State of Ransomware: February 2026

Published 1 March 2026 · ThreatVectr Intelligence

781+9%
Claimed attacks
vs 714 the month before
55
Groups active
68
Countries affected
71
Busiest day
7 February

Ransomware groups claimed 781 attacks on organisations worldwide in February 2026, up 9% on the previous month's 714. 55 distinct groups posted at least one victim during the month, across 68 countries. The busiest single day was 7 February, with 71 victims listed.

Qilin was the most active operation of the month, claiming 114 victims — 15% of all listings. The Gentlemen (84) and Cl0p (79) followed. 7 groups appeared for the first time, including Payload, Auditteam, Shadowbyt3$, Cipherforce.

Manufacturing bore the heaviest targeting, with 117 claimed victims, ahead of Technology (111) and Business Services (92). By geography, United States accounted for 360 claims — 46% of the month — with Germany (38) and Canada (35) next.

Claims per day — February 2026

Most active groups

  1. 1Qilin·114
  2. 2The Gentlemen484
  3. 3Cl0p279
  4. 4Akira263
  5. 5Play347
  6. 6NightSpire342
  7. 7INC Ransom341
  8. 8DragonForce736
  9. 9LockBit935
  10. 10Vect3020

First seen this month:Payload, Auditteam, Shadowbyt3$, Cipherforce, Prinzeugen, Kittykatkrew, Atomsilo

Most-targeted sectors

  1. 1Manufacturing117
  2. 2Technology111
  3. 3Business Services92
  4. 4Construction52
  5. 5Financial Services52
  6. 6Healthcare52
  7. 7Consumer Services48
  8. 8Transportation/Logistics38
  9. 9Agriculture and Food Production28
  10. 10Hospitality and Tourism26

Most-affected countries

  1. 1United States360
  2. 2Germany38
  3. 3Canada35
  4. 4Italy21
  5. 5Brazil19
  6. 6France19
  7. 7United Kingdom18
  8. 8Australia17
  9. 9Spain15
  10. 10India15

Every figure in this report counts a claim posted to a criminal leak site, observed via the monitoring service ransomware.live. A listing is an extortion tactic, not a confirmed breach: some claims are exaggerated, some are duplicates under new branding, and a few are outright false. Companies named in listings have not necessarily confirmed any incident, and ThreatVectr does not publish victim names from this dataset.

Cite this report

This report is free to cite and reproduce with attribution. Suggested citation:

ThreatVectr, “State of Ransomware: February 2026”, https://threatvectr.com/ransomware-tracker/reports/february-2026

Journalists and researchers: for questions about the data or methodology, contact the newsdesk.

Most ransomware starts with one email

The groups in this report overwhelmingly get in through phishing. Train2Secure runs realistic phishing simulations and short training that teach your team to spot the lure.

Start free — no card required
© 2026 Threat Vectr