- Ransomware revenue rose nearly 40% year-on-year
- Groups leverage dark web access brokers
- Criminal operations show surprising resilience
In the first quarter of the year, ransomware groups increased their revenue by almost 40%, compared to the same period last year. This is according to a new report from cybersecurity researchers Rapid7, who said the increase is partly due to a maturing cybercriminal industry.
Rapid7 based its findings on its research telemetry, which showed that in Q1 26, ransomware groups made an estimated $529.2 million. The Qilin ransomware group made an estimated $193 million between July 2025 and March 2026, while the Gentleman ransomware group made an estimated $52 million between July 2025 and March 2026, it was said.
Compared to Q1 25, that’s a 39% increase, and is partly due to ransomware operators having an easier time accessing their targets’ infrastructure.
Resilient operations
“The revenue growth reflects the rise of initial access brokers, which has shifted cybercrime from technically specialised malware development to a mature underground marketplace where access, tooling, and full attack services are now commercially available to almost anyone,” Rapid7 said in a press release shared with TechRadar Pro.
In other words, instead of working to break into their target’s networks, ransomware groups just buy access on a dark web marketplace, from someone who’s already done the heavy lifting for them.
Rapid7 also compares ransomware operators to legitimate businesses, saying that no FTSE 350 organization achieved the same results (which makes sense, otherwise criminals would do legitimate business, instead). However, the researchers hinted that legitimate businesses have a lot to learn from ransomware groups, specifically in business resilience:
“The problem is they are demonstrating, very publicly, that ransomware can be a successful criminal enterprise, and ironically, in some ways, they’re more resilient than businesses themselves,” said Thom Langford, CTO EMEA at Rapid7. “Removing one group, one server, or one piece of infrastructure rarely collapses the wider operation because the ecosystem is designed to keep functioning around the damage.”
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds.
https://cdn.mos.cms.futurecdn.net/x4SmwpYXk8yGgDmYCVeckL-2560-80.jpg
Source link
