Kaspersky Q1 2026 Report: 343M Web Attacks Blocked, Clop Dominates Ransomware Landscape
Kaspersky's Q1 2026 threat report reveals over 343 million web attacks blocked, 2,938 new ransomware variants, and Clop accounting for 14% of data leak site victims.

Kaspersky's Q1 2026 threat report records over 343 million web attacks blocked and more than 77,000 users experiencing ransomware attacks. The report, based on detection verdicts from Kaspersky products, highlights a surge in ransomware activity, with 2,938 new variants detected and Clop ransomware returning to the top of the rankings, accounting for 14.42% of all victims published on data leak sites (DLS). This displaces Qilin, which held the leading position in the previous quarter.
Law enforcement made significant strides against ransomware operations in Q1 2026. In January, the FBI seized domains of the RAMP cybercrime forum, a major platform for ransomware developers to advertise ransomware-as-a-service (RaaS) programs and recruit affiliates. While no official statement was released, a RAMP moderator confirmed law enforcement control over the forum, disrupting a key element of the RaaS ecosystem. Additionally, a suspect linked to the Phobos group was arrested in Poland, and a Phobos administrator pleaded guilty to creating and distributing the Trojan used in international attacks since 2020.
The report also details the exploitation of zero-day vulnerabilities by ransomware groups. The Interlock group has been actively exploiting CVE-2026-20131, a zero-day in Cisco Secure FMC firewall management software, since at least January 26, 2026. This vulnerability allows arbitrary Java code execution with root privileges, demonstrating the ongoing reliance on zero-days for initial access and the rapid weaponization of new vulnerabilities within the ransomware ecosystem.
In terms of ransomware families, Clop led with 14.42% of DLS victims, followed by Qilin (12.34%) and a new threat actor, The Gentlemen (9.25%), which emerged no later than July 2025 and has already surpassed mainstays like Akira (7.25%) and INC Ransom (6.13%). The report also notes that Kaspersky solutions detected six new ransomware families and 2,938 new modifications, with volumes returning to Q3 2025 levels after a surge in Q4 2025.
Geographically, the highest rates of ransomware attacks were observed in Pakistan (0.79% of users attacked), South Korea (0.64%), and China (0.52%). The most common ransomware families included generic verdicts like Trojan-Ransom.Win32.Gen (33.90%) and Trojan-Ransom.Win32.Crypren (6.38%), with WannaCry still prevalent at 5.87%.
Beyond ransomware, the report covers miner activity, with 3,485 new miner modifications detected in Q1 2026. Kaspersky products blocked over 343 million web attacks and responded to 50 million unique links, while File Anti-Virus blocked nearly 15 million malicious objects. The report underscores the persistent threat from both established and emerging ransomware groups, as well as the critical role of law enforcement actions in disrupting cybercriminal infrastructure.