Ransomware Claims Hit Near-Record Highs as Organizations Struggle With AI Governance
Ransomware attacks posted to leak sites reached 2,405 victims in the first quarter of 2026, according to Travelers' Q1 2026 Cyber Threat Report. While this represents a 2% decline from the previous quarter's all-time high, it signals that elevated attack volume has become the baseline rather than a temporary spike. Ransomware claims have increased 80% since 2022.
Threat Landscape Fragments Across 84 Groups
The number of active ransomware groups hit a five-year high in Q1 2026. Eighty-four distinct groups operated during the quarter, up from 70 a year earlier and 63 in the previous quarter. Nineteen new groups appeared on leak sites for the first time, while 20 established groups went inactive.
This fragmentation matters for risk assessment. A distributed attack ecosystem means disrupting a single dominant operator has less overall impact. The report notes that overall ransomware activity has tripled since 2022 when measured across leak site data.
Qilin remained the most prolific operator, posting 414 victims in Q1 2026. A newer group called "Gentlemen," which first appeared on leak sites in September 2025, posted 207 victims in the quarter - the second-highest total. This group targeted financial services firms, hospitals, government agencies, and IT providers across Thailand, the United States, France, Brazil, and Turkey.
Internal AI Deployment Creates Uncontrolled Risk
Organizations face a more immediate threat from unmanaged internal AI use than from AI-enabled attacks. At least 43% of U.S. workers now use AI on the job - a faster adoption rate than personal computers or the internet achieved at comparable commercial stages.
The report identifies three problematic deployment patterns. Some organizations restrict AI use, pushing employees to use tools on personal devices outside company networks with no visibility into data sharing. Others allow broad, ungoverned adoption that creates unpredictable interactions among overlapping tools. Even controlled rollouts produce unintended consequences when employees experiment with AI agents without adequate oversight.
Travelers recommends establishing formal AI governance before expanding use. Organizations should designate at least one individual or committee accountable for AI decisions, document acceptable use policies, require mandatory training for employees using generative AI tools, and implement human review for high-risk AI-assisted decisions.
The report also recommends integrating AI-specific risk criteria into third-party software procurement and conducting privacy impact assessments on AI tools already deployed.
Social Engineering Tactics Grow More Sophisticated
Social engineering and business email compromise account for 40% to 50% of all cyber claims at Travelers. Claim severity in these categories has increased more than 30% since 2023.
Attackers are combining tactics in new ways. The report details a pattern called "mail bomb + ClickFix," in which attackers flood a victim's inbox with thousands of junk messages to create confusion, then contact the victim posing as IT support. They walk the victim through pasting a malicious command into the Windows Run dialog, PowerShell, or a terminal - a sequence designed to feel like a legitimate help desk interaction.
This approach bypasses conventional phishing awareness training because it avoids suspicious links or urgent password-reset requests. The report identifies procedural controls as the most reliable defense: verify inbound IT support contacts through independently sourced channels and treat any instruction to paste commands into a system terminal as a red flag.
For insurance professionals managing cyber claims and risk, understanding these governance gaps and attack patterns is essential to underwriting decisions and claims management. AI learning resources for cybersecurity analysts can help teams stay current on threat detection and risk monitoring approaches.
Your membership also unlocks:
