The ransomware landscape keeps shifting, but one threat actor remains consistently at the top: the Qilin group. NCC Group's data for January 2026 puts Qilin behind 108 of the 651 ransomware attacks recorded that month, 17% of the total, or roughly one in six. That keeps Qilin at the front of the cybercrime ecosystem, building on the notoriety it earned with the crippling 2024 attack on Synnovis, a pathology services partner to the UK's National Health Service (NHS).
January's figure is down from December 2025 (170 attacks), but NCC Group notes that this is a typical seasonal pattern, with ransomware activity generally dipping at the start of the year. Matt Hull, NCC's vice-president of cyber intelligence and response, cautioned against reading the decrease as a sign of diminishing risk. "Given the scale and disruption of 2025, this pattern could be an early signal that 2026 may follow a similar path," Hull stated. "Organisations should not mistake the month-on-month drop for a decline in risk."
Qilin’s recent targets underscore its preference for organizations in critical infrastructure and industrial sectors. Within the past few days, the ransomware group claimed responsibility for a breach affecting the Local 100 Chapter of the Transport Workers Union of America (TWU), potentially exposing the personal data of 41,000 current and 26,000 former employees of New York City’s public transport system. This attack highlights Qilin’s strategy of targeting entities where operational disruption and sensitive data exposure can maximize pressure for ransom payments.
The Qilin Ransomware-as-a-Service Model
Qilin has been operating for approximately three and a half years, initially known as Agenda before rebranding. The group employs a standard Ransomware-as-a-Service (RaaS) model, meaning they develop and maintain the ransomware tools while recruiting affiliates to deploy them. This RaaS model allows Qilin to expand its reach and impact without directly executing all attacks. Affiliates benefit from access to sophisticated ransomware, while Qilin profits from a share of the ransom payments. This distributed approach makes attribution and disruption more challenging for law enforcement.
Geographically, the United States remains the primary target for Qilin attacks, with 333 known victims as of last autumn, according to data compiled by Cisco Talos. Canada, the United Kingdom (with approximately 24 known victims at the time of the Talos report), France, and Germany also feature prominently among affected countries. Hull explained that North America’s concentration of attacks is driven by a combination of “geopolitical factors, economic incentives and broad digital exposure,” making it a particularly attractive target for financially motivated cybercriminals.
Beyond Qilin: The Broader Ransomware Threat Landscape
While Qilin currently leads the pack, other ransomware operations remain active and pose significant threats. In January 2026, NCC Group identified Akira as the second most active group, responsible for 68 known attacks. Sinobi followed with 56 attacks, while INC Ransom and Cl0p conducted 47 and 46 attacks, respectively. The industrials sector was the most frequently victimized, accounting for 32% of all reported ransomware activity, followed by consumer discretionary (23%) and IT (11%). This sectoral breakdown underscores the vulnerability of critical infrastructure and businesses that handle large volumes of consumer data.
The Fragmented and Evolving Nature of Ransomware
A key challenge in tracking and mitigating ransomware is the increasingly fragmented landscape. NCC Group's Threat Pulse report highlights how hard it has become to produce accurate threat intelligence under the RaaS model: several threat actors can operate under the same brand, and affiliates often work with more than one RaaS operation at a time. Recent research cited by NCC has even found shared cryptocurrency cash-out addresses tying different ransomware gangs to a common affiliate, so a "group" count may really be counting the same operators under different names.
This decentralization is further complicated by the tendency of ransomware groups to reinvent and rebrand themselves, often in response to pressure from law enforcement or internal conflicts. The recent case of 0APT, which generated significant buzz in January, serves as a cautionary tale. NCC Group noted that 0APT’s initial claims were largely exaggerated and quickly debunked. This incident illustrates the importance of verifying information and avoiding hasty conclusions in the rapidly evolving threat landscape.
Adding to the complexity, the timing of attack reporting and discovery is often inconsistent. For example, a Qilin attack on a US healthcare system, Covenant Health, was linked to the group in January 2026, but the actual breach occurred in May 2025. These distorted timelines can misrepresent the true operational tempo of ransomware gangs and create artificial spikes in activity data. A similar situation occurred in the summer of 2023 when Cl0p’s mass publication of MOVEit victims significantly skewed NCC Group’s reporting.
To address these challenges, NCC Group is consolidating multiple threat feed aggregators into a centralized database. This database will undergo rigorous processing, filtering, deduplication, and enrichment to provide a more accurate picture of the ransomware landscape. The goal is to better distinguish between confirmed and reported listings, and to identify recycled or fabricated claims, like those initially made by 0APT.
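The processing NCC describes (consolidating feeds, deduplicating, separating confirmed from merely reported listings, and not letting a late listing of an old breach read as new activity) is essentially a normalisation pipeline over leak-site posts. The Python below is an added illustration written for this page, not NCC Group's code or data. The feed names, victim names, alias table and dates are all constructed; the one record whose incident date (May 2025) is months before its posting date (January 2026) is a fictional stand-in for the Covenant Health timeline described above.

```python
"""Constructed example: merging ransomware leak-site listings from several feeds.

Collapses duplicates by (group, normalised victim name), keeps the earliest
posting date, tracks which feeds corroborate a listing, and counts activity
both by posting month and by incident month so that a late listing of an old
breach does not show up as a new spike.
"""
import re
from collections import Counter
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

# Hypothetical alias table: brands that renamed or are tracked under two names.
GROUP_ALIASES = {"agenda": "qilin"}

# Corporate suffixes that feeds include inconsistently ("Inc." vs nothing).
_SUFFIXES = re.compile(r"\b(inc|llc|ltd|corp|plc|co)\b\.?")


def normalize_victim(name: str) -> str:
    """Lower-case, drop punctuation and corporate suffixes, collapse whitespace."""
    key = re.sub(r"[^a-z0-9 ]+", " ", name.lower())
    key = _SUFFIXES.sub(" ", key)
    return " ".join(key.split())


def normalize_group(name: str) -> str:
    """Map a brand name to its canonical tracked name via the alias table."""
    key = name.strip().lower()
    return GROUP_ALIASES.get(key, key)


@dataclass
class Listing:
    source: str                    # which aggregator/feed reported it
    group: str
    victim: str
    posted: date                   # date the leak-site post was observed
    incident: Optional[date] = None  # breach date, if known from a disclosure
    confirmed: bool = False        # independently confirmed (filing, statement)


@dataclass
class Record:
    group: str
    victim_key: str
    victim: str
    first_posted: date
    incident: Optional[date]
    confirmed: bool
    sources: Set[str] = field(default_factory=set)


def merge(listings: List[Listing]) -> List[Record]:
    """Collapse listings from all feeds into one record per (group, victim)."""
    records: Dict[Tuple[str, str], Record] = {}
    for l in listings:
        key = (normalize_group(l.group), normalize_victim(l.victim))
        rec = records.get(key)
        if rec is None:
            records[key] = Record(key[0], key[1], l.victim, l.posted,
                                  l.incident, l.confirmed, {l.source})
            continue
        rec.first_posted = min(rec.first_posted, l.posted)
        rec.incident = rec.incident or l.incident   # keep any known breach date
        rec.confirmed = rec.confirmed or l.confirmed
        rec.sources.add(l.source)
    return list(records.values())


def monthly_counts(records: List[Record], by: str = "posted") -> Dict[str, int]:
    """Count records per YYYY-MM by posting month, or by incident month where
    one is known (falling back to the posting month otherwise)."""
    counts: Counter = Counter()
    for r in records:
        d = r.incident if (by == "incident" and r.incident) else r.first_posted
        counts[f"{d.year:04d}-{d.month:02d}"] += 1
    return dict(counts)


def unverified(records: List[Record]) -> List[Record]:
    """Listings seen in only one feed and not confirmed: report these separately
    rather than folding them into headline totals."""
    return [r for r in records if len(r.sources) == 1 and not r.confirmed]


# Constructed sample input (fictional organisations, fictional feeds).
SAMPLE = [
    Listing("feed_a", "Qilin", "Example Logistics, Inc.", date(2026, 1, 8)),
    Listing("feed_b", "qilin", "Example Logistics Inc", date(2026, 1, 9)),   # same victim
    Listing("feed_a", "Agenda", "Northwind Hospital Group", date(2026, 1, 12),
            incident=date(2025, 5, 20), confirmed=True),                   # old breach, listed late
    Listing("feed_b", "Akira", "Contoso Plastics Ltd.", date(2025, 12, 30)),
    Listing("feed_a", "Akira", "Contoso Plastics", date(2026, 1, 2)),        # same victim
    Listing("feed_a", "0APT", "Fabrikam Bank", date(2026, 1, 15)),           # single source, unconfirmed
]

if __name__ == "__main__":
    recs = merge(SAMPLE)
    print(len(recs), "unique records from", len(SAMPLE), "listings")
    print("by posting month: ", monthly_counts(recs, "posted"))
    print("by incident month:", monthly_counts(recs, "incident"))
    print("unverified:", [r.victim for r in unverified(recs)])
```

Counting by posting month puts the fictional hospital in January 2026; counting by incident month moves it back to May 2025, which is the correction NCC is describing. The alias and suffix tables are deliberately tiny and would need to be maintained against real feeds, and corroboration by two feeds is only weak evidence, since aggregators frequently scrape one another.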
The ongoing evolution of ransomware demands a proactive and adaptive approach to cybersecurity. Organizations must prioritize robust security measures, including regular data backups, employee training, and vulnerability management. Staying informed about the latest threats and collaborating with cybersecurity experts are also crucial steps in mitigating the risk of ransomware attacks. The threat from groups like Qilin is not diminishing, and vigilance remains paramount.
NCC Group's next ransomware threat landscape update is scheduled for release in March 2026 and will cover emerging trends and the evolving tactics of ransomware groups.