Intel Node
IT threat evolution in Q1 2026. Non-mobile statistics
The report presents key trends and statistics on malware that targeted personal computers running Windows and macOS, as well as Internet of Things (IoT) devices, during Q1 2026.
The statistics in this report are based on detection verdicts returned by Kaspersky products unless otherwise stated. The information was provided by Kaspersky users who consented to sharing statistical data.

Quarterly figures

In Q1 2026:

Kaspersky products blocked more than 343 million attacks that originated with various online resources.
Web Anti-Virus responded to 50 million unique links.
File Anti-Virus blocked nearly 15 million malicious and potentially unwanted objects.
2938 new ransomware variants were detected.
More than 77,000 users experienced ransomware attacks.
14% of all ransomware victims whose data was published on threat actors’ data leak sites (DLS) were victims of Clop.
More than 260,000 users were targeted by miners.

Ransomware

Quarterly trends and highlights

Law enforcement success

In January 2026, it was reported that the FBI had seized the domains of the RAMP cybercrime forum, a major platform used extensively by ransomware developers to advertise their RaaS programs and to recruit affiliates. There has been no official statement from the FBI, nor is it clear if RAMP servers were seized.
In a post on an external website, a RAMP moderator mentioned law enforcement agencies gaining control over the forum. The takedown disrupted a key element of the RaaS ecosystem, creating ripple effects for ransomware operators, affiliates, and initial access brokers.

A man suspected of links to the Phobos group was apprehended in Poland. He was charged with the creation, acquisition, and distribution of software designed for unlawfully obtaining information, including data that facilitates unauthorized access to information stored within a computer system.
In March, a Phobos ransomware administrator pleaded guilty to the creation and distribution of the Trojan, which had been used in international attacks dating back to at least November 2020.

In March, the U.S. Department of Justice charged a man who had acted as a negotiator for ransomware groups. The company he worked for specializes in cyberincident investigations. The prosecution alleges the suspect colluded with the BlackCat threat actor to share privileged insights into the ongoing progress of negotiations.
Additionally, the suspect is alleged to have had a prior direct role in BlackCat attacks, serving as an affiliate for the RaaS operation.

In a separate development this March, a U.S. court sentenced an initial access broker associated with the Yanluowang ransomware group to 81 months of imprisonment. According to the U.S. Department of Justice, the convict facilitated dozens of ransomware attacks across the United States, resulting in over $9 million in actual loss and more than $24 million in intended loss.