Executive Summary

In February 2026, ransomware activity remained significantly elevated, with a total of 784 reported victims worldwide, reflecting sustained operational tempo among leading ransomware groups. Activity continued to demonstrate concentration in digitally mature economies, with the United States accounting for 327 victims, maintaining its position as the most impacted geography.

Manufacturing, Technology, and Healthcare once again ranked among the most heavily targeted industries. However, a substantial portion of incidents (316 victims) lacked confirmed sector attribution, highlighting ongoing visibility gaps in underground reporting channels.

The February data indicates continued operational efficiency among ransomware operators, steady geographic diversification, and persistent targeting of operationally sensitive sectors. The ransomware-as-a-service (RaaS) ecosystem remains structurally resilient, with high-volume campaigns sustained across multiple regions.

Key Points

A total of 784 ransomware victims were recorded globally in February 2026.

Ransomware activity increased by approximately 11.7% from January to February 2026

The United States accounted for 327 victims, remaining the primary target region.

“Not Found” sector classification accounted for 316 victims, indicating incomplete attribution.

Among confirmed sectors, Technology (92 victims), Manufacturing (67), and Healthcare (57) were the most targeted.

Construction and Financial Services each recorded 38 victims.

Canada (31 victims) and Germany (30 victims) were the most impacted countries after the United States.

Ransomware activity remained concentrated in developed economies with mature digital infrastructure.

Ransomware Activity – February 2026

Ransomware activity in February 2026 demonstrated sustained global reach, with victim counts heavily concentrated in North America and Western Europe.

Ransomware activity in February 2026 was led by Qilin, which recorded the highest victim count with 115 incidents, reinforcing its position as the most dominant threat actor of the month. TheGentlemen (89 victims) and Clop (79 victims) followed, demonstrating substantial operational scale and sustained affiliate engagement. Akira (47 victims) remained active but was overtaken by higher-volume operators, while Play and Incransom each recorded 42 victims, contributing meaningfully to overall activity levels.

Several upper-mid-tier groups maintained strong momentum, including Nightspire (40 victims), Dragonforce (37), and LockBit5 (34), reflecting a competitive and densely populated threat landscape. Emerging or steadily active groups such as Insomnia (25), Vect (19), and Sinobi (18) further diversified the ecosystem, while numerous smaller collectives recorded single-digit victim counts. The distribution highlights a concentrated yet expanding ransomware environment, where a handful of high-volume operators drive the majority of incidents, supported by a broad base of mid- and lower-tier actors sustaining consistent campaign activity across multiple sectors and regions.

Ransomware Activity – January 2026 vs February 2026

Ransomware activity increased from 702 victims in January 2026 to 784 victims in February 2026, reflecting an approximate 11.7% month-over-month rise in reported incidents. Ransomware activity in February 2026 demonstrated continued consolidation among leading threat actors, alongside notable accelerations in operational tempo compared to January 2026. Qilin maintained its dominant position, increasing from 109 victims in January to 115 in February, reinforcing its status as the most active group for a second consecutive month. The most significant surge was observed from The Gentlemen, which nearly doubled its activity from 47 to 89 victims, signaling rapid affiliate expansion and growing operational capacity. Clop also recorded a substantial increase from 46 to 79 incidents, while DragonForce (9 to 37), LockBit5 (8 to 34), and NightSpire (20 to 40) demonstrated strong upward momentum, indicating aggressive campaign scaling and possible affiliate migration toward these platforms.

Conversely, some established actors experienced relative slowdowns. Akira declined from 58 to 47 victims, and Incransom showed a slight decrease from 45 to 42, suggesting either tactical recalibration or intensified defensive resistance in previously targeted sectors. Play continued its gradual rise from 35 to 42 incidents, maintaining steady operational pressure. Notably, Insomnia emerged in February with 25 recorded victims after no confirmed activity in January, highlighting ongoing ecosystem volatility and the entrance of new or rebranded actors. Overall, February 2026 reflected heightened competition, expanding affiliate realignments, and accelerating campaign volumes among leading ransomware groups, underscoring a dynamic and rapidly evolving threat landscape.

