Ransomware roundup: February 2026

Despite February being the shortest month of the year, ransomware attacks across the globe remained high. 685 attacks were recorded in February 2026, following 718 in January 2026.

Attacks on the healthcare sector jumped last month, rising by 30 percent from 37 in January to 48 in February. But it was the transportation sector that saw the biggest influx in attacks last month, increasing by 39 percent from 23 in January to 32 in February.

Manufacturers remain a key target (120 attacks in February), but the sector continues to see a decline in attacks this year. This perhaps suggests that hackers are also shifting their focus toward transport companies who, like manufacturers, can ill afford system downtime.

Even though there was no change when it comes to the most dominant group (Qilin), there is one gang that’s gaining notoriety and credibility through its claims – The Gentlemen. While it was just behind Qilin with total claims (84 compared to 104), both Qilin and The Gentlemen each had five of their attacks confirmed by their targets.

The Gentlemen appears to have a wider global focus. Over half of Qilin’s attacks (55) were carried out on US organizations last month, but only six attacks on US organizations were claimed by The Gentlemen. Rather, the most targeted country for The Gentlemen was Thailand with 11 attacks in total. The Gentlemen was also confirmed as the gang behind three attacks on the Brazilian education sector.

Key findings for February 2026

• 685 attacks in total — 38 confirmed attacks (confirmed by the entity involved)
• Of the 38 confirmed attacks:
  • 24 were on businesses
  • 4 were on government entities
  • 5 were on healthcare companies
  • 5 were on educational institutions
• Of the 647 unconfirmed attacks*:
  • 572 were on businesses
  • 19 were on government entities
  • 43 were on healthcare companies
  • 11 were on educational institutions
• The most prolific ransomware gangs were Qilin (104) and The Gentlemen (84)
• Qilin and The Gentlemen had the most confirmed attacks (5 each)
• Over 89.5 TB of data was stolen across all of these attacks
• The US saw the most attacks (333), followed by Canada (33), Brazil (24), and Italy (23)

*Two attacks were on unknown companies that couldn’t be attributed to a specific sector.

Ransomware attacks by sector

Healthcare

One of last month’s most disruptive attacks was carried out on the University of Mississippi Medical Center in the United States. It was targeted on February 19 with clinics only reopening yesterday (March 2). At this moment in time, UMMC’s hackers remain unknown.

Another US healthcare entity, Lymphedema Therapy Specialists, Inc., also confirmed it had suffered an attack in February and started notifying patients of a breach. INC claimed the attack at the time.

Elsewhere, Nippon Medical School Musashi Kosugi Hospital in Japan confirmed over 130,000 people had been impacted in a breach last month following an attack via NetRunnerPR. The gang is said to have demanded 15 billion yen (USD $10 million), which the hospital refused to pay.

Unknown hackers also targeted a Turkish healthcare company (Maremar K.Maraş Manyetik Rezonans Teşhis Merkezi ve Sağlık Hizmetleri Tic. ve San. AŞ), while Qilin claimed an attack on a German senior care company, RENAFAN GmbH.

Government

Unknown hackers targeted a German municipal company, Werkstatt Bremen. The attack also impacted the work of the Bremen police as the organization is responsible for maintaining the computer technology of the police evidence unit.

Medusa issued the Italian municipality, Comune di Battipaglia, with a $200,000 ransom following its attack last month. And The Gentlemen claimed an attack on Chile’s ⁠Instituto Nacional de Derechos Humanos.

Romania’s national oil pipeline operator, CONPET S.A., also confirmed it had been targeted in an attack. Qilin claimed this and alleged to have stolen 1 TB of data. While its business IT infrastructure was impeded by the attack, its operations continued as normal.

Education

Three of last month’s confirmed attacks were on Brazilian educational institutions. Centro Universitário Filadélfia (UniFil) and Universidade Federal de Sergipe were both targeted by The Gentlemen, while an attack on ​Fundação Getulio Vargas was claimed by DragonForce at the start of this month.

The Gentlemen was also said to be responsible for an attack on CHS Villach in Austria. The school said the attack was stopped quickly, therefore allowing it to prevent a data breach. The Gentlemen has yet to publicly claim the attack – but if data wasn’t stolen, it may not add the school to its data leak site.

