ransomware-threat-debrief

Bitdefender Threat Debrief | July 2026

Share this Share on email Share on twitter Share on linkedin Share on facebook

After a Year at Number One, Qilin Ransomware Falls from the Top Spot

This edition of the Bitdefender Threat Debrief covers the latest developments in the ransomware threat landscape, including Qilin’s fall from the number one rank in Top Groups. Other events featured in this release include the arrest of a Scattered Spider operator, the criminal act of ransom negotiation, and an update on the FortiBleed campaign.

As ransomware continues to evolve, our goal with this monthly Bitdefender Threat Debrief is to help you stay ahead of the curve. To do this, we combine information from openly available sources (OSINT) - things like news reports and research – with data we gather by analyzing Data Leak Sites (DLSs), websites where ransomware groups post details about their victims. It is important to remember that we can't independently verify all of these claims but are confident in the trends we see over time.

july-bdtd-image1

For this month's report, we analyzed data from June 1 to June 30 and recorded a total of 704 claimed ransomware victims.

Featured Story: Qilin's Year at the Top Comes to an End

What Happened?

Qilin has dominated the ransomware ecosystem, earning the top ranking in Bitdefender’s Top 10 Ransomware Groups since June 2025, and claiming more than 1,600 victims in the span of one year. In June 2026, however, Qilin’s total number of victims (80) declined significantly compared with the 100+ victims in previous months. As a result, Qilin landed in the second spot in the Top Groups for June, as The Gentlemen secured the top rank, claiming 121 victims.

What Factors Might Be Linked to Qilin’s Decrease in Claimed Victims?

In some ways, the ransomware marketplace mirrors what happens in business. Key people from a successful company will sometimes leave that company to start something of their own. That’s why its interesting to note that The Gentlemen, this month’s new number one ransomware group, actually evolved from a Qilin affiliate.

It was only a matter of time before Qilin’s playbook would be recycled and even improved. Qilin created a name for themselves, racking up ransom demands in the millions and launching supply chain attacks against international enterprise organizations, most notably in technology, manufacturing, and healthcare. They’ve put a target on their back, as competing ransomware groups try to emulate them.

In the case of The Gentlemen, the group is in an interesting position. Members of their staff understand how Qilin’s initial operations work. This became apparent when a hacker group leaked a database file maintained by The Gentlemen that disclosed information about their Russian-speaking affiliations and admin handles. The Gentlemen has repeatedly demonstrated that they have the means and influence to maintain a RaaS (ransomware as a service) platform, going so far as to push for 90% profit models (the affiliates keep 90%), and excelling in areas that Qilin lacked. This is evident in The Gentlemen’s use of automation and LLM assistant add-ons to speed up infrastructure and code maintenance.

While Qilin was among the first across leading ransomware groups to take the helm in implementing Bring Your Own Vulnerable Driver (BYOVD) tactics, The Gentlemen have now taken the concept and developed their own framework, incorporating GentleKiller into their operations. GentleKiller is a toolset on the affiliate panel that enables access to custom iterations of multiple EDR killers, developed to blind modern detection solutions and disrupt more than 400 relevant defense processes.

Modular in design, GentleKiller is equipped to drop additional packages based on the target environment. This makes its use far more expansive than Qilin’s past EDR killers, which affected closer to 300 processes. Yet, EDR capabilities with layered defenses, including kernel API monitoring remain critical for organizations wishing to harden defenses against ransomware groups with developing and advanced BYOVD components.

What Does This Mean for Emerging Groups?

Bitdefender Labs has made several observations that predate the start of 2026: The days of one or two ransomware groups reigning over many are far less commonplace now compared to the still-budding ransomware ecosystem of 2023 or 2024. Today’s emerging groups have greater flexibility in deciding what affiliate program they’ll join or drop. In addition, when equipped with experience and know-how, they branch out and start their own operation. Access to toolsets, not necessarily the developers themselves, allows threat actors to thrive. And, an economy that nets profit with few opportunities to engage with a broader network of cybercriminals can spell the end to a ransomware group’s career.

How Might Qilin Operate Moving Forward?

Since Qilin emerged in the fall of 2022, they’ve been quite steady. They’re not a ransomware group with a record of major operational disruptions, and they have already claimed multiple victims at the start of July 2026. While we can wonder if the group is implementing a strategy to either re-partner or claim fewer victims, that would be surprising. The group’s current brand appears to remain focused on taking down larger organizations. Still, we will monitor Qilin to assess if this dip in victims becomes repetitive and a sign of greater changes to come.

Join the Live Discussion

We'll discuss more about this emerging situation and other notable ransomware developments during our monthly Ctrl-Alt-Decode debrief.

Screenshot 2026-07-14 133111

Other Notable Ransomware News

Now, let’s explore the notable news and findings since last month’s Threat Debrief.

