NordStellar’s Q2 2026 ransomware analysis puts Qilin and The Gentlemen at the center of a threat landscape that remains materially above last year’s level, even after a modest quarter-over-quarter decline. For Windows administrators, the important takeaway is not which extortion brand tops a leak site in a given week; it is that the ransomware-as-a-service ecosystem is sustaining enough scale, affiliate capacity, and operational maturity to keep enterprise networks under constant pressure.
The report, summarized this week by Manufacturing Business Technology, says ransomware incidents fell 4% from Q1 to Q2 but were still 20% higher in the first half of 2026 than during the same period in 2025. NordStellar counted Qilin as the most active group in Q2, with 299 listed attacks, while The Gentlemen logged 284 after increasing activity 39% from the prior quarter.
That is a close contest, but it should not be mistaken for a precise measure of intrusion volume. Leak-site listings are public claims from criminal operations, not independently verified incident reports; victims can be posted late, duplicated, or never named. Still, the trend is independently echoed by GuidePoint Security’s Q2 GRIT report, which identified 91 active ransomware groups—the highest number it has observed—and likewise placed Qilin first, The Gentlemen second, and DragonForce third.
Ransomware-as-a-service, or RaaS, is not a conventional contest between two fixed organizations. Core operators provide encryptors, leak infrastructure, payment handling, negotiation support, and sometimes initial-access resources. Affiliates choose campaigns, targets, and tools—and can shift to a competing platform when payout terms, operational reliability, or perceived prestige changes.
That makes the Qilin–Gentlemen matchup more consequential than a leaderboard. A rapidly growing group can attract capable affiliates, while a leading operator must demonstrate that it can protect affiliate identities, support negotiations, keep infrastructure online, and deliver reliable payloads. NordStellar senior threat intelligence researcher Mantas Sabeckis described the dynamic as a sign that the ransomware market is stabilizing and maturing rather than simply fragmenting.
The public data already shows some uncertainty in the pecking order. NordStellar’s quarterly figures gave Qilin a narrow lead in April through June, while Check Point reporting cited by ITPro said The Gentlemen overtook Qilin in June and accounted for 17% of published attacks. Those figures can coexist: one is a quarterly count, the other a monthly snapshot, and each vendor uses its own collection methods. The practical conclusion is the same—both operations have become persistent, high-volume threats.
DragonForce remains smaller by comparison, but it also reached an all-time quarterly high, according to NordStellar. That is the other warning in this data: a contest at the top can increase pressure below it, encouraging lesser-known crews to recruit more aggressively, expand access-broker relationships, and take riskier shots at larger targets.
Yet the standout number is at the other end of the market. Victims with more than $1 billion in revenue rose 74% quarter over quarter, from 23 listed incidents in Q1 to 40 in Q2. The sample is small enough that a few high-profile campaigns can shift the percentage sharply, so this should not be read as proof that every large company is now a primary target. It is, however, a reason for enterprises not to treat ransomware resilience as a problem delegated solely to branch offices, subsidiaries, or third-party suppliers.
Large organizations offer higher potential payouts, richer data sets, and a reputational prize for an affiliate trying to gain standing. Modern ransomware operations also increasingly pursue double extortion: stealing data before encryption and threatening publication if the victim declines to pay. NordStellar’s earlier negotiation research found data-leak threats in 76.8% of observed negotiations and time-limited payment discounts in 45.5%.
That changes the recovery conversation. A clean restore can bring Windows servers, file shares, and line-of-business applications back online, but it does not undo a data theft event. Legal, regulatory, customer-notification, and reputational exposure may remain even when encryption damage is contained.
Manufacturing accounted for 19.5% of the Q2 victims in NordStellar’s analysis, followed by IT at 10.7%, professional and technical services at 8.3%, construction at 7%, and healthcare at 6.2%. Manufacturing’s lead is particularly relevant to Windows-heavy environments where aging operational technology, engineering workstations, Active Directory dependencies, and flat network segments can turn a compromised endpoint into a broad operational disruption.
CISA’s #StopRansomware guidance continues to emphasize rapid patching, multifactor authentication, restricted remote access, network segmentation, offline or cloud-to-cloud backup protection, and tested recovery. It specifically advises organizations to audit Remote Desktop Protocol use, close unused RDP ports, enforce MFA and account lockouts where RDP is required, and log remote-login activity.
For Windows and Windows Server environments, the immediate operational priorities are straightforward:
Microsoft Defender for Endpoint adds a more direct containment option: administrators can isolate a Windows device from the network while retaining its connection to the Defender service. That function is only valuable if teams have rehearsed who can authorize it, what exceptions are needed for critical systems, and how they will keep a compromised endpoint from becoming a launch point for lateral movement.
For IT teams, the next milestone is not the next ransomware leaderboard. It is whether the organization can demonstrate—through evidence rather than policy language—that a stolen credential, exposed remote service, or compromised workstation will be detected, contained, and recovered without giving an affiliate the time to reach domain-wide impact.
The report, summarized this week by Manufacturing Business Technology, says ransomware incidents fell 4% from Q1 to Q2 but were still 20% higher in the first half of 2026 than during the same period in 2025. NordStellar counted Qilin as the most active group in Q2, with 299 listed attacks, while The Gentlemen logged 284 after increasing activity 39% from the prior quarter.
That is a close contest, but it should not be mistaken for a precise measure of intrusion volume. Leak-site listings are public claims from criminal operations, not independently verified incident reports; victims can be posted late, duplicated, or never named. Still, the trend is independently echoed by GuidePoint Security’s Q2 GRIT report, which identified 91 active ransomware groups—the highest number it has observed—and likewise placed Qilin first, The Gentlemen second, and DragonForce third.