Lastly, servers were blocked at Italy’s Sapienza Università di Roma for over two weeks following an attack at the start of February, which was attributed to Bablock.

Businesses

As we’ve already noted, one sector saw a significant increase in attacks last month – transportation.

32 attacks in total were recorded on transport companies last month, which is a 39 percent increase on January’s figure of 23. Three of February’s attacks were confirmed:

• Graneles de Chile S.A. – Qilin claimed this attack
• Air Côte d’Ivoire – INC claimed this attack after allegedly stealing 208.35 GB of data
• Hegelmann Group, Germany – Lynx claimed this attack

Other sectors with noticeable increases are healthcare companies (those operating within the healthcare sector but not providing direct care) and construction companies.

Healthcare-based businesses saw an 18 percent increase overall. One attack on medical device manufacturer UFP Technologies was confirmed. Some IT systems were disrupted and files were stolen. The hackers remain unknown.

37 attacks on construction companies were registered in February, up from 33 in January. None have been confirmed, though.

In contrast, manufacturers saw a significant decline in attacks again last month, dropping by 19 percent from 148 in January to 120 in February. Five of February’s attacks were confirmed, including an attack on global semiconductor manufacturer Advantest Corporation in Japan.

The most prolific ransomware strains in February 2026

Qilin continues to take the top spot, but one gang is hot on its tail – The Gentlemen.

Qilin claimed 104 attacks in February 2026 with five of these being confirmed. The Gentlemen was just behind with its total number of claims (84) but equalled Qilin’s number of confirmed claims.

As well as the three confirmed attacks noted above (CONPET S.A., Graneles de Chile S.A., and RENAFAN GmbH), Qilin was also responsible for attacks on Anabuki Housing Service Co., Ltd. in Japan and Kroll International, LLC in the US.

The Gentlemen had three of its attacks confirmed on the education sector (noted above) and one on a government organization (⁠Instituto Nacional de Derechos Humanos – also noted above), but it also claimed an attack on Taiwan’s five-star hotel, the Grand Hotel Taipei.

Akira, Play, and INC followed Qilin and The Gentlemen for the most claims last month (just over 40 each). No attacks have been confirmed for Akira or Play but INC had three of its attacks confirmed. As well as Air Côte d’Ivoire and Lymphedema Therapy Specialists, Inc., INC also claimed an attack on Japan-based company, JA Akita Kita Life Service Co., Ltd.

February 2026 ransomware attacks by country

The US remained the top target last month with attacks also remaining consistently high (327 noted in February, compared to 328 noted in January).

Significant increases in attacks were noted in Brazil (up 140 percent), Thailand (up 80 percent), and India (up 73 percent).

The Gentlemen was responsible for the highest number of attacks in Brazil (6), Thailand (11), and India (3) last month. VECT also claimed a high number of attacks in Brazil and India.

In contrast, attacks in the UK dropped significantly last month (falling from 42 in January to 14 in February). This followed a sharp rise in attacks in January from December (up to 42 from 23 in December 2025).

Attacks in Canada (down 28 percent), Germany (down 26 percent), and Spain (down 20 percent) also saw significant declines.

Confirmed vs unconfirmed attacks

We label a ransomware attack as “confirmed” when a) the targeted organization publicly discloses an attack that involved ransomware, or b) the targeted organization publicly acknowledges a cyber attack that coincides with a claim made by a ransomware group. If a ransomware group claims that it successfully attacked an organization, but the organization never acknowledged an attack, then we label the attack as “unconfirmed”.

An attack might be unconfirmed because the ransomware group making the claim is lying, or because the targeted organization chose not to disclose the attack to the public. Ransomware groups post their attack claims on their respective websites, where the data is auctioned or released when organizations don’t meet their ransom demands.

Organizations in the US are required to disclose data breaches, which often result from ransomware attacks, to state officials when they meet certain thresholds. Not all countries have breach disclosure laws.

When an attack is confirmed, it is removed from our list of unconfirmed attacks. Therefore, we must allow for some changes in figures when comparing monthly figures, especially when using unconfirmed attacks. This is due to claims from ransomware groups often coming a month later than the attack was carried out–if not longer. For example, if a ransomware gang claims an attack in January 2026, it may later be confirmed as an attack in December 2025 and will, therefore, be attributed to a different month.

You can view all attacks, from 2018 to present via our worldwide ransomware tracker here.