1. Executive Summary
The Middle East has seen 632 ransomware victims since 2023, on a trajectory that has roughly tripled in three years. Volume by year: 110 in 2023, 195 in 2024, 223 in 2025, and 104 in Q1 2026, which annualizes to roughly 310. December 2025 (41 victims) and March 2026 (38 victims) mark the highest monthly totals on record. The region is on track for its worst year since we began tracking.
The headline number understates the structural change that underpins it. Middle East ransomware in 2026 is no longer a single phenomenon. It is three overlapping economies operating against the same victim pool. The first is conventional financially-motivated RaaS, dominated by Qilin, LockBit, RansomHub, and a rotating cast of mid-tier operators chasing payouts. The second is hacktivist branding worn by Iranian-aligned actors, principally Handala and Toufan, that uses the ransomware aesthetic for politically motivated data destruction and public shaming with no real intent to monetize. The third, surfaced publicly by Rapid7 in April 2026, is state-sponsored espionage operations using ransomware brands as cover, with MuddyWater impersonating the Chaos brand in the documented case.
All three are accelerating in parallel. The Iran conflict that began in February 2026 has compounded the hacktivist channel without displacing the criminal economy, producing a 91 percent regional increase in the conflict-period victim count even as criminal RaaS continues unabated. Attribution from claims alone on data leak sites is no longer reliable. CISOs in the region should now treat any ransomware incident in Israel, Iran, or the Gulf as potentially espionage-adjacent until infrastructure analysis confirms otherwise. Augur’s Ransomware Intelligence module can help you achieve that.
1.1 Key Observations
The Middle East ransomware economy is now three overlapping channels, not one. Conventional financially-motivated RaaS (Qilin, LockBit, RansomHub, IncRansom) accounts for roughly 40 percent of regional victims and operates on the same affiliate-driven cycle as North America. Hacktivist-branded operations aligned with Iranian state interests (Handala, Toufan, Stormous) account for another 25 percent and are not subject to the same economic logic, since their objective is political messaging rather than payment. State-sponsored espionage using ransomware brands as cover (MuddyWater as Chaos, disclosed by Rapid7 in April 2026) is the smallest channel by visible volume but the highest-consequence category. Standard threat models that assume financial motivation no longer fit roughly half of ME ransomware activity.
Handala is the highest-volume ME-focused operator on record. 80 victims since 2023 makes Handala more prolific in the region than any criminal RaaS group, including LockBit at its peak. The group rarely deploys functional encryption, does not negotiate, and structures its leak posts as political messaging. We assess Handala as an Iranian-aligned hacktivist persona operating with at minimum tacit state tolerance, with operational signatures consistent with MOIS tradecraft against regime opponents and Israeli targets. Detection and response planning for organizations in Israel and Gulf public-sector roles should treat Handala as a destruction-oriented adversary rather than an extortion operator. Recovery from backup does not address the primary harm.
The Iran conflict produced a 91 percent regional surge, concentrated in Israel. 86 victims between 1 February and 7 May 2026, against 45 in the same window of 2025. Israel absorbed 21 of those 86, with Handala responsible for 14 (67 percent of Israel-targeted activity). Turkey took 20 victims, driven by opportunistic criminal RaaS rather than conflict-related targeting. The rises in the UAE and Saudi Arabia track global RaaS trends and show no clear conflict signal. The surge is real but narrowly concentrated, and the criminal economy continued operating in parallel rather than being displaced by hacktivist activity.
Mass Iranian targeting did not materialize. Only four Iran-resident victims have been observed since the conflict began, three of them claimed by Handala and targeting Iranian dissident media (IranWire, the VahidOnline-related domain) and regime messaging infrastructure (IDF in Farsi). This is inconsistent with a coordinated Western or pro-Israel ransomware campaign against Iranian infrastructure. The likelier explanations are deliberate restraint by aligned actors due to sanctions and political exposure concerns, lower exposure of Iranian targets to traditional RaaS reconnaissance behind state firewalls, or both. ArvinClub, historically the principal anti-regime ransomware operator, has shown no activity since the conflict began, suggesting either operational disruption or a shift to non-public channels.
Qilin is the criminal operator to watch in the region. 41 ME victims since 2023, with operational signatures indicating affiliate intake from disrupted programs and a trajectory that points to roughly 60 victims for the full-year 2026. Qilin has effectively replaced LockBit as the dominant financially motivated operator in the region. LockBit's 51 cumulative victims understate how degraded it is, since most of those cases occurred before the February 2024 disruption. Its affiliate base has migrated, primarily to Qilin and to a lesser extent RansomHub, before RansomHub itself disappeared. Detection prioritization should reflect this realignment.
Bashe (publicly tracked as APT73) is the wildcard. The 27 April burst of 8 victims in a single day spanning UAE, Saudi, Iranian, Turkish, and Palestinian targets across energy, finance, and government has the operational signature of either a mass exploitation event or a coordinated dump of previously staged victims. The breadth and uniform timing are unusual for a sustained operator. We assess Bashe as a watch item rather than a confirmed sustained threat. The decision point will be whether comparable bursts occur in the next 60 to 90 days. If yes, Bashe enters the top-tier ME operator list. If no, the 27 April activity should be reclassified as a one-time campaign.
False-flag risk has structurally changed regional attribution. Rapid7's April 2026 disclosure that MuddyWater is using the Chaos ransomware brand as cover for espionage operations is the first publicly documented case of an Iranian state actor wearing a criminal ransomware identity. We assess this is unlikely to be the only such operation. For any ransomware incident in Israel, Iran, or the Gulf with anomalous victimology (uncommon target geography, atypical sector for the claimed group, or technical artifacts inconsistent with the named brand), infrastructure-level attribution should be required before accepting leak site claims at face value. The strategic implication is that data leak sites have become an attribution vector rather than an attribution source.
Cross-region infrastructure reuse is now observable and actionable. 194.87.31.0/24 appears under Qilin in ME, Babuk2 in ME, The Gentlemen in ME, and Medusa in NA. 5.188.86.0/24 appears under BabukRansomware in ME and Cl0p in NA. 79.124.58.0/24 appears under RansomHub in ME and across RansomHub, Medusa, and Play in NA. These overlaps indicate either shared bulletproof hosting providers or affiliate movement between operator brands. Infrastructure-based detection at the prefix level now produces meaningful cross-group coverage in a way that single-IP or single-brand indicators do not.
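The prefix-overlap analysis described above, as an added example that is not part of the original report or of Augur's tooling. It takes single-IP indicators grouped by (brand, region), rolls them up to a chosen prefix length, and reports every prefix observed under more than one brand. The sample addresses are constructed values placed inside the prefixes the report names (194.87.31.0/24, 5.188.86.0/24, 79.124.58.0/24, 146.185.216.0/22); they are not observed infrastructure. Running the same data at /32 returns no overlaps, which is the report's point about single-IP indicators.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample indicators keyed by (group, region). Each address is an
# illustrative value chosen inside one of the prefixes named in the report;
# none of them is a real observed indicator. "NA" is North America.
SAMPLE_INDICATORS = {
    ("Qilin", "ME"):           ["194.87.31.14", "194.87.31.200"],
    ("Babuk2", "ME"):          ["194.87.31.77"],
    ("The Gentlemen", "ME"):   ["194.87.31.9"],
    ("Medusa", "NA"):          ["194.87.31.131", "79.124.58.40"],
    ("BabukRansomware", "ME"): ["5.188.86.22"],
    ("Cl0p", "NA"):            ["5.188.86.190"],
    ("RansomHub", "ME"):       ["79.124.58.12"],
    ("RansomHub", "NA"):       ["79.124.58.13"],
    ("Play", "NA"):            ["79.124.58.250"],
    # Inside Handala's /22; no other brand shares it, so it must not be reported.
    ("Handala", "ME"):         ["146.185.217.5"],
}


def aggregate_to_prefixes(indicators, prefix_len=24):
    """Map every single-IP indicator to its covering prefix of prefix_len bits.

    Returns {prefix_str: {(group, region), ...}}. ip_address() validates the
    input; ip_network(strict=False) zeroes the host bits for us.
    """
    seen = defaultdict(set)
    for (group, region), ips in indicators.items():
        for ip in ips:
            addr = ip_address(ip)
            net = ip_network(f"{addr}/{prefix_len}", strict=False)
            seen[str(net)].add((group, region))
    return seen


def find_shared_prefixes(indicators, prefix_len=24):
    """Return only the prefixes seen under more than one brand.

    A prefix used by the same brand in two regions (RansomHub ME and NA) does
    not count as shared on its own; at least two distinct brands are required.
    Owners are returned as a sorted list so output is deterministic.
    """
    shared = {}
    for prefix, owners in aggregate_to_prefixes(indicators, prefix_len).items():
        brands = {group for group, _region in owners}
        if len(brands) > 1:
            shared[prefix] = sorted(owners)
    return shared


if __name__ == "__main__":
    for length in (32, 24):
        shared = find_shared_prefixes(SAMPLE_INDICATORS, length)
        print(f"/{length}: {len(shared)} prefix(es) shared across brands")
        for prefix, owners in sorted(shared.items()):
            labels = ", ".join(f"{g} ({r})" for g, r in owners)
            print(f"  {prefix}: {labels}")
```

The rollup length is a tuning knob: /24 reproduces the overlaps in the text, while a coarser /22 or /20 will start merging unrelated hosting customers and should only be used where the report itself identifies a broader allocation, as it does for Handala.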
Tempo correlates with kinetic events. Handala operational tempo, and to a lesser extent Toufan and Stormous tempo, has historically tracked Middle East escalation cycles within a 24 to 72 hour window. Detection engineering, IR staffing, and external communications functions in regional organizations should treat regional kinetic events as ransomware leading indicators and posture accordingly during escalation periods. This is the only ME ransomware pattern in this report with a predictable trigger that can be planned against in advance.
2. Country Breakdown
Israel and UAE together absorb nearly half of all regional victims. The drivers differ. Israel's 27% share is disproportionate to its economic size and reflects targeted political activity by Iranian-aligned hacktivists, principally Handala. The UAE's 22% share tracks the country's role as a regional digital and financial hub with deep exposure to the global RaaS economy. Turkey's 17% share reflects opportunistic targeting of a large industrial economy with patchy security maturity outside the financial sector.
Iran's 4.4 percent figure understates actual victimization. Iranian organizations are underrepresented on data leak sites because Western and Western-aligned RaaS operators historically avoid them under sanctions exposure concerns, and because much of Iran's critical infrastructure is air-gapped or behind state firewalls that complicate reconnaissance. The 28 Iran-resident victims observed since 2023 are likely a floor, not a ceiling.
3. Most Active Threat Groups
The actor mix tells the same three-channel story as the executive summary. Handala's 80 victims since 2023 make it the highest-volume Middle East-focused operator on record, but it is not a ransomware group in any conventional sense. It does not negotiate, rarely deploys real encryption, and its leak posts read as political messaging. We assess Handala as an Iranian-aligned hacktivist persona that benefits from at minimum tacit state tolerance and likely active state coordination, consistent with MOIS tradecraft against regime opponents and Israeli targets.
LockBit's 51 victims continue to accumulate post-Operation Cronos, but its tempo is roughly half its 2023 peak and its affiliate base has migrated. The actual successor to LockBit's ME presence is Qilin, which has tripled its regional output since mid-2024 and is now the dominant financially-motivated operator, with recent victims in Turkish construction (Kolin) and Palestinian energy.
RansomHub's 31 victims were largely accumulated before its disappearance from leak sites in early 2026, the most recent in a series of post-ALPHV affiliate disruptions. Its operators have not gone home. They have surfaced under Qilin and a handful of newer banners.
Toufan, Stormous, and FunkSec round out the political channel. Toufan al-Aqsa is Palestinian-aligned and emerged after October 2023, targeting Israeli and Gulf entities in support of the broader anti-Israel hacktivist coalition. Stormous's pro-Russian posture maps onto Russian foreign policy alignment with Iran and produces consistent Gulf and Israeli targeting. FunkSec is the outlier, a younger group that combines financial extortion with anti-Western political language, operating primarily against Saudi and UAE targets. The line between these groups and pure criminal RaaS is fuzzy by design. Several appear to share infrastructure with state-aligned operators, which is consistent with the shared bulletproof hosting evidence detailed in the Infrastructure Attribution section.
Bashe (publicly tracked as APT73 in some reporting) is the wildcard. The group's 8-victim burst on 27 April, hitting UAE, Saudi, Iranian, Turkish, and Palestinian targets in a single day across energy, finance, and government, has the operational signature of either a mass exploitation event or a backlog dump from a prior compromise campaign. We are watching for follow-on activity to determine whether Bashe is a sustained operator or a one-off campaign brand.
4. Industry Targeting
Business Services and Technology lead the count, consistent with global ransomware patterns and reflective of the high density of attractive mid-market targets in those sectors. Three sector signals deviate from the global baseline and warrant specific attention.
The public sector at 57 victims is roughly double the global proportional rate. This concentration is the clearest sectoral signature of the hacktivist channel. Handala, Toufan, and Stormous all preferentially target government and government-adjacent organizations because the political messaging value of those targets exceeds their extortion value.
Energy at 34 victims is also elevated relative to global averages and tracks the strategic importance of oil and gas infrastructure to Gulf state revenues, with Bashe's 27 April burst hitting GEDCO Palestine in this sector.
Healthcare at 37 is low compared to North America (954 over a comparable window), reflecting both the smaller absolute scale of regional private healthcare and what we assess to be deliberate avoidance by some operators of religiously sensitive targets in Gulf states. The pattern is not consistent across the threat landscape, however, and Qatar Biomedical Research Institute was hit by Crypto24 in late April.
5. Year-over-Year Trend
The region is on track for its worst year in 2026.
6. Recent Activity
Notable recent victims include:
- Qatar Biomedical Research Institute (Crypto24), healthcare/research
- UAE Ministry of Climate Change (moccae.gov.ae, Bashe), government
- Al Gosaibi Group (Saudi, Bashe), financial services
- Kolin Turkey (Qilin), major construction and infrastructure firm
- GEDCO Palestine (Bashe), energy sector
Bashe (also tracked as APT73 in some external reporting) has been particularly active with a burst of 8 Middle East targets in a single day (27 April), hitting UAE, Saudi, Iran, Turkey, and Palestine across energy, finance, and government sectors. The breadth and uniform timing of the burst are consistent with either a mass exploitation event against a shared upstream target or a coordinated dump of previously staged victims.
7. Ransomware and the Iran Conflict
Period of analysis: 1 February to 7 May 2026. This section isolates ransomware activity tied to the Iran conflict and compares it against the same window in 2025. The headline finding is a 91 percent increase in regional victims, concentrated in Israel and driven almost entirely by hacktivist activity rather than a broader expansion of criminal RaaS targeting.
7.1 Regional Overview
The Middle East recorded 86 ransomware victims between 1 February and 7 May 2026, compared with 45 in the same period in 2025. Israel and Turkey absorb most of the increase. The Gulf states show smaller absolute numbers but follow a similar upward trend.
We assess the regional surge as real but narrowly concentrated. Israel and Turkey account for the majority of the increase. The increases in the UAE and Saudi Arabia appear opportunistic and consistent with global RaaS trends rather than conflict-driven.
7.2 Iran: Direct Targeting
Iran itself recorded only four ransomware victims since the conflict began. The composition is more telling than the count.
Handala accounts for three of the four Iran-resident victims. None of these are conventional ransomware extortion. IranWire and the VahidOnline-related domain are diaspora opposition media, and the IDF in Farsi page is regime messaging infrastructure. We assess this activity as Iranian state or state-aligned operations against regime critics, branded under a hacktivist persona. This is consistent with prior MOIS-aligned tradecraft against opposition voices abroad.
ArvinClub, historically the principal anti-regime ransomware operator with eight all-time Iran victims, has shown no activity since the conflict began. Whether this reflects deliberate restraint, operational disruption, or a shift to non-public channels is unclear.
7.3 Israel: Hacktivist Firestorm
Israel has absorbed 21 victims in the analysis period, the highest in the region. One actor accounts for two-thirds of the activity.
Handala is responsible for 67 percent of Israeli ransomware activity in the period. The group is not profit-motivated. Its tradecraft consistently emphasizes data destruction and exfiltration with public shaming, packaged in a ransomware aesthetic. Targeting spans Israeli government, military-adjacent organizations, and critical infrastructure.
8. Key Conflict-Driven Observations
Handala dominates the regional landscape. Handala produced 14 Israeli and three Iranian dissident victims in the period, totaling 17 of 86 regional victims, or 20 percent. A single hacktivist persona aligned with Iranian state interests is now the most prolific Middle East-focused ransomware brand of 2026.
Mass Iranian targeting has not materialized. Despite the conflict, only four Iran-resident victims have been observed. This is inconsistent with a coordinated Western or pro-Israel ransomware campaign against Iranian infrastructure. The likelier explanations are deliberate restraint by aligned actors, lower exposure of Iranian targets to traditional RaaS reconnaissance, or both.
Growth is concentrated, not regional. The 91 percent increase is concentrated in Israel and Turkey. UAE and Saudi growth tracks global RaaS trends and shows no clear signal of conflict-driven targeting.
False-flag risk is elevated. Per Rapid7, MuddyWater is now using the Chaos ransomware brand as cover for espionage operations. Some incidents in this report carrying a ransomware label may be state-sponsored intrusions wearing criminal clothing. Attribution from data leak sites alone is no longer sufficient.
Criminal RaaS activity is additive. Qilin, IncRansom, and Bashe continued ME targeting through the period for financial motives. The conflict added hacktivist volume on top of, not in place of, existing criminal activity.
9. Watchlist Recommendations
Prioritize Handala IOCs. The group is the highest-volume Middle East-focused threat actor of 2026. Detection should prioritize its hosting prefix 146.185.216.0/22 and any dedicated leak-site infrastructure.
Cross-reference MuddyWater / Chaos indicators. The Astrill VPN, OConnect, and Donald Gay certificate signals from the Rapid7 reporting should be cross-referenced against any ransomware incident with Israeli, Iranian, or Gulf victimology before assigning attribution.
Anticipate tempo spikes around escalation. Handala operational tempo correlates with kinetic events. Expect activity spikes within 24 to 72 hours of any conflict escalation. Posture detection and IR readiness accordingly.
10. 12-Month Outlook
We forecast continued acceleration through year-end 2026. The hacktivist channel will track conflict tempo. If kinetic activity escalates, expect Handala output to spike within 24 to 72 hours and to plateau at elevated levels rather than returning to baseline. If de-escalation occurs, we assess the persona will persist but at reduced volume, since dismantling a hacktivist brand is operationally cheap to defer. The criminal channel will not slow.
Qilin's regional growth trajectory points to roughly 60 ME victims for full-year 2026, on pace to overtake Handala for the top spot if the conflict cools. RansomHub's missing affiliates will continue to surface under new banners through the second half of the year, with Bashe and The Gentlemen the most likely beneficiaries. The state-sponsored false-flag channel is the hardest to forecast and the most consequential. Rapid7's MuddyWater/Chaos disclosure is unlikely to be the only such operation.
We expect at least one additional state-sponsored actor to be publicly identified using a ransomware brand as cover within the next 12 months, most likely from the same MOIS or IRGC-aligned operator pool.
11. Infrastructure Attribution
Augur has predicted several network ranges associated with the most active groups in this report. CIDRs reflect hosting and operational infrastructure observed across recent campaigns, useful for blocklist enrichment and proactive monitoring.
Note: 194.87.31.0/24 appears across Qilin, Babuk2, and The Gentlemen, suggesting shared bulletproof hosting or affiliate overlap. Handala’s /22 is the broadest range in this set and warrants prefix-level monitoring rather than single-IP blocking.
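Prefix-level monitoring against single-IP blocking, as an added example that is not part of the original report or of Augur's product. The watchlist below carries the ranges named in sections 9 and 11 with the report's group attributions; the priority labels are an assumed convention. The firewall log lines and the single-IP feed entries are constructed for the example. The scan flags any connection whose source or destination falls inside a watched prefix and records whether a single-IP list would also have caught it, which makes the coverage gap the note describes visible on real logs.

```python
import re
from ipaddress import ip_address, ip_network

# Prefix watchlist: CIDRs and attributions as given in the report. The third
# field is an assumed priority convention, not something the report defines.
PREFIX_WATCHLIST = [
    ("146.185.216.0/22", "Handala", "high"),
    ("194.87.31.0/24", "Qilin / Babuk2 / The Gentlemen (shared hosting)", "high"),
    ("5.188.86.0/24", "BabukRansomware", "medium"),
    ("79.124.58.0/24", "RansomHub", "medium"),
]

# Constructed single-IP feed of the kind many blocklists publish. Only two
# hosts are listed, so anything else in the same ranges slips past it.
SINGLE_IP_BLOCKLIST = {"146.185.216.10", "194.87.31.14"}

# Constructed firewall export in a generic key=value layout. 93.184.216.34 and
# the RFC 5737 address 203.0.113.8 are benign controls that must not match.
SAMPLE_LOGS = """\
2026-04-27T09:14:02Z action=allow src=10.20.4.17 dst=146.185.216.10 dpt=443 proto=tcp
2026-04-27T09:14:09Z action=allow src=10.20.4.17 dst=146.185.219.77 dpt=443 proto=tcp
2026-04-27T09:15:44Z action=allow src=10.20.9.3 dst=194.87.31.201 dpt=8443 proto=tcp
2026-04-27T09:16:01Z action=allow src=10.20.9.3 dst=93.184.216.34 dpt=443 proto=tcp
2026-04-27T09:17:30Z action=deny src=203.0.113.8 dst=10.20.0.5 dpt=3389 proto=tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+action=(?P<action>\w+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)"
)


def compile_watchlist(entries):
    """Parse the CIDR strings once so membership tests are cheap in the loop."""
    return [(ip_network(cidr), label, prio) for cidr, label, prio in entries]


def match_prefix(ip_str, compiled):
    """Return (prefix, group, priority) for the first watched prefix containing ip_str."""
    addr = ip_address(ip_str)
    for net, label, prio in compiled:
        if addr in net:
            return str(net), label, prio
    return None


def scan_logs(text, watchlist=PREFIX_WATCHLIST, single_ips=SINGLE_IP_BLOCKLIST):
    """Yield one hit dict per log line touching a watched prefix.

    Destination is checked first (outbound beaconing and exfiltration), then
    source (inbound activity). Each hit records the prefix, the attribution,
    and whether the single-IP list alone would have produced the same alert.
    """
    compiled = compile_watchlist(watchlist)
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; a production scanner would count these
        for direction in ("dst", "src"):
            ip_str = m.group(direction)
            found = match_prefix(ip_str, compiled)
            if found is None:
                continue
            prefix, group, prio = found
            hits.append({
                "ts": m.group("ts"),
                "direction": direction,
                "ip": ip_str,
                "prefix": prefix,
                "group": group,
                "priority": prio,
                "caught_by_single_ip": ip_str in single_ips,
            })
            break  # one hit per line is enough
    return hits


def count_missed_by_single_ip(hits):
    """How many prefix hits a single-IP blocklist would have let through."""
    return sum(1 for h in hits if not h["caught_by_single_ip"])


if __name__ == "__main__":
    results = scan_logs(SAMPLE_LOGS)
    for h in results:
        tag = "" if h["caught_by_single_ip"] else "  <-- missed by single-IP list"
        print(f"{h['ts']} {h['direction']}={h['ip']} in {h['prefix']} ({h['group']}, {h['priority']}){tag}")
    print(f"{count_missed_by_single_ip(results)} of {len(results)} hits would have been missed by single-IP blocking")
```

On the constructed log, two of the three hits are addresses inside Handala's /22 and the shared 194.87.31.0/24 that the single-IP feed does not list; that is exactly the gap the note warns about.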
12. Recommendations
- Israeli, UAE, and Turkish organizations should treat ransomware exposure as near-certain and shift IR planning from prevention-first to assumption-of-compromise. Tabletop exercises should explicitly include hacktivist scenarios where the attacker has no interest in negotiation, no decryption capability, and a public-shaming objective. Standard ransomware playbooks built around payment decisions do not apply.
- Gulf public sector, energy, and government-adjacent organizations should treat Handala and Toufan IOCs as priority detections regardless of whether ransomware is the suspected outcome. Both groups conduct exfiltration-then-destruction operations where the encryption stage is incidental and recovery from backup does not address the primary harm.
- Track Qilin as the primary criminal threat. Its 41 ME victims since 2023 are accelerating, with operational signatures indicating affiliate intake from the disrupted RansomHub program. Qilin-affiliated TTPs and infrastructure should be detection priorities over LockBit, which has materially declined. Treat Bashe as a watch item rather than a confirmed sustained threat. Its 27 April burst pattern is unusual and could resolve as either a one-off campaign or the start of a higher-tempo operator. The decision point will be whether comparable bursts occur in the next 60 to 90 days.
- For any ransomware incident in Israel, Iran, or the Gulf with anomalous victimology (uncommon target geography, atypical sector for the claimed group, or technical artifacts inconsistent with the named brand), require infrastructure-level attribution before accepting the leak site claim at face value. The MuddyWater/Chaos disclosure establishes that state-sponsored operators are now using ransomware brands as cover, and we assess this is unlikely to be an isolated case.
- Plan for tempo correlation with kinetic events. Handala output, and to a lesser extent Toufan and Stormous output, has historically tracked Middle East escalation cycles within a 24 to 72 hour window. Detection engineering, IR staffing, and external communications functions in regional organizations should treat regional kinetic events as ransomware leading indicators and posture accordingly during escalation periods.
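The victimology triage rule from the attribution recommendation above, as an added example that is not part of the original report or of Augur's tooling. It encodes the three anomaly criteria the report lists (uncommon geography, atypical sector for the claimed group, technical artifacts inconsistent with the brand) and returns a decision on whether a leak-site claim should be held for infrastructure-level attribution. The baseline profiles are constructed from the report's qualitative descriptions and are deliberately small; in practice they would be derived from the full victim dataset. The sample claims are constructed as well.

```python
# Constructed baseline profiles. Country codes are ISO 3166-1 alpha-2. The
# Handala and Qilin entries paraphrase what the report says about each brand's
# usual victims; the Chaos entry is a placeholder for a brand whose baseline
# lies outside the region. None of this is Augur's data.
BASELINE_PROFILES = {
    "Handala": {
        "countries": {"IL", "IR"},
        "sectors": {"government", "media", "critical infrastructure"},
        "encrypts": False,  # report: rarely deploys functional encryption
    },
    "Qilin": {
        "countries": {"TR", "AE", "SA", "PS", "IL"},
        "sectors": {"construction", "energy", "business services", "technology"},
        "encrypts": True,
    },
    "Chaos": {
        "countries": {"XX"},  # placeholder baseline; constructed, not observed
        "sectors": {"business services", "technology"},
        "encrypts": True,
    },
}

# Israel, Iran, and the Gulf states: the geographies the report singles out.
SENSITIVE_REGION = {"IL", "IR", "AE", "SA", "QA", "KW", "BH", "OM"}


def triage_claim(claim, profiles):
    """Return the list of anomaly flags for one leak-site claim.

    An empty list means the claim matches the brand's baseline on every
    criterion the report names and can follow the normal response track.
    """
    profile = profiles.get(claim["group"])
    if profile is None:
        return [f"no baseline profile for brand {claim['group']!r}"]

    flags = []
    if claim["country"] not in profile["countries"]:
        flags.append(f"uncommon geography for {claim['group']}: {claim['country']}")
    if claim["sector"] not in profile["sectors"]:
        flags.append(f"atypical sector for {claim['group']}: {claim['sector']}")
    observed = claim.get("encryption_observed")  # None when the IR team has no data yet
    if observed is not None and observed != profile["encrypts"]:
        flags.append("technical artifacts inconsistent with brand: encryption behaviour")
    return flags


def requires_infra_attribution(claim, profiles):
    """Apply the report's rule: sensitive geography plus any anomaly flag."""
    return claim["country"] in SENSITIVE_REGION and bool(triage_claim(claim, profiles))


# Constructed claims for illustration only.
SAMPLE_CLAIMS = [
    {"group": "Qilin", "country": "TR", "sector": "construction", "encryption_observed": True},
    {"group": "Chaos", "country": "IL", "sector": "government", "encryption_observed": False},
    {"group": "Handala", "country": "IL", "sector": "government", "encryption_observed": False},
    {"group": "UnknownBrand", "country": "AE", "sector": "energy", "encryption_observed": None},
]


if __name__ == "__main__":
    for claim in SAMPLE_CLAIMS:
        flags = triage_claim(claim, BASELINE_PROFILES)
        hold = requires_infra_attribution(claim, BASELINE_PROFILES)
        status = "HOLD for infrastructure attribution" if hold else "normal track"
        print(f"{claim['group']:>12} {claim['country']} {claim['sector']:<14} -> {status}")
        for f in flags:
            print(f"               - {f}")
```

The unknown-brand case is deliberate: a claim from a brand with no baseline cannot be checked against anything, so in a sensitive geography it is held rather than waved through.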
For questions or additional analysis, contact: research@augursecurity.com
