The ransomware groups targeting healthcare in 2026 are more capable than the ones that dominated breach data two years ago, and understanding why requires going back to how the law enforcement disruptions of 2024 and 2025 actually played out. When LockBit, ALPHV, and RansomHub were taken down in succession, the expectation was that the ransomware problem would shrink. It did not. The affiliates who had been running attacks through those platforms migrated to whichever surviving operations offered the best infrastructure, bringing their established network access and refined techniques with them. When RansomHub went dark in April 2025, the MS-ISAC tracked the immediate consequence, with Qilin's share of reported government sector ransomware incidents nearly tripling in a single quarter as former RansomHub affiliates moved across. The disruptions had concentrated the threat rather than reduced it, and the data shows that outcome. The Verizon 2026 Data Breach Investigations Report, which analyzed over 22,000 security incidents, found ransomware present in 48% of all confirmed breaches, the highest proportion in its 19-year history, and the FBI's 2025 Internet Crime Report confirmed healthcare as the most targeted critical infrastructure sector for the second consecutive year.


What the consolidation means in practice

For healthcare organizations, the practical consequence of that concentration is that the groups now running campaigns against the sector are more organized, more resilient, and harder to disrupt than the fragmented collection of smaller operators that preceded them.

Qilin has become the most prominent example, absorbing waves of displaced affiliates from multiple disrupted platforms over three consecutive years and running campaigns at a volume that smaller operators from the fragmented period could not sustain. Healthcare has been consistently among its most targeted sectors across multiple quarters. Medusa has followed a similar path, repeatedly hitting US healthcare facilities and municipal governments through early 2026, driven by the same dynamic of experienced operators finding new homes on surviving platforms after disruptions elsewhere. The joint FBI, CISA, HHS, and MS-ISAC advisory on Interlock ransomware described the broader pattern directly, noting that the criminal market was absorbing displaced affiliates following major platform disruptions, and the growth of both Qilin and Medusa across healthcare is exactly what that absorption looks like in practice.


The other groups behind Q1 2026

The Gentlemen reached third place globally in Q1 2026 despite not having existed as a recognized criminal operation before August 2025. Its founder, a former affiliate who left a larger platform after a financial dispute, launched the new operation with a stockpile of previously compromised network devices he took with him. Healthcare incidents across the quarter included confirmed attacks on hospitals in New Zealand, Brazil, and Puerto Rico, with the geographic distribution following where the founder's pre-existing access happened to be located rather than any deliberate targeting strategy.

LockBit returned to meaningful activity after the disruption it experienced from Operation Cronos in early 2024, directing a smaller proportion of attacks at US targets than it had historically. Anubis targeted healthcare at more than twice the baseline rate of most ransomware groups across the quarter. Cl0p took a different approach entirely, exploiting a vulnerability in Oracle's enterprise business software to conduct pure data theft across more than 100 victims rather than deploying encryption, with the sector distribution determined by which organizations happened to use the affected software rather than any deliberate targeting decision.


Why size and profile no longer reliably predict risk

The most practically useful observation from the 2026 data is that which organizations get hit depends on where attackers already hold access, not on where they would strategically prefer to strike. The Gentlemen's victim concentration in Thailand, Brazil, and India follows the geographic footprint of its founder's pre-existing access cache, not a considered choice about which countries deserved attention. Cl0p's victims skewed toward Canada and Australia because of where the affected software was most heavily deployed, and the joint CISA, FBI, and MS-ISAC StopRansomware advisory series consistently identifies exposed and unpatched internet-facing infrastructure as the primary entry condition determining which organizations end up in criminal access inventories.

A regional hospital with an unpatched remote access appliance, a specialty clinic with a credential sold by an initial access broker months earlier, or a small practice with a vulnerable internet-facing device may already appear in a ransomware group's access inventory without any way to know it. HHS's 405(d) program and the Health Sector Cybersecurity Coordination Center have both stressed exposure-driven risk as the central concern for healthcare organizations heading into 2026, with HC3 threat briefings repeatedly identifying compromised credentials and unpatched public-facing applications as the dominant initial access routes across documented healthcare breaches.


Where healthcare can actually intervene

Phishing remains the most consistently documented way those initial gaps get created across Qilin, LockBit, and Medusa operations, which makes the inbound email layer one of the few practical points at which a healthcare organization can intervene before a credential ever enters the criminal market. Paubox's 2025 Healthcare Email Security Report puts the employee reporting rate at just 5% of known phishing attacks in healthcare, meaning the emails establishing initial access for these groups go undetected by staff in the overwhelming majority of cases. Paubox's 2026 Healthcare Email Security Report tracked a 47% increase in attacks evading native email defenses in 2025, which indicates that the default filtering in Microsoft 365 and Google Workspace is not catching what it needs to catch.

Pre-delivery filtering closes that gap by removing phishing attempts before clinical or administrative staff encounter them, which is why Paubox Inbound Email Security uses AI to analyze sender behavior, message intent, and contextual signals across every inbound message rather than relying on signature-based rules that modern phishing campaigns are explicitly designed to bypass.

Learn more: Paubox Inbound Email Security


FAQs

What does ransomware consolidation mean for healthcare?

Fewer groups now control more of the attacks, and the ones gaining ground are better resourced than the smaller operators they replaced, which makes them harder to disrupt and more capable of sustained campaigns against healthcare.


How did The Gentlemen grow so quickly?

Its founder left a larger platform with pre-existing access to thousands of already-compromised devices, which meant the new operation could run attacks at scale immediately rather than spending months building infrastructure.


Does size or profile still predict whether an organization will be targeted?

Many groups now select victims based on which organizations they already have access to, which means exposure matters more than prominence, and smaller healthcare organizations are not below the threshold of attack just because they assume they are.


What can a healthcare organization realistically do about this?

Close the most common initial access paths by filtering phishing before it reaches staff, requiring multi-factor authentication on remote access systems, and patching internet-facing systems against CISA's Known Exploited Vulnerabilities catalog.
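As an added illustration of the last item in that answer (not code from the original post or from Paubox): a small Python triage script that joins an organization's internet-facing asset inventory against a feed in the shape of CISA's KEV catalog JSON and ranks unpatched findings, putting entries CISA has flagged with known ransomware campaign use first and the most overdue next. The field names match the real KEV feed; the CVE IDs, products, hosts, and dates below are constructed placeholders.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed. Field names match the
# real catalog; the CVE IDs, vendors and products are placeholders, not real entries.
SAMPLE_KEV_JSON = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "vulnerabilities": [
    {"cveID": "CVE-0000-00001", "vendorProject": "ExampleVendor", "product": "VPN Appliance",
     "dateAdded": "2026-01-10", "dueDate": "2026-01-31", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-00002", "vendorProject": "ExampleVendor", "product": "Portal Server",
     "dateAdded": "2026-02-15", "dueDate": "2026-03-08", "knownRansomwareCampaignUse": "Unknown"}
  ]
}
"""

# Constructed inventory: internet-facing hosts and the CVEs a scanner reports as unpatched.
SAMPLE_INVENTORY = [
    {"host": "vpn.example-hospital.test", "open_cves": ["CVE-0000-00001"]},
    {"host": "portal.example-hospital.test", "open_cves": ["CVE-0000-00002", "CVE-0000-99999"]},
]

def load_kev(raw_json):
    """Index the KEV feed by CVE ID so each inventory lookup is a single dict access."""
    return {v["cveID"]: v for v in json.loads(raw_json)["vulnerabilities"]}

def prioritize(inventory, kev, today_iso):
    """Return KEV-listed unpatched findings, ransomware-linked first, then most overdue."""
    today = date.fromisoformat(today_iso)
    findings = []
    for asset in inventory:
        for cve in asset["open_cves"]:
            entry = kev.get(cve)
            if entry is None:
                continue  # not in KEV: still worth patching, but outside this triage pass
            due = date.fromisoformat(entry["dueDate"])
            findings.append({
                "host": asset["host"], "cve": cve, "product": entry["product"],
                "ransomware_use": entry["knownRansomwareCampaignUse"] == "Known",
                "overdue_days": max(0, (today - due).days),
            })
    return sorted(findings, key=lambda f: (not f["ransomware_use"], -f["overdue_days"]))

if __name__ == "__main__":
    for finding in prioritize(SAMPLE_INVENTORY, load_kev(SAMPLE_KEV_JSON), "2026-04-01"):
        print(finding)
```

Point it at the live catalog by replacing SAMPLE_KEV_JSON with the downloaded feed and SAMPLE_INVENTORY with your scanner's output; the ordering is what a patch queue for exposed systems should follow.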