Ransomware in Asia just changed shape. New research from Check Point shows the threat is no longer fragmented across dozens of small crews. Power is consolidating into a handful of elite groups, and for the first time Thailand has cracked the list of the ten most-targeted countries globally. For Malaysian organisations watching the regional picture, that is the headline number to start with.
Editor: Val
The numbers behind the trend
Check Point Research released its State of Ransomware Q1 2026 report this week, summarising activity across more than 70 active ransomware data leak sites. The top findings:
- 2,122 organisations were listed on ransomware leak sites in Q1 2026, the second-highest Q1 on record.
- The top 10 ransomware groups accounted for 71% of all victims, reversing 2025's fragmented landscape.
- Qilin remained the most active operation for a third consecutive quarter, posting 338 victims.
- LockBit returned with 163 victims after the 2024 enforcement disruption.
- A newer group, The Gentlemen, climbed from 40 victims in Q4 2025 to 166 in Q1 2026, landing third globally.
"Ransomware in 2026 is no longer a numbers game. It's a concentration and acceleration problem," said Sergey Shykevich, who leads threat intelligence at Check Point Software. "When fewer, more capable groups drive the majority of attacks, every incident carries greater operational and financial impact."
Why Thailand, and why Asia
Thailand's debut in the global top 10 is tied almost entirely to one operator. The Gentlemen group accounted for nearly 11% of Thailand-based victims in the quarter. Across the rest of its activity, the group focused heavily on the Asia-Pacific region and Latin America. Only 13% of its publicly extorted victims were US-based, against an ecosystem average closer to 50%.
Check Point's framing is that this is not a deliberate avoidance of the United States. The Gentlemen simply went where it already had a foothold, leaning on pre-positioned access (compromised network entry points it had stockpiled in advance) to launch attacks at volume. The same access-driven pattern explains the heavy hits on manufacturing, business services and healthcare in the quarter.
What this means for Malaysian organisations
Three takeaways are worth flagging for IT and security leads in Malaysia, where the report does not name local victim counts but the regional pattern is hard to ignore:
- Fewer attacks, bigger impact. Consolidation means each incident is more likely to come from a professional, resourced operation, with all the operational disruption that implies.
- Access is the new flag. Attackers go where they already have credentials or exposed VPN paths, not where the marketing wins are loudest. Identity hygiene and exposed-service audits matter more than ever.
- AI compresses the timeline. Check Point's report flags AI as a meaningful accelerator across the attacker lifecycle. The window between initial access and operational impact is shrinking.
The report does not project a 2026 victim count for Malaysia specifically, and Check Point has not released a Malaysia-specific dataset. The wider message, that Asia is firmly inside the target set and that pre-positioned access drives where attacks land, is the part Malaysian boards should take to their next risk review.