Industry Impact in February 2026 – Ransomware Continues to Target Critical Sectors

In February 2026, ransomware attacks continued to concentrate on high-value and operationally essential industries.

Technology recorded the highest confirmed victim count (92), followed by Manufacturing (67) and Healthcare (57). These sectors remain attractive due to reliance on uptime, regulatory obligations, intellectual property exposure, and supply-chain interdependencies.

Construction and Financial Services each recorded 38 victims, indicating continued targeting of capital-intensive and compliance-heavy environments. Transportation/Logistics (30 victims) and Business Services (28 victims) also experienced notable disruption.

Public Sector (24 victims) and Education (17 victims) remained consistent secondary targets, reflecting the persistent vulnerability of government and academic institutions.

A significant proportion of incidents (316 victims) fell under “Not Found,” highlighting ongoing limitations in publicly disclosed sector data.

Overall, the distribution reinforces attackers’ preference for industries where operational disruption directly translates into increased ransom leverage.

Geographical Distribution of Victims

The United States remained the most targeted country in February 2026, accounting for 327 victims. North America continued to represent the epicenter of ransomware activity.

Western Europe also experienced sustained targeting, particularly Germany (30 victims), Italy (22), France (16), and the United Kingdom (17). Asia-Pacific regions, including Japan (15), Australia (15), India (14), and China (7), maintained consistent exposure.

Latin America saw measurable activity in Brazil (16), Mexico (9), Chile (8), and Colombia (4). Middle Eastern nations such as the United Arab Emirates (6) and Saudi Arabia (3) also recorded incidents.

A total of 61 countries were impacted globally. However, 126 incidents were categorized as “Not found/others,” reflecting incomplete geographic attribution in public leak disclosures.

Threat actors continued prioritizing regions with advanced digital infrastructure, higher ransom payment capacity, and mature enterprise environments.

Major Ransomware Breaches Across Global Sectors – February 2026

During February 2026, ransomware activity spanned multiple critical industries and regions:

Technology & Software Services – North America & Europe 
Technology firms remained primary targets, particularly managed IT providers, SaaS platforms, and digital service companies. Exposed credentials, misconfigured cloud services, and VPN vulnerabilities were frequently cited access vectors.

Manufacturing & Industrial Operations – United States & Germany 
Industrial organizations faced continued extortion campaigns involving theft of engineering documentation, supplier contracts, and production system data. Operational disruption remained a primary pressure mechanism.

Healthcare & Medical Services – Multi-region 
Healthcare institutions experienced breaches involving patient data, billing systems, and administrative records. Phishing and remote access exploitation were commonly observed attack methods.

Financial Services & Construction – Global 
Financial institutions and construction firms were targeted for access to transactional data, project documentation, and internal financial records. Supply-chain dependencies amplified extortion leverage.

These incidents underscore ransomware groups’ ongoing emphasis on data exfiltration, operational disruption, and reputational pressure to maximize financial return.

Recommendations – February 2026 Ransomware Outlook

To mitigate ongoing ransomware threats, organizations should continue strengthening defensive resilience through layered controls:

Deploy advanced EDR/XDR solutions and continuously monitor for indicators of compromise.

Enforce rapid patch management for VPNs, cloud services, and exposed applications.

Implement strong MFA and least-privilege access controls.

Segment enterprise networks to limit lateral movement.

Maintain offline, encrypted, and regularly tested backup systems.

Conduct regular incident response and ransomware simulation exercises.

Conclusion

The ransomware landscape in February 2026 reflected continued operational stability and sustained targeting of digitally mature economies. The United States remained disproportionately affected, while Western Europe and Asia-Pacific regions experienced consistent activity.

Sectoral distribution confirms ongoing prioritization of Technology, Manufacturing, and Healthcare, alongside strong targeting of Financial Services and Construction.

Although comprehensive threat group data for February was not included in this dataset, victim distribution patterns indicate sustained campaign activity and persistent exploitation of exposed services and access control weaknesses.

Ransomware remains a persistent, adaptive, and strategically driven threat, continuing to evolve in geographic reach and sectoral focus.

Ransomware Report - February 2026