Ransomware summary week 06, 2026

Week 6 saw Qilin ransomware hit Romania’s Conpet oil pipeline operator and La Sapienza University in Rome, while DragonForce claimed a 97GB breach of German insurer HanseMerkur. CL0P continued targeting Australian organizations via IT service providers, and LockBit led daily ransomware claims in early February.
Published February 7, 2026 (tag: ransomware)

Executive Summary

Week 6 of 2026 (January 30 – February 6) was marked by significant attacks on European critical infrastructure and education. Qilin ransomware attacked Romania’s national oil pipeline operator Conpet, claiming nearly 1TB of stolen data, though operational technology systems remained unaffected. Italy’s La Sapienza University — one of Europe’s largest with 120,000 students — was crippled by a BabLock ransomware attack attributed to pro-Russian group Femwar02, forcing three days of network shutdown and disrupting mid-semester operations. DragonForce claimed a 97GB breach of German insurance giant HanseMerkur. In the US, the Covenant Health breach notification expanded to 478,000 patients following a May 2025 Qilin attack. CL0P continued its mass exploitation campaign, listing 11 Australian organizations linked to IT service providers. Daily ransomware tracking showed 23-26 claims per day from 8-10 groups, with LockBit, Akira, and Qilin maintaining high activity levels. The Poland power grid attack (December 2025) was confirmed as a wiper attack by Russia’s Sandworm group, not ransomware.

Key Statistics:
  • Global: 23-26 ransomware claims daily from 8-10 groups; 679 victims claimed in January 2026; Qilin claimed 115 victims in January alone
  • Europe: Conpet (Romania) oil pipeline attacked by Qilin; La Sapienza University (Italy) offline 3+ days; HanseMerkur (Germany) 97GB breach by DragonForce; Poland grid attack attributed to Sandworm
  • Asia: CL0P targeting 11 Australian organizations; Qilin hit University of Applied Sciences Worms (Germany); transportation and technology sectors heavily targeted
  • US: Covenant Health notification expanded to 478K patients; Conduent breach notifications ongoing, affecting 25M+ individuals; Iron Mountain breach mostly limited per company
  • Other: TridentLocker emerged, claiming 12 victims including bpost (Belgium) and Sedgwick Government Solutions (US)


1. EUROPE

1.1 Government

No new European government ransomware incidents reported this week. The Poland power grid attack (December 29-30, 2025) was confirmed by ESET as a wiper malware attack (DynoWiper) by Russia’s Sandworm group targeting ~30 distributed energy facilities, not ransomware. (Bleeping Computer, ESET Research)

1.2 Health, Municipalities & Non-commercial

La Sapienza University (Rome, Italy) — BabLock Ransomware (February 2-5, 2026)
  • One of Europe’s largest universities with ~120,000 students
  • IT network completely shut down for 3+ days following the ransomware attack
  • Attackers issued a 72-hour deadline; the university did not open the ransom note to avoid triggering the timer
  • Attack attributed to pro-Russian group Femwar02 using BabLock (Rorschach) malware
  • Students unable to register for exams, access course materials, or use official communication channels
  • Rome prosecutor’s office opened a case; National Cybersecurity Agency (ACN) assisting recovery
  • University confirmed backups are safe and are being used for system restoration
  • Physical “infopoints” established across campus for students
  • Source: TechCrunch, Bleeping Computer

University of Applied Sciences, Worms (Germany) — Qilin Ransomware (February 5, 2026)
  • German educational institution targeted by Qilin
  • Systems encrypted with ransom demand issued
  • Attack discovered February 5, 2026
  • Part of a pattern targeting German higher education (follows attacks on Harz University, Ruhr West University)
  • Source: Purple Ops

1.3 Business

Conpet S.A. (Romania) — Qilin Ransomware (February 3-5, 2026)
  • Romania’s national oil pipeline operator (nearly 4,000 km pipeline network)
  • Cyberattack disrupted IT systems and website
  • Qilin claims nearly 1TB of stolen data; sample documents published, including financial records and passport scans
  • SCADA and telecommunications systems remained fully functional
  • Company states operational activity unaffected; criminal complaint filed
  • Working with national cybersecurity authorities on the investigation
  • Romania has faced multiple recent ransomware incidents (Romanian Waters in December 2025, Electrica Group Lynx attack in December 2024)
  • Source: The Record, Bleeping Computer

