Ransomware Attacks in February 2026: Monthly Report

Josh Amishav · Last updated Mar 01, 2026 · 7 Minute Reading Time

Which ransomware groups claimed the most victims in February 2026, which industries got hit hardest, and why one group’s 183 claims were fake.

• Qilin claimed 104 victims for the second straight month. That consistency means they have stable infrastructure.
• TheGentlemen nearly doubled from 41 to 78 victims. New groups can scale fast.
• Healthcare jumped from 40 to 93 victims in one month. If you’re in healthcare, review your credential exposure now.
• A group called 0APT claimed 183 victims but was exposed as a scam operation with made-up data. We excluded them from this report.

Breachsense tracked 680 companies claimed by ransomware groups in February 2026. That’s flat compared to January and 12% above the 2025 monthly average.

We compiled this data from ransomware groups’ own leak sites where they publicly list victims. The numbers reflect claimed victims, not confirmed breaches. Some claims are exaggerated or duplicated across groups.

54 distinct ransomware groups were active in February. A group called 0APT claimed an additional 183 victims, but multiple threat intelligence firms confirmed the claims were fake. We’ve excluded 0APT from this report entirely.

Here’s what the February 2026 numbers tell us.

February 2026 ransomware numbers at a glance

You’ll see “leak site” throughout this report. Breachsense monitors these sites continuously. Here’s what the term means.

Ransomware leak sites are dark web pages where ransomware operators publish stolen data from victims who refuse to pay. Most modern ransomware groups use double extortion. They steal your data before encrypting it, then threaten to leak it publicly.

Here’s what February 2026 looked like:

  • 680 victim companies claimed across ransomware leak sites
  • 54 active ransomware groups (down slightly from January’s 58)
  • 72 countries affected (up from 60 in January)
  • 63 industries represented
  • Roughly flat compared to January’s 677 victims
  • 12% above the 2025 monthly average

After two months, 2026 is pacing toward roughly 8,100 victims for the year. That would be an 11% increase over 2025’s total of 7,308.

A note on 0APT: a group by that name claimed 183 additional victims in February. We excluded them from this report after multiple threat intelligence firms confirmed the operation was a scam. More on that below.

Most active ransomware groups: February 2026

Qilin held the number one spot again with 104 victims. TheGentlemen nearly doubled their January numbers.

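| Rank | Group | Victims | % of Total |
| --- | --- | --- | --- |
| 1 | Qilin | 104 | 15.3% |
| 2 | TheGentlemen | 78 | 11.5% |
| 3 | CL0P | 49 | 7.2% |
| 4 | Play | 44 | 6.5% |
| 5 | INC_RANSOM | 39 | 5.7% |
| 6 | Akira | 39 | 5.7% |
| 7 | LockBit | 34 | 5.0% |
| 8 | DragonForce | 30 | 4.4% |
| 9 | INSOMNIA | 25 | 3.7% |
| 10 | NightSpire | 25 | 3.7% |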

The top 10 groups accounted for 467 victims (68.7%). The remaining 44 groups split the other 213.

Qilin posted 104 victims, consistent with their 107 in January. Two months running at 100+ victims makes them the most consistent high-volume operation right now. That usually means stable infrastructure and a reliable supply of affiliates.

TheGentlemen jumped from 41 to 78 victims. We flagged them as a group to watch in January. They’re growing fast. By the week of February 14-20, TheGentlemen hit the number-one weekly spot with 25 victims in a single week.

LockBit nearly tripled from 12 victims in January to 34 in February. That’s still well below their peak before the 2024 law enforcement disruption, but it’s a real jump. Whether this is a comeback or a one-month blip is worth watching.

Akira dropped from 71 to 39. Sinobi fell harder, from 56 in January to just 18 victims. Ransomware groups are volatile. A top-five finish one month means nothing the next.

The 0APT scam

A group calling itself 0APT appeared in late January and claimed 183 victims in February. Multiple threat intelligence firms investigated and concluded the operation was fraudulent:

  • GuidePoint found no evidence supporting any victim claims. The lists contained fabricated company names mixed with recognizable organizations.
  • Kela called it a “likely scam operation.”
  • Data samples provided by the group contained files filled with zero bytes.
  • Downloads from their leak site were throttled so severely they’d take over 7,000 days to complete.
  • The group’s supposed ransomware executable was created in 2011 and last updated three years ago. No ransom notes have ever been tied to the group.

0APT charged 1 bitcoin to join their affiliate program.

This is a good reminder that not everything posted on a leak site is real. Threat intelligence requires verification, not just aggregation. We’ve excluded 0APT from all counts in this report and removed their fake claims from our database.
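
A triage sketch for two of the tells listed above (zero-filled samples and throttled downloads), added here as an example; it is not Breachsense's or any cited firm's tooling. The function names, thresholds and sample bytes are assumptions constructed for illustration.

```python
import io
import math
from collections import Counter

def sample_stats(stream, chunk_size=1 << 20):
    """Size, zero-byte fraction and Shannon entropy (bits/byte) of a binary stream."""
    counts = Counter()
    while chunk := stream.read(chunk_size):
        counts.update(chunk)          # iterating bytes yields ints 0..255
    n = sum(counts.values())
    if n == 0:                        # an empty file is no proof of data either
        return {"size": 0, "zero_fraction": 1.0, "entropy": 0.0}
    entropy = -sum(c / n * math.log2(c / n) for c in counts.values())
    return {"size": n, "zero_fraction": counts[0] / n, "entropy": entropy}

def download_days(total_bytes, bytes_per_second):
    """Days needed to pull the advertised archive at the observed throughput."""
    if bytes_per_second <= 0:
        return math.inf
    return total_bytes / bytes_per_second / 86_400

def triage(samples, claimed_bytes, observed_bps, zero_threshold=0.95, max_days=365):
    """Return the reasons (possibly none) to doubt a leak-site claim.

    samples maps a file name to an open binary stream. The thresholds are
    illustrative assumptions, not values taken from the report.
    """
    reasons = []
    for name, stream in samples.items():
        s = sample_stats(stream)
        if s["zero_fraction"] >= zero_threshold:
            reasons.append(f"{name}: {s['zero_fraction']:.0%} of {s['size']} bytes are zero")
    days = download_days(claimed_bytes, observed_bps)
    if days > max_days:
        reasons.append(f"full download would take about {days:,.0f} days")
    return reasons

# Constructed inputs: a zero-filled "proof" file and a file with real byte variety.
ZERO_FILLED = b"\x00" * 4096
VARIED = bytes(range(256)) * 16

if __name__ == "__main__":
    # Constructed claim: 500 GB advertised, 800 bytes/s observed.
    print(triage({"proof.xlsx": io.BytesIO(ZERO_FILLED)}, 500 * 10**9, 800))
    # Constructed claim: same size, 5 MB/s observed, sample has varied content.
    print(triage({"proof.xlsx": io.BytesIO(VARIED)}, 500 * 10**9, 5_000_000))
```

An empty result only means neither tell was observed; it does not confirm that the claim is real.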

Countries most targeted by ransomware

The US remained the primary target by a wide margin.

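| Rank | Country | Victims | % of Total |
| --- | --- | --- | --- |
| 1 | United States | 441 | ~65% |
| 2 | United Kingdom | 44 | 6.5% |
| 3 | Canada | 29 | 4.3% |
| 4 | France | 27 | 4.0% |
| 5 | Brazil | 23 | 3.4% |
| 6 | Germany | 21 | 3.1% |
| 7 | Italy | 21 | 3.1% |
| 8 | Japan | 20 | 2.9% |
| 9 | India | 19 | 2.8% |
| 10 | Thailand | 14 | 2.1% |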

Brazil entered the top ten with 23 victims. It wasn’t on the list in January. Latin America had a rough month overall. Chile (9), Mexico (12), Colombia (5), and Argentina (5) added another 34 victims on top of Brazil’s count.

Japan also cracked the top ten with 20 victims. Combined with South Korea (5), Taiwan (12), and China (9), East Asian companies accounted for 46 victims.

72 countries were hit in total, up from 60 in January. The reach keeps growing. February victims included companies in Fiji and Namibia.

Industries hit hardest

Manufacturing held the top spot. But the real story is healthcare.

Double extortion ransomware is an attack where criminals steal your data before encrypting it. If you restore from backups and refuse to pay, they threaten to publish the stolen data on leak sites. This makes backups alone an incomplete defense.

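| Rank | Industry | Victims | Change from Jan |
| --- | --- | --- | --- |
| 1 | Manufacturing | 94 | +37 |
| 2 | Healthcare | 93 | +53 |
| 3 | Legal | 48 | +16 |
| 4 | IT | 46 | +20 |
| 5 | Construction | 44 | |
| 6 | Technology | 41 | |
| 7 | Finance | 37 | +3 |
| 8 | Consumer Goods | 33 | +2 |
| 9 | Engineering | 25 | +1 |
| 10 | Government | 23 | +1 |
| 11 | Real Estate | 22 | new in top 15 |
| 12 | Automotive | 21 | +2 |
| 13 | Logistics | 19 | new in top 15 |
| 14 | Metal | 18 | new in top 15 |
| 15 | Education | 17 | -3 |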

Healthcare went from 40 victims in January to 93 in February. That’s a 133% increase in one month. Healthcare was the fourth most targeted industry in January. Now it’s virtually tied for first. Hospitals and clinics hold patient records and clinical systems that can’t go offline. That makes them ideal extortion targets. CISA’s StopRansomware initiative tracks these attacks across all sectors.

Legal services jumped from 32 to 48 victims. Like healthcare, law firms hold data their clients can’t afford to see published. The extortion power is the data itself, not the encryption.

IT companies (46 victims) are worth watching because they’re often a vector into their clients’ environments. Compromising an MSP or IT services firm can lead to dozens of downstream victims.

New and rising groups

DragonForce (30 victims): Not new, but 30 victims is a big month for them. DragonForce started as a hacktivist operation but has shifted to ransomware for money.

INSOMNIA (25 victims): Tied with NightSpire at 25 victims. A newer group that’s growing steadily.

NightSpire (25 victims): We flagged them in January when they had 20 victims. They kept it up in February.

ShinyHunters (10 victims): Previously known primarily as a data theft and sales operation rather than a ransomware group. Their appearance on leak sites suggests they’ve added encryption to their playbook, or they’re partnering with ransomware affiliates.

Month over month: what changed

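| Metric | January | February | Change |
| --- | --- | --- | --- |
| Total victims | 677 | 680 | +0.4% |
| Active groups | 58 | 54 | -6.9% |
| Countries hit | 60 | 72 | +20% |
| Industries hit | 61 | 63 | +3.3% |
| Top group’s share | 15.8% (Qilin) | 15.3% (Qilin) | -0.5pp |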

The victim count held steady while the geographic spread widened. Fewer groups were active but they hit more countries. Qilin stayed on top by a wide margin.

The biggest shift was in industry targeting. Healthcare went from fourth place to a near-tie for first. Whether that holds or drops back down will become clearer in March.

What security teams should do

February’s numbers aren’t spiking, but they aren’t dropping either. This pace is normal now.

If you’re in healthcare: Your industry more than doubled in one month. That’s not a gradual trend you can plan around. Check whether your organization’s credentials or your vendors’ credentials have already been leaked. The attackers buying that access right now won’t wait for your next quarterly review.

If your name shows up on a leak site: Don’t panic. Verify first. The 0APT scam showed that fake claims happen. Check whether actual data was exposed before you spin up incident response.

Everyone else: Most ransomware starts with stolen credentials, not zero-days. Attackers buy logins from infostealer malware logs, then take days or weeks to move through your network before deploying ransomware. Dark web monitoring catches credentials in that window, while there’s still time to reset passwords and kill sessions.

Methodology

This data reflects publicly claimed victims only. The actual number of attacks is higher because:

  • Many victims pay before being listed publicly
  • Some groups operate private negotiation channels without public leak sites
  • Not all ransomware attacks involve data theft or public claims

We excluded 0APT’s 183 claims after multiple threat intelligence firms confirmed they were fabricated. See the 0APT section above for details.

When multiple groups claim the same victim, we count it once. Industry and country are based on the company’s primary business and headquarters.

This report covers February 1-28, 2026. Data was collected from Breachsense’s continuous monitoring of ransomware leak sites.


This is part of a monthly threat brief series from Breachsense. See our January 2026 report for comparison. For real-time ransomware and credential monitoring, book a demo.

February 2026 Ransomware FAQ

Breachsense tracked 680 companies listed on ransomware leak sites in February 2026, from 54 distinct groups across 72 countries. We excluded 183 bogus claims from 0APT, a confirmed scam. The actual number of real attacks is likely higher since many victims pay before being publicly listed.

Qilin claimed 104 victims in February 2026, holding the top spot for the second month in a row. TheGentlemen were second with 78 victims, nearly doubling their January count of 41. CL0P placed third with 49 victims.

The United States accounted for the majority of ransomware victims in February 2026. The UK was second, followed by Canada and France. Brazil entered the top ten for the first time, as did Japan.

Manufacturing companies were the most targeted sector in February 2026 with 94 victims. Healthcare was a close second with 93, more than doubling its January total of 40. Legal services had 48 victims and IT had 46.

February’s pace was consistent with January and 12% above the 2025 monthly average of 609. After two months, 2026 is on track for roughly 8,100 victims, an 11% increase over 2025’s total of 7,308.

A group calling itself 0APT claimed 183 victims in February 2026, but multiple threat intelligence firms including GuidePoint and Kela confirmed it was a scam. The group posted fake victim lists and provided data samples filled with zero bytes. Downloads were throttled to take thousands of days. The group charged 1 bitcoin to join their affiliate program.

Most ransomware groups buy stolen credentials from infostealer malware logs rather than breaking in themselves. There’s often a gap of days to weeks between when credentials are stolen and when ransomware gets deployed. Monitoring for leaked credentials can help you catch and reset them before attackers use them.
