If a business analyst saw a market where three players held 34% of total volume, they’d call it mature. Consolidated. Dominant incumbents who’ve squeezed out the weaker competition and settled into their positions.
The problem here is that the incumbents are ransomware gangs.
In 2025, ransomware accounted for roughly 45% of all recorded North American cyber incidents. And within that, three groups took a disproportionate share: Qilin at around 12.4%, Akira at 11.5%, Clop at 10%. Together, one in three publicly recorded North American ransomware incidents. That’s not chaos. That’s a concentrated market.
Here’s the counterintuitive part: concentration is actually useful information for defenders. You can study three groups. You can map their preferred initial access vectors, their negotiation patterns, the industries they prioritize, the tools they use after they’re in. Chaos is genuinely hard to defend against. Predictability, even criminal predictability, is something you can work with.
Clop especially is worth understanding because their model is completely different from the rest. They don’t buy access from brokers or phish employees. They mass-exploit zero-days in widely deployed enterprise software, hit hundreds of organizations at once before patches deploy, and then process victims in bulk. As of March 2026, Clop claims access to more than 234 victim environments sitting in storage, waiting. That’s not a backlog. That’s inventory.
Defense against Clop isn’t about being an unattractive target. It’s about not being exposed when the next campaign wave hits.
On March 27 alone, Akira claimed six new victims and Qilin claimed six new victims. Same day. These groups are not winding down.
Most organizations haven’t done specific research on how Qilin, Akira, and Clop actually operate. That’s the gap worth closing.