HanseMerkur (Germany) — DragonForce Ransomware (February 3, 2026)
  • Major German insurance group with €3 billion annual revenue (founded 1875)
  • DragonForce claims 97GB of stolen data
  • Leaked documents include financial records, invoices, tax notes, and documents referencing Emirates Insurance (UAE partner)
  • Posted on dark web leak site February 3, 2026
  • Source: CyberNewsCenter

Geoplin (Slovenia) — Ransomware Attack (January 29, 2026)
  • Leading Slovenian natural gas supplier since 1975
  • Attackers demanded €6.8 million ransom
  • Claims of stolen employee data, confidential documents, and financial information
  • Limited impact on IT environment reported
  • Source: CERT-EU

Iron Mountain — Everest Gang Breach (February 2, 2026)
  • Data storage and recovery services company
  • Everest gang claimed 1.4TB data theft
  • Iron Mountain confirmed the incident was mostly limited to marketing materials in a single folder
  • Attackers used compromised credentials; no ransomware deployed
  • Source: Bleeping Computer

bpost (Belgium) — TridentLocker Ransomware (December 1, 2025, ongoing impact)
  • Belgium’s national postal service
  • 30.46GB / 5,140 files stolen
  • Affected environment isolated from core logistics; operations unaffected
  • bpost confirmed the breach involved “personal and business information of a small number of department customers”
  • Source: CyberNews


2. ASIA

2.1 Government

No new Asian government ransomware incidents reported this week.

2.2 Health, Municipalities & Non-commercial

No incidents reported this week.

2.3 Business

CL0P — Australian IT Provider Campaign (January-February 2026)
  • 11 Australia-based companies listed across IT services, banking, construction, hospitality, professional services, and healthcare sectors
  • Victims linked to IT support firm NextPhaze and Cleo software vulnerabilities
  • Western Australia-based targets include Etto Australia, The Hale Road Tavern, RMW Hospitality Group, MRA Group, Ventnor, Y Architecture Studio
  • CL0P may be exploiting shared IT infrastructure; authenticity of breach claims unconfirmed
  • Other Australian victims: Ampol Limited, Linfox, Worley (engineering), Podiatry WA
  • Source: CyberDaily

Kyowon Group (South Korea) — Note: Covered in W05 summary
  • Attack occurred January 10, 2026; ~9.6 million accounts potentially affected
  • No attribution claimed; investigation ongoing


3. UNITED STATES

3.1 Government

Sedgwick Government Solutions — TridentLocker Ransomware (December 31, 2025)
  • Claims administration firm for federal agencies (DHS, ICE, CBP, USCIS, DOL, CISA)
  • TridentLocker claimed 3.4GB data theft
  • Sedgwick confirmed a security incident at a subsidiary
  • TridentLocker is a new group that emerged in November 2025, with 12 victims in total
  • Source: The Record

3.2 Health, Municipalities & Non-commercial

Covenant Health (Massachusetts) — Qilin Ransomware Notification Expansion (January 2, 2026)
  • Originally disclosed July 2025 with 7,800 affected
  • Expanded notification reveals 478,188 affected individuals
  • Qilin claimed 852GB / 1.35 million files stolen in June 2025
  • Exposed: names, addresses, DOB, medical record numbers, SSNs, treatment details, insurance info
  • Attack occurred May 18-26, 2025; data published by Qilin (ransom not paid)
  • 12 months identity protection offered
  • Source: The Record, SecurityWeek

Conduent — SafePay Ransomware Notifications Ongoing (January 2025 attack)
  • 25+ million individuals confirmed affected across multiple states
  • Texas: 15.4 million affected (nearly 50% of state population)
  • Oregon: 10.5 million initially reported
  • 8.5TB data stolen, including SSNs, medical info, insurance details
  • Attack began October 2024; service disruption January 13, 2025
  • $9M breach costs incurred by September 2025; $16M additional expected by Q1 2026
  • Source: SC Media

Illinois Department of Human Services — Data Exposure (January 2026 disclosure)
  • Note: This was a misconfiguration, not ransomware
  • 700,000+ residents’ data publicly accessible for years due to incorrect privacy settings
  • Separate from the December 2024 phishing attack affecting 1.1 million
  • Source: The Record