  • Teenager Arrested and Accused of being a Scattered Spider member: Last month Peter Stokes, a dual-citizen of the United States and Estonia, was extradited from Finland to the United States. Stokes, who is 19 years old, faces multiple federal charges. Whether Stokes will receive a sentence similar to his peers, like the 20 year old Noah Urban, who received a 10-year prison sentence for his role in supporting Scattered Spider, remains to be seen. According to the U.S. Department of Justice, Scattered Spider has collected approximately $100 million in ransom payments from its victims.
  • FortiBleed campaign runs rampant alongside massive credential leaks: Threat actors have launched campaigns impacting more than 70,000 FortiGate products including firewall and VPN appliances and their configurations and corresponding credential sets. This FortiBleed campaign is associated with the ransomware groups INC Ransom and Lynx. The threat actors did not leverage a unique CVE as the basis for exploitation in their operations. Instead, they performed fingerprinting at scale to identify active FortiGate products, cross-referencing them against lists of systems already exposed with leaked credentials online and against other matches identified in infostealer logs. Automation enabled the threat actors to conduct synchronous initial access attempts, cycling through credentials from the leaked lists. Organizations affected by the FortiBleed campaign are advised to terminate all remote sessions, ensure patches are up to date, and rotate admin console passwords across all FortiGate devices. Then, organizations can assess the admin credentials for systems with FortiOS versions 7.2.11, 7.4.8, and 7.6.1, ensuring that they are stored using PBKDF2.
  • Ransom negotiators still reap benefits: Ransom negotiations are supposed to be performed by a trusted, knowledgeable third-party. However, negotiations also present opportunities for others outside the immediate ransomware group to profit; some earn tens of thousands, while others may earn several hundred thousand dollars. Several former negotiators have been arrested in recent months. One former negotiator received a prison sentence of more than five years for aiding BlackCat in extorting the very victim they were tasked with representing. Many organizations do not uncover this problem with negotiators swaying the agreement in the operator’s favor until years after a ransom payment is submitted, when a ransomware operator outs their connections in the legal proceedings that follow a successful investigation, arrest, and extradition. This phenomenon emphasizes the importance of vetting negotiators to build a team more likely to produce an outcome that reduces consequences rather than creating additional issues and financial hardships.

Top 10 Ransomware Families

july-bdtd-image3

Bitdefender's Threat Debrief analyzes data from ransomware data leak sites, where groups publicize their claimed number of compromised organizations. This approach provides valuable insights into the overall activity of the RaaS market. However, there is a trade-off: while it reflects attackers' self-proclaimed success, the information comes directly from criminals and may be unreliable. Additionally, this method captures the number of victims claimed, not the actual financial impact of these attacks. Here’s the Top 10 ransomware groups.

Top 10 Most Attacked Regions

july-bdtd-image4

Ransomware gangs prioritize targets where they can potentially squeeze the most money out of their victims. In many cases, this means focusing on developed countries with higher projected growth rates. Threat actors may also execute strategic attacks that unfold during geopolitical conflicts or periods of social unrest.

Germany surpasses Canada in the Top 10 Regions: In June, Germany ranked in the 2nd Top Regions rank, surpassing Canada. Germany usually ranks in 3rd or 4th place. One third of Germany’s victim population (14 of the 42 claimed victims) were claimed by the groups The Gentlemen and Qilin.

Top 10 Most Attacked Industries

july-bdtd-image6

Ransomware gangs may target organizations in critical infrastructure sectors, select other organizations that offer services tailored to consumers, or attack organizations that fall into both categories. Understanding the trends and ramifications associated with specific industries, and how specialized services and clientele are impacted is crucial for assessing risk. Here are the Top 10 industries affected by ransomware attacks.

In June, the manufacturing and construction industries continue to represent the top industries impacted by ransomware. During the same month, healthcare surpassed financial services, ranking in the 4th position of industries most affected by ransomware.

MDR Insights

Bitdefender's MDR Insights consolidates key findings each month captured from real-world incidents.

In June 2026, our MDR teams found that hallmarks of threat actor activity included:

  • The expansion of campaigns that target systems beyond enterprise Windows systems persists, spanning Linux, macOS, web applications, and CI/CD environments
  • The continued targeting of software supply chains presents challenges for organizations
  • Web shell deployment and the repeated exploitation of vulnerable applications are leveraged for high-impact attacks
  • Defense evasion activities such as log clearing and security control bypass are widespread tactics used by threat actors   

The MDR team shared key insights after analyzing patterns across multiple incidents.

“Credential theft remains an essential objective for threat actors conducting intrusions, making it all the more important to continuously secure and audit a broad spectrum of identity-based services. Establishing visibility and security parameters is necessary not just for privileged accounts and typical IAM platforms, but also GitHub repositories, cloud applications, and developer environments."

Bitdefender MDR technology:

  • Detects both Active Directory attacks and software supply chain attacks
  • Detects and removes persistence mechanisms
  • Detects Linux privilege escalation mechanisms
  • Identifies and blocks attack infrastructure and malware.
  • Detects and prevents the execution of multiple attacks, stopping them from becoming ransomware incidents that impact the enterprise at large

Visit MDR and read the Bitdefender Ransomware white paper for more information on protecting against ransomware.

We'll discuss more about this emerging situation and other notable ransomware developments during our monthly Ctrl-Alt-Decode debrief.
Screenshot 2026-07-14 133111

About Bitdefender Threat Debrief

The Bitdefender Threat Debrief (BDTD) is a monthly series analyzing threat news, trends, and research from the previous month. Don’t miss the next BDTD release, subscribe to the Business Insights blog, and follow us on Twitter. You can find all previous debriefs here.

Bitdefender provides cybersecurity solutions and advanced threat protection to hundreds of millions of endpoints worldwide. More than 180 technology brands have licensed and added Bitdefender technology to their product or service offerings. This vast OEM ecosystem complements telemetry data already collected from our business and consumer solutions. To give you some idea of the scale, Bitdefender Labs discovers 400+ new threats each minute and validates 30 billion threat queries daily. This gives us one of the industry’s most extensive real-time views of the evolving threat landscape.

We would like to thank Bitdefenders Stefan Hanu, Mihai Leonte, Gabriel Macovei, Andrei Mogage, and Nikki Salas for their help putting this report together.