Ransomware summary week 03, 2026

Week 3 saw Qilin targeting Vietnam Airlines and Japanese manufacturers while Akira launched aggressive campaigns against US businesses. TridentLocker’s attack on Sedgwick Government Solutions exposed federal contractor vulnerabilities, and Ingram Micro disclosed a July 2025 breach affecting 42,000 employees.
Published: January 20, 2026

Executive Summary

Week 3 of 2026 witnessed continued high ransomware activity with Qilin maintaining dominance as the most active threat group, claiming victims across Asia including Vietnam Airlines and Japanese manufacturer Sugawara Laboratories. Akira ransomware conducted an aggressive campaign targeting US businesses including RJS Corporation, McCraw Oil, Paylogix, and multiple others. The Everest ransomware group made headlines with a claimed attack on Nissan Motor Corporation in Japan. Notably, IT distributor Ingram Micro disclosed that a July 2025 SafePay ransomware attack affected 42,521 employees. Healthcare remained under siege with Qilin targeting orthopedic and pediatric centers in Massachusetts. The ransomware ecosystem showed signs of geographic expansion, with analysts predicting 2026 will be the first year non-Russian ransomware actors outnumber Russian ones.

Key Statistics:

  • Global: 285 ransomware victims recorded in first 15 days of January 2026; 47% YoY increase in 2025 attacks
  • Europe: Qilin, LockBit5, and DragonForce active; Italy (40), Germany (69), Spain (28) among top Q3 targets
  • Asia: Qilin and Everest targeting Japan (Nissan, Sugawara Labs); Vietnam Airlines added to leak site
  • US: Akira aggressively targeting SMBs; Sedgwick breach affects federal agencies; Ingram Micro discloses 42K affected
  • Other: Latin America saw sharpest rise in cyberattacks (26% YoY); SafePay and DragonForce active globally


1. EUROPE

1.1 Government

No new government incidents reported this week.

Previous week’s incidents (ongoing): TridentLocker’s attack on Sedgwick Government Solutions continues to affect services to federal agencies including DHS, ICE, CBP, USCIS, and CISA.

1.2 Health, Municipalities & Non-commercial

Auforum AG (Switzerland) - Qilin Ransomware (January 2026)
  • Healthcare and rehabilitation supplies provider targeted
  • Listed on Qilin data leak site
  • Source: CYFIRMA Weekly Intelligence Report

European Space Agency - Data Breach (January 2026)
  • ESA confirmed cyberattack compromising collaborative engineering servers
  • Over 200 GB of data reportedly stolen including API tokens, Bitbucket repositories, source codes
  • Source: SharkStriker

1.3 Business

Aero-Coating GmbH (Germany) - Qilin Ransomware (January 16, 2026)
  • Aerospace coating company targeted
  • Listed on Qilin leak site
  • Source: Ransomware.live

Bergmanis Preyra LLP - Qilin Ransomware (January 16, 2026)
  • Law firm targeted by Qilin group
  • Source: Ransomware.live

Fluorsid Spa (Italy) - Qilin Ransomware (January 17, 2026)
  • Italian chemical company targeted
  • Source: Ransomware.live

Central Roofing South Wales (UK) - Qilin Ransomware (January 2026)
  • Construction company listed on leak site
  • Source: Ransomware.live

Depot Napoli (Italy) - LockBit (January 16, 2026)
  • Italian logistics company targeted by LockBit5
  • Source: Ransomware.live

3GH Informatica Integral (Spain) - Incransom (January 2026)
  • Spanish data security provider targeted
  • Source: SharkStriker

JR Advertising Specialties - DragonForce (January 16, 2026)
  • Listed on DragonForce leak site
  • Source: Ransomware.live

NWIMS IT Group - DragonForce (January 16, 2026)
  • IT services company targeted
  • Source: Ransomware.live


2. ASIA

2.1 Government

No government incidents reported this week.