3.3 Business

Under Armour — Everest Ransomware Data Leak (January 18, 2026)
  • 72 million customer records published on a hacking forum
  • Attack occurred November 2025; Everest claimed responsibility
  • Exposed: names, emails, DOB, genders, geographic locations, purchase info
  • Multiple class action lawsuits filed in Maryland and Texas
  • Second major breach (the first was 150M MyFitnessPal users in 2018)
  • Source: Malwarebytes, TechCrunch

LockBit Activity (February 4-5, 2026)
  • Most active group in recent days with 4 incidents in 24 hours
  • Victims include Kenta Informática (Brazil), Guarnera (Brazil)
  • Primarily targeting transportation and professional services sectors
  • Source: Purple Ops

Akira Ransomware Victims (February 2026)
  • Karl Geuther GmbH, Farsound Aviation, Fenco Labs, PTI-CCIT, Richey Tax Solutions, Royal Wine
  • Source: Ransomware.live


4. REST OF WORLD

4.1 Government

No incidents reported this week.

4.2 Health, Municipalities & Non-commercial

No incidents reported this week.

4.3 Business

Qilin Victims — Rest of World (January 30 - February 6, 2026)
  • Parente Fireworks (location TBD)
  • La Fabrica (location TBD)
  • Kopas Cosmetics (location TBD)
  • Source: Ransomware.live

DragonForce Victims (February 1-2, 2026)
  • Mullinax Ford (US) — February 1, 2026
  • Erickson Thorpe and Swainston — February 2, 2026
  • Source: HookPhish


5. THREAT ACTOR ACTIVITY

Most Active Groups (Week 6)

Qilin
  • Continued dominance with 115 victims claimed in January 2026 alone
  • 55+ victims already in early 2026, ahead of the record 2025 pace (1,066 victims)
  • Major Week 6 attacks: Conpet S.A. (Romania), University of Applied Sciences Worms (Germany)
  • Focus on critical infrastructure (oil/gas, education, healthcare)
  • Source: Barracuda

LockBit
  • Most active in daily tracking (4 incidents on Feb 5)
  • Primarily targeting Brazil and Italy
  • Focus on transportation and professional services
  • Source: Purple Ops

DragonForce
  • Claimed HanseMerkur (Germany) 97GB breach
  • Operating a cartel-style model offering affiliates their own branding
  • Multi-platform capability (Windows, Linux, ESXi, BSD, NAS)
  • 185 organizations compromised in 2025
  • Source: CyberNewsCenter

CL0P
  • 93 victims claimed in January 2026
  • Mass exploitation of Cleo software and Oracle E-Business Suite vulnerabilities
  • Targeting IT service providers to access multiple downstream victims
  • Australia seeing elevated attack volume linked to the CL0P campaign
  • Source: SecurityWeek

TridentLocker (Emerging)
  • New RaaS operation emerged November 2025
  • 12 victims claimed to date
  • Notable targets: bpost (Belgium), Sedgwick Government Solutions (US federal contractor)
  • Manufacturing, government, IT, professional services sectors targeted
  • Primary focus: North America and Europe
  • Source: CyberNews

Akira
  • Maintained stable activity with ~740 victims in 2025
  • Last recorded victim February 5, 2026
  • Source: Ransomware.live

Clarification: Poland Power Grid Attack

The December 2025 attack on Poland’s energy infrastructure was confirmed by ESET as a wiper attack (not ransomware) conducted by Russia’s Sandworm group using DynoWiper malware. The attack targeted ~30 distributed energy facilities but failed to disrupt power to the 500,000 people it could have affected. This is classified as cyber sabotage, not extortion. (ESET Research)

VMware ESXi Exploitation

CISA confirmed that ransomware gangs are exploiting CVE-2025-22225 (ESXi sandbox escape) in attacks. The vulnerability was patched in March 2025, but exploitation has likely been ongoing since February 2024. Organizations should prioritize patching VMware infrastructure. (Bleeping Computer)


6. KEY TAKEAWAYS

Defensive Recommendations

  1. VMware ESXi Patching: Immediately apply patches for CVE-2025-22225 and related vulnerabilities; Chinese-speaking actors and ransomware gangs have been actively exploiting them since 2024

  2. Education Sector Hardening: Implement network segmentation, maintain offline backups, establish emergency manual procedures for exam registration and student services

  3. Energy/OT Segmentