The ransomware ecosystem is undergoing significant transformation, shifting from fragmentation toward a phase of consolidation. Over the past several months, Qilin has emerged as a dominant player within the ransomware-as-a-service (RaaS) landscape. This evolution follows the disruption of major groups such as LockBit and RansomHub, which have faced increased scrutiny and law enforcement action.
### The Rise of Qilin
Despite Qilin’s newfound dominance, the rapid emergence of other groups, prominently The Gentlemen, signals that the cybercrime landscape is in a constant state of flux. Qilin, which has been operational since at least October 2022, is recognized for its technically advanced infrastructure, reportedly holding about 16% of the cybercriminal market share as indicated by Lotem Finkelstein, the VP of research at Check Point. Finkelstein noted that recent findings in Check Point’s 2026 Cyber Security Report emphasize how Qilin has solidified its position amidst the dwindling fortunes of other ransomware outfits.
In an interview with Infosecurity, Finkelstein articulated that the observation of Qilin consolidating its power was evident. “Over the last few months, we have observed that they are consolidating again and becoming major ransomware groups,” he stated. This consolidation allows them to leverage resources and talent in a way that enhances their operational effectiveness.
Recent reports from the Sophos X-Ops Counter Threat Unit (CTU) support Finkelstein’s claims. Data compiled over the last 12 months highlights that Qilin has listed a staggering 1,496 victims on its data leak site. In comparison, rivals such as Akira and The Gentlemen reported 1,205 and 763 victims respectively, indicating Qilin’s substantial lead in the current environment.
Aiden Sinnott, a principal threat researcher at Sophos X-Ops CTU, concurred with Finkelstein’s assessment, stating that Qilin’s ascendancy is primarily attributed to the widespread consolidation occurring in the ransomware sector following aggressive law enforcement actions. The allure of high payouts and well-established infrastructure has made Qilin a top choice for affiliates seeking to capitalize on this illicit marketplace. This shift coincided with the collapse of competing RaaS programs, such as LockBit and ALPHV, resulting in an influx of experienced affiliates and an increased volume of victims.
Moreover, the barriers to entry for aspiring cybercriminals have been lowered due to the availability of AI tools, allowing even those with minimal technical skills to launch sophisticated campaigns. According to Finkelstein, this technological democratization has enabled more individuals to engage in cybercriminal activities, thereby expanding the pool of ransomware operators.
### The Rise of The Gentlemen
Notably, another group, The Gentlemen, has demonstrated potential for market domination. Comparitech’s data illustrates that in June 2026, The Gentlemen surpassed Qilin in terms of victim count for the first time in months, registering 115 victims compared to Qilin’s 78. Rebecca Moody, head of data research at Comparitech, noted that while over half of Qilin’s targets were based in the United States, the same could not be said for The Gentlemen, whose victims were less concentrated in that region.
Research published by Check Point in April highlighted The Gentlemen’s rapid ascension, revealing an internal database leak that disclosed operational intricacies about their affiliates and victims. The leak included documentation of ransom negotiations, showcasing a particular case in which the group secured a payment of $190,000 after initiating contact with a demand of $250,000.
### Challenges Ahead for Qilin
As Qilin strives to maintain its position at the forefront of cybercrime, uncertainties loom regarding its future. Finkelstein cautioned that increased visibility could draw unwanted attention from international law enforcement agencies. Drawing parallels to the previous crackdown on the LockBit group, he emphasized that law enforcement would likely intensify their efforts against Qilin, given its rapid growth.
When ransomware operators were fragmented, it presented challenges for law enforcement to pinpoint specific groups. However, with Qilin’s consolidating influence, Finkelstein anticipates more concerted efforts from authorities to thwart their operations. He highlighted that Qilin has been creative in its strategies, implementing phishing campaigns while also exploiting vulnerabilities. For instance, on June 9, Check Point disclosed that a vulnerability in its Remote Access VPN and Mobile Access solution was targeted by Qilin, although only a single customer was affected.
In response to such threats, Check Point has initiated its Frontier AI Models Readiness Program, aimed at identifying vulnerabilities within its offerings. This comprehensive program includes large-scale AI-driven code scanning, rigorous security assessments, and accelerated development of protective measures, ensuring that the company remains agile in the face of emerging AI-driven threats.
As the ransomware landscape continues to evolve, both Qilin and The Gentlemen reflect the dynamic and shifting nature of cybercrime, suggesting that vigilance and proactive measures will be crucial in the ongoing fight against such illicit activities.

