State of Ransomware: January 2026

Published 1 February 2026 · ThreatVectr Intelligence

714-11%
Claimed attacks
vs 802 the month before
56
Groups active
67
Countries affected
65
Busiest day
25 January

Ransomware groups claimed 714 attacks on organisations worldwide in January 2026, down 11% on the previous month's 802. 56 distinct groups posted at least one victim during the month, across 67 countries. The busiest single day was 25 January, with 65 victims listed.

Qilin was the most active operation of the month, claiming 112 victims — 16% of all listings. Akira (65) and Sinobi (55) followed. 3 groups appeared for the first time, including Cmdorganization, Linkc, Sicarii.

Manufacturing bore the heaviest targeting, with 112 claimed victims, ahead of Technology (94) and Business Services (80). By geography, United States accounted for 337 claims — 47% of the month — with United Kingdom (29) and Canada (25) next.

Claims per day — January 2026

Most active groups

  1. 1Qilin·112
  2. 2Akira265
  3. 3Sinobi255
  4. 4INC Ransom448
  5. 5Cl0p4346
  6. 6The Gentlemen1034
  7. 7Devman130
  8. 8Play230
  9. 9NightSpire1629
  10. 10Tengu4628

First seen this month:Cmdorganization, Linkc, Sicarii

Most-targeted sectors

  1. 1Manufacturing112
  2. 2Technology94
  3. 3Business Services80
  4. 4Healthcare51
  5. 5Construction50
  6. 6Consumer Services46
  7. 7Financial Services40
  8. 8Public Sector28
  9. 9Transportation/Logistics26
  10. 10Agriculture and Food Production23

Most-affected countries

  1. 1United States337
  2. 2United Kingdom29
  3. 3Canada25
  4. 4Germany22
  5. 5Italy22
  6. 6Spain21
  7. 7France19
  8. 8India18
  9. 9Taiwan13
  10. 10Brazil12

Every figure in this report counts a claim posted to a criminal leak site, observed via the monitoring service ransomware.live. A listing is an extortion tactic, not a confirmed breach: some claims are exaggerated, some are duplicates under new branding, and a few are outright false. Companies named in listings have not necessarily confirmed any incident, and ThreatVectr does not publish victim names from this dataset.

Cite this report

This report is free to cite and reproduce with attribution. Suggested citation:

ThreatVectr, “State of Ransomware: January 2026”, https://threatvectr.com/ransomware-tracker/reports/january-2026

Journalists and researchers: for questions about the data or methodology, contact the newsdesk.

Most ransomware starts with one email

The groups in this report overwhelmingly get in through phishing. Train2Secure runs realistic phishing simulations and short training that teach your team to spot the lure.

Start free — no card required
© 2026 Threat Vectr