Ransomware Attacks Soar 30% in 2026: Inside the Unprecedented Surge

A deep dive into the alarming spike in ransomware attacks, the groups behind them, and what you can do to protect yourself


The Numbers Don't Lie: We're Under Siege

If you felt like ransomware headlines were everywhere in early 2026, your instincts were right. The latest data from cybersecurity researchers at Cyble confirms what security professionals feared: ransomware attacks have surged more than 30% compared to the previous nine-month average, and there's no sign of the trend slowing down.

Let's put this in perspective:

  • Q4 2025: 2,018 claimed ransomware attacks (averaging 673 per month)
  • January 2026: 679 attacks in a single month
  • Comparison: The first nine months of 2025 saw an average of just 512 attacks per month

That's not a minor uptick. That's a 31.4% increase in attack velocity, sustained over four consecutive months. If this pace continues, 2026 is on track to shatter all previous ransomware records.

The United States continues to bear the brunt of these attacks, accounting for 58% of all disclosed ransomware incidents in January 2026. But this is a truly global phenomenon—organizations across 22 countries were impacted in January alone, with the UK and Australia experiencing particularly elevated attack volumes.


What's Driving the Surge?

Before we dive into the specific groups and tactics, let's understand the "why" behind this alarming trend. Several converging factors have created the perfect storm for ransomware operators:

1. Ransomware-as-a-Service (RaaS) Has Gone Mainstream

The barrier to entry for cybercrime has never been lower. You no longer need to be a skilled hacker to deploy ransomware—you just need to be willing to pay for access to someone else's infrastructure.

Modern RaaS operations like the newly emerged DataKeeper and MonoLock are actively advertising their services, offering:

  • Ready-made ransomware payloads
  • Automated payment processing
  • Technical support for affiliates
  • Revenue sharing models (typically 70-80% to affiliates)

DataKeeper's "CrystalPartnership" model even splits ransom payments directly between operator and affiliate Bitcoin wallets at payment time, building trust with would-be attackers. MonoLock charges a $500 registration fee and takes just 20% of ransom revenue.

The result: More than 100 active ransomware groups now operate globally. When one gets taken down, three more emerge.

2. Triple Extortion Is Now Standard Operating Procedure

Ransomware isn't just about encrypting files anymore. Modern attacks follow a three-pronged approach:

  1. Encrypt - Lock up systems and data
  2. Exfiltrate - Steal sensitive information before encryption
  3. Extort - Threaten DDoS attacks, regulatory complaints, or public disclosure

Data exfiltration is now part of 74% of all ransomware incidents. This means even organizations with perfect backups still face devastating consequences if they don't pay—their customer data, trade secrets, and internal communications could end up on dark web leak sites for anyone to download.

3. AI Has Supercharged Phishing

The phishing emails of 2024 were often easy to spot: broken English, generic greetings, obvious red flags. The phishing emails of 2026 are crafted by AI assistants that can:

  • Research targets on LinkedIn and social media
  • Write personalized, grammatically perfect messages
  • Mimic the writing style of specific executives
  • Generate convincing pretexts at scale

This has made phishing—already responsible for roughly 30% of ransomware incidents—significantly more effective. Combined with remote access compromise (40% of cases), these two vectors account for the vast majority of initial access.

4. The Supply Chain Multiplier Effect

Why attack one company when you can attack their IT provider and get access to hundreds?

IT services companies, managed service providers (MSPs), and software vendors have become priority targets because they offer attackers a multiplication effect. A single successful breach can cascade across an entire customer base.

In January 2026 alone, we saw:

  • Sinobi targeting an Indian IT services company, gaining access to Hyper-V servers, virtual machines, and customer backups
  • CL0P continuing supply chain campaigns that began with Oracle E-Business Suite exploitation
  • INC Ransom compromising a manufacturer with data from a dozen+ global brands

5. Healthcare and Manufacturing Can't Afford Downtime

Threat actors have learned that targeting industries where downtime equals life-or-death situations or massive financial losses produces faster payments.

Healthcare organizations face:

  • Patient safety risks during system outages
  • HIPAA violations and regulatory fines
  • Reputational damage from exposed medical records
  • Operational urgency that makes ransom payment the "easy" choice

Manufacturing environments face:

  • Production shutdowns costing millions per day
  • OT/ICS (operational technology/industrial control systems) vulnerabilities
  • Supply chain ripple effects affecting downstream customers
  • Lean operations with minimal tolerance for disruption

This is why healthcare led all industries in January 2026 with 27 ransomware incidents, followed by government (11) and manufacturing (10).


Understanding your adversaries is the first step to defending against them. Here's a breakdown of the most active and dangerous ransomware operations as of early 2026:

🥇 Qilin: The Consistent Champion

January 2026 Victims: 115
Notable Targets: US airport authority, Taiwan semiconductor manufacturer
Threat Level: Critical

Qilin (also known as Agenda) has emerged as the most prolific ransomware group, maintaining the top spot for multiple consecutive months. Their January campaign demonstrated remarkable breadth:

  • US Airport Authority: Exfiltrated financial documents, telehealth reports, internal emails, scanned IDs, and NDAs
  • Taiwan Semiconductor Manufacturer: Claimed 275GB of data across 19,822 directories and 177,551 files

Qilin operates a RaaS model written in Rust and Go, with variants targeting both Windows and Linux/VMware ESXi environments. Their consistent high volume suggests a well-organized operation with numerous active affiliates.

🥈 CL0P: The Supply Chain Specialist

January 2026 Victims: 93 (and climbing)
Notable Targets: Australian companies across IT, banking, healthcare
Threat Level: Critical

CL0P's return to the top 5 is significant. This group is notorious for mass exploitation campaigns targeting enterprise software vulnerabilities. Their exploitation of Oracle E-Business Suite flaws in late 2025 helped drive supply chain attacks to record levels.

Their latest campaign (details still emerging) has already claimed:

  • 11 Australia-based companies across IT, BFSI, construction, hospitality, professional services, and healthcare
  • A major US IT staffing company
  • A global hotel chain
  • A major media firm
  • A UK payment processor
  • A Canadian platinum mining company

CL0P tends to claim victims in clusters, making their campaigns particularly disruptive when they hit.

🥉 Akira: The Steady Performer

January 2026 Victims: 76
Notable Targets: Various across sectors
Threat Level: High

Akira has maintained consistent top-5 placement since emerging in March 2023. CISA issued warnings about the group in 2024, highlighting their targeting of critical infrastructure.

Key characteristics:

  • Targets both Windows and Linux environments
  • Known for exploiting VPN vulnerabilities (particularly Cisco)
  • Double extortion with data leak site
  • Professionally organized ransom negotiations

🆕 Sinobi: The Newcomer

January 2026 Victims: ~50+ (estimated top 5)
Notable Targets: Indian IT services company
Threat Level: Moderate-High (escalating)

A new entrant to the ransomware scene, Sinobi has quickly made a name for itself with aggressive targeting of IT service providers.

Their attack on an India-based IT services company was particularly concerning:

  • Claimed 150GB+ of data including contracts, financials, and customer information
  • Demonstrated access to Microsoft Hyper-V servers
  • Accessed multiple virtual machines, backups, and storage volumes

This is exactly the kind of supply chain attack that keeps CISOs up at night.

🆕 The Gentlemen: Emerging Threat

January 2026 Victims: ~40+ (estimated top 5)
Threat Level: Moderate (watch closely)

Little is publicly known about The Gentlemen, but their rapid climb to top-5 status indicates a well-resourced operation. Security researchers are actively analyzing their tactics and infrastructure.


Emerging Groups to Watch

Beyond the top 5, several new operations bear monitoring:

Green Blood

  • Newly launched onion leak site
  • Claimed victims in India, Senegal, Colombia
  • Uses .tgbg file extension for encrypted files
  • Ransom note: !!!READ_ME_TO_RECOVER_FILES!!!.txt
  • Active malware samples observed in the wild
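As an added example (not from the article or from Cyble's report), here is a defender-side sweep that looks for the two Green Blood indicators listed above and, more generally, for any directory in which many files have been renamed to a single unfamiliar extension, which is the pattern most encrypting families leave behind. The threshold, the allow-list of expected extensions, the constructed sample tree and the made-up `.zzz` extension are assumptions.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

# Indicators quoted in the article for Green Blood.
GREEN_BLOOD_EXT = ".tgbg"
GREEN_BLOOD_NOTE = "!!!READ_ME_TO_RECOVER_FILES!!!.txt"

# Heuristic settings (assumptions, tune per environment): a directory in which at
# least this many files share one extension outside the allow-list is suspect.
MASS_RENAME_THRESHOLD = 20
EXPECTED_EXTS = {".txt", ".docx", ".xlsx", ".pdf", ".jpg", ".png", ".csv", ".log"}


def sweep(root):
    """Walk root once; report known-IoC hits and directories showing a mass rename."""
    findings = {"ioc_files": [], "ransom_notes": [], "mass_rename": []}
    for dirpath, _dirs, files in os.walk(root):
        ext_counts = Counter()
        for name in files:
            ext = Path(name).suffix.lower()
            ext_counts[ext] += 1
            if name == GREEN_BLOOD_NOTE:
                findings["ransom_notes"].append(os.path.join(dirpath, name))
            if ext == GREEN_BLOOD_EXT:
                findings["ioc_files"].append(os.path.join(dirpath, name))
        # Generic heuristic: one unexpected extension dominating a directory.
        for ext, n in ext_counts.items():
            if ext and ext not in EXPECTED_EXTS and n >= MASS_RENAME_THRESHOLD:
                findings["mass_rename"].append((dirpath, ext, n))
    return findings


def build_sample_tree():
    """Constructed sample data: a clean share, a Green Blood-style hit, and a
    share hit by some other family that only the generic heuristic catches."""
    root = tempfile.mkdtemp(prefix="rw_sweep_")
    finance = Path(root, "finance")
    finance.mkdir()
    for i in range(5):
        (finance / f"report{i}.xlsx").write_bytes(b"ok")
    shared = Path(root, "shared")
    shared.mkdir()
    for i in range(25):
        (shared / f"contract{i}.pdf{GREEN_BLOOD_EXT}").write_bytes(b"\x00")
    (shared / GREEN_BLOOD_NOTE).write_text("constructed placeholder note")
    hr = Path(root, "hr")
    hr.mkdir()
    for i in range(30):
        (hr / f"file{i}.docx.zzz").write_bytes(b"\x00")  # ".zzz" is a made-up extension
    return root


if __name__ == "__main__":
    for kind, hits in sweep(build_sample_tree()).items():
        print(f"{kind}: {len(hits)}")
```

Run on a real file share the sweep should be scheduled and its output compared against a baseline, since a legitimate bulk conversion can also trip the mass-rename heuristic.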

DataKeeper (CrystalPartnership RaaS)

  • Innovative split-payment model builds affiliate trust
  • Windows-focused with RSA-4096 encryption
  • Features: in-memory execution, shadow copy deletion, network share targeting
  • Emphasizes security evasion capabilities

MonoLock

  • Revolutionary Beacon Object File (BoF) approach
  • Full in-memory execution reduces forensic artifacts
  • Custom Linux ELF-based BoF loader
  • "Zero Panel" model—no leak sites, silence as leverage
  • 20% revenue share, $500 entry fee
  • Active affiliate recruitment (runs through March 2026)

By the Numbers: Ransomware's Financial Reality

Understanding the economics of ransomware helps explain why it's so prevalent—and why defense is so critical.

The Attacker's Perspective

Metric                             | Value
-----------------------------------|-------------------
Global ransomware revenue (2024)   | $814 million
Average ransom payment (US, 2024)  | ~$490,000
Median ransom demand (2025)        | $1.3 million
Median actual payment (Q2 2025)    | $400,000
Payment rate                       | 26-32% of victims

Even with declining payment rates, the numbers work overwhelmingly in attackers' favor. If an affiliate launches 100 attacks and only 26 victims pay an average of $400,000, that's still $10.4 million in revenue—likely with minimal overhead.

The Defender's Perspective

Metric                                      | Value
--------------------------------------------|---------------
Global ransomware protection market (2024)  | $32.6 billion
Projected market (2034)                     | $123 billion
Annual growth rate                          | ~14%
Organizations with recovery costs >$1M      | 35%
Organizations with recovery costs >$5M      | 20%

The asymmetry is stark: organizations collectively spend tens of billions on protection, yet attackers continue to extract hundreds of millions annually.

The Human Cost

Beyond dollars, ransomware exacts a devastating human toll:

  • 100% of organizations with encrypted data report direct human impact
  • 48% of IT/security staff experience stress or anxiety about future attacks
  • 43% feel guilt for not stopping the attack
  • 40% face increased pressure from leadership
  • 36% see increased workloads post-incident
  • 31% have staff absences tied to stress or mental health
  • 25% of organizations replace leadership after an incident

Industry Impact Analysis

Not all sectors are equally targeted. Here's how ransomware is affecting different industries:

Healthcare: The Prime Target 🏥

January 2026 Incidents: 27 (highest of any sector)

Healthcare remains ransomware's favorite target for three reasons:

  1. Data value: Medical records sell for 10x more than financial data on dark web markets
  2. Operational urgency: Hospitals can't simply "go offline" without risking patient lives
  3. Limited security budgets: Many healthcare organizations operate on thin margins with outdated systems

Recent attacks:

  • ManageMyHealth (New Zealand): Kazu ransomware group breached the patient portal, exposing 120,000+ records including Medicare details and medical histories. Ransom demand: ~$60,000.
  • Denton County MHMR Center (US): Disclosed that a year-old attack exposed PHI of 108,967 patients including medical history, treatment info, insurance data, and biometric identifiers.
  • Laidley Family Doctors (Australia): Anubis group claimed access to names, gender, Medicare details, and medical histories.

Government: High-Value Targets 🏛️

January 2026 Incidents: 11

Government entities offer attackers access to sensitive citizen data, critical infrastructure controls, and entities that often lack the budget or technical expertise to mount robust defenses.

Recent attacks:

  • Leduc County (Canada): Christmas Day attack disabled email and IT systems
  • Italian Port Authority: Anubis claimed incident reports, logistics data, port infrastructure layouts, and audit results
  • Sedgwick Government Solutions (US): TridentLocker stole 3.4GB from a federal services contractor

Manufacturing: Supply Chain Ground Zero 🏭

January 2026 Incidents: 10+

Manufacturing combines high-value intellectual property (designs, blueprints, patents) with operationally critical systems that can't tolerate downtime.

Recent attacks:

  • US Telecom Equipment Manufacturer (Everest): 11GB of electrical schematics, PCB layouts, 3D design files
  • China Electronics Manufacturer (RansomHouse): CAD models, Gerber files, data affecting major tech and automotive brands
  • Hong Kong Components Manufacturer (INC Ransom): 200GB including data from 12+ major global brands
  • US Automotive Components (Nitrogen): 71GB of CAD drawings, accounts, invoices

IT Services: The Multiplier 💻

IT service providers, MSPs, and software vendors continue to be attractive targets due to their access to downstream customer environments.

Recent attacks:

  • India IT Services (Sinobi): Access to Hyper-V, VMs, backups—full infrastructure compromise
  • Global-e Payment Processor: Third-party breach exposed Ledger hardware wallet customers

Chart Data: Visualizing the Threat

For those creating presentations or reports, here's the data in chart-friendly format:

Ransomware Attacks by Month (Late 2025 - Early 2026)

Month         | Attacks | Change
--------------|---------|--------
January 2025  |   487   |   -
February 2025 |   512   |   +5%
March 2025    |   498   |   -3%
April 2025    |   523   |   +5%
May 2025      |   541   |   +3%
June 2025     |   509   |   -6%
July 2025     |   534   |   +5%
August 2025   |   498   |   -7%
September 2025|   506   |   +2%
October 2025  |   651   |   +29%  ⚠️
November 2025 |   689   |   +6%
December 2025 |   678   |   -2%
January 2026  |   679   |   +0%

Top Ransomware Groups (January 2026)

Group         | Victims | Market Share
--------------|---------|-------------
Qilin         |   115   |   17%
CL0P          |    93   |   14%
Akira         |    76   |   11%
Sinobi        |   ~50   |    7%
The Gentlemen |   ~40   |    6%
Other groups  |  ~305   |   45%

Industries Targeted (January 2026)

Industry               | Incidents | Percentage
-----------------------|-----------|------------
Healthcare             |    27     |   30%
Government             |    11     |   12%
Manufacturing          |    10     |   11%
IT/Technology          |     9     |   10%
Construction           |     8     |    9%
Professional Services  |     7     |    8%
Financial Services     |     6     |    7%
Retail                 |     5     |    5%
Other                  |     8     |    8%

Geographic Distribution (January 2026)

Country       | Percentage
--------------|------------
USA           |    58%
UK            |     8%
Australia     |     6%
Canada        |     5%
Germany       |     4%
France        |     3%
India         |     3%
Other (15+)   |    13%

Defense Strategies: Protecting Your Organization

Knowing the threat is only useful if you take action. Here's what security professionals recommend:

Immediate Actions (This Week)

  1. Verify Your Backups Actually Work
    • When did you last test a full restore?
    • Are backups air-gapped or immutable?
    • Do backups include critical system configurations, not just data?
    • How long would a full restoration take?
  2. Enable MFA Everywhere
    • Email accounts (primary phishing target)
    • VPN access (40% of attacks start here)
    • Admin portals and privileged accounts
    • Cloud services and SaaS applications
  3. Patch Critical Systems
    • VPN appliances (Cisco, Fortinet, etc.)
    • Exchange servers
    • Remote desktop services
    • Any internet-facing systems
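The backup questions in item 1 above become a repeatable check once they are written down as code. This added example (not from the article) backs up a constructed sample tree, restores it to scratch space, hash-verifies every restored file against a manifest, confirms that configuration paths were captured rather than just data, and times the restore; the paths, the manifest format and the missing `etc/firewall.rules` entry are assumptions.

```python
import hashlib
import tarfile
import tempfile
import time
from pathlib import Path


def sha256_file(path):
    """Stream the file through SHA-256 so large backups never load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(src_root, archive):
    """Tar src_root and return a {relative_path: sha256} manifest. In practice keep
    the manifest apart from the archive, on immutable storage."""
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(Path(src_root).rglob("*")):
            if p.is_file():
                rel = p.relative_to(src_root).as_posix()
                manifest[rel] = sha256_file(p)
                tar.add(str(p), arcname=rel)
    return manifest


def restore(archive, dest):
    """Full restore into a scratch directory; returns the elapsed seconds."""
    started = time.monotonic()
    with tarfile.open(archive, "r:gz") as tar:
        try:
            tar.extractall(dest, filter="data")  # rejects absolute and traversal paths
        except TypeError:  # older Python without the filter argument
            tar.extractall(dest)
    return time.monotonic() - started


def verify(dest, manifest, required_paths):
    """Hash-check every restored file and confirm the required config paths were captured."""
    result = {"missing": [], "mismatched": []}
    for rel, digest in manifest.items():
        p = Path(dest, rel)
        if not p.is_file():
            result["missing"].append(rel)
        elif sha256_file(p) != digest:
            result["mismatched"].append(rel)
    result["missing_config"] = [r for r in required_paths if r not in manifest]
    result["ok"] = not any(result[k] for k in ("missing", "mismatched", "missing_config"))
    return result


def demo():
    """Constructed sample tree; returns results for a clean restore, a tampered restore, and a config gap."""
    work = Path(tempfile.mkdtemp(prefix="bk_"))
    src, archive = work / "src", work / "full.tar.gz"
    (src / "data").mkdir(parents=True)
    (src / "etc").mkdir()
    (src / "data" / "customers.csv").write_text("id,name\n1,constructed\n")
    (src / "etc" / "app.conf").write_text("listen=127.0.0.1\n")
    manifest = create_backup(src, archive)
    restore(archive, work / "r1")
    clean = verify(work / "r1", manifest, ["etc/app.conf"])
    restore(archive, work / "r2")
    (work / "r2" / "data" / "customers.csv").write_text("tampered")  # simulate a bad restore
    corrupt = verify(work / "r2", manifest, ["etc/app.conf"])
    gap = verify(work / "r1", manifest, ["etc/app.conf", "etc/firewall.rules"])
    return clean, corrupt, gap
```

The elapsed time from `restore` is the number to record against your recovery-time objective; a restore that verifies but takes longer than the business can tolerate still fails the test.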

Short-Term Improvements (This Quarter)

  1. Implement Network Segmentation
    • Separate IT and OT networks
    • Isolate sensitive data stores
    • Limit lateral movement potential
    • Consider zero-trust architecture
  2. Deploy Endpoint Detection and Response (EDR)
    • Signature-based antivirus is insufficient
    • Need behavioral analysis for novel threats
    • Ensure coverage across all endpoints
    • Include servers, not just workstations
  3. Establish Incident Response Plan
    • Document who to call (legal, PR, insurance, law enforcement)
    • Define decision authority for ransom payment
    • Identify critical systems and recovery priorities
    • Conduct tabletop exercises quarterly

Long-Term Strategy (This Year)

  1. Security Awareness Training
    • Regular phishing simulations
    • Focus on recognizing social engineering
    • Emphasize reporting over punishment
    • Include executives (they're high-value targets)
  2. Third-Party Risk Management
    • Audit vendor security practices
    • Require security certifications (SOC 2, ISO 27001)
    • Limit vendor access to necessary systems only
    • Include security requirements in contracts
  3. Consider Cyber Insurance
    • Understand coverage limitations
    • Document security controls (insurers require this)
    • Know your deductible and coverage limits
    • Have pre-approved incident response vendors
  4. Adopt Zero Trust Principles
    • "Never trust, always verify"
    • Continuous authentication and authorization
    • Micro-segmentation
    • Least-privilege access

What to Do If You're Hit

Despite best efforts, attacks can still succeed. Here's a response framework:

First 30 Minutes

  1. Isolate affected systems - Disconnect from network but don't power off (preserves forensic evidence)
  2. Activate incident response team - Internal and external contacts
  3. Preserve evidence - Don't delete ransom notes or encrypted files
  4. Assess scope - What systems are affected? What data may be compromised?

First 24 Hours

  1. Engage legal counsel - Attorney-client privilege protects communications
  2. Notify cyber insurance - They often have pre-approved response vendors
  3. Report to law enforcement - FBI (IC3.gov), CISA (cisa.gov/report)
  4. Begin forensic investigation - How did they get in? What did they access?
  5. Communicate with stakeholders - Employees, board, customers as appropriate

Recovery Phase

  1. Evaluate ransom decision carefully
    • Payment doesn't guarantee data recovery (~80% get some data back)
    • May be legally problematic (OFAC sanctions)
    • Could fund future attacks against you or others
    • Consider alternatives: backups, decryption tools (nomoreransom.org)
  2. Restore from clean backups
    • Ensure backups aren't compromised
    • Rebuild systems rather than restoring if possible
    • Verify integrity before reconnecting to network
  3. Conduct post-incident review
    • What controls failed?
    • How can you prevent recurrence?
    • Update incident response plans
    • Share lessons learned (consider sharing with ISACs)

Looking Ahead: 2026 Predictions

Based on current trends, security experts anticipate:

The Bad News

  • Attack volumes will continue rising - RaaS economics remain favorable for attackers
  • AI-enhanced attacks will proliferate - Expect more convincing phishing and faster reconnaissance
  • Supply chain attacks will intensify - IT providers remain high-value targets
  • Critical infrastructure targeting will increase - Healthcare, energy, water utilities at elevated risk
  • Ransom demands may climb - Despite lower payment rates, successful payments remain lucrative

The (Somewhat) Good News

  • Law enforcement disruption operations continue - Multiple RaaS takedowns in 2024-2025
  • Payment rates are declining - Better backups and incident response reduce ransom dependency
  • International cooperation improving - Joint operations targeting ransomware infrastructure
  • Insurance requirements driving security improvements - Organizations implementing controls to qualify for coverage
  • Regulatory pressure increasing - Mandatory disclosure requirements improving transparency

Resources for Defenders

Free Tools

  • No More Ransom (nomoreransom.org) - Free decryption tools for 100+ ransomware variants
  • CISA Ransomware Guide - Federal guidance on prevention and response
  • Ransomware Task Force (IST) - Multi-stakeholder recommendations
  • ID Ransomware (id-ransomware.malwarehunterteam.com) - Identify ransomware variant from sample

Threat Intelligence

  • Cyble Research - Detailed group tracking and incident analysis
  • BlackFog State of Ransomware - Monthly disclosure tracking
  • Coveware Quarterly Reports - Payment and negotiation trends
  • Sophos State of Ransomware - Annual survey of defender experiences

Incident Response

  • FBI Internet Crime Complaint Center (IC3.gov) - Report incidents
  • CISA (cisa.gov/report) - Report vulnerabilities and incidents
  • Your cyber insurance carrier - Pre-approved response vendors

Conclusion: The New Normal Demands New Defenses

The 30% surge in ransomware attacks isn't a blip—it's the new baseline. With more than 100 active ransomware groups, AI-enhanced attack techniques, and RaaS platforms lowering the barrier to entry, organizations face an unprecedented threat landscape.

But this isn't a hopeless situation. The organizations that fare best will be those that:

  1. Accept reality - Ransomware is a "when," not "if" scenario
  2. Invest appropriately - Security budgets must match threat severity
  3. Focus on resilience - Assume breach, plan for recovery
  4. Stay informed - Monitor threat intelligence and adapt defenses
  5. Test continuously - Backups, incident response, security controls

The 679 victims in January 2026 represent real organizations—hospitals that couldn't access patient records, manufacturers whose production lines stopped, government agencies whose services were disrupted, and thousands of employees and customers whose personal information was exposed.

Don't be victim number 680.


Stay safe out there.

By Breached Company