In 2025, cybersecurity experts continued to track an evolving landscape of financially motivated and geopolitically aligned threat groups whose operations grew in scale, coordination, and technical sophistication. Among the most prevalent were Cl0p, known for large-scale data-extortion campaigns exploiting zero-day vulnerabilities in managed file transfer platforms, and Qilin, a ransomware-as-a-service operation that refined double-extortion and affiliate partnership models. Akira sustained pressure on enterprise networks through targeted ransomware intrusions, often leveraging compromised credentials and remote access tooling. Meanwhile, emerging collectives such as CyberVolk signalled a tighter fusion of hacktivism and state-aligned objectives, blending disruption, influence, and destructive capabilities. BQT.Lock exemplified the next wave of agile ransomware operators: smaller but highly adaptive, focusing on rapid encryption, stealthy lateral movement, and data-leak leverage. Looking ahead, we can expect these actors to accelerate supply-chain exploitation, automate intrusion workflows with AI-assisted tooling, and intensify multi-layered extortion tactics. Their continued convergence of cybercrime, espionage, and ideological operations will demand deeper intelligence sharing, resilience engineering, and proactive defence.

Cl0p

Cl0p (often styled with a zero in place of the letter "o") is a high-impact, financially motivated ransomware and extortion organisation linked to the broader Russian-speaking TA505 criminal enterprise. Originally observed in 2019, it has evolved from traditional encryption-based ransomware to a data-theft and extortion model that relies on mass exploitation of high-value vulnerabilities and publication of stolen data to pressure victims. Historically, Cl0p leveraged zero-day flaws such as those in MOVEit and other major enterprise file-transfer platforms to compromise hundreds of organisations across finance, healthcare, logistics and professional services.
Recent movements in 2026 show Cl0p continuing to exploit unpatched enterprise software vulnerabilities and listing large breaches on its dark web leak site. Notable 2025–2026 activity includes campaigns targeting Oracle E-Business Suite, with claims of multiple million-record data thefts from organisations including the University of Phoenix, and email-based extortion campaigns reportedly demanding seven- and eight-figure ransoms. Cl0p's modus operandi emphasises aggressive data exfiltration, zero-day exploitation and extortion rather than widespread file encryption, and the group's operators remain adaptive in their tactics.

Qilin

Qilin is a Russian-speaking ransomware-as-a-service (RaaS) group that surfaced around mid-2022 and has rapidly grown into one of the most active threat actors worldwide. The group recruits affiliates to deploy its ransomware tooling in exchange for a share of extortion proceeds, focusing on large enterprises and infrastructure targets. Early attacks attributed to Qilin include incidents against hospitals in London and multiple commercial and industrial entities across Asia, Europe and North America. In 2026, reports indicate Qilin remains active, with data theft and extortion campaigns affecting critical healthcare and industrial sectors. In October and November 2025, the group claimed responsibility for high-profile breaches, including attacks on a major brewery in Japan and extensive data theft in northern France, with recovery activities reported to be ongoing well into 2026. Qilin's operations typically combine affiliate deployment, data exfiltration and double-extortion tactics to maximise pressure on victims to pay.

Akira

Akira is another RaaS-based ransomware operation that emerged in March 2023 and quickly became prominent due to its high volume of attacks and significant ransom demands. The group has targeted energy firms, automotive suppliers, universities, and other high-value corporate environments.
Akira's malware supports both Windows and Linux/ESXi environments and is designed to exfiltrate sensitive data before encrypting systems, with the threat of publication if ransoms are not paid. Recent intelligence shows Akira maintaining operational momentum into 2026, frequently exploiting network perimeter and VPN vulnerabilities to gain initial access. Affiliates commonly use publicly available exploitation tools for lateral movement and data theft, and the group's strategy centres on double-extortion ransomware deployments that combine the direct operational impact of encryption with post-breach extortion.

CyberVolk

CyberVolk is a Russia-aligned hacktivist and RaaS collective that publicly emerged in mid-2024. Although not always classified strictly as a traditional ransomware organisation, it has deployed ransomware within broader hacktivist campaigns against government ministries, defence contractors and critical infrastructure across NATO, the EU and the Indo-Pacific region. Its operations blend ideological motives with financially driven extortion, using ransomware tooling distributed via underground forums. Activity attributed to CyberVolk in 2025 included over 120 claimed attacks on public-sector and infrastructure targets across multiple continents. While law enforcement actions have disrupted some of its infrastructure, the collective's ransomware-as-a-service model and hacktivist motivations suggest it will remain a notable actor in politically charged ransomware activity in 2026.

BQT.Lock

BQT.Lock (also known as BaqiyatLock) is a hybrid ransomware gang with both ideological and financial motives that gained visibility in 2025. Operating from the Middle East, its affiliates use RaaS infrastructure and encrypted communications to conduct ransomware campaigns against organisations in the US, India, Saudi Arabia, the UAE and Israel.
What distinguishes BQT.Lock from typical financially motivated groups is its reported linkage to militant organisations, blending cybercrime with geopolitical targeting. BQT.Lock's modus operandi involves credential theft, data exfiltration, and hybrid extortion models that combine ransomware encryption with ideological messaging. It uses Tor leak sites, dark web forums and cryptocurrency payments in Monero. The group's rapid growth in attack volume and the adaptability of its malware and tactics signal that it will remain relevant in 2026, particularly where geopolitical tensions intersect with cyber extortion.