Ransomware attacks dip but NCC warns threat evolving

Global ransomware activity fell 17% from December to January, with 741 incidents recorded in January, according to new research from NCC Group.

The figures come from the group's latest monthly cyber threat intelligence report, which tracks publicly reported incidents and activity by major ransomware groups. NCC Group cautioned that the month-on-month decline does not signal lower underlying risk, as attackers continue to change their methods.

Matt Hull, VP of Cyber Intelligence and Response at NCC Group, said: "While ransomware attacks were lower than December, activity closely mirrors January 2025, when 696 incidents were recorded. Given the scale and disruption of 2025, this pattern could be an early signal that 2026 may follow a similar path. Organisations should not mistake the month-on-month drop for a decline in risk."

Group Activity

Qilin was the most active ransomware group in January, accounting for 17% of reported incidents. Its share fell from December, and its activity was 36% lower month on month, according to NCC Group.

Akira ranked second, with activity down 13% from December. Sinobi followed in third, with activity up 4% month on month, NCC Group found.

Qilin carried out 108 attacks in January, according to NCC Group. The report highlighted several incidents the group claimed during the month, including an attack on Covenant Health that exposed personal and medical data relating to about 478,000 patients and disrupted hospital operations. Qilin also claimed an attack on Tulsa International Airport, with internal financial records and employee data reportedly leaked after a network breach.

NCC Group said Qilin targets organisations where operational disruption and sensitive data can increase pressure during extortion attempts, particularly in critical and industrial sectors.

Sector Targets

Industrials remained the most targeted sector in January, accounting for 32% of incidents, or 196 attacks, according to the report. Consumer Discretionary followed with 143 incidents.

Healthcare ranked fourth with 53 attacks. That position contrasted with the scale of the Covenant Health incident highlighted in the report.

The figures suggest ransomware operators continue to target a wide range of organisations, even as specific groups rise and fall in prominence. The sector split also points to sustained interest in businesses where downtime can have immediate operational and financial consequences.

Regional Patterns

North America accounted for 54% of global ransomware activity in January, according to NCC Group, with Europe at 22%.

Hull said: "North America remains the most targeted region due to a mix of geopolitical factors, economic incentives, and broad digital exposure. Qilin's high-profile attacks on US-based organisations such as Covenant Health and Tulsa Airport show how top threat actors are focusing on sectors where data and disruption carry the greatest value."

The regional split reflects long-running reporting patterns, with North American organisations often featuring heavily in disclosed incidents and victim lists published by ransomware groups. The figures also underline continued exposure for European organisations, even as North America remains the primary focus.

Messaging Platforms

The report also points to messaging platforms as an emerging attack vector, with threat actors increasingly using services such as WhatsApp, Signal, and Telegram as entry points.

It highlighted several methods linked to this shift, including device-linking scams, fake group invites, and malicious QR codes. NCC Group said these techniques can trick victims into granting account access, which can then be used to move deeper into an organisation.

The report linked these tactics to a broader trend of attackers adopting new tools and refining social engineering. It warned that widespread use of messaging apps across personal and professional contexts is creating more routes into organisations.

"The ransomware landscape is not getting any easier. Threat actors are constantly evolving, leveraging every tool and tactic to exploit vulnerabilities and maximize impact. Messaging platforms and the rise of AI add further complexity and widen attack surfaces. This creates more ways for attackers to target individuals and organizations. It's never been more important for organizations to remain vigilant and strengthen their security posture to stay ahead of these evolving threats," Hull said.