News from the Wire

Global ransomware attacks drop 17% month-on-month in January

Wednesday, February 25, 2026 — 20:03:05 (UTC)

Global Ransomware Attacks Drop 17% Month-on-Month in January Qilin was the most active ransomware group with 17% of attacks

Industrials remain most targeted sector, with 32% of all attacks in January

North America victim to 54% of global attacks, followed by Europe with 22%

Manchester, UK, Jan. 25, 2026—Global ransomware activity fell by 17% month-on-month in January, with 741 incidents recorded, but cyber security experts warn organizations should not become complacent. According to NCC Group’s January 2026 Cyber Threat Intelligence Report, threat actors are rapidly shifting their tactics and are increasingly using messaging platforms such as WhatsApp, Signal and Telegram as primary entry points for attacks.

Matt Hull, VP of Cyber Intelligence and Response at NCC Group, said: “While ransomware attacks were lower than December, activity closely mirrors January 2025, when 696 incidents were recorded. Given the scale and disruption of 2025, this pattern could be an early signal that 2026 may follow a similar path. Organizations should not mistake the month-on-month drop for a decline in risk.”

Qilin leads the charge

Qilin maintained its dominant position in 2025, executing 108 attacks (17%) in January. In January, the group targeted several high-profile organizations, including Covenant Health, where an attack exposed the personal and medical data of approximately 478,000 patients and disrupted hospital operations. Qilin also claimed responsibility for an attack on Tulsa International Airport, leaking internal financial records and employee data after breaching its network.

The group appears to be consistently targeting organizations in critical and industrial sectors where operational disruption and sensitive data exposure can increase pressure to pay.

North American organizations remain lucrative targets

Beyond these high-profile attacks, ransomware remains widespread across industries and regions. Across sectors, Industrials remained the primary target, accounting for 32% (196) of attacks. Consumer Discretionary followed with 143 incidents, while Healthcare ranked fourth with 53 attacks despite the high-profile Covenant Health breach.

Regionally, North America accounted for 54% of global ransomware activity, with Europe representing 22%.

Hull added: “North America remains the most targeted region due to a mix of geopolitical factors, economic incentives, and broad digital exposure. Qilin’s high-profile attacks on US-based organizations such as Covenant Health and Tulsa Airport show how top threat actors are focusing on sectors where data and disruption carry the greatest value.”

Emerging tactics are changing the game

NCC Group warns in the report that ransomware tactics will likely shift, with an increasing number of threat actors reportedly moving to messaging platforms as a primary entry point for attacks. Examples cited include device‑linking scams, fake group invites, and malicious QR codes that trick victims into granting access to their accounts

Hull continued: “The ransomware landscape is not getting any easier. Threat actors are constantly evolving, leveraging every tool and tactic to exploit vulnerabilities and maximize impact. Messaging platforms and the rise of AI add further complexity and widen attack surfaces. This creates more ways for attackers to target individuals and organizations.

“It's never been more important for organizations to remain vigilant and strengthen their security posture to stay ahead of these evolving threats.”

Notice to readers: These are archived articles. Contact information, links and other details may be out of date. We regret any inconvenience.

Source: Company press release.

Categories: Reports and research