Cybersecurity
Google Chrome Update Fixes 28 Security Vulnerabilities
Estimated Reading Time: 2 minutes
Key Takeaways
- Google’s latest update patches 28 security vulnerabilities in Chrome, including critical bugs.
- Vulnerabilities may allow remote code execution via malicious websites.
- The update affects users on Windows, macOS, and Linux systems.
- Critical vulnerabilities were identified, highlighting the importance of timely updates.
Background
Browser security is paramount given the prevalence of online threats. Google’s latest update addresses vulnerabilities that could allow attackers to execute arbitrary code on users’ devices simply by enticing them to visit malicious websites. Multiple flaws are classified as critical, which makes it urgent for users to apply the latest update to their browsers.
Key Details
The new Chrome update, moving to version 149.0.7827.114/.115 for Windows and macOS and 149.0.7827.114 for Linux, includes several critical security fixes. Of the 28 vulnerabilities patched, many are categorized as critical, primarily due to memory corruption issues that could lead to full system compromise (Cybersecurity News).
Highlights of the vulnerabilities:
- Use-after-free vulnerabilities were discovered in core components, including DigitalCredentials and WebMIDI, assigned CVEs such as CVE-2026-12007 and CVE-2026-12008.
- A heap buffer overflow in the GPU component (CVE-2026-12010) and insufficient validation of untrusted input in Accessibility (CVE-2026-12009) are also notable flaws.
- Exploiting these issues could allow attackers to run arbitrary code and potentially escape the browser’s sandbox, giving them control of the underlying system.
The update is being gradually rolled out, with full deployment expected over days to weeks. Users can manually check for updates via Chrome’s settings to receive the new version immediately.
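Because the rollout is gradual, a fleet check against the fixed build is useful in the meantime. The following is an added example, not code from Google or the original article; the hostnames, reported version strings and function names are constructed for illustration.

```python
import re

# Fixed build named in the article (Windows and macOS may also report .115).
FIXED_BUILD = (149, 0, 7827, 114)

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_chrome_version(text):
    """Extract a 4-part Chrome version from text such as the output of
    `google-chrome --version`; return a tuple of ints, or None."""
    m = VERSION_RE.search(text or "")
    return tuple(int(p) for p in m.groups()) if m else None


def is_patched(text):
    """True/False for a parsable version, None when it cannot be parsed."""
    version = parse_chrome_version(text)
    if version is None:
        return None
    # Tuple comparison is numeric per component; comparing the raw strings
    # would wrongly rank "149.0.7827.99" above "149.0.7827.114".
    return version >= FIXED_BUILD


def audit(inventory):
    """Split hosts into patched, outdated and unknown lists."""
    report = {"patched": [], "outdated": [], "unknown": []}
    for host, reported in inventory.items():
        state = is_patched(reported)
        key = "unknown" if state is None else ("patched" if state else "outdated")
        report[key].append(host)
    return report


# Constructed sample inventory (hostnames and version strings are made up).
SAMPLE_INVENTORY = {
    "win-fin-01": "Google Chrome 149.0.7827.115",
    "mac-dev-07": "Google Chrome 149.0.7827.114",
    "lnx-ops-03": "Google Chrome 149.0.7827.99",
    "win-hr-12": "Google Chrome 148.0.7778.97 ",
    "kiosk-02": "version unavailable",
}

if __name__ == "__main__":
    for state, hosts in audit(SAMPLE_INVENTORY).items():
        print(f"{state}: {', '.join(hosts) or '-'}")
```

Hosts in the unknown list deserve the same follow-up as outdated ones, since an unreadable version is not evidence of a patched browser.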
Impact
All Chrome users on Windows, macOS, and Linux who are running a version prior to this update are at risk. This includes sectors that rely heavily on Chrome, such as government agencies, enterprises, and small to medium-sized businesses, particularly in India where Chrome remains a dominant browser on both desktop and mobile platforms.
The exploitation of these vulnerabilities could result in significant impacts, including unauthorized program installations, data manipulation, or even the creation of new user accounts with full rights if the targeted user has administrative access. These scenarios underscore the urgency for all users to update their browsers to mitigate risks.
India Relevance
India has a substantial user base for Chrome, particularly among Android users and in various enterprises and government sectors where Chrome is the standard browser. As such, any vulnerabilities identified in the global version directly affect Indian users and organizations, increasing their risk of encountering drive-by attacks via compromised websites. Similar to how advisories are issued in other regions, Indian organizations can expect relevant alerts urging immediate updates based on this release.
What’s Next
Google’s latest Chrome update serves as a crucial reminder of the importance of maintaining browsers and applications at their latest versions to defend against security vulnerabilities. Users and organizations are encouraged to prioritize browser updates and ensure ongoing monitoring for unusual activities within their systems. This release highlights the necessity of a proactive approach to cybersecurity, especially in an increasingly digital landscape.
FAQ
What vulnerabilities are being patched in the latest Chrome update?
The latest update patches a total of 28 vulnerabilities, including critical ones that allow for remote code execution and various memory corruption issues.
How can users ensure they have the latest version of Chrome?
Users can manually check for updates via Chrome’s settings to ensure they receive the newest version, which is being gradually rolled out.
Why is it important to update the browser frequently?
Frequent updates help protect against new vulnerabilities and security threats, ensuring a safer browsing experience for all users.
Cybersecurity
Ransomware-as-a-Service Trends Show Consolidation in 2026
Ransomware-as-a-Service Ecosystem Reconsolidates Around LockBit, Qilin, and The Gentlemen
Estimated Reading Time: 4 minutes
Key Takeaways
- Ransomware groups are consolidating, with the top 10 accounting for 71% of all victims in Q1 2026.
- Qilin, The Gentlemen, and LockBit are among the leading RaaS operators, demonstrating growth in victim counts.
- The Gentlemen has integrated advanced technologies, enhancing the effectiveness of their attacks.
- India is becoming a notable target, reflecting a broader trend in vulnerability across various sectors.
Main Content
Context
In recent years, the ransomware landscape has experienced fluctuations, transitioning from a fragmented environment with numerous small gangs to a consolidated structure where several key players control a large share of the victims. Recent research by Check Point indicates that the top 10 ransomware groups accounted for a striking 71% of all victims in the first quarter of 2026, an increase from 57% just a few months prior (Q3 2025) when there were 85 active groups. The consolidation indicates a concerning trend in the ransomware industry, where a few organized entities dominate the landscape, effectively amplifying their impact on global cybersecurity.
Victim Statistics and Group Activity
In Q1 2026, the total number of ransomware victims reached 2,122, marking the second-highest Q1 on record and reflecting a 117% increase from the previous year. Notably, groups such as Qilin, Akira, and The Gentlemen collectively were responsible for 41% of all victims (source).
- Qilin established itself as the leading ransomware operation, claiming 338 victims in Q1 2026.
- Following closely, The Gentlemen emerged as a significant new player with 166 victims, marking a substantial increase from 40 victims in Q4 2025.
- LockBit, despite law enforcement pressure, rebounded to secure 163 victims, once again placing it among the top contenders.
Notably, the decline in the total number of active ransomware groups—from 85 to 71—does not correlate with a decrease in attacks, suggesting that the remaining groups are not only maintaining their volume but increasing their efficiency and reach.
Emergence of New RaaS Brands
The recent surge of RaaS brands indicates that pressure on established groups like LockBit has not diminished the overall threat. Instead, experienced operators have founded new groups, such as Hyflock, which launched in May 2026, and The Gentlemen, the latter evolving from previous connections with Qilin and LockBit to become independent but equally formidable. Hyflock’s rapid recruitment drive is noteworthy, emphasizing the collaborative nature of this criminal ecosystem where knowledge and resources are often shared.
Technical Innovations
The Gentlemen has incorporated advanced technical features into its operations, such as AI-assisted capabilities and worm-like propagation methods, which significantly enhance the speed and destructiveness of its ransomware attacks (source). This evolution indicates an increasingly sophisticated approach to cybercrime tactics, equipping these groups with tools that allow them to strike faster and with greater impact.
Impact on Various Stakeholders
The resurgence of powerful ransomware groups has far-reaching implications for various sectors worldwide:
- Global Organizations: Businesses across numerous sectors, including healthcare, IT, manufacturing, and critical infrastructure, are particularly vulnerable to attacks orchestrated by these groups. The concentration of assaults among a few dominant players suggests that a breach in one organization could potentially lead to cascading impacts across international networks.
- India’s Role: Notably, India has emerged as a significant target, accounting for approximately 3.9% of The Gentlemen’s total victim count. This highlights a concerning trend for Indian organizations, particularly those in IT and critical services, which could serve as gateways for attacks on multinational clients (source). The threat persists as organizations may face heightened risks amid this consolidating RaaS environment.
What’s Next
- The continued concentration of ransomware operations suggests that disruptions, while impactful, may not significantly diminish overall ransomware activity. Instead, rapid reorganization under new banners is likely.
- As more sophisticated tooling, like AI-assisted ransomware variants, evolves, organizations worldwide will need to bolster their cybersecurity defenses to combat increasingly complex threats.
- Law enforcement and cybersecurity entities must adapt their strategies to effectively address the challenges posed by a mature and professionalized ransomware economy, emphasizing collaborative international efforts to disrupt these networks.
In summary, the ongoing reconsolidation of the ransomware sector exemplifies the need for adaptive measures in cybersecurity as dominant players reshape the landscape. The implications are profound, not only for individual companies but for global cybersecurity as a whole.
FAQ Section
What is Ransomware-as-a-Service (RaaS)?
Ransomware-as-a-Service (RaaS) is a business model that allows cybercriminals to rent or buy ransomware tools to launch attacks against targets, typically involving a profit-sharing arrangement with the ransomware developer.
Why are ransomware groups consolidating?
Ransomware groups are consolidating to strengthen their operational capabilities, increase efficiency, reduce competition, and enhance their ability to carry out attacks while maximizing profits.
What impacts does this have on cybersecurity?
The consolidation of ransomware groups leads to more sophisticated and organized cybercriminal operations, making it harder for cybersecurity measures to keep up, thereby increasing risks for organizations worldwide.
Cybersecurity
Critical XSS Vulnerability Found in WordPress Bookly Plugin
High-Severity XSS Vulnerability Discovered in WordPress Bookly Plugin
Estimated Reading Time: 4 minutes
Key Takeaways
- High-severity vulnerability: CVE-2026-5513 affects Bookly versions up to 27.2.
- Unauthenticated exploitation: Attackers can execute stored XSS attacks without needing credentials.
- Immediate risk mitigation: Disable the “Remember personal information in cookies” setting.
- Urgent updates: Update to the latest version once available to secure your site.
- Widespread impact: This vulnerability puts a range of businesses at risk, particularly in sectors reliant on appointment systems.
Context / Background
CVE-2026-5513 is categorized as a high-severity vulnerability that may lead to severe consequences for affected WordPress sites. Specifically, it stems from insufficient input sanitization and output escaping of data derived from the bookly-customer-full-name cookie. Attackers can inject persistent malicious JavaScript, which is executed in the browsers of users visiting the compromised pages.
Key Details
The vulnerability is notable for several reasons:
- Affected Product: The vulnerability resides in the Bookly WordPress plugin versions up to 27.2.
- Vulnerability Type: Classified as an unauthenticated stored XSS flaw (CWE-79).
- Attack Vector: Occurs when the Bookly plugin’s configuration “Remember personal information in cookies” is enabled.
- Conditions for Exploitation: The affected site must be running a vulnerable version of Bookly with the aforementioned setting enabled.
Impact
The implications of CVE-2026-5513 are significant, particularly considering the nature of the data handled through Bookly:
- Risk to Businesses: Exposure of customer data can severely impact operations and user trust.
- Unauthenticated Exploitation: Allows attackers to operate without needing credentials.
- Administrative Access: Attackers could hijack accounts and compromise site functionality if accessed by admin users.
What’s Next
Site administrators using the Bookly plugin are advised to take immediate action:
- Update Bookly: Users should update to the latest patched version of the plugin as soon as it becomes available.
- Review Settings: Temporarily disable the “Remember personal information in cookies” setting.
- Monitor Site Activity: Stay vigilant for unauthorized access or changes within WordPress environments.
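To support the monitoring step, the following added example (not Bookly's code and not from the original article) checks Cookie headers for a bookly-customer-full-name value that carries markup and shows the value after HTML output escaping. It assumes raw Cookie headers are available from a proxy or WAF log; the function names and sample headers are constructed.

```python
import html
import re
from urllib.parse import unquote

COOKIE_NAME = "bookly-customer-full-name"  # cookie named in the article

# Markup characters and handler/URL patterns that a personal name never needs.
# The apostrophe is left out so names like O'Brien are not flagged; it is
# still neutralised by the escaping step below.
SUSPICIOUS = re.compile(r'[<>"`]|javascript:|\bon\w+\s*=', re.IGNORECASE)


def cookie_value(header, name=COOKIE_NAME):
    """Return the URL-decoded value of `name` from a Cookie header, or None."""
    for part in header.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep and key == name:
            # Decode twice so double-encoded markup (%253C) is also seen.
            return unquote(unquote(value))
    return None


def check_header(header):
    """Return (verdict, escaped_value) for one Cookie header."""
    value = cookie_value(header)
    if value is None:
        return ("absent", None)
    verdict = "suspicious" if SUSPICIOUS.search(value) else "ok"
    # html.escape shows the value as it should look after output escaping.
    return (verdict, html.escape(value, quote=True))


def flag_requests(headers):
    """Indexes of headers whose Bookly name cookie carries markup."""
    return [i for i, h in enumerate(headers) if check_header(h)[0] == "suspicious"]


# Constructed Cookie headers for illustration; none come from real traffic.
SAMPLE_HEADERS = [
    "wp-settings-1=x; bookly-customer-full-name=Asha%20Rao",
    "bookly-customer-full-name=Sean%20O'Brien",
    "bookly-customer-full-name=%3Cb%3Etest%3C%2Fb%3E",
    "bookly-customer-full-name=%253Cb%253Etest",
    "PHPSESSID=abc123",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(check_header(header))
```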
FAQ Section
What is CVE-2026-5513?
CVE-2026-5513 is a high-severity XSS vulnerability affecting the Bookly WordPress plugin, allowing unauthenticated attackers to execute malicious scripts.
How can I protect my site from this vulnerability?
Update to the latest version of the Bookly plugin and disable the “Remember personal information in cookies” feature to mitigate risk.
What types of attacks can occur due to this vulnerability?
Attackers can hijack accounts, steal sensitive data, and compromise site functionality.
Cybersecurity
Critical Zero-Day Vulnerability Discovered in Palo Alto Networks Firewalls
Estimated Reading Time: 3 minutes
Key Takeaways
- Critical zero-day vulnerability (CVE-2026-0300) identified in Palo Alto Networks’ PAN-OS.
- Flaw allows unauthenticated attackers to execute commands as root.
- Active exploitation is ongoing, particularly targeting internet-exposed portals.
- Security fixes will be released between May 13 and May 28, 2026.
- Organizations should restrict access to vulnerable components immediately.
Context / Background
Palo Alto Networks has announced a critical zero-day vulnerability affecting its PAN-OS firewalls, which allows unauthenticated attackers to execute arbitrary commands as the root user on vulnerable devices. This major security flaw is already being actively exploited in the wild.
Details of the Vulnerability
The vulnerability stems from a buffer overflow flaw in the User-ID Authentication Portal component of PAN-OS, the operating system used on Palo Alto Networks’ PA-Series and VM-Series firewalls. This flaw permits remote, unauthenticated attackers to send specially crafted packets that enable remote code execution (RCE) with root privileges.
Key Details
On May 5, 2026, Palo Alto Networks internally identified the zero-day and publicly disclosed it the following day, recognizing limited exploitation at the time. By May 6, 2026, the company released a full security advisory detailing the buffer overflow vulnerability and outlining affected PAN-OS versions.
The vulnerability has a critical CVSS v4 score of 9.3, reflecting its severe impact. Additionally, shortly after the announcement, a public proof-of-concept (PoC) exploit was released, further amplifying the risks associated with this vulnerability.
Affected Devices
As specified in the advisory, only PA-Series hardware firewalls and VM-Series virtual firewalls are affected if they have the User-ID Authentication Portal enabled and susceptible configurations in place. Specifically, these devices must have an interface management profile with “response pages” enabled attached to an L3 interface that can receive untrusted or internet traffic. Affected PAN-OS versions include various releases across branches 10.2, 11.1, 11.2, and 12.1.
Impact
The implications of this zero-day vulnerability are significant for any organization using vulnerable Palo Alto firewalls, particularly those with publicly exposed User-ID portals. If compromised, attackers could gain complete control over the firewalls, manipulate security rules, and execute lateral movement within networks.
The attack requires no user interaction or valid credentials, posing a risk to a wide array of organizations, from large enterprises and service providers to government institutions.
In the context of India, where Palo Alto Networks’ firewalls are widely deployed in sectors such as banking, telecommunications, and government agencies, the potential for devastating breaches is pronounced. The recent disclosure points to possible exploitation by state-sponsored actors, escalating national security concerns, especially given the ongoing geopolitical tensions.
What’s Next
Palo Alto Networks has announced that security fixes for the vulnerability will be rolled out in stages between May 13 and May 28, 2026. Organizations are urged to monitor for updates and apply patches as soon as they are available to mitigate the risks associated with this critical vulnerability.
Furthermore, it is advisable to review the configurations of firewalls and restrict access to the User-ID Authentication Portal to trusted internal IPs or disable it entirely where feasible, ensuring that these systems remain safe from potential exploitation.
Organizations must remain vigilant and prepare for the possibility of mass exploitation, especially given the combination of rapid weaponization and publicly available exploit code.
FAQ
What is the CVE number for this vulnerability?
The CVE number for this vulnerability is CVE-2026-0300.
How can organizations protect themselves?
Organizations should apply security patches as soon as they are available and restrict access to the User-ID Authentication Portal.
When will security fixes be available?
Security fixes will be rolled out in stages between May 13 and May 28, 2026.
