Ransomware Surge in January 2026: Shifting Targets and Emerging Threats
January 2026 marked a sharp rise in ransomware activity, with 711 attacks recorded, down slightly from December 2025’s 783 but 33% higher than January 2025 and well above the 2025 monthly average of 620. While attacks on manufacturers plateaued, the finance and tech sectors became prime targets, seeing 24% and 12% increases, respectively.
Key Trends and Impact
- Geographic Shifts: The UK saw an 83% surge in attacks (42 in January vs. 23 in December), while the US declined by 8% (329 attacks) and Germany dropped 38%. Canada and Australia also experienced increases.
- New Threat Actor: A group called 0APT claimed over 80 attacks, but most were unverified and later removed from tracking databases.
- Data Theft: Over 104 TB of data was stolen, with Sinobi leading in total volume (13.6 TB) and Everest claiming the largest single breach (1.4 TB from Iron Mountain).
Sector Breakdown
- Healthcare: Attacks fell 27% (36 vs. 49 in December), but confirmed incidents rose. Notable breaches included Mt. Spokane Pediatrics (LockBit) and Pecan Tree Dental (Sinobi), exposing 13,300 records.
- Government: Attacks remained steady (31 vs. 30 in December), with 10 confirmed. The Gentlemen targeted Spain’s Ayuntamiento de Beniel and South Africa’s Witzenberg Municipality, while Qilin hit Tulsa International Airport.
- Education: Attacks dropped 45% (16 vs. 29), with no confirmed incidents. However, delayed disclosures revealed breaches at Clackamas Community College (Medusa) and Trocaire College (INC).
- Businesses: Attacks decreased 7%, but finance and tech saw spikes. The Gentlemen breached Rogers Capital Credit (Mauritius), exposing banking data, while Rhysida demanded $392,000 from Elabs AG (Germany).
Top Ransomware Gangs
- Qilin led with 108 attacks (6 confirmed), followed by Clop (90, none confirmed) and Akira (72, 3 confirmed).
- The Gentlemen had the highest confirmation rate (5 of 48 claims), targeting businesses and governments.
Notable Incidents
- Iron Mountain (US): Everest claimed 1.4 TB stolen, though the breach was limited to market materials.
- AZ Monica (Belgium): A ransomware attack forced operation cancellations and patient transfers via the Red Cross.
- Sanxenxo (Spain): Hackers demanded $5,000, which was refused.
The data underscores evolving ransomware tactics, with gangs shifting focus to high-value sectors and leveraging delayed disclosures to obscure attack timelines.
Source: https://www.comparitech.com/news/ransomware-roundup-january-2026/
"id": "ROGCYBTES1770724900",
"linkid": "rogers-communications, cybermaterial, tesseract-intelligence",
"type": "Ransomware",
"date": "1/2026",
"severity": "100",
"impact": "6",
"explanation": "Attack threatening the economy of geographical region"
{'affected_entities': [{'industry': 'Data Management',
'location': 'US',
'name': 'Iron Mountain',
'type': 'Business'},
{'customers_affected': '13,300 records',
'industry': 'Pediatrics',
'location': 'US',
'name': 'Mt. Spokane Pediatrics',
'type': 'Healthcare'},
{'customers_affected': '13,300 records',
'industry': 'Dental',
'location': 'US',
'name': 'Pecan Tree Dental',
'type': 'Healthcare'},
{'industry': 'Finance',
'location': 'Mauritius',
'name': 'Rogers Capital Credit',
'type': 'Business'},
{'industry': 'Tech',
'location': 'Germany',
'name': 'Elabs AG',
'type': 'Business'},
{'industry': 'Municipality',
'location': 'Spain',
'name': 'Ayuntamiento de Beniel',
'type': 'Government'},
{'industry': 'Municipality',
'location': 'South Africa',
'name': 'Witzenberg Municipality',
'type': 'Government'},
{'industry': 'Transportation',
'location': 'US',
'name': 'Tulsa International Airport',
'type': 'Government'},
{'industry': 'Higher Education',
'location': 'US',
'name': 'Clackamas Community College',
'type': 'Education'},
{'industry': 'Higher Education',
'location': 'US',
'name': 'Trocaire College',
'type': 'Education'},
{'industry': 'Hospital',
'location': 'Belgium',
'name': 'AZ Monica',
'type': 'Healthcare'},
{'industry': 'Municipality',
'location': 'Spain',
'name': 'Sanxenxo',
'type': 'Government'}],
'data_breach': {'data_exfiltration': '104 TB',
'number_of_records_exposed': '13,300 (Mt. Spokane Pediatrics '
'and Pecan Tree Dental)',
'personally_identifiable_information': 'Yes',
'sensitivity_of_data': ['Personally identifiable information',
'Banking data'],
'type_of_data_compromised': ['Market materials',
'Patient records',
'Banking data']},
'date_detected': '2026-01',
'description': 'January 2026 marked a sharp rise in ransomware activity, with '
'711 attacks recorded. Finance and tech sectors became prime '
'targets, seeing 24% and 12% increases, respectively. The UK '
'saw an 83% surge in attacks, while the US and Germany '
'declined. Over 104 TB of data was stolen, with notable '
'breaches including Iron Mountain, Mt. Spokane Pediatrics, and '
'Pecan Tree Dental.',
'impact': {'data_compromised': '104 TB',
'operational_impact': ['Operation cancellations',
'Patient transfers via Red Cross'],
'payment_information_risk': ['Banking data exposed']},
'lessons_learned': 'Evolving ransomware tactics, shifting focus to high-value '
'sectors, and delayed disclosures obscuring attack '
'timelines.',
'motivation': ['Financial gain', 'Data theft'],
'ransomware': {'data_encryption': 'Yes',
'data_exfiltration': 'Yes',
'ransom_demanded': '$392,000 (Elabs AG), $5,000 (Sanxenxo)',
'ransomware_strain': ['LockBit',
'Sinobi',
'Qilin',
'Rhysida',
'Medusa',
'INC']},
'references': [{'source': 'Cyber Incident Report - January 2026'}],
'threat_actor': ['Qilin',
'Clop',
'Akira',
'The Gentlemen',
'Sinobi',
'Everest',
'Rhysida',
'Medusa',
'INC',
'0APT',
'LockBit'],
'title': 'Ransomware Surge in January 2026: Shifting Targets and Emerging '
'Threats',
'type': 'Ransomware'}