Qilin crew continues to dominate ransomware ecosystem | Computer Weekly

News Room
Last updated: 2026/02/26 at 3:28 PM
News Room Published 26 February 2026

Qilin, the ransomware gang behind a crippling 2024 cyber attack on a major NHS supplier partner, maintained its status as ‘top dog’ in the ransomware ecosystem during January 2026, accounting for nearly a fifth of all observed attacks, according to data gathered by NCC Group for its regular monthly cyber barometer.

In its latest update, NCC said it saw 108 Qilin attacks, 17% of the total, in January, although this was down slightly on its December tally of 170 attacks. NCC noted that general attack volumes do tend to ebb at this time of year, and this was the case in January, with activity falling by 17% to 651 reported incidents.

NCC vice president of cyber intelligence and response, Matt Hull, said this activity pattern closely mirrored that seen last year.

“Given the scale and disruption of 2025, this pattern could be an early signal that 2026 may follow a similar path. Organisations should not mistake the month-on-month drop for a decline in risk,” he said.

As for Qilin, its attacks show no signs of stopping – within the past few days it has claimed a breach of the Local 100 Chapter of the Transport Workers Union of America (TWU), affecting 41,000 current and 26,000 former employees of New York City’s public transport system. NCC said the gang was consistently targeting organisations in critical and industrial sectors where operational disruption and sensitive data exposure can increase the pressure to give in to its extortion demands.

Active for about three and a half years, Qilin – which went by the name Agenda for a time – operates a standard ransomware-as-a-service (RaaS) model, distributing its tools to a network of trusted affiliates who do its dirty work for it.

By some margin, its greatest number of recorded victims is in the US, with 333 known victims, followed by Canada, the UK, France and Germany – according to data compiled last autumn by the Cisco Talos team. At the time, Talos said there were approximately 24 known Qilin victims in the UK.

“North America remains the most targeted region due to a mix of geopolitical factors, economic incentives, and broad digital exposure. Qilin’s high-profile attacks on US-based organisations … show how top threat actors are focusing on sectors where data and disruption carry the greatest value,” said Hull.

The other most active ransomware operations NCC observed last month were Akira, which conducted 68 known attacks, Sinobi with 56, INC Ransom with 47, and Cl0p with 46. The industrials sector remained the most victimised, accounting for 32% of activity, followed by consumer discretionary, which was hit by 23% of known attacks, and IT, with 11%.

Fragmented landscape

In this month’s Threat Pulse report, NCC lamented how the rapidly decentralising ransomware landscape – also observed by other market watchers in recent weeks – was making it harder and harder to generate accurate threat intelligence reporting.

This is undeniably the result of the popularity of RaaS ‘business’ models among cyber criminals. For example, multiple threat actors can conduct operations under the same brand, and affiliates can easily work with several RaaS operations at once. NCC referenced recent research that identified shared crypto cash-out addresses linking multiple ransomware gangs, including Qilin, through a shared affiliate.

At the same time, challenges faced by ransomware gangs, such as operational security risks from angry rivals, or pressure from law enforcement, are increasing the rate at which groups reinvent and rebrand themselves.

Matters are not helped by the continuing high levels of ransomware activity and the sheer volume of noise generated by sources ranging from dark web forums to leak sites and social media.

NCC noted the recent case of 0APT, which made a huge splash in January and prompted many in-house threat researchers at multiple security suppliers and service providers to hastily bash out some new analysis for their customers to read, only to find that the gang’s claims were exaggerated junk a couple of days later.

A further challenge facing research teams in 2026 is the frequent variance between when and how attacks are reported, discovered, and disclosed. For example, in January Qilin was linked to an attack on a US healthcare system, Covenant, which actually unfolded in May 2025.

These distorted timelines further complicate analysis by potentially misrepresenting the true operational tempo of ransomware gangs, which can in turn lead to situations where ‘artificial’ activity spikes show up in the data. This happened in the summer of 2023, when Cl0p’s bulk publication of MOVEit victims dramatically skewed NCC’s report data.

All this combines to make it challenging for analysts to get a handle on tactics, techniques and procedures (TTPs) and risks the good guys making duplicate or inaccurate attributions.

NCC’s teams are working to overcome some of these limitations going forward. Key to this work is the consolidation of multiple threat feed aggregators into a central database that serves as a high-fidelity single source of truth and is now subject to repeated processing, filtering, deduplication and enrichment to try to build a more accurate picture of the ransomware landscape.

It said this enabled it to better distinguish between confirmed and reported listings, and those which, like 0APT’s bizarre claims, are recycled or outright fabrications.