2.2 Health, Municipalities & Non-commercial

Orthopaedic Specialists of Massachusetts - Qilin Ransomware (January 17, 2026)
  • Healthcare provider listed on Qilin leak site
  • Patient data potentially compromised
  • Source: Ransomware.live

Cary Pediatric Center - Qilin Ransomware (January 17, 2026)
  • Pediatric healthcare provider targeted
  • Source: Ransomware.live

2.3 Business

Vietnam Airlines - Qilin Ransomware (January 18, 2026)
  • Major Vietnamese carrier listed on Qilin data leak site
  • Transportation/logistics sector target
  • Separate from earlier 2025 Salesforce-related breach
  • Source: RedPacket Security

Nissan Motor Corporation (Japan) - Everest Ransomware (January 2026)
  • Approximately 900 GB of data claimed stolen
  • Blueprints, financial records, sensitive materials allegedly compromised
  • Source: CYFIRMA Weekly Intelligence Report

Sugawara Laboratories (Japan) - Qilin Ransomware (January 2026)
  • Industrial measuring equipment manufacturer
  • Confidential and sensitive information compromised
  • Source: CYFIRMA Weekly Intelligence Report

Bina Darulaman Berhad (Malaysia) - Dire Wolf Ransomware (January 2026)
  • Investment holding and property development company
  • Approximately 500 GB of internal documents and financial records stolen
  • Source: CYFIRMA Weekly Intelligence Report

UGS (Technology Sector) - Qilin Ransomware (January 17, 2026)
  • Technology company listed on leak site
  • Source: RedPacket Security

SINBON Electronics Co., Ltd (Taiwan) - DragonForce (January 2, 2026)
  • Electronics manufacturer targeted
  • Source: Ransomware.live

Eros Elevators (India) - LockBit5 (January 2026)
  • Elevator manufacturing company (established 1947)
  • Source: CYFIRMA Weekly Intelligence Report


3. UNITED STATES

3.1 Government

Sedgwick Government Solutions - TridentLocker (December 31, 2025 - January 2026)
  • Federal contractor providing services to DHS, ICE, CBP, USCIS, DOL, and CISA
  • 3.4 GB of data allegedly stolen
  • Isolated file transfer system affected; claims management servers not compromised
  • Source: The Record, SecurityWeek

3.2 Health, Municipalities & Non-commercial

Orthopaedic Specialists of Massachusetts - Qilin Ransomware (January 17, 2026)
  • Healthcare provider targeted
  • Source: Ransomware.live

Cary Pediatric Center - Qilin Ransomware (January 17, 2026)
  • Pediatric healthcare facility compromised
  • Source: Ransomware.live

Covenant Health Breach Update (May 2025, notification ongoing January 2026)
  • 478,188 individuals affected
  • Qilin claimed theft of 850 GB of sensitive data
  • Impacting hospitals in Maine and New Hampshire
  • Source: BleepingComputer

3.3 Business

Ingram Micro - SafePay Ransomware (July 2025, disclosed January 2026)
  • 42,521 employees affected by data breach
  • Names, SSNs, passport numbers, driver’s licenses, employment evaluations exposed
  • 3.5 TB of documents allegedly stolen
  • Entry via GlobalProtect VPN using leaked credentials
  • Source: BleepingComputer, The Register

RJS Corporation - Akira Ransomware (January 7, 2026)
  • Major tire manufacturing company (USA)
  • Source: DeXpose

McCraw Oil - Akira Ransomware (January 9, 2026)
  • Leading petroleum products supplier
  • 40 GB of sensitive corporate data threatened for release
  • Employee documents, client information, contracts at risk
  • Source: DeXpose

Syrstone - Akira Ransomware (January 12, 2026)
  • US-based company compromised
  • Source: HookPhish

Rebars & Mesh - Akira Ransomware (January 14, 2026)
  • Prominent US rebar fabricator
  • 15 GB of sensitive corporate data threatened
  • Source: Malware News

Paylogix - Akira Ransomware (January 15, 2026)
  • Leading insuretech company
  • 185 GB of sensitive data allegedly obtained
  • Source: DeXpose

Cognesense - Akira Ransomware (January 16, 2026)
  • Technology company targeted
  • Source: Ransomware.live

Gorlick, Kravitz & Associates - Akira Ransomware (January 16, 2026)
  • Law firm targeted
  • Source: Ransomware.live

Hein Electric Supply Co. - Akira Ransomware (January 16, 2026)
  • Electrical supply company compromised
  • Source: Ransomware.live

Cirrus Aviation - INC Ransom (January 16, 2026)
  • Aviation company targeted
  • Source: Ransomware.live

Fox Architects - Shinobi Ransomware (January 2026)
  • Architecture firm compromised
  • Source: SharkStriker

M&M Auto Parts - Shinobi Ransomware (January 2026)
  • Auto parts company targeted
  • Sensitive information encrypted with publication threat
  • Source: SharkStriker

Aero Fabrications - Interlock (January 6, 2026)
  • Manufacturing company compromised
  • Source: SharkStriker

Brightspeed - Under Investigation (January 5, 2026)
  • Major US fiber broadband company
  • Investigating security breach and data theft claims by Crimson Collective
  • Source: BleepingComputer

Fortune 100 Financial Firm - PDFSider Malware (January 19, 2026)
  • Ransomware attackers used new PDFSider malware strain
  • Targeting Windows systems with malicious payloads
  • Source: BleepingComputer


4. REST OF WORLD

4.1 Government

No government incidents reported this week.

4.2 Health, Municipalities & Non-commercial

No incidents reported this week.

4.3 Business

Balneario (Brazil) - Qilin Ransomware (January 18, 2026)
  • Brazilian company listed on Qilin leak site
  • Source: Ransomware.live

Soteck - DragonForce (January 15, 2026)
  • Listed on DragonForce leak site
  • Source: Ransomware.live

UBS Office - DragonForce (January 2, 2026)
  • Listed on DragonForce leak site
  • Source: Ransomware.live


5. THREAT ACTOR ACTIVITY

Most Active Groups This Week

Qilin Ransomware
  • Most prolific group with 183 victims claimed in December alone
  • January 2026 targets span healthcare, manufacturing, transportation, legal sectors
  • Notable victims: Vietnam Airlines, Sugawara Laboratories (Japan), multiple US healthcare providers
  • Focus expanding into East and Southeast Asia (Malaysia, Philippines, Vietnam)
  • Source: CYFIRMA, Barracuda

Akira Ransomware
  • Aggressive January campaign targeting US SMBs
  • Notable victims: RJS Corporation, McCraw Oil, Paylogix, Rebars & Mesh
  • Exploiting SonicWall VPNs with successful MFA bypass
  • Dwell time measured in hours - rapid encryption after initial access
  • Source: Arctic Wolf

LockBit5
  • Returned to Top 10 with 112 victims in December 2025
  • New variant with multi-platform support (Windows, Linux, ESXi)
  • Randomized 16-character file extensions for evasion
  • Source: Check Point, Bitdefender

Everest Ransomware
  • Major claim: Nissan Motor Corporation (Japan) - 900 GB allegedly stolen
  • Operating as initial access broker alongside traditional ransomware operations
  • Source: CYFIRMA

DragonForce
  • Active across multiple regions
  • January victims include SINBON Electronics (Taiwan), JR Advertising Specialties
  • Built from leaked LockBit 3.0 and Conti code
  • Part of alleged alliance with LockBit and Qilin
  • Source: S2W Blog

SafePay Ransomware
  • Linked to Ingram Micro breach (42K affected)
  • Responsible for largest record breach in 2025 (16.15 million via Conduent)
  • Believed to have spun out of LockBit
  • Source: BleepingComputer

TridentLocker
  • Emerging RaaS operation (since November 2025)
  • 12 confirmed victims including Sedgwick Government Solutions, bpost (Belgium)
  • Targeting manufacturing, government, IT, professional services
  • Focus on North America and Europe
  • Source: Security Affairs

Emerging/Notable Groups

Shinobi Ransomware - Targeting US businesses (Fox Architects, M&M Auto Parts)

Dire Wolf - Active in Asia with 500 GB claimed from Malaysian property developer

Interlock - Targeted US manufacturing (Aero Fabrications)

Karma (MedusaLocker variant) - Featured as ransomware of the week by CYFIRMA


6. KEY TAKEAWAYS

Defensive Recommendations

  1. VPN Security: Akira campaign exploiting SonicWall VPNs - ensure firmware updated and MFA properly configured
  2. Credential Hygiene: SafePay/Ingram Micro breach attributed to leaked credentials - implement credential monitoring
  3. Holiday Staffing: Romania attacks during Christmas period demonstrate continued targeting during reduced operational readiness
  4. Backup Verification: Multiple incidents show encryption within hours - ensure backup integrity and offline storage
  5. Third-Party Risk: Federal contractor and supply chain attacks highlight need for vendor security assessment

2026 Outlook

  • Analysts predict first year where non-Russian ransomware actors outnumber Russian ones
  • AI-assisted attacks expected to accelerate reconnaissance and execution
  • Exfiltration-only attacks (no encryption) continuing to rise
  • Manufacturing, healthcare, and critical infrastructure remain top targets
