TRACKING RANSOMWARE : FEBRUARY 2026

Published On : 2026-03-18

EXECUTIVE SUMMARY

The February 2026 ransomware landscape reflects a mature and highly adaptive threat ecosystem shaped by distributed operations, evolving access strategies, and targeted value extraction. Activity remained elevated, supported by sustained year-on-year growth and continued concentration on high-impact sectors, such as professional services, manufacturing, and information technology. Rather than relying solely on exploit-driven intrusions, threat actors increasingly leveraged credential compromise, remote access services, and brokered access models, operating within a fragmented cybercriminal supply chain where roles such as initial access brokers, affiliates, and extortion operators are clearly separated. Campaigns demonstrated a shift toward stealth and persistence, including the abuse of legitimate administrative tools, use of long-lived access mechanisms, and advanced defence evasion techniques, such as ‘Bring Your Own Valuable Driver’ (BYOVD). At the same time, rapid weaponization of enterprise software vulnerabilities and the use of cloud and virtualized infrastructure enabled scalable and resilient operations. Geographically, activity remained heavily concentrated in the United States and Western Europe while continuing to expand across Asia-Pacific and emerging markets, reflecting a globally distributed and opportunistic threat. Overall, ransomware in February 2026 is best characterized as a structured, service-driven criminal economy that prioritizes operational access, stealth, and monetization efficiency over purely disruptive malware deployment.

INTRODUCTION

Welcome to the Feb 2026 Ransomware Threat Report. This report delivers a detailed analysis of the ransomware landscape, highlighting the emergence of new ransomware groups, evolving attack techniques, and notable shifts in targeted industries. By examining key trends, tactics, and significant incidents, this report aims to support organizations and security teams in understanding the current threat environment. As ransomware campaigns continue to grow in complexity, this report serves as a vital resource for anticipating future threats and strengthening proactive cybersecurity strategies.

KEY POINTS

  • Ransomware actors increasingly use credential compromise and remote access services (VPNs, remote support tools) instead of purely exploit-driven entry.
  • The ecosystem operates as a distributed criminal supply chain, with initial access brokers, affiliates, and extortion operators performing separate roles.
  • Attackers increasingly abuse legitimate enterprise tools to blend malicious activity with normal administrative operations.
  • Enterprise software vulnerabilities (email servers, remote access platforms, virtualization systems) are rapidly weaponized for initial access.
  • Defense evasion is improving, including techniques like BYOVD to disable endpoint security.
  • Ransomware infrastructure increasingly relies on cloud and virtualized hosting environments to scale operations and obscure attribution.
  • The ecosystem is becoming more fragmented with many active extortion groups, replacing earlier dominance by a few major RaaS operators.
  • Some ransomware operations now exhibit espionage-style tradecraft, including stealthy persistence and longer dwelling times.

TREND COMPARISON: THE TOP 10 RANSOMWARE GROUPS

Throughout February 2026, there was notable activity from several ransomware groups. Here are the trends regarding the top 10:

The January–February 2026 comparison indicates a mixed but still active ransomware landscape, characterized by selective shifts rather than uniform decline. Qilin remained the most active group with 108 incidents in February, broadly stable compared to 107 in January, suggesting sustained operational capacity. In contrast, Cl0p saw a significant drop from 90 to 35, while Sinobi declined sharply from 55 to 18 and Devman from 28 to 2, pointing to reduced activity or possible campaign pauses. Akira showed only a modest decrease from 51 to 47, and Incransom remained relatively stable at 39 to 37, indicating consistent but controlled operations. Notably, Thegentlemen exhibited a substantial increase from 47 to 87, emerging as a key growth outlier, while Play also expanded from 32 to 42, reflecting localized scaling. Other groups, such as Lynx (26 to 9) and Tengu (25 to 8), recorded declines, reinforcing the broader pattern of contraction among several actors. Overall, February reflects a rebalanced ecosystem where declines among established groups are offset by selective surges from emerging or mid-tier actors, indicating ongoing adaptation rather than a systemic slowdown.

INDUSTRIES TARGETED IN FEB 2026

In February 2026, ransomware activity remained concentrated on sectors that combine operational dependence with high-value data exposure. Professional Goods & Services reported the highest number of incidents at 113, indicating continued targeting of organizations where access to sensitive client and business data can be leveraged for extortion. Manufacturing (90) and Information Technology (68) also experienced substantial activity, reflecting ongoing pressure on production environments and the strategic importance of technology providers within broader supply chains. Notable levels of incidents were also recorded in Consumer Goods & Services (61) and Real Estate & Construction (52), both of which are particularly sensitive to disruptions that can quickly translate into financial losses. Additional activity was observed across Healthcare (44), Materials (40), and Government & Civic (39), demonstrating continued exposure in critical and public-facing sectors. Meanwhile, Finance (30), Telecommunications & Media (31), Energy & Utilities (25), Automotive (25), and Transportation & Logistics (21) registered comparatively moderate levels of activity, alongside 24 unidentified or obfuscated cases. Overall, the distribution reflects a consistent pattern of targeting industries where operational disruption and data compromise can be most effectively monetized.

TRENDS COMPARISON OF RANSOMWARE ATTACKS

Ransomware activity demonstrates a clear year-on-year escalation, with December 2025 reaching 801 incidents, the highest monthly total across the 2023–2026 dataset, significantly surpassing December 2024 (511) and December 2023 (481), indicating structural growth rather than seasonal fluctuation. Throughout 2025, activity remained consistently elevated, with most months exceeding 500 incidents and a pronounced surge in Q4, particularly in October (738), November (657), and the December peak. This upward momentum has carried into 2026, with January recording 683 incidents and February reaching 694, compared to 511 and 961 in early 2025 and notably lower levels in 2024 and 2023. Despite February 2025 representing an outlier spike, the overall trajectory confirms sustained operational scaling, expansion of ransomware-as-a-service (RaaS) affiliate ecosystems, and improved campaign throughput, reinforcing that ransomware activity is not only persisting but continuing to mature and expand into 2026.

GEOGRAPHICAL TARGETS: TOP COUNTRIES

In February 2026, ransomware activity was overwhelmingly concentrated in the United States, which recorded 869 victims, maintaining a dominant lead over all other countries. A second tier of heavily targeted regions included Canada (86) and the United Kingdom (82), followed by Germany (55), Italy (49), and France (44), highlighting sustained focus on mature, high-value economies. Beyond this, significant activity was observed in Brazil (37), India (32), Thailand (31), Australia (28), and Spain (28), indicating continued expansion into both developed and emerging markets. Mid-level activity was distributed across countries such as Turkey (20), Switzerland (19), Mexico (19), Taiwan (18), UAE (16), and Malaysia and Singapore (15 each), while the remaining countries largely reported low double-digit or single-digit incidents, reflecting a long-tail pattern of opportunistic attacks. Additionally, 51 cases were classified as unidentified or obfuscated, underscoring ongoing attribution challenges, with the overall landscape demonstrating strong geographic concentration alongside broad global dispersion.

Evolutions in Ransomware Threat Landscape in Feb 2026:

Fragmentation and Value Extraction Reshaping the Ransomware Economy
Recent data from the blockchain intelligence platform Chainalysis indicates a structural shift in ransomware operations, where the number of attacks continues to surge while victim payment rates decline significantly. In 2025, only 28% of victims paid ransom demands compared to 62.8% in 2024 and 78.9% in 2022, despite ransomware actors claiming substantially more attacks. This trend highlights a transition from reliance on high payment compliance to broader attack volume and diversified extortion strategies. At the same time, the median ransom payment increased by 368%, indicating that ransomware operators are focusing on extracting larger payments from a smaller subset of victims. The ecosystem has also become increasingly fragmented, with approximately 85 active extortion groups operating simultaneously, contrasting with earlier years when a few dominant Ransomware-as-a-Service (RaaS) groups controlled the landscape. The emergence of supporting criminal services such as initial access brokers and the continued targeting of high-value organizations in developed economies demonstrate how the ransomware ecosystem has matured into a distributed cybercrime supply chain.

ETLM Assessment:
Looking ahead, ransomware operators are likely to further refine selective targeting and extortion models to compensate for declining payment compliance. Threat actor groups may increasingly prioritize high-impact sectors and organizations with sensitive data, enabling them to demand higher ransom amounts even if fewer victims ultimately pay. The growing fragmentation of extortion groups suggests that smaller or emerging threat actor groups could adopt automation, AI-assisted reconnaissance, and data-driven victim profiling to scale operations efficiently. Additionally, the expanding role of initial access brokers and the declining cost of network access may enable ransomware actors to industrialize intrusion pipelines, potentially leading to faster attack cycles, more coordinated data-theft-driven extortion campaigns, and greater integration with other cybercrime ecosystems, such as stealer-log marketplaces and underground access-trading networks.

State-Sponsored Financial Operations Converging with the Ransomware Ecosystem
Security researchers at Symantec linked ransomware activity involving the Medusa Ransomware platform to the threat actor group Lazarus Group, specifically a subgroup believed to be Andariel. This development reflects a notable shift where state-backed cyber operators integrate financially motivated ransomware campaigns alongside espionage operations. Medusa, which has impacted hundreds of organizations since its emergence in 2021, is now being leveraged as part of North Korean revenue-generation activities targeting U.S. healthcare organizations. The operational toolkit observed in these attacks includes commodity and previously attributed Lazarus-linked tools, such as Blindingcan, credential harvesting utilities, and access mechanisms, similar to those associated with Diamond Sleet. This blending of ransomware-as-a-service infrastructure with state-sponsored intrusion tradecraft highlights how ransomware operations are no longer limited to financially motivated cybercrime groups but are increasingly integrated into geopolitical cyber strategies designed to fund broader intelligence and military objectives.

ETLM Assessment:
The involvement of a state-backed threat actor group such as Lazarus in ransomware operations suggests that financially driven extortion campaigns may increasingly serve as strategic funding mechanisms for sanctioned regimes. In the future, state-aligned threat actors could further leverage RaaS ecosystems to obscure attribution, outsource parts of the intrusion lifecycle, and scale revenue-generating attacks while maintaining plausible deniability. This convergence may also lead to hybrid campaigns where ransomware intrusions simultaneously enable data exfiltration, intelligence collection, and financial theft. Additionally, targeting patterns may continue to expand across critical infrastructure sectors, such as healthcare, defense contractors, and technology providers, as these environments provide both sensitive data and the financial pressure necessary to drive higher ransom demands.

Rapid Weaponization of Enterprise Remote Access Vulnerabilities in Ransomware Intrusions
The exploitation of CVE-2026-1731 in BeyondTrust Remote Support demonstrates how ransomware operators increasingly capitalize on newly disclosed vulnerabilities in enterprise access platforms to accelerate intrusion campaigns. The vulnerability, a pre-authentication remote code execution flaw affecting Remote Support and BeyondTrust Privileged Remote Access, was rapidly weaponized following disclosure, with exploitation observed even before public proof-of-concept code became widely available. According to the Cybersecurity and Infrastructure Security Agency, the flaw was added to the Known Exploited Vulnerabilities catalog after evidence showed it was being leveraged in ransomware operations. This pattern reflects a broader shift in ransomware tradecraft where threat actors prioritize high-impact enterprise software vulnerabilities to gain immediate privileged access to internal networks, enabling faster lateral movement and large-scale deployment of ransomware payloads.

ETLM Assessment:
The operational use of critical remote access vulnerabilities in ransomware campaigns suggests that future actors will increasingly monitor vulnerability disclosures and rapidly operationalize exploits within days or even hours of public release. Ransomware operators and affiliated access brokers may automate vulnerability scanning against exposed enterprise management platforms to identify unpatched systems at scale. As organizations continue to rely on remote administration and privileged access solutions, these systems are likely to remain high-value targets for initial access operations, potentially leading to faster intrusion timelines and more opportunistic ransomware deployments that exploit patching delays across enterprise environments.

International Law Enforcement Pressure Targeting Distributed Ransomware Affiliate Networks
The arrest of a suspect linked to the Phobos Ransomware during the multinational investigation known as Operation Aether highlights the decentralized structure that characterizes modern ransomware ecosystems. Phobos operates as a RaaS platform in which affiliates conduct network intrusions and deploy ransomware while core operators maintain the infrastructure and tooling. According to Europol and national authorities, coordinated investigations have increasingly targeted multiple operational layers, including administrators, infrastructure operators, and intrusion affiliates. Evidence recovered from the arrested individual, including stolen credentials, credit card data, and server access information, demonstrates how ransomware campaigns rely on supporting criminal resources such as credential theft and illicit access markets. This case illustrates how ransomware operations have evolved into distributed cybercrime networks where affiliates, access brokers, and infrastructure operators collectively enable large-scale attacks across thousands of organizations.

ETLM Assessment:
Sustained international law enforcement actions against ransomware affiliates and infrastructure are likely to push ransomware ecosystems toward greater operational resilience and decentralization. Threat actor groups operating RaaS platforms may increasingly adopt compartmentalized operational structures, anonymous communication channels, and rotating infrastructure to reduce the risk of disruption. At the same time, affiliates may rely more heavily on underground marketplaces for stolen credentials, network access, and exploit kits to maintain attack pipelines even when core operators are disrupted. These developments suggest that ransomware ecosystems could become more modular and fragmented, allowing threat actor groups to rapidly reconstitute operations despite arrests or infrastructure seizures.

Operational Camouflage Through Legitimate Administrative Tooling in Ransomware Intrusions
Investigations by Huntress revealed that the threat actor group Crazy Ransomware Gang leveraged legitimate enterprise software such as Net Monitor for Employees Professional and SimpleHelp to maintain persistent access within compromised corporate environments. Instead of relying solely on custom malware, the attackers installed legitimate monitoring and remote administration tools using native utilities such as msiexec.exe, enabling them to remotely observe user activity, transfer files, execute commands, and monitor sensitive behaviors, such as cryptocurrency wallet usage. This approach reflects a growing ransomware tactic often referred to as “living-off-the-land,” where adversaries rely on legitimate tools and administrative utilities to blend into normal network activity and evade traditional security controls. The attackers also implemented redundancy by deploying multiple remote access tools and disabling security mechanisms such as Windows Defender, demonstrating how ransomware operators increasingly prioritize stealthy persistence and operational visibility before deploying encryption payloads.

ETLM Assessment:
The increasing abuse of legitimate remote monitoring and administrative software suggests that ransomware operators may continue shifting toward tool-based intrusion strategies that minimize the need for custom malware. Threat actor groups could expand this approach by leveraging widely used enterprise IT management platforms, remote support applications, and cloud-based monitoring services to disguise malicious activity within legitimate administrative workflows. Additionally, attackers may increasingly integrate credential theft, session monitoring, and behavioral triggers such as detecting cryptocurrency wallet usage or security tool activity to optimize the timing of ransomware deployment or financial theft. As a result, future ransomware campaigns may rely more heavily on credential-based access, trusted software abuse, and layered persistence mechanisms, making detection more challenging for organizations relying primarily on signature-based security controls.

Supply-Side Software Weaknesses Enabling High-Impact Ransomware Intrusions
The breach of SmarterTools by the threat actor group Warlock Ransomware Group demonstrates how ransomware operators increasingly exploit vulnerabilities in enterprise communication platforms to gain privileged access and stage network-wide attacks. In this incident, attackers leveraged CVE-2026-23760 affecting SmarterMail to reset administrator credentials and obtain full control over an unpatched virtual machine. After gaining access, the attackers performed lateral movement through Active Directory and deployed legitimate administrative and digital forensics utilities such as Velociraptor and SimpleHelp to maintain persistence and expand network control before attempting ransomware deployment. Security researchers at ReliaQuest linked the activity with moderate-to-high confidence to the threat actor Storm-2603, illustrating the growing convergence of vulnerability exploitation, legitimate tool abuse, and ransomware deployment in sophisticated intrusion campaigns.

ETLM Assessment:
The exploitation of enterprise software vulnerabilities for ransomware operations indicates that attackers will continue prioritizing widely deployed business applications such as email servers, remote access platforms, and collaboration systems as initial access vectors. Future campaigns may increasingly chain multiple vulnerabilities and built-in administrative features to achieve stealthier privilege escalation and lateral movement. Threat actor groups could also expand the use of legitimate security and forensic tools to persist within networks while blending into routine administrative activity, making detection significantly more challenging. As ransomware operations increasingly intersect with state-linked threat actors and advanced intrusion techniques, organizations may face more hybrid campaigns that combine vulnerability exploitation, espionage-style persistence, and financially motivated extortion.

Unpatched Enterprise Collaboration Platforms Emerging as High-Value Ransomware Entry Points
The exploitation of CVE-2026-24423 in SmarterMail highlights how ransomware operators increasingly weaponize vulnerabilities in widely deployed business communication platforms to obtain immediate system-level access. According to the Cybersecurity and Infrastructure Security Agency, the flaw caused by missing authentication in the ConnectToHub API allows attackers to execute operating system commands remotely without prior authentication. Because SmarterMail is commonly deployed by managed service providers and hosting providers, exploitation of such vulnerabilities can provide attackers with privileged access across multiple organizational environments simultaneously. The rapid inclusion of this vulnerability in the Known Exploited Vulnerabilities catalog indicates that ransomware actors are actively integrating newly disclosed enterprise software flaws into their intrusion pipelines to accelerate initial access and large-scale compromise.

ETLM Assessment:
The active exploitation of collaboration and messaging infrastructure suggests that ransomware operators may increasingly prioritize vulnerabilities in platforms that provide centralized communication, authentication, and administrative functionality. Future campaigns may focus on managed service providers and shared hosting environments where compromising a single platform can potentially expose multiple downstream organizations. In addition, attackers may automate scanning for exposed enterprise services and rapidly deploy exploit chains targeting newly disclosed vulnerabilities, reducing the time between vulnerability disclosure and active ransomware exploitation. This trend indicates a growing reliance on vulnerability-driven initial access strategies that enable ransomware actors to scale attacks across interconnected business ecosystems.

Enterprise Messaging Infrastructure Vulnerabilities Accelerating Ransomware Initial Access
The active exploitation of CVE-2026-24423 in SmarterMail demonstrates how ransomware operators increasingly weaponize vulnerabilities in widely deployed enterprise communication platforms to gain immediate system-level access. The flaw, identified by researchers from watchTowr, CODE WHITE, and VulnCheck, allows attackers to execute operating system commands remotely through the ConnectToHub API due to missing authentication controls. According to the Cybersecurity and Infrastructure Security Agency, ransomware actors have already incorporated this vulnerability into active campaigns, leading to its inclusion in the Known Exploited Vulnerabilities (KEV) catalog. Because SmarterMail is widely used by managed service providers, hosting providers, and small-to-medium enterprises across more than 120 countries, exploitation of this vulnerability provides attackers with a scalable entry point into organizational environments, reinforcing the growing reliance of ransomware operations on vulnerability-driven initial access.

ETLM Assessment:
The exploitation of enterprise messaging and collaboration infrastructure indicates that ransomware actors will likely continue prioritizing widely deployed administrative platforms that provide centralized access to communication and identity systems. Future campaigns may increasingly automate the scanning and exploitation of exposed email servers, particularly those used by managed service providers, where compromising a single instance could provide indirect access to multiple downstream organizations. Additionally, attackers may continue chaining authentication bypass flaws, API-level vulnerabilities, and remote execution exploits to establish stealthy persistence within enterprise infrastructure before deploying ransomware payloads or conducting data-extortion operations.

Abuse of Virtual Infrastructure Platforms for Scalable Ransomware Payload Distribution
Researchers at Sophos observed ransomware operators leveraging virtual machines provisioned through VMmanager, developed by ISPsystem, to host and distribute malicious payloads at scale. The activity was identified during investigations into incidents involving the threat actor group associated with WantToCry Ransomware, where attackers deployed Windows virtual machines using default templates that reused identical hostnames and system identifiers. This infrastructure pattern was also observed across campaigns linked to other ransomware threat actor groups, including LockBit Ransomware, Qilin Ransomware, Conti Ransomware, and BlackCat Ransomware. By leveraging low-cost virtual infrastructure offered by hosting providers and bulletproof hosting environments, ransomware operators can deploy command-and-control servers and payload delivery nodes that blend into legitimate hosting environments. This reflects an ongoing shift where ransomware operations increasingly rely on scalable cloud and virtualization infrastructure to distribute malware, obscure attribution, and reduce the likelihood of rapid infrastructure takedowns.

ETLM Assessment:
The use of commercial virtualization platforms for ransomware infrastructure suggests that threat actor groups will continue leveraging legitimate cloud, hosting, and virtual machine services to scale malicious operations. Future campaigns may increasingly automate the rapid deployment of disposable infrastructure across multiple hosting providers, enabling ransomware operators to rotate command-and-control servers and payload delivery systems with minimal operational cost. Additionally, threat actors may exploit configuration weaknesses, template reuse, and automation features within virtualization management platforms to rapidly provision large infrastructure clusters that support malware distribution, staging environments, and data exfiltration. As ransomware ecosystems continue to industrialize their infrastructure operations, defenders may face increasing difficulty distinguishing malicious infrastructure from legitimate cloud workloads.

Hypervisor Vulnerabilities Emerging as Strategic Entry Points for Ransomware Operations
The exploitation of CVE-2025-22225 in ransomware campaigns highlights how attackers are increasingly targeting virtualization infrastructure to gain deeper control over enterprise environments. The vulnerability affects widely deployed platforms, including VMware ESXi and related VMware virtualization products, allowing attackers with privileges in the VMX process to perform arbitrary kernel writes and escape the virtual machine sandbox. According to the Cybersecurity and Infrastructure Security Agency, ransomware actors have now incorporated this flaw into active attacks after it was previously exploited as a zero-day. Research from Huntress also suggests Chinese-speaking threat actors had been chaining VMware vulnerabilities in attacks since early 2024. This activity reflects a broader development in ransomware tradecraft where attackers prioritize hypervisors and virtualization platforms, as compromising these layers can grant control over multiple virtual machines simultaneously, dramatically amplifying the operational impact of ransomware deployment.

ETLM Assessment:
The targeting of virtualization infrastructure suggests that ransomware actors may increasingly focus on hypervisors, cloud orchestration platforms, and centralized infrastructure management systems to maximize attack scale. By compromising the underlying virtualization layer, threat actor groups could potentially encrypt or disrupt multiple virtualized workloads simultaneously, increasing operational leverage during extortion attempts. Additionally, attackers may continue chaining multiple virtualization vulnerabilities, such as sandbox escapes, privilege escalation flaws, and management interface weaknesses, to establish persistent control over enterprise environments. As organizations continue consolidating workloads within virtualized and cloud infrastructures, these platforms will likely remain high-value targets for both financially motivated ransomware actors and advanced intrusion groups seeking broad operational impact.

KEY RANSOMWARE EVENTS IN FEB 2025

Weaponization of Vulnerable Signed Drivers to Neutralize Endpoint Defenses
Researchers at Huntress identified attackers deploying an EDR-disabling tool that abuses a legacy signed kernel driver associated with EnCase. The tool leverages the BYOVD technique to load the revoked driver EnPortv.sys, gaining kernel-level privileges that allow it to terminate EDR and antivirus processes. Once executed, the tool continuously targets and disables up to 59 security processes, effectively neutralizing host-based defenses prior to the deployment of additional malware. The intrusion itself began with compromised credentials for a SonicWall SSL VPN that lacked multi-factor authentication, after which the attackers performed network reconnaissance and deployed the EDR killer disguised as a firmware update utility. This tactic reflects a growing operational shift in ransomware intrusions where attackers prioritize disabling endpoint security controls early in the attack chain, ensuring that later stages such as lateral movement, data exfiltration, and ransomware deployment can proceed with minimal detection.

ETLM Assessment:
The continued abuse of vulnerable signed drivers suggests that ransomware operators and other threat actor groups may increasingly integrate kernel-level defense evasion tools into their standard intrusion toolkits. Future campaigns may involve larger repositories of exploitable drivers and automated mechanisms to test and deploy them against security controls across different environments. Attackers may also combine BYOVD techniques with credential-based access and legitimate administrative tools to create layered defense evasion strategies that bypass modern endpoint protections. As operating systems maintain backward compatibility for legacy drivers, this attack surface may remain attractive to adversaries seeking reliable methods to disable security monitoring before executing high-impact payloads such as ransomware.
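The two patterns above, RMM software installed through msiexec.exe (the Crazy Ransomware Gang case) and a BYOVD EDR killer that loads a revoked driver and then terminates security processes, lend themselves to simple endpoint detection rules. The following is an added example, not code from this report or from Huntress; the telemetry is constructed sample data in a simplified Sysmon-like dict form, and the RMM allow-list, the security process watch-list, the EDR-killer path, and the burst threshold are all assumptions.

```python
"""Detection rules for two patterns described in this report: RMM/monitoring
software installed through msiexec.exe, and a BYOVD EDR killer that loads a
revoked driver and then terminates security processes. All events below are
constructed sample telemetry, not real logs."""
from collections import defaultdict
from datetime import datetime, timedelta
from ntpath import basename

# Assumption: RMM products the organisation sanctions (lower-case keys).
APPROVED_RMM = {"simplehelp"}
# Lower-case command-line fragments that identify RMM or monitoring installers.
RMM_PRODUCTS = {"simplehelp": "SimpleHelp",
                "net monitor for employees": "Net Monitor for Employees Professional"}
# EnPortv.sys is the revoked EnCase driver named in the report; a production rule
# would load Microsoft's vulnerable driver blocklist here instead of one entry.
BLOCKED_DRIVERS = {"enportv.sys"}
# Constructed watch-list of security product processes (Defender, CrowdStrike, SentinelOne).
SECURITY_PROCESSES = {"msmpeng.exe", "mssense.exe", "nissrv.exe",
                      "csfalconservice.exe", "sentinelagent.exe"}
# Constructed path for the EDR killer, which the report says posed as a firmware updater.
KILLER = r"C:\Windows\Temp\fwupdate\fwupdate.exe"

def _ev(ts, etype, host, **fields):
    return {"ts": ts, "type": etype, "host": host, **fields}

SAMPLE_EVENTS = [
    _ev("2026-02-10T02:11:03", "process_create", "FS01", user=r"CORP\svc_backup",
        image=r"C:\Windows\System32\msiexec.exe",
        cmdline=r"msiexec.exe /i C:\Users\Public\SimpleHelp-access.msi /quiet"),
    _ev("2026-02-10T02:13:40", "process_create", "FS01", user=r"CORP\svc_backup",
        image=r"C:\Windows\System32\msiexec.exe",
        cmdline=r'msiexec.exe /i "C:\Users\Public\Net Monitor for Employees Professional.msi" /qn'),
    _ev("2026-02-10T02:30:15", "driver_load", "FS01",
        image=r"C:\Windows\Temp\fwupdate\EnPortv.sys", signature_status="Revoked"),
    _ev("2026-02-10T09:00:00", "driver_load", "WS22",
        image=r"C:\Windows\System32\drivers\tcpip.sys", signature_status="Valid"),
]
# Five security processes terminated by the same source seconds after the driver load.
for _i, _name in enumerate(sorted(SECURITY_PROCESSES)):
    SAMPLE_EVENTS.append(_ev(f"2026-02-10T02:30:{16 + _i:02d}", "process_terminate", "FS01",
                             source_image=KILLER, target_image="C:\\Program Files\\Vendor\\" + _name))

def flag_rmm_installs(events):
    """msiexec.exe installing an RMM/monitoring product that is not on the allow-list."""
    alerts = []
    for ev in events:
        if ev["type"] != "process_create" or basename(ev["image"]).lower() != "msiexec.exe":
            continue
        cmd = ev["cmdline"].lower()
        for key, product in RMM_PRODUCTS.items():
            if key in cmd and key not in APPROVED_RMM:
                alerts.append({"rule": "unapproved_rmm_install", "host": ev["host"],
                               "user": ev["user"], "product": product})
    return alerts

def flag_driver_loads(events):
    """Driver loads that are blocklisted, carry a revoked signature, or come from
    outside the system drivers directory; any one condition raises an alert."""
    alerts = []
    for ev in events:
        if ev["type"] != "driver_load":
            continue
        name = basename(ev["image"]).lower()
        reasons = []
        if name in BLOCKED_DRIVERS:
            reasons.append("blocklisted driver")
        if ev.get("signature_status", "").lower() == "revoked":
            reasons.append("revoked signature")
        if not ev["image"].lower().startswith(r"c:\windows\system32\drivers"):
            reasons.append("non-standard load path")
        if reasons:
            alerts.append({"rule": "suspicious_driver_load", "host": ev["host"],
                           "driver": name, "reasons": reasons})
    return alerts

def flag_edr_kill_bursts(events, threshold=3, window=timedelta(minutes=2)):
    """One source process terminating >= threshold distinct security processes
    inside `window`: the post-load behaviour of the EDR killer described above."""
    kills = defaultdict(list)  # (host, source image) -> [(time, target name)]
    for ev in events:
        if ev["type"] == "process_terminate":
            target = basename(ev["target_image"]).lower()
            if target in SECURITY_PROCESSES:
                kills[(ev["host"], ev["source_image"])].append(
                    (datetime.fromisoformat(ev["ts"]), target))
    alerts = []
    for (host, source), hits in kills.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            distinct = {tgt for t, tgt in hits[i:] if t - t0 <= window}
            if len(distinct) >= threshold:
                alerts.append({"rule": "edr_kill_burst", "host": host,
                               "source": source, "killed": sorted(distinct)})
                break
    return alerts

def run_all(events=SAMPLE_EVENTS):
    """Run every rule over the event stream and return the combined alert list."""
    return flag_rmm_installs(events) + flag_driver_loads(events) + flag_edr_kill_bursts(events)

if __name__ == "__main__":
    for alert in run_all():
        print(alert)
```

On the sample stream the rules raise three alerts: the unapproved Net Monitor install, the EnPortv.sys load (blocklisted, revoked, and loaded from a temp directory), and the burst of five security process terminations by the same source. The sanctioned SimpleHelp install and the normal tcpip.sys load stay silent, which is the point of pairing allow-lists with behavioural thresholds rather than flagging every msiexec or driver event.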

BUSINESS IMPACT ANALYSIS

Based on available public reports, approximately 31% of enterprises are compelled to halt their operations, either temporarily or permanently, in the aftermath of a ransomware onslaught. The ripple effects extend beyond operational disruptions, as detailed by additional metrics:

  • A significant 40% of affected organizations are forced into downsizing their workforce due to the financial strain caused by the attack.
  • The aftermath sees 35% of businesses experiencing turnover at the executive level, with C-suite members stepping down in the wake of the security breach.
  • The financial toll of cyber incidents is staggering, with the average cost burden to companies, irrespective of their size, estimated at around $200,000. This figure underscores the substantial economic impact of cyber threats.
  • Alarmingly, 75% of small to medium-sized enterprises (SMEs) face existential threats, acknowledging that they would likely close if cybercriminals extorted them for a ransom to avoid malware infection.
  • The long-term viability of these entities is also in jeopardy, with 60% of small businesses shutting down within six months post-attack, highlighting the enduring impact of such security breaches.
  • Even in instances where ransoms are not conceded to, organizations bear significant financial weight in their recovery and remediation endeavors to restore normality and secure their systems.

EXTERNAL THREAT LANDSCAPE MANAGEMENT (ETLM) OVERVIEW

Impact Assessment
Ransomware remains a major threat to both organizations and individuals, locking critical data and demanding payment for its release. The consequences extend well beyond the ransom, often leading to costly recovery efforts, extended downtime, reputational harm, and potential regulatory fines. Such disruptions can destabilize operations and erode stakeholder trust. Addressing this growing risk demands a proactive cybersecurity posture and stronger collaboration between public and private sectors to build resilience against future attacks.

Victimology
Cybercriminals are increasingly targeting industries that manage vast amounts of sensitive data, ranging from personal and financial information to proprietary assets. Sectors such as manufacturing, real estate, healthcare, FMCG, e-commerce, finance, and technology remain high on the threat radar due to their complex and extensive digital infrastructures. Adversaries strategically exploit vulnerabilities in economically advanced regions, launching well-planned attacks designed to encrypt critical systems and extract significant ransom payments. These operations are calculated to yield maximum financial returns.

CONCLUSION

Ransomware entering 2026 is no longer a discrete cyber incident but an enduring, multi-stage business threat that blends elements of cybercrime, espionage tradecraft, and economic coercion. The continued separation of access, execution, and extortion, combined with browser-based trust abuse, engineered delivery artifacts, and long-lived access infrastructure, has significantly eroded the effectiveness of exploit-centric and signature-driven defenses. At the same time, the scale and complexity of affiliate-driven operations introduce inherent fragility, creating opportunities for disruption beyond traditional endpoint containment, particularly at the levels of access brokerage, backend infrastructure, and coordination workflows. For organizations, resilience in this environment will depend less on preventing individual intrusions and more on governance readiness, third-party risk management, user interaction telemetry, and executive decision preparedness. As ransomware groups continue to evolve toward stealth, optionality, and psychological leverage, proactive external threat landscape management and cross-functional response planning will be critical in reducing both operational impact and long-term business risks.

RECOMMENDATIONS

STRATEGIC RECOMMENDATIONS:

  1. Strengthen Cybersecurity Measures: Invest in robust cybersecurity solutions, including advanced threat detection and prevention tools, to proactively defend against evolving ransomware threats.
  2. Employee Training and Awareness: Conduct regular cybersecurity training for employees to educate them about phishing, social engineering, and safe online practices to minimize the risk of ransomware infections.
  3. Incident Response Planning: Develop and regularly update a comprehensive incident response plan to ensure a swift and effective response in case of a ransomware attack, reducing the potential impact and downtime.

MANAGEMENT RECOMMENDATIONS:

  1. Cyber Insurance: Evaluate and consider cyber insurance policies that cover ransomware incidents to mitigate financial losses and protect the organization against potential extortion demands.
  2. Security Audits: Conduct periodic security audits and assessments to identify and address potential weaknesses in the organization’s infrastructure and processes.
  3. Security Governance: Establish a strong security governance framework that ensures accountability and clear responsibilities for cybersecurity across the organization.

TACTICAL RECOMMENDATIONS:

  1. Patch Management: Regularly update software and systems with the latest security patches to mitigate vulnerabilities that threat actors may exploit.
  2. Network Segmentation: Implement network segmentation to limit lateral movement of ransomware within the network, isolating critical assets from potential infections.
  3. Multi-Factor Authentication (MFA): Enable MFA for all privileged accounts and critical systems to add an extra layer of security against unauthorized access.