LockBit was the name on every tabletop exercise for two years. Law enforcement disrupted it in early 2024. Since then, the ransomware ecosystem has rotated fast, and most IR plans haven’t kept up.
That’s not a minor gap. When your team runs a tabletop, the threat actor they’re modeling shapes everything: the entry point, the timeline, the containment steps, who you call first. If the group you practiced against isn’t the group hitting organizations right now, your muscle memory is built around the wrong scenario.
What’s actually active right now
Qilin is currently the most active ransomware group globally, with 338 confirmed victims in Q1 2026 alone. That’s a 578% increase year over year. The group aggressively absorbs affiliates from disrupted operations and disproportionately targets healthcare. If you haven’t updated your threat model since the LockBit era, you’ve missed the dominant actor entirely.
The Gentlemen is #2. They’ve claimed 478 victims since emerging in mid-2025, with growth that Check Point Research says is faster than any RaaS group on record. They reached the same victim count in five months that it took Akira twelve months and Qilin eighteen months to reach. Operators have documented connections to LockBit alumni, which means they brought institutional knowledge of what worked.
LockBit did return as version 5.0, landing at #4 with 163 victims in Q1. It’s still active. But it’s no longer the dominant threat, and the groups now ahead of it operate differently.
Why this matters for community banks
The entry point The Gentlemen favor is internet-facing devices: VPNs and firewalls. That’s not a novel technique. But it’s the same infrastructure that sits at the perimeter of almost every community bank network, often managed by a small team or a third-party vendor, and sometimes running firmware that hasn’t been updated since the last regulatory exam flagged it.
The timeline is the other piece your IR plan probably has wrong. The Gentlemen compress initial access to full network encryption into hours, not days. Most tabletop scenarios assume a dwell time measured in days, which is where the detection and containment steps get calibrated. If the attacker is encrypting within hours of initial access, your detection window assumptions don’t hold.
The worm-like spread capability they recently added makes lateral movement faster and less dependent on manual operator steps. That affects your network segmentation assumptions and changes how quickly an isolated incident can become an enterprise-wide event.
None of this is theoretical. These groups are actively hitting organizations in financial services, manufacturing, and healthcare right now.
The specific problem with stale IR plans
Some IR plans name a threat actor or two for reference, and some include a threat intelligence section. Almost none get updated when the landscape rotates, because updating the plan requires someone to own it, someone to approve the change, and usually a scheduled review cycle that runs annually at best.
Regulators review IR plans. Examiners check whether you have one. What they generally don’t check is whether your threat actor assumptions reflect the current environment. That gap is your problem to close, not theirs.
The practical issue is that the threat actor matters for the playbook. A group using VPN credential theft as an entry point requires different detection logic than one using phishing or software vulnerabilities. A group that moves from access to encryption in hours requires a faster containment trigger than one with a week-long dwell time. If your playbook was built around the wrong entry point and the wrong timeline, it will slow you down at exactly the moment speed matters most.
Three things worth updating this quarter
Swap the threat actor references. Pull out the LockBit-specific references and replace them with Qilin and The Gentlemen. Read what’s publicly available about their TTPs. Check Point Research and Securelist both publish detailed analysis. This takes a few hours and makes your tabletop scenarios materially more realistic.
Revisit your detection timeline assumptions. If your IR plan assumes you have 24 to 48 hours between initial access and impact, test that assumption against a scenario where you have four to six hours. What breaks? What alerts would you miss? What containment steps can’t happen fast enough? The answer tells you where to invest in detection tooling or process changes.
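One way to run that test before the tabletop, as an added example that is not part of the original post: the playbook steps, their durations, the business-hours approval constraint and the Friday-night start time below are all constructed, and weekends are ignored for brevity. The script walks the playbook from initial access and reports which steps finish after the attacker's encryption time under a 36-hour and a 5-hour dwell assumption.

```python
from datetime import datetime, timedelta

# Constructed playbook for a tabletop timing check (added example, not from the post).
# Each step: name, minutes it takes, and whether it needs a human approval that
# only happens during business hours (a common community-bank constraint).
PLAYBOOK = [
    ("EDR/VPN alert fires and is seen by on-call", 45, False),
    ("Triage and confirm malicious access", 60, False),
    ("Escalate to incident commander", 30, False),
    ("Approve perimeter VPN shutdown", 30, True),
    ("Isolate affected hosts and revoke VPN sessions", 45, False),
    ("Confirm segmentation holds / block lateral movement", 60, False),
]

BUSINESS_START, BUSINESS_END = 8, 17  # approvals available 08:00-17:00 local
T0 = datetime(2026, 3, 6, 22, 0)      # constructed start: Friday 22:00


def next_business_time(t):
    """Return t if inside business hours, else the next 08:00 (weekends ignored)."""
    if BUSINESS_START <= t.hour < BUSINESS_END:
        return t
    day = t if t.hour < BUSINESS_START else t + timedelta(days=1)
    return day.replace(hour=BUSINESS_START, minute=0, second=0, microsecond=0)


def run_timeline(dwell_hours, initial_access=T0, playbook=PLAYBOOK):
    """Walk the playbook from initial access.

    Returns (containment_time, late_steps); late_steps are the steps that
    finish after the attacker's encryption time for this dwell assumption.
    """
    impact = initial_access + timedelta(hours=dwell_hours)
    clock = initial_access
    late = []
    for name, minutes, needs_approval in playbook:
        if needs_approval:
            clock = next_business_time(clock)  # approval waits for office hours
        clock += timedelta(minutes=minutes)
        if clock > impact:
            late.append(name)
    return clock, late


if __name__ == "__main__":
    for dwell in (36, 5):
        done, late = run_timeline(dwell)
        print(f"dwell {dwell}h: contained {done:%a %H:%M}, too late: {late or 'none'}")
```

With the constructed numbers, the 36-hour scenario is contained Saturday 10:15 with every step in time, while the 5-hour scenario shows the business-hours approval and everything after it landing well past encryption.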
Review your VPN and firewall patch posture. The Gentlemen and several other active groups are systematically targeting internet-facing devices as their primary entry point. If your perimeter devices are running outdated firmware or unpatched software, you are in the target profile for the two most active ransomware groups operating right now. This is a short list to check and a fast fix if the patches exist.
The broader point
Ransomware groups are not static. They get disrupted, rebrand, and relaunch with affiliates and institutional knowledge from the last operation. The group that dominated eighteen months ago is not the group your team should be practicing against today.
Keeping your threat model current means reading what the security community already publishes and making sure your IR plan reflects it. That’s the whole job. Do it before you need the playbook, not after.
If you want a second set of eyes on your IR plan or a tabletop that reflects the current threat environment, book a call.