February 2026 Ransomware Roundup Shows Persistent Escalation

From the Editor’s Desk

Ransomware groups are not slowing down. Even when takedowns happen, new operators appear within weeks using recycled tools and playbooks. The question security teams should ask now is simple: are we prepared for repeat attacks, not just first-time breaches?

🔎 Deep Brief

February 2026 Ransomware Roundup Shows Persistent Escalation

February may be the shortest month, but ransomware activity stayed high with 685 recorded attacks, only slightly below January’s 718. Of these, 38 were confirmed by victims. Healthcare attacks rose 30 percent month over month, while transportation saw the sharpest rise, up 39 percent. Manufacturers remained the most targeted sector with 120 attacks, though this marked a continued decline compared to earlier months.

The most active group was Qilin with 104 claims, followed closely by The Gentlemen with 84. Both had five confirmed attacks. While Qilin focused heavily on U.S. targets, The Gentlemen showed broader geographic reach, with notable activity in Thailand and Brazil. In total, over 89.5 terabytes of data were reportedly stolen in February.

Takeaway

  • Healthcare and transportation are rising targets. Healthcare attacks increased 30 percent, while transportation saw the sharpest growth at 39 percent, suggesting attackers are prioritizing sectors where downtime is costly.

  • Manufacturing is still heavily targeted with 120 attacks, though the sector is seeing a gradual decline compared to earlier months.

  • The United States remains the primary target, accounting for nearly half of all recorded incidents.

  • Data theft remains central to extortion, with more than 89.5 TB reportedly stolen across February’s attacks.


🧠 Strategy in Action

U.S. Cyber Defense Posture Responds to Escalating Iran Tensions

Following warnings of potential cyber retaliation linked to geopolitical tensions with Iran, U.S. agencies, including the Cybersecurity and Infrastructure Security Agency (CISA), increased monitoring and issued guidance to critical infrastructure operators. The focus has been on hardening industrial control systems, strengthening authentication, and reviewing third-party vendor access.

Federal advisories emphasized phishing resilience, multi-factor authentication, and incident reporting coordination between public and private sectors. Organizations in energy, water, and transportation sectors were urged to reassess contingency plans and conduct tabletop exercises.

Takeaways: 

Geopolitical risks require a proactive approach that shifts toward anticipatory defense rather than reactive recovery, especially when nation-state actors are involved.

🕵️ Threat Actor Spotlight

The Gentlemen

The Gentlemen ransomware is a sophisticated and highly adaptive threat actor that emerged in August 2025, quickly establishing itself as a significant, well-resourced ransomware operation. Unlike opportunistic "spray-and-pray" groups, The Gentlemen focus on targeted, "big-game hunting" attacks against medium-to-large organizations, employing double-extortion tactics.

🛠️ Tool Check

RMM Software Comparison

Remote Monitoring and Management (RMM) tools help IT teams oversee endpoints, automate patching, and manage distributed systems.

For managed service providers and internal IT teams alike, selecting the right RMM platform directly impacts response time, patch consistency, and visibility across remote environments.

Some top choices are:

  • NinjaOne RMM: Best for cloud-hosted remote monitoring and endpoint management

  • Syncro: Best for smaller MSPs needing simple PSA and RMM with built-in billing

  • SuperOps: Best for MSPs managing lots of client systems or a very large network

  • Atera: Best for MSPs needing automated monitoring, patching, and ticketing

  • N-able N-sight: Best for smaller MSPs and in-house teams

  • ManageEngine RMM Central: Best for hybrid deployments on Windows Server, AWS, or Azure

  • ManageEngine Endpoint Central: Best for endpoint management where network monitoring isn't required

  • Site24x7 MSP Edition: Best for pricing based on number of assets under management

🗣️ Community Signal

AI is accelerating nation-state espionage. CrowdStrike's 2026 Global Threat Report confirms Russia's FANCY BEAR is deploying AI-enhanced malware (LAMEHUG) that automates reconnaissance and exfiltration. Breakout times averaged 29 minutes. Data theft began in as little as four. AI weaponized attacks are up 89% year-over-year. Donald H. Yanoti-Duncan, Senior ISSO at SOSi.


Until Friday’s edition - Let’s keep that zero-day count at zero!