Ransomware summary week 02, 2026

ransomware

Published January 13, 2026

Summary

Week 02 of 2026 saw continued high-volume ransomware activity with Qilin emerging as the dominant threat group. Notable incidents include attacks on Romania’s critical infrastructure (water authority and energy producer), US government contractor Sedgwick, and multiple healthcare organizations. Two US cybersecurity professionals pleaded guilty to conducting BlackCat/ALPHV ransomware attacks, highlighting insider threats in the industry. The ransomware landscape continues evolving toward exfiltration-only attacks, with publicly reported attacks rising 47% year-over-year to 7,200 in 2025.

Key Statistics:

  • Global: 8,000+ ransomware victims claimed in 2025 (50%+ increase from 2023); 7,200 publicly reported attacks
  • US: Multiple government contractors and healthcare organizations targeted; North Carolina saw a 50% surge in attacks
  • Europe: Romania’s water authority (~1,000 systems encrypted) and Oltenia Energy hit in a coordinated holiday campaign
  • Automotive: JLR continues recovery from the September 2025 attack affecting 5,000+ supply chain businesses
  • Medical Devices: 89% of healthcare organizations have IoMT devices with known exploitable vulnerabilities


1. RANSOMWARE INCIDENTS

1.1 United States

Active Incidents This Week

Sedgwick Government Solutions - TridentLocker Attack (December 31, 2025 - January 2026)

  • TridentLocker ransomware gang claimed the attack, alleging 3.4 GB of data stolen
  • Provides claims and risk management services to DHS, ICE, CBP, USCIS, Department of Labor, and CISA
  • Incident limited to an isolated file transfer system; no evidence of claims server access
  • Source: The Record

Dartmouth College - Clop Oracle E-Business Suite Exploitation (August 2025, disclosed January 2026)

  • Over 40,000 individuals affected, including Social Security numbers and bank account information
  • Russian ransomware group Clop claimed responsibility via its dark web leak site
  • Part of the broader Oracle E-Business Suite zero-day campaign affecting 100+ organizations
  • Source: The Dartmouth

University of Hawaii Cancer Center (August 2025, disclosed January 12, 2026)

  • Ransomware gang breached the Cancer Center, stealing research participant data
  • Documents from the 1990s containing Social Security numbers compromised
  • Source: BleepingComputer

US Bank Vendor Breach - Marquis Software (August 2025, disclosed January 2026)

  • Artisans’ Bank and VeraBank disclosed customer data exposure
  • Vendor breached via a SonicWall vulnerability
  • Estimated 1.35 million people affected across dozens of financial institutions
  • Source: Integrity360

1.2 Europe

Critical Infrastructure Attacks

Romania National Water Authority - BitLocker Attack (January 2026)

  • Administrația Națională ‘Apele Române’ hit by a ransomware attack
  • ~1,000 computer systems locked out (workstations and servers)
  • Attackers used the legitimate Windows BitLocker tool for encryption
  • Hydrotechnical infrastructure (dams, flood defenses) unaffected
  • Source: The Record
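The water-authority incident above turned a legitimate endpoint control into the encryption tool, so the defensive question is whether a fleet can spot BitLocker being switched on outside its managed baseline. The PowerShell audit below is an added example, not code from the original report or from any of its sources; it assumes (as a stated baseline) TPM-bound key protectors plus an escrowed recovery password on every protected volume and flags local volumes that deviate from it.

```powershell
# Added example (not from the original report): audit local BitLocker state for
# configurations that do not match an expected, policy-driven baseline.
# Assumption: the baseline is TPM-based protection plus a recovery password;
# anything else (or encryption in progress) is worth a ticket to the SOC.
# Requires the built-in BitLocker module and an elevated session.

$ExpectedProtectors = @('Tpm', 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey', 'RecoveryPassword')

function Get-BitLockerAnomaly {
    [CmdletBinding()]
    param()

    foreach ($vol in Get-BitLockerVolume) {
        $types   = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $reasons = New-Object System.Collections.Generic.List[string]

        # Encryption in progress outside a planned rollout is the state an operator
        # would see while the built-in tool is being used to lock systems.
        if ($vol.VolumeStatus -eq 'EncryptionInProgress') {
            $reasons.Add('encryption in progress')
        }

        # Protection on with no TPM-bound protector is typical of ad-hoc use
        # rather than a managed deployment.
        if ($vol.ProtectionStatus -eq 'On' -and -not ($types | Where-Object { $_ -like 'Tpm*' })) {
            $reasons.Add('protection on without a TPM protector')
        }

        # Any protector type outside the baseline (e.g. a plain Password or an
        # ExternalKey the fleet does not use) is a deviation from policy.
        $unexpected = $types | Where-Object { $ExpectedProtectors -notcontains $_ }
        if ($unexpected) {
            $reasons.Add("unexpected protector(s): $($unexpected -join ', ')")
        }

        # A protected volume with no recovery password has nothing to escrow
        # and nothing to recover with if the key is lost or hostile.
        if ($vol.ProtectionStatus -eq 'On' -and $types -notcontains 'RecoveryPassword') {
            $reasons.Add('no recovery password protector')
        }

        if ($reasons.Count -gt 0) {
            [PSCustomObject]@{
                ComputerName = $env:COMPUTERNAME
                MountPoint   = $vol.MountPoint
                VolumeStatus = $vol.VolumeStatus
                Protectors   = ($types -join ',')
                Reasons      = ($reasons -join '; ')
            }
        }
    }
}

Get-BitLockerAnomaly | Format-Table -AutoSize
```

Run centrally (for example via Invoke-Command across a set of hosts) and alert on any returned object; an empty result means every local volume matches the assumed baseline.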

Oltenia Energy Complex - Gentlemen Ransomware (December 26, 2025)

  • Romania’s largest coal-based energy producer (30% of national electricity)
  • 19,000+ employees; 4 power plants with 3,900 MWh capacity
  • ERP systems, document management, email, and website disrupted
  • Power supply and the National Energy System remained stable
  • Systems restored from backups on new infrastructure
  • Attack timing: Christmas period, when operational readiness is reduced
  • Source: BleepingComputer

Hartford (France) - Lynx Ransomware (January 4-5, 2026)

  • French fashion retailer listed on the Lynx data leak site
  • Threat to publish stolen data
  • Lynx: rebranded evolution of INC ransomware, active since mid-2024
  • Source: CYFIRMA

European Hospitality Sector - PHALT#BLYX Campaign

  • Sophisticated ClickFix campaign targeting hospitality via fake Booking.com emails
  • Uses fake BSOD screens and PowerShell and MSBuild abuse to deploy DCRat
  • Lures tailored to hotel operations
  • Source: Check Point Research

Additional European Victims

Qilin Ransomware Victims (January 2026):

  • Bouygues Energies & Services (France) - January 10, 2026
  • Cressi (Italy) - diving equipment manufacturer, Genoa-based
  • Multiple additional organizations across Europe

Iberia Airlines - Everest Ransomware (December 2025, ongoing)

  • Hackers demanding $6 million
  • 596 GB of internal data + 430 GB of booking-related files allegedly stolen
  • 77 GB of technical safety data and fleet information
  • Claim of long-term access, including the ability to edit bookings
  • Source: SecurityWeek

1.3 Asia

Major Incidents

Sekisui House (Japan) - Infostealer Campaign

  • Japan’s largest homebuilder compromised via its ShareFile portal
  • Part of a broader campaign affecting 50+ global enterprises
  • Lack of MFA enforcement enabled the attack
  • Source: The Register

Manage My Health (New Zealand) (January 3, 2026)

  • Healthcare software provider discovered unauthorized access
  • 400,000 medical documents of 120,000 patients compromised
  • Hospital discharge summaries and specialist referrals exposed
  • Source: SharkStriker

Qilin Ransomware Victims - Asia (January 2026):

  • Telstar-Hommel (South Korea) - automotive inspection equipment
  • PTS Goldkist Industries Sdn Bhd (Malaysia) - poultry processing
  • CSV Group (disclosed January 2, 2026)

LockBit5 Victims:

  • Eros Elevators (India) - elevator manufacturer

Regional Statistics

  • Asia-Pacific: $11.5 billion in potential ransomware losses
  • DEVMAN ransomware group reports victim concentration in Asia and Africa
  • CrazyHunter ransomware repeatedly targeting Taiwan healthcare (6+ organizations)
  • Source: CybersecurityAsia

1.4 Other Regions

Global Infostealer Campaign

Zestix/Sentap Threat Actor

  • Stole data from 50+ global organizations using cloud credentials harvested by infostealer malware
  • Victims include:
      • Pickett and Associates (US) - utility engineering
      • Sekisui House (Japan) - homebuilding
      • Iberia (Spain) - airline
      • CRRC MA, GreenBills, CiberC, K3G Solutions
  • All victims lacked MFA enforcement
  • Source: The Register

Lynx Ransomware Victims (January 5, 2026)

  • Burdette Dental Laboratory (Birmingham, AL)
  • Black Dog Salvage
  • Crawford Orthodontics
  • St. Charles Prep
  • Source: Dark Web Informer

2. CYBER-PHYSICAL SYSTEMS (CPS) & ICS

2.1 Romania Critical Infrastructure Campaign

Coordinated attacks during the Christmas period targeted:

  1. Oltenia Energy Complex (December 26) - Gentlemen ransomware
  2. Administrația Națională ‘Apele Române’ (December 20) - Water authority

This suggests deliberate timing during holiday periods of reduced operational readiness. While OT systems remained unaffected in both cases, the attacks demonstrate persistent threat actor interest in critical infrastructure.

  • Source: Industrial Cyber

2.2 Manufacturing Sector Surge

  • Manufacturing: 72% of Q3 2025 ransomware cases in industrial sectors
  • 61% increase in ransomware attacks on manufacturing YoY
  • 87% increase in ransomware attacks against industrial organizations overall
  • Critical manufacturing received 46% of all CISA ICS security advisories
  • Source: Industrial Cyber

2.3 2026 ICS/OT Threat Forecast

  • By 2026: more than one-third of global energy and utilities infrastructure will have experienced cyber pre-positioning activity
  • 90% of top 10 CVEs in H1 2025 impacting OT have been actively exploited
  • 70% exploited by APTs
  • VoltRuptor malware: ICS/SCADA malware with multi-protocol support, persistence, anti-forensics
  • Source: SC Media

3. AUTOMOTIVE CYBERSECURITY

3.1 Jaguar Land Rover Recovery Update

  • Attack began September 2025; full recovery ongoing through January 2026
  • 5,000+ businesses affected across global supply chain
  • Minimum five-week production shutdown at three UK plants
  • ~1,000 vehicles/day production halt
  • £2 billion estimated cost - UK’s most financially damaging cyber event
  • Attributed to Scattered Lapsus$ Hunters collective
  • Source: Automotive Manufacturing Solutions

3.2 Angstrom Automotive Group - Pear Ransomware (December 15, 2025)

  • Leading US automotive supplier targeted
  • Ransomware group Pear threatening to leak sensitive data
  • Source: DeXpose

3.3 Industry Statistics

  • 409 documented incidents in 2024 (39% increase from 295 in 2023)
  • Incidents affecting millions of vehicles tripled: 5% (2023) to 19% (2024)
  • 100+ ransomware attacks targeted automotive sector in 2024
  • 214 incidents resulted in data breaches
  • SafePay, Qilin, and Lynx actively targeting automotive organizations
  • Source: VicOne

3.4 Pwn2Own Automotive 2026

  • Dates: January 21-23, 2026, Tokyo, Japan
  • Prize Pool: Over $1 million
  • Sponsors: Alpitronic joins Tesla as title sponsor
  • Focus: Connected car vulnerabilities, software-defined vehicles
  • Source: VicOne

4. MEDICAL DEVICE CYBERSECURITY

4.1 Active Incidents

Covenant Health - Qilin Ransomware (May 2025, disclosed January 2026)

  • 478,188 individuals affected
  • Qilin claimed theft of 850 GB of sensitive data
  • Impact on hospitals in Maine (St. Joseph, St. Mary’s Health System) and New Hampshire (St. Joseph)
  • Source: The Record

HealthBridge Chiropractic - Qilin Ransomware (January 6, 2026)

  • Systems and data compromised
  • Nature and quantity of data under investigation
  • Source: CYFIRMA

CrazyHunter Ransomware Targeting Taiwan Healthcare

  • Go-developed malware with advanced encryption
  • At least 6 known Taiwan healthcare organizations victimized
  • Specifically targets medical infrastructure
  • Source: CyberSecurityNews

4.2 IoMT Risk Statistics

  • 89% of healthcare organizations have top 1% riskiest IoMT devices on networks
  • These devices carry known exploited vulnerabilities (KEVs) linked to active ransomware campaigns and have insecure internet connections
  • 22% of healthcare organizations experienced cyberattacks directly impacting medical devices
  • 75% of medical device attacks disrupted patient care
  • 24% required patient transfers to other facilities
  • Source: Help Net Security

4.3 FDA Regulatory Update

FDA Quality System Regulation amendment (21 CFR Part 820) takes effect February 2, 2026:

  • Shift from pre-market paperwork to active auditing of operational execution
  • Section 524B: security controls in design, vulnerability management, and an SBOM required
  • Source: Medical Device Network

4.4 Healthcare Threat Landscape 2026

  • 93% of US healthcare organizations experienced at least one cyberattack (avg 43 incidents/org)
  • 72% said at least one incident disrupted patient care
  • Shift from ransomware to “fast, quiet data-extortion attacks”
  • Steal sensitive information in minutes, pressure with regulatory/reputational fallout
  • Source: MedCity News

5. KEY TAKEAWAYS

For Security Teams

  1. Critical Infrastructure Timing: Romania attacks demonstrate holiday period targeting - maintain vigilance during reduced staffing
  2. Insider Threat Reality: BlackCat convictions show cybersecurity professionals can be threat actors
  3. MFA Critical: 50+ organizations breached via infostealer credentials due to missing MFA
  4. Exfiltration Focus: Many attacks now skip encryption entirely - detection of data exfiltration paramount

For Strategic Planning

  1. Healthcare Under Siege: 89% of organizations have high-risk IoMT devices; FDA enforcement intensifying February 2026
  2. Supply Chain Risk: JLR attack affected 5,000+ businesses; Marquis Software breach impacted 1.35M people
  3. Automotive Sector Alert: 39% increase in incidents; Pwn2Own Automotive 2026 may reveal new vulnerabilities
  4. Regional Coordination: Romania campaign suggests state-level or organized targeting of national infrastructure

For Threat Intelligence

  1. Qilin Dominance: Most active group with 40+ cases monthly; 700+ attacks in 2025
  2. Emerging Groups: Gentlemen (August 2025), Pear, Ripper - new variants emerging rapidly
  3. RaaS Evolution: Affiliates earning less; groups adding DDoS services as differentiator
  4. Geographic Shift: First year non-Russia ransomware actors may outnumber Russian ones
