SpiderLabs Ransomware Tracker Update January 2025: Qilin Continues as Dominant Threat Group
The January 2026 edition of the LevelBlue SpiderLabs ransomware tracker noted a sharp fall in the number of attacks launched compared to December 2025. Qilin remained the top attacker, but there was a reshuffling of the remaining top five attackers for the month.
The tracker recorded 730 ransomware attacks worldwide in January, down from 813 in December 2025.
The attack numbers are dynamic. As SpiderLabs uncovers information on previous attacks, it is added to the database, which means older monthly attack numbers will shift as they are updated throughout the year.
The US remained the top-targeted nation, absorbing 276 attacks, and the data noted the technology sector was the most attacked vertical, being struck 87 times.
As noted, Qilin remained the top threat group for the fifth consecutive month, but the remaining top five list has a somewhat different look compared to December.
Oapt made its first appearance in the top five, while Cl0P, which had been one of the most active ransomware groups in 2025, reappeared on the list in January after having fallen off in December. On the flip side, Lockbit5, which had made a strong showing in December, not only fell out of the top five but did not register a single attack during the month, according to the tracker.
Top Threat Groups for January 2026
| Threat Groups Jan. 2026 | Number of Attacks | Threat Groups Dec. 2025 | Number of Attacks |
|---|---|---|---|
| Qilin | 108 or 14.8% | Qilin | 173 or 21.3% |
| Oapt | 91 or 12.5% | Akira | 71 or 8.7% |
| Akira | 58 or 8% | Lockbit5 | 68 or 8.4% |
| Sinobi | 56 or 7.7% | Safepay | 67 or 8.2% |
| Cl0P | 46 or 6.3% | Sinobi | 54 or 6.6% |
When examining the changes in the vertical sectors attacked, manufacturing and technology were attacked at about the same rate, and the only change noted was business services moving up into the top five, pushing consumer services off the list for the month.
Top Vertical Sectors Targeted for November 2025
| Sector Jan. 2026 | Number of Attacks as a % | Sector Dec. 2025 | Number of Attacks as a % |
|---|---|---|---|
| Technology | 87 or 11.9% | Manufacturing | 90 or 11.1% |
| Manufacturing | 84 or 11.5% | Technology | 84 or 10.3% |
| Healthcare | 48 or 6.6% | Healthcare | 49 or 6% |
| Business Services | 36 or 4.9% | Construction | 27 or 3.3% |
| Construction | 36 or 4.9% | Consumer Services | 29 or 4% |
2026 Ransomware Attacks to Date
| Threat Group | Number of Attacks | Target Sector | Number of Attacks |
|---|---|---|---|
| Qilin | 108 or 14.8% | Technology | 87 or 11.9% |
| Oapt | 91 or 12.5% | Manufacturing | 84 or 11.5% |
| Akira | 58 or 8% | Healthcare | 48 or 6.6% |
| Sinobi | 56 or 7.7% | Business Services | 36 or 4.9% |
| Cl0P | 46 or 6.3% | Construction | 36 or 4.9% |
LevelBlue offers a number of services and solutions to help organizations defend themselves against ransomware and recover if successfully attacked.
LevelBlue Ransomware Preparedness service, unlike many offerings in the market today, doesn’t focus on singular aspects of a client’s security defense but looks at all critical lines of defense, using detailed insights and aggregated information to provide client security and business leaders.
The service provides detailed assessments of the organization’s overall preparedness, an understanding of its existing capabilities to identify, respond to, and recover from a ransomware incident, and identification of the gaps, opportunities, and inherent risks it faces.
In addition, LevelBlue can help with the basic mitigations all organizations should implement, including:
- Enhance cybersecurity hygiene and patch management
- Implement robust backup and recovery plans
- Employee training and awareness
- Multi-Factor Authentication (MFA) and strong credential management
- Incident response planning
LevelBlue is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience.