Cybersecurity | 26 Feb 2026 | 3m | computerweekly.com

Qilin Ransomware Gang Continues to Dominate the Cyber Landscape

The Qilin ransomware group remains a leading threat in cyberattacks, continuing its trend of targeting critical sectors and maintaining a significant share of ransomware incidents.

Key Takeaways

  1. According to data from NCC Group, Qilin was implicated in nearly 20% of all documented attacks during January 2026, which amounted to 108 incidents despite a modest drop from 170 in December 2025.
  2. "Given the scale and disruption of 2025, this pattern could be an early signal that 2026 may follow a similar path," said Matt Hull, vice-president of cyber intelligence and response at NCC.
  3. The Qilin ransomware group, responsible for a severe cyber attack on a major NHS supplier in 2024, has retained its position at the top of the ransomware ecosystem as of January 2026.

The Qilin ransomware group, responsible for a severe cyber attack on a major NHS supplier in 2024, has retained its position at the top of the ransomware ecosystem as of January 2026. According to data from NCC Group, Qilin was implicated in nearly 20% of all documented attacks during the month, which amounted to 108 incidents despite a modest drop from 170 in December 2025.

NCC Group's recent report indicated a general decline in cyber attack volumes, a trend that typically occurs at the beginning of the year. Matt Hull, vice-president of cyber intelligence and response at NCC, highlighted the significance of the ongoing threat. "Given the scale and disruption of 2025, this pattern could be an early signal that 2026 may follow a similar path," he stated. Hull cautioned organizations, saying, "They should not mistake the month-on-month drop for a decline in risk."

In addition to the recent statistics, Qilin’s activities include a notable breach of the Local 100 Chapter of the Transport Workers Union of America (TWU), impacting over 67,000 employees of New York City's public transport system. This incident underscores the gang’s strategic focus on critical industries, where its extortion attempts can exert maximum pressure due to the sensitivity of data and operational disruptions.

Operating for approximately three and a half years, Qilin, which was previously recognized as Agenda, employs a ransomware-as-a-service (RaaS) model. This model allows the group to distribute its malware through a network of affiliates who execute attacks on its behalf.

In terms of geographic impact, Qilin has primarily targeted the United States, with 333 confirmed victims. Canada, the UK, France, and Germany follow in terms of reported incidents, with only 24 known victims in the UK noted in a recent Cisco Talos report. Hull elaborated on the regional targeting, saying, "North America remains the most targeted region due to a mix of geopolitical factors, economic incentives, and broad digital exposure."

Among the various ransomware operations, NCC reported that other active groups included Akira with 68 attacks, Sinobi with 56, INC Ransom with 47, and Cl0p with 46 in January. Interestingly, the industrial sectors bore the brunt of these attacks, comprising 32% of all incidents, while consumer discretionary and IT sectors faced 23% and 11% of known attacks respectively.

The evolving landscape of ransomware threats is becoming increasingly fragmented and decentralised, presenting challenges for accurate threat intelligence, a phenomenon noted in NCC’s Threat Pulse report. This shift is attributed to the rise in popularity of RaaS models among cybercriminals, creating a scenario where multiple threat actors can operate under one brand and affiliates can collaborate across different RaaS groups.

NCC cited research demonstrating that shared crypto cash-out addresses have linked various ransomware gangs, including Qilin, showing a complex web of cooperation and collusion. Meanwhile, the heightened operational risks from law enforcement crackdowns and competition among gangs lead to groups frequently changing their identities and branding.

Furthermore, the sheer volume of ransomware activity generates a great deal of noise across dark web forums, leak sites, and social media, which makes reliable analysis harder still. For instance, a group named 0APT emerged in January and initially created a buzz, prompting security researchers to analyze its claims quickly, only to find just days later that the assertions were largely overstated.

As ransomware operations evolve and adapt to external pressures, the cybersecurity landscape remains under threat, with organizations needing to stay vigilant and prepared for potential incidents. The consistent activity of Qilin and similar gangs highlights the crucial need for enhanced protective measures and intelligence sharing among industries to combat these persistent cyber threats effectively.