Arete, a leader in intelligence-led ransomware and extortion response and cyber risk management, released its Q1 2026 Crimeware Report, highlighting key threat groups, attack vectors, trends in ransom demands and payments, and the evolving role of AI in cyberattacks. Arete’s global teams collect and analyze hundreds of data points across thousands of engagements to provide actionable intelligence to insurance carriers, brokers, law firms, financial institutions, and insured organizations.

Key findings within the report: 

• The Akira and Qilin ransomware groups accounted for almost a third of all ransomware and extortion incidents in Q1 2026, although this was a decline from the second half of 2025.

• The median ransom demand in Q1 was lower than in 2025, but the median payment increased, which can be partially attributed to the larger volume of Akira attacks observed. 

• Threat actors continued to adapt and refine social engineering tactics in an ongoing shift toward identity-driven compromise techniques over traditional credential theft.

• The role of AI in the cyber threat landscape is expanding, and threat actors notably leveraged AI tools to accelerate analysis of exfiltrated data in Q1.

"As AI becomes increasingly integrated into technology and business, it is also playing an expanding role in the cyber threat landscape as threat actors leverage AI tools to enhance data analysis, social engineering, and ransom strategies,” said Chris Martenson, Arete’s Chief Data Officer. “This underscores the need for an evolving, data-driven approach to cyber resilience and ransomware and extortion response," Martenson added.

Arete is committed to helping our partners and clients stay ahead of evolving cyber threats with standardized, intelligence-led detection, response, resolution, and resilience capabilities.

Download Arete’s Q1 2026 Crimeware Report.