Ransomware Attacks in February 2026: Monthly Report
Which ransomware groups claimed the most victims in February 2026, which industries got hit hardest, and why one group’s 183 claims were fake.
• Qilin claimed 104 victims for the second straight month. That consistency means they have stable infrastructure.
• TheGentlemen nearly doubled from 41 to 78 victims. New groups can scale fast.
• Healthcare jumped from 40 to 93 victims in one month. If you’re in healthcare, review your credential exposure now.
• A group called 0APT claimed 183 victims but was exposed as a scam operation with made-up data. We excluded them from this report.
Breachsense tracked 680 companies claimed by ransomware groups in February 2026. That’s flat compared to January and 12% above the 2025 monthly average.
We compiled this data from ransomware groups’ own leak sites where they publicly list victims. The numbers reflect claimed victims, not confirmed breaches. Some claims are exaggerated or duplicated across groups.
54 distinct ransomware groups were active in February. A group called 0APT claimed an additional 183 victims, but multiple threat intelligence firms confirmed the claims were fake. We’ve excluded 0APT from this report entirely.
Here’s what the February 2026 numbers tell us.
February 2026 ransomware numbers at a glance
You’ll see “leak site” throughout this report. Breachsense monitors these sites continuously. Here’s what the term means.
Ransomware leak sites are dark web pages where ransomware operators publish stolen data from victims who refuse to pay. Most modern ransomware groups use double extortion. They steal your data before encrypting it, then threaten to leak it publicly.
Here’s what February 2026 looked like:
- 680 victim companies claimed across ransomware leak sites
- 54 active ransomware groups (down slightly from January’s 58)
- 72 countries affected (up from 60 in January)
- 63 industries represented
- Roughly flat compared to January’s 677 victims
- 12% above the 2025 monthly average
After two months, 2026 is pacing toward roughly 8,100 victims for the year. That would be an 11% increase over 2025’s total of 7,308.
A note on 0APT: a group by that name claimed 183 additional victims in February. We excluded them from this report after multiple threat intelligence firms confirmed the operation was a scam. More on that below.
Most active ransomware groups: February 2026
Qilin held the number one spot again with 104 victims. TheGentlemen nearly doubled their January numbers.
| Rank | Group | Victims | % of Total |
|---|---|---|---|
| 1 | Qilin | 104 | 15.3% |
| 2 | TheGentlemen | 78 | 11.5% |
| 3 | CL0P | 49 | 7.2% |
| 4 | Play | 44 | 6.5% |
| 5 | INC_RANSOM | 39 | 5.7% |
| 6 | Akira | 39 | 5.7% |
| 7 | LockBit | 34 | 5.0% |
| 8 | DragonForce | 30 | 4.4% |
| 9 | INSOMNIA | 25 | 3.7% |
| 10 | NightSpire | 25 | 3.7% |
The top 10 groups accounted for 467 victims (68.7%). The remaining 44 groups split the other 213.
Qilin posted 104 victims, consistent with their 107 in January. Two months running at 100+ victims makes them the most consistent high-volume operation right now. That usually means stable infrastructure and a reliable supply of affiliates.
TheGentlemen jumped from 41 to 78 victims. We flagged them as a group to watch in January. They’re growing fast. By the week of February 14-20, TheGentlemen hit the number-one weekly spot with 25 victims in a single week.
LockBit nearly tripled from 12 victims in January to 34 in February. That’s still well below their peak before the 2024 law enforcement disruption, but it’s a real jump. Whether this is a comeback or a one-month blip is worth watching.
Akira dropped from 71 to 39. Sinobi fell harder, from 56 in January to just 18 victims. Ransomware groups are volatile. A top-five finish one month means nothing the next.
The 0APT scam
A group calling itself 0APT appeared in late January and claimed 183 victims in February. Multiple threat intelligence firms investigated and concluded the operation was fraudulent:
- GuidePoint found no evidence supporting any victim claims. The lists contained fabricated company names mixed with recognizable organizations.
- Kela called it a “likely scam operation.”
- Data samples provided by the group contained files filled with zero bytes.
- Downloads from their leak site were throttled so severely they’d take over 7,000 days to complete.
- The group’s supposed ransomware executable was created in 2011 and last updated three years ago. No ransom notes have ever been tied to the group.
0APT charged 1 bitcoin to join their affiliate program.
This is a good reminder that not everything posted on a leak site is real. Threat intelligence requires verification, not just aggregation. We’ve excluded 0APT from all counts in this report and removed their fake claims from our database.
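As an added example (not Breachsense's tooling and not code from the original report), the Python below applies two of the indicators listed above to a downloaded "proof" sample: files filled with zero bytes, and a download rate so low the claimed archive could never be retrieved. The file names, the 0.99 threshold, and the 500 GB / 800 bytes-per-second figures are constructed assumptions.

```python
import math
import os
import tempfile
from collections import Counter

def byte_stats(path, chunk_size=1 << 20):
    """Return (size, zero_ratio, entropy in bits per byte) for one file."""
    counts, size = Counter(), 0
    with open(path, "rb") as fh:
        while chunk := fh.read(chunk_size):
            counts.update(chunk)
            size += len(chunk)
    if size == 0:
        return 0, 0.0, 0.0
    entropy = sum(c / size * math.log2(size / c) for c in counts.values())
    return size, counts[0] / size, entropy

def triage_sample(directory, zero_threshold=0.99):
    """Classify every file in a sample directory by its byte content."""
    report = {}
    for root, _dirs, files in os.walk(directory):
        for name in sorted(files):
            path = os.path.join(root, name)
            size, zero_ratio, entropy = byte_stats(path)
            verdict = "zero-filled" if zero_ratio >= zero_threshold else "has-content"
            if size == 0:
                verdict = "empty"
            report[os.path.relpath(path, directory)] = (verdict, size, round(entropy, 2))
    return report

def download_days(claimed_bytes, observed_bytes_per_sec):
    """Days needed to fetch the claimed archive at the observed throughput."""
    return claimed_bytes / observed_bytes_per_sec / 86400

def build_constructed_sample():
    """Constructed test data: one padded file and one file with real text."""
    d = tempfile.mkdtemp(prefix="leak_sample_")
    with open(os.path.join(d, "finance_2025.xlsx"), "wb") as fh:
        fh.write(b"\x00" * 4096)
    with open(os.path.join(d, "readme.txt"), "wb") as fh:
        fh.write(b"Constructed placeholder text, not real leak data.\n" * 20)
    return d

if __name__ == "__main__":
    for name, result in triage_sample(build_constructed_sample()).items():
        print(name, result)
    print(round(download_days(500e9, 800)), "days")  # constructed: 500 GB at 800 B/s
```

A sample where most files come back `zero-filled` or `empty` carries no evidence that data was taken, whatever the file names suggest.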
Countries most targeted by ransomware
The US remained the primary target by a wide margin.
| Rank | Country | Victims | % of Total |
|---|---|---|---|
| 1 | United States | 441 | ~65% |
| 2 | United Kingdom | 44 | 6.5% |
| 3 | Canada | 29 | 4.3% |
| 4 | France | 27 | 4.0% |
| 5 | Brazil | 23 | 3.4% |
| 6 | Germany | 21 | 3.1% |
| 7 | Italy | 21 | 3.1% |
| 8 | Japan | 20 | 2.9% |
| 9 | India | 19 | 2.8% |
| 10 | Thailand | 14 | 2.1% |
Brazil entered the top ten with 23 victims. It wasn’t on the list in January. Latin America had a rough month overall. Chile (9), Mexico (12), Colombia (5), and Argentina (5) added another 34 victims on top of Brazil’s count.
Japan also cracked the top ten with 20 victims. Combined with South Korea (5), Taiwan (12), and China (9), East Asian companies accounted for 46 victims.
72 countries were hit in total, up from 60 in January. The reach keeps growing. February victims included companies in Fiji and Namibia.
Industries hit hardest
Manufacturing held the top spot. But the real story is healthcare.
Double extortion ransomware is an attack where criminals steal your data before encrypting it. If you restore from backups and refuse to pay, they threaten to publish the stolen data on leak sites. This makes backups alone an incomplete defense.
| Rank | Industry | Victims | Change from Jan |
|---|---|---|---|
| 1 | Manufacturing | 94 | +37 |
| 2 | Healthcare | 93 | +53 |
| 3 | Legal | 48 | +16 |
| 4 | IT | 46 | +20 |
| 5 | Construction | 44 | – |
| 6 | Technology | 41 | – |
| 7 | Finance | 37 | +3 |
| 8 | Consumer Goods | 33 | +2 |
| 9 | Engineering | 25 | +1 |
| 10 | Government | 23 | +1 |
| 11 | Real Estate | 22 | new in top 15 |
| 12 | Automotive | 21 | +2 |
| 13 | Logistics | 19 | new in top 15 |
| 14 | Metal | 18 | new in top 15 |
| 15 | Education | 17 | -3 |
Healthcare went from 40 victims in January to 93 in February. That’s a 133% increase in one month. Healthcare was the fourth most targeted industry in January. Now it’s virtually tied for first. Hospitals and clinics hold patient records and clinical systems that can’t go offline. That makes them ideal extortion targets. CISA’s StopRansomware initiative tracks these attacks across all sectors.
Legal services jumped from 32 to 48 victims. Like healthcare, law firms hold data their clients can’t afford to see published. The extortion power is the data itself, not the encryption.
IT companies (46 victims) are worth watching because they’re often a vector into their clients’ environments. Compromising an MSP or IT services firm can lead to dozens of downstream victims.
New and rising groups
DragonForce (30 victims): Not new, but 30 victims is a big month for them. DragonForce started as a hacktivist operation but has shifted to ransomware for money.
INSOMNIA (25 victims): Tied with NightSpire at 25 victims. A newer group that’s growing steadily.
NightSpire (25 victims): We flagged them in January when they had 20 victims. They kept it up in February.
ShinyHunters (10 victims): Previously known primarily as a data theft and sales operation rather than a ransomware group. Their appearance on leak sites suggests they’ve added encryption to their playbook, or they’re partnering with ransomware affiliates.
Month over month: what changed
| Metric | January | February | Change |
|---|---|---|---|
| Total victims | 677 | 680 | +0.4% |
| Active groups | 58 | 54 | -6.9% |
| Countries hit | 60 | 72 | +20% |
| Industries hit | 61 | 63 | +3.3% |
| Top group’s share | 15.8% (Qilin) | 15.3% (Qilin) | -0.5pp |
The victim count held steady while the geographic spread widened. Fewer groups were active but they hit more countries. Qilin stayed on top by a wide margin.
The biggest shift was in industry targeting. Healthcare went from fourth place to a near-tie for first. Whether that holds or drops back down will become clearer in March.
What security teams should do
February’s numbers aren’t spiking, but they aren’t dropping either. This pace is normal now.
If you’re in healthcare: Your industry more than doubled in one month. That’s not a gradual trend you can plan around. Check whether your organization’s credentials or your vendors’ credentials have already been leaked. The attackers buying that access right now won’t wait for your next quarterly review.
If your name shows up on a leak site: Don’t panic. Verify first. The 0APT scam showed that fake claims happen. Check whether actual data was exposed before you spin up incident response.
Everyone else: Most ransomware starts with stolen credentials, not zero-days. Attackers buy logins from infostealer malware logs, then take days or weeks to move through your network before deploying ransomware. Dark web monitoring catches credentials in that window, while there’s still time to reset passwords and kill sessions.
Methodology
This data reflects publicly claimed victims only. The actual number of attacks is higher because:
- Many victims pay before being listed publicly
- Some groups operate private negotiation channels without public leak sites
- Not all ransomware attacks involve data theft or public claims
We excluded 0APT’s 183 claims after multiple threat intelligence firms confirmed they were fabricated. See the 0APT section above for details.
When multiple groups claim the same victim, we count it once. Industry and country are based on the company’s primary business and headquarters.
This report covers February 1-28, 2026. Data was collected from Breachsense’s continuous monitoring of ransomware leak sites.
This is part of a monthly threat brief series from Breachsense. See our January 2026 report for comparison.
