Ransomware roundup: January 2026

2026 kicked off with more ransomware attacks than usual: 711 in total. While slightly lower than the total recorded in December 2025 (783), January’s figure is still significantly higher than 2025’s monthly average of 620 and 33 percent higher than January 2025’s figure of 534.

Attacks on manufacturers, which have seen huge increases in recent months, plateaued in January 2026. Finance and tech companies appear to be the focus now. Attacks rose 24 and 12 percent in these sectors, respectively.

The United Kingdom saw a significant increase in attacks in January 2026 (when compared to December 2025). Here, we noted 42 attacks, which is an 83 percent increase on the figure noted in December (23). Canada also saw an increase (up 5%), while the United States saw a decline (down 8%), as did Germany (down 38%).

Please note: A new ransomware gang named 0APT started making claims in January 2026, adding over 80 victims. However, when we analyzed many of its claims, many attacks couldn’t be verified. Many ransomware trackers have since removed the group, including Comparitech. Therefore, none of these claims have been included in the stats below.

Key findings for January 2026

  • 711 attacks in total — 50 confirmed attacks (confirmed by the entity involved)
  • Of the 50 confirmed attacks:
    • 34 were on businesses
    • 10 were on government entities
    • 6 were on healthcare companies
    • 0 were on educational institutions
  • Of the 661 unconfirmed attacks*:
    • 593 were on businesses
    • 21 were on government entities
    • 30 were on healthcare companies
    • 16 were on educational institutions
  • The most prolific ransomware gangs were Qilin (108), Clop (90), and Akira (72)
  • Qilin had the most confirmed attacks (6), followed by The Gentlemen (5), and Akira, INC, and LockBit (3 each)
  • Over 104 TB of data was stolen across all of these attacks
  • The US saw the most attacks (329), followed by Canada (45), the UK (42), and Germany (21 each)

*One attack was on an unknown company that couldn’t be attributed to a specific sector.

Ransomware attacks by sector

Healthcare


Attacks on healthcare providers decreased by 27 percent from December 2025 to January 2026, dropping from 49 to 36. The number of confirmed attacks increased, however, rising from five to six.

Two of the confirmed attacks on the healthcare sector were carried out in the US. Mt. Spokane Pediatrics was targeted by LockBit and Pecan Tree Dental by Sinobi. Pecan Tree Dental has already started notifying 13,300 people of a breach following this attack in which Sinobi says it stole 250 GB of data.

This month, Lynx claimed the January 2026 attack against Lakelands Public Health in Canada. The attack disrupted internal systems, including phone lines, but data breach investigations are ongoing.

Constantia Pharmacy in South Africa, AZ Monica in Belgium, and Özel Edremit Körfez Hastanesi in Turkey were also hit by unknown hackers. The attack on AZ Monica was particularly disruptive with operations being canceled and patients being transferred to other hospitals with the help of the Red Cross. AZ Monica refused to pay the ransom.

Lynx lists Lakelands Public Health on its data leak site.

Government


Attacks on government entities remained almost level in January 2026 when compared to December 2025, with 30 attacks in December and 31 attacks in January. 10 attacks in January have been confirmed so far.

The Gentlemen claimed responsibility for two of the confirmed attacks – Ayuntamiento de Beniel in Spain and Witzenberg Municipality in South Africa. LockBit claimed an attack on Nagoya Port Authority in Japan and Qilin claimed an attack on Tulsa International Airport in the US. Furthermore, Senegal’s Direction de l’Automatisation des Fichiers has just confirmed its national ID card department was breached following an attack last month. The Green Blood Group claimed this attack and the theft of 139 GB of data.

Three other US entities also confirmed attacks, but none of these have been claimed by hackers at the time of writing:

  • City of Midway, Florida
  • Winona County, Minnesota
  • City of New Britain, Connecticut

German government transport company, Verkehrsgesellschaft Main-Tauber, was also targeted by unknown hackers, as was Concello de Sanxenxo in Spain. Sanxenxo’s hackers demanded $5,000, which wasn’t paid.

Education


Attacks on the education sector dropped by 45 percent from December 2025 to January 2026, falling from 29 to 16. No attacks were confirmed in January 2026, while 10 were confirmed in December 2025.

No confirmed attacks have been noted in January 2026 as of yet, but a number of significant data breaches were reported in this sector last month. They include:

  • Clackamas Community College – notifying 33,381 people of a breach from October 2025. Medusa demanded a $300,000 ransom for 1.21 TB of stolen data.
  • Trocaire College – notifying 23,436 people of a breach from March 2025. INC claimed the attack after allegedly stealing 310 GB of data.
  • Portland Public Schools – notifying 12,128 people of a breach from February 2025. RansomHub claimed the attack after allegedly stealing 110 GB of data.

Medusa lists Clackamas Community College on its data leak site.

Businesses


Attacks on businesses decreased by seven percent from December 2025 to January 2026, falling from 675 to 627. 34 attacks have been confirmed on global businesses throughout January 2026.

As previously noted, two sectors in particular became the focus of hackers throughout January 2026 – finance and tech.

