# Ransomware reconsolidates around Qilin and 'The Gentlemen' as healthcare takes the hits
> After two years of fragmentation, the top 10 crews drive 71% of victims; a Qilin-defector brand scales faster than any on record

**Meta:** type: story · date: 2026-06-23 · heads: O que quebrou, Como a vida muda · 12 takes · 4 lenses · 6 regions

## Summary

[Ransomware](/pt/entity/ransomware) reconsolidated in Q1 2026, reversing two years of fragmentation: the top
10 crews now drive 71.1% of victims (highest since Q1 2024) as active groups fell from
85 to 71. Qilin led with 338 victims; the breakout was "The Gentlemen" (tracked as
LARVA-368 / "hastalamuerte"), a [Russian](/pt/entity/russia)-speaking brand spun out of Qilin
after a July 2025 payment dispute, which has hit nearly 300 victims across 66 countries.
Healthcare attacks rose ~10% year-on-year, with named hits on hospitals and clinics
across Switzerland, India and the US. The surge runs in parallel with takedowns like
[Operation Endgame](/pt/n/operation-endgame-stealc-amadey-2026), disruption and growth at once.

## By the numbers

- 71.1%, share of victims claimed by the top 10 groups in Q1 2026.
- 338, Qilin victims in Q1 2026, its third straight quarter on top.
- ~300, The Gentlemen victims across 66 countries since mid-2025.
- 85 → 71, drop in active groups; 21 new entrants, mostly under 10 victims.
- ~10%, year-on-year rise in healthcare-sector ransomware attacks.

## Why it matters

Consolidation concentrates extortion in fewer, better-resourced [crypto](/pt/entity/crypto-laundering)-
funded crews that are harder to disrupt and quicker to rebrand after a defection. The
healthcare tilt turns IT extortion into patient-safety risk, the front line where
ransomware now most visibly changes lives.

## What to watch

- Whether takedowns push affiliates into new spin-off brands again.
- Healthcare and critical-infrastructure victim counts through H2 2026.
- Laundering routes after [Garantex/Grinex](/pt/n/garantex-grinex-crypto-sanctions-2026).

## Regional takes (batched by bias / lens)

### ransomware-research
- **Halcyon** (United States, en) — Profiles 'The Gentlemen' (LARVA-368 / 'hastalamuerte'), a Russian-speaking crew that split from Qilin over a July 2025 payment dispute and has claimed nearly 300 victims across 66 countries, scaling faster than any group on record.
  > "The Gentlemen have claimed nearly 300 victims across 66 countries, scaling faster than any group on record."
  Source: https://www.halcyon.ai/ransomware-research-reports/threat-assessment-the-gentlemen-ransomware-group

### OT/ICS security
- **Industrial Cyber** (Global, en) — Documents the structural reversal: the top 10 groups now drive 71.1% of victims, the highest concentration since Q1 2024, as active groups fell from 85 to 71 and 21 new entrants mostly failed to gain scale.
  > "The top 10 groups now account for 71.1% of all victims, the highest concentration since early 2024."
  Source: https://industrialcyber.co/ransomware/ransomware-sector-reconsolidating-as-qilin-lockbit-and-the-gentlemen-expand-influence-in-q1-2026/

### threat-intelligence
- **Group-IB** (Singapore, en) — Technical breakdown of The Gentlemen's tactics and the 'hastalamuerte' operator's lineage from the Qilin affiliate crew ArmCorp, illustrating how shared TTPs transcend group branding after a defection.
  > "Hastalamuerte ran the ArmCorp crew inside Qilin before launching The Gentlemen independently."
  Source: https://www.group-ib.com/blog/hastalamuerte-gentlemen-raas-ttps/

### unlabelled
- **National Law Review** (United States, en) — 
  Source: https://natlawreview.com/article/ransomware-attacks-keep-climbing
- **Dark Reading** (United States, en) — 
  Source: https://www.darkreading.com/threat-intelligence/gentlemen-rapidly-rise-ransomware
- **The Record (Recorded Future)** (United States, en) — 
  Source: https://therecord.media/ransomware-gang-takedown-proliferation
- **BlackFog** (United States, en) — 
  Source: https://www.blackfog.com/the-state-of-ransomware-2026/
- **Ransomware.live** (France, en) — 
  Source: https://www.ransomware.live/
- **Industrial Cyber (May tracker)** (Global, en) — 
  Source: https://industrialcyber.co/ransomware/global-ransomware-activity-rises-modestly-in-may-as-qilin-the-gentlemen-and-dragonforce-lead-attacks/
- **SOCRadar** (Turkey, en) — 
  Source: https://socradar.io/blog/top-10-ransomware-groups-2025/
- **Rescana** (Israel, en) — 
  Source: https://www.rescana.com/post/covenant-health-qilin-ransomware-breach-technical-analysis-of-2025-attack-impacting-478-188-patient/
- **TRM Labs** (United States, en) — 
  Source: https://www.trmlabs.com/resources/blog/new-disruption-opportunities-in-the-evolving-ransomware-ecosystem

## Across the graph
- Related: [[operation-endgame-stealc-amadey-2026]], [[garantex-grinex-crypto-sanctions-2026]], [[north-korea-crypto-theft-it-workers-2026]]
- Entities: Ransomware, Crypto Laundering, Russia, United States

---
Canonical: https://rbtfl.xyz/pt/n/ransomware-surge-fragmentation-2026