
NCC Group Monthly Threat Pulse – Review of January 2026

25 February 2026

 

Global ransomware attacks drop 17% month-on-month in January

  • Qilin was the most active ransomware group with 17% of attacks 
  • Industrials remain most targeted sector, with 32% of all attacks in January 
  • North America victim to 54% of global attacks, followed by Europe with 22% 

25 February 2026 – Global ransomware activity fell by 17% month-on-month in January, with 741 incidents recorded, but cyber security experts warn organisations should not become complacent. According to NCC Group’s January 2026 Cyber Threat Intelligence Report, threat actors are rapidly shifting their tactics and are increasingly using messaging platforms such as WhatsApp, Signal and Telegram as primary entry points for attacks.

Matt Hull, VP of Cyber Intelligence and Response at NCC Group, said:

“While ransomware attacks were lower than December, activity closely mirrors January 2025, when 696 incidents were recorded. Given the scale and disruption of 2025, this pattern could be an early signal that 2026 may follow a similar path. Organisations should not mistake the month-on-month drop for a decline in risk.” 

 

Qilin leads the charge 

Qilin maintained its dominant position in 2025, executing 108 attacks (17%) in January. In January, the group targeted several high-profile organisations, including Covenant Health, where an attack exposed the personal and medical data of approximately 478,000 patients and disrupted hospital operations. Qilin also claimed responsibility for an attack on Tulsa International Airport, leaking internal financial records and employee data after breaching its network. 

The group appears to be consistently targeting organisations in critical and industrial sectors where operational disruption and sensitive data exposure can increase pressure to pay. 

 

North American organisations remain lucrative targets 

Beyond these high-profile attacks, ransomware remains widespread across industries and regions. Across sectors, Industrials remained the primary target, accounting for 32% (196) of attacks. Consumer Discretionary followed with 143 incidents, while Healthcare ranked fourth with 53 attacks despite the high-profile Covenant Health breach. 

Regionally, North America accounted for 54% of global ransomware activity, with Europe representing 22%.  

Hull added: “North America remains the most targeted region due to a mix of geopolitical factors, economic incentives, and broad digital exposure. Qilin’s high-profile attacks on US-based organisations such as Covenant Health and Tulsa Airport show how top threat actors are focusing on sectors where data and disruption carry the greatest value.” 

 

Emerging tactics are changing the game 

NCC Group warns in the report that ransomware tactics will likely shift, with an increasing number of threat actors reportedly moving to messaging platforms as a primary entry point for attacks. Examples cited include device‑linking scams, fake group invites, and malicious QR codes that trick victims into granting access to their accounts.

Matt Hull, VP of Cyber Intelligence and Response at NCC Group, said:

“The ransomware landscape is not getting any easier. Threat actors are constantly evolving, leveraging every tool and tactic to exploit vulnerabilities and maximise impact. Messaging platforms and the rise of AI add further complexity and widen attack surfaces. This creates more ways for attackers to target individuals and organisations. 

It's never been more important for organisations to remain vigilant and strengthen their security posture to stay ahead of these evolving threats.”  

 


 

Contact

NCC Group Press Office

All media enquiries relating to NCC Group plc.

press@nccgroup.com

+44 7721577574