Attacks on finance companies increased by 24 percent, rising from 37 in December 2025 to 46 in January 2026. Two attacks in January 2026 have been confirmed so far – Beacon Mutual Insurance Company in the US and Rogers Capital Credit in Mauritius. The Bank of Mauritius is currently warning customers of the breach on Rogers Capital with client records, including IDs, banking information, and credit details, thought to have been impacted. The Gentlemen claimed this attack on Rogers Capital, while INC claimed the attack on Beacon.

Tech companies saw a 12 percent increase in attacks with five confirmed attacks noted here:

  • CONCEPTNET GmbH, Germany – unknown hackers
  • CANVASs Co., Ltd., Japan – unknown hackers
  • Distinctive Systems, United Kingdom – claimed by INC
  • Elabs AG, Germany – claimed by Rhysida with a $392,000 ransom (unpaid)
  • Iron Mountain, US – claimed by Everest with 1.4 TB allegedly stolen. Iron Mountain confirmed the breach was mostly limited to market materials and that no ransomware was launched on its systems

Retailers also saw a seven percent increase in attacks. Four of these were confirmed: Kowa Emori Company, Ltd., Japan (hackers unknown), Cooperativa de Hostelería de Navarra, Spain (Qilin), BUHLMANN North America LP, US (Akira), and the Gady Family, Austria (The Gentlemen).

The most prolific ransomware strains in January 2026

Continuing its onslaught from 2025, Qilin dominated with the most claims in January 2026 (108 in total). Of these attacks, six were confirmed.

As well as Cooperativa de Hostelería de Navarra, Spain, and Tulsa International Airport, US (noted above), Qilin also claimed attacks on Y.C.C. Parts MFG Co., Ltd., Taiwan, HARTE-BAVENDAMM Rechtsanwälte PartG mbB, Germany, Kouei Co., Ltd., Japan, and Herren Caflisch Rutsch – Notariat & Verwaltungen, Switzerland.

Clop was close behind Qilin with 90 attacks in total, but none of these were confirmed. Akira had the third-highest number of claims (72) and three of these were confirmed. They include BUHLMANN North America LP (noted above); Zurflüh-Feller, France; and Travelmarket A/S, Denmark.

It was ransomware gang The Gentlemen that had the highest ratio of confirmed attacks to unconfirmed attacks. Targeted organizations acknowledged five confirmed attacks across 48 claims in total. In addition to those mentioned above (Ayuntamiento de Beniel, Witzenberg Municipality, Gady Family, and Rogers Capital Credit), The Gentlemen also claimed an attack on Polish manufacturer, Wamtechnik sp. z o.o.

When it comes to the amount of data stolen, Sinobi claimed the most with over 13.6 TB in total. But the biggest individual claim on a confirmed attack was Everest’s claim on Iron Mountain (1.4 TB). Interlock also alleged it had stolen 1.29 TB in its attack on UK architectural firm, Urban Edge Architecture.

January 2026 ransomware attacks by country

The US accounted for the most attacks in January 2026, with 329 in total. However, this figure declined just over eight percent on December 2025’s total of 359. This decrease follows the same trend we noticed across all of the attacks, suggesting the level of attacks in the US remains at a similar level going into 2026.

It appears to be a different story in the UK, however. Here, attacks increased significantly, rising from 23 in December 2025 to 42 in January 2026. Two of these attacks have been confirmed and are noted above (Urban Edge Architecture and Distinctive Systems). Attacks in the UK predominantly targeted businesses. Nine hit service-based businesses and eight struck manufacturers. Six technology companies and five educational institutions were also targeted.

Australia also saw an increase in attacks, up 50 percent from 10 in December 2025 to 15 in January 2026. None of the attacks in January have been confirmed yet.

In contrast, Germany and France saw significant decreases in attacks, dropping by 38 and 42 percent, respectively. Five attacks were confirmed in Germany. Alongside CONCEPTNET GmbH, HARTE-BAVENDAMM Rechtsanwälte PartG mbB, Elabs AG, and Verkehrsgesellschaft Main-Tauber, noted above, clothing manufacturing company, V. FRAAS GmbH, also confirmed an attack. This was claimed by Rhysida with a $320,000 demand, which wasn’t paid.

One attack was confirmed in France – Zurflüh-Feller (noted above).

Confirmed vs unconfirmed attacks

We label a ransomware attack as “confirmed” when a) the targeted organization publicly discloses an attack that involved ransomware, or b) the targeted organization publicly acknowledges a cyber attack that coincides with a claim made by a ransomware group. If a ransomware group claims that it successfully attacked an organization, but the organization never acknowledged an attack, then we label the attack as “unconfirmed”.

An attack might be unconfirmed because the ransomware group making the claim is lying, or because the targeted organization chose not to disclose the attack to the public. Ransomware groups post their attack claims on their respective websites, where the data is auctioned or released when organizations don’t meet their ransom demands.

Organizations in the US are required to disclose data breaches, which often result from ransomware attacks, to state officials when they meet certain thresholds. Not all countries have breach disclosure laws.

When an attack is confirmed, it is removed from our list of unconfirmed attacks. Therefore, we must allow for some changes in figures when comparing monthly figures, especially when using unconfirmed attacks. This is because claims from ransomware groups often come a month after the attack was carried out, if not longer. For example, if a ransomware gang claims an attack in January 2026, it may later be confirmed as an attack in December 2025 and will, therefore, be attributed to a different month.

You can view all attacks from 2018 to present via our worldwide ransomware tracker.