The Rivalry Matters Because Affiliates Can Move
Ransomware-as-a-service, or RaaS, is not a conventional contest between two fixed organizations. Core operators provide encryptors, leak infrastructure, payment handling, negotiation support, and sometimes initial-access resources. Affiliates choose campaigns, targets, and tools—and can shift to a competing platform when payout terms, operational reliability, or perceived prestige changes.That makes the Qilin–Gentlemen matchup more consequential than a leaderboard. A rapidly growing group can attract capable affiliates, while a leading operator must demonstrate that it can protect affiliate identities, support negotiations, keep infrastructure online, and deliver reliable payloads. NordStellar senior threat intelligence researcher Mantas Sabeckis described the dynamic as a sign that the ransomware market is stabilizing and maturing rather than simply fragmenting.
The public data already shows some uncertainty in the pecking order. NordStellar’s quarterly figures gave Qilin a narrow lead in April through June, while Check Point reporting cited by ITPro said The Gentlemen overtook Qilin in June and accounted for 17% of published attacks. Those figures can coexist: one is a quarterly count, the other a monthly snapshot, and each vendor uses its own collection methods. The practical conclusion is the same—both operations have become persistent, high-volume threats.
DragonForce remains smaller by comparison, but it also reached an all-time quarterly high, according to NordStellar. That is the other warning in this data: a contest at the top can increase pressure below it, encouraging lesser-known crews to recruit more aggressively, expand access-broker relationships, and take riskier shots at larger targets.
Big Enterprises Became a More Visible Prize
Small and medium-sized businesses remained the most frequently targeted organizations in NordStellar’s Q2 data. That is unsurprising: firms with fewer than 200 employees and under $25 million in revenue often have lean IT teams, incomplete asset inventories, uneven patching, and backups that have never been tested under real recovery conditions.Yet the standout number is at the other end of the market. Victims with more than $1 billion in revenue rose 74% quarter over quarter, from 23 listed incidents in Q1 to 40 in Q2. The sample is small enough that a few high-profile campaigns can shift the percentage sharply, so this should not be read as proof that every large company is now a primary target. It is, however, a reason for enterprises not to treat ransomware resilience as a problem delegated solely to branch offices, subsidiaries, or third-party suppliers.
Large organizations offer higher potential payouts, richer data sets, and a reputational prize for an affiliate trying to gain standing. Modern ransomware operations also increasingly pursue double extortion: stealing data before encryption and threatening publication if the victim declines to pay. NordStellar’s earlier negotiation research found data-leak threats in 76.8% of observed negotiations and time-limited payment discounts in 45.5%.
That changes the recovery conversation. A clean restore can bring Windows servers, file shares, and line-of-business applications back online, but it does not undo a data theft event. Legal, regulatory, customer-notification, and reputational exposure may remain even when encryption damage is contained.
Manufacturing accounted for 19.5% of the Q2 victims in NordStellar’s analysis, followed by IT at 10.7%, professional and technical services at 8.3%, construction at 7%, and healthcare at 6.2%. Manufacturing’s lead is particularly relevant to Windows-heavy environments where aging operational technology, engineering workstations, Active Directory dependencies, and flat network segments can turn a compromised endpoint into a broad operational disruption.
Windows Defenses Need to Limit Blast Radius
The most useful response to elevated ransomware activity is not a generic reminder to “be vigilant.” It is to verify whether the controls already licensed, deployed, and documented in a Windows estate will work when an attacker has valid credentials and administrative tools.CISA’s #StopRansomware guidance continues to emphasize rapid patching, multifactor authentication, restricted remote access, network segmentation, offline or cloud-to-cloud backup protection, and tested recovery. It specifically advises organizations to audit Remote Desktop Protocol use, close unused RDP ports, enforce MFA and account lockouts where RDP is required, and log remote-login activity.
For Windows and Windows Server environments, the immediate operational priorities are straightforward:
- Require phishing-resistant MFA where possible for privileged accounts, VPN access, remote administration, and cloud administration portals.
- Remove public RDP exposure, review VPN appliances and remote-management systems for overdue updates, and disable obsolete SMBv1 dependencies after validating affected applications.
- Separate administrative accounts from daily-use accounts, reduce standing privileges, and limit lateral movement between workstation, server, backup, and operational-technology networks.
- Protect backups from the production identity plane, retain immutable or offline copies, and perform restoration exercises that include Active Directory, critical application dependencies, and user-file recovery.
- Confirm that endpoint telemetry reaches the security team quickly enough to support isolation, containment, and forensic review during an active incident.
Microsoft Defender for Endpoint adds a more direct containment option: administrators can isolate a Windows device from the network while retaining its connection to the Defender service. That function is only valuable if teams have rehearsed who can authorize it, what exceptions are needed for critical systems, and how they will keep a compromised endpoint from becoming a launch point for lateral movement.
A Lower Quarterly Number Is Not Relief
The 4% drop from Q1 should not be read as a reversal. NordStellar’s report describes activity as declining slightly from the record-setting pace of late 2025 while remaining at an elevated baseline. GuidePoint’s finding of 91 active groups reinforces the point: the ecosystem is broad enough that the disappearance or disruption of one brand no longer guarantees a meaningful reduction in risk.For IT teams, the next milestone is not the next ransomware leaderboard. It is whether the organization can demonstrate—through evidence rather than policy language—that a stolen credential, exposed remote service, or compromised workstation will be detected, contained, and recovered without giving an affiliate the time to reach domain-wide impact.