Q4 2025.

[Figure: Number of new ransomware modifications, Q1 2025 to Q1 2026]

Number of users attacked by ransomware Trojans

Throughout Q1, our solutions protected 77,319 unique users from ransomware. Ransomware activity was highest in March, with 35,056 unique users encountering such attacks during the month.

[Figure: Number of unique users attacked by ransomware Trojans, Q1 2026]

Attack geography

TOP 10 countries and territories attacked by ransomware Trojans

  #    Country/territory*    %**
  1    Pakistan              0.79
  2    South Korea           0.64
  3    China                 0.52
  4    Tajikistan            0.40
  5    Libya                 0.38
  6    Turkmenistan          0.36
  7    Iraq                  0.35
  8    Bangladesh            0.33
  9    Rwanda                0.30
  10   Cameroon              0.28

* Excluded are countries and territories with relatively few (under 50,000) Kaspersky users.
** Unique users whose computers were attacked by ransomware Trojans as a percentage of all unique users of Kaspersky products in the country/territory.

TOP 10 most common families of ransomware Trojans

  #    Name                Verdict                         %*
  1    (generic verdict)   Trojan-Ransom.Win32.Gen         33.90
  2    (generic verdict)   Trojan-Ransom.Win32.Crypren     6.38
  3    WannaCry            Trojan-Ransom.Win32.Wanna       5.87
  4    (generic verdict)   Trojan-Ransom.Win32.Encoder     4.68
  5    (generic verdict)   Trojan-Ransom.Win32.Agent       3.80
  6    LockBit             Trojan-Ransom.Win32.Lockbit     2.80
  7    (generic verdict)   Trojan-Ransom.Win32.Phny        1.99
  8    (generic verdict)   Trojan-Ransom.MSIL.Agent        1.96
  9    (generic verdict)   Trojan-Ransom.Python.Agent      1.93
  10   (generic verdict)   Trojan-Ransom.Win32.Crypmod     1.89

* Unique Kaspersky users attacked by the specific ransomware Trojan family as a percentage of all unique users attacked by this type of threat.

Miners

Number of new variants

In Q1 2026, Kaspersky solutions detected 3485 new modifications of miners.

[Figure: Number of new miner modifications, Q1 2026]

Number of users attacked by miners

In Q1, we detected attacks using miner programs on the computers of 260,588 unique Kaspersky users worldwide.

[Figure: Number of unique users attacked by miners, Q1 2026]

Attack geography

TOP 10 countries and territories attacked by miners

  #    Country/territory*    %**
  1    Senegal               3.19
  2    Turkmenistan          3.06
  3    Mali                  2.63
  4    Tanzania              1.62
  5    Bangladesh            1.06
  6    Ethiopia              0.95
  7    Panama                0.88
  8    Afghanistan           0.79
  9    Kazakhstan            0.77
  10   Bolivia               0.75

* Excluded are countries and territories with relatively few (under 50,000) Kaspersky users.
** Unique users whose computers were attacked by miners as a percentage of all unique users of Kaspersky products in the country/territory.

Attacks on macOS

In Q1 2026, Google uncovered a new cryptocurrency theft campaign. The scammers directed victims to a fraudulent video call, prompting them to execute malicious scripts under the guise of technical support fixes for connection problems. In March, researchers with GTIG and iVerify reported the discovery of an in-the-wi

Indicators of Compromise

  • cve — CVE-2026-20131
  • malware — Phobos
  • malware — Clop

Entities

  • Interlock (threat_actor)
  • Phobos group (threat_actor)
  • Clop (threat_actor)
  • BlackCat (threat_actor)
  • Yanluowang (threat_actor)
  • Cisco Secure FMC (product)