Ransomware groups grow revenue by almost 40% in Q1 2026
Initial Access Brokers are removing a major pain point
- Ransomware revenue rose nearly 40% year-on-year
- Groups leverage dark web access brokers
- Criminal operations show surprising resilience
In the first quarter of the year, ransomware groups increased their revenue by almost 40%, compared to the same period last year. This is according to a new report from cybersecurity researchers Rapid7, who said the increase is partly due to a maturing cybercriminal industry.
Rapid7 based its findings on its research telemetry, which showed that ransomware groups made an estimated $529.2 million in Q1 2026. Rapid7 said the Qilin ransomware group made an estimated $193 million between July 2025 and March 2026, while the Gentleman ransomware group made an estimated $52 million over the same period.
Compared to Q1 2025, the quarterly total is a 39% increase, partly due to ransomware operators having an easier time accessing their targets’ infrastructure.
Resilient operations
“The revenue growth reflects the rise of initial access brokers, which has shifted cybercrime from technically specialised malware development to a mature underground marketplace where access, tooling, and full attack services are now commercially available to almost anyone,” Rapid7 said in a press release shared with TechRadar Pro.
In other words, instead of working to break into their targets’ networks, ransomware groups just buy access on a dark web marketplace from someone who’s already done the heavy lifting for them.
Rapid7 also compares ransomware operators to legitimate businesses, saying that no FTSE 350 organization achieved the same results (which makes sense; otherwise, criminals would do legitimate business instead). However, the researchers hinted that legitimate businesses have a lot to learn from ransomware groups, specifically in business resilience:
“The problem is they are demonstrating, very publicly, that ransomware can be a successful criminal enterprise, and ironically, in some ways, they’re more resilient than businesses themselves,” said Thom Langford, CTO EMEA at Rapid7. “Removing one group, one server, or one piece of infrastructure rarely collapses the wider operation because the ecosystem is designed to keep functioning around the damage.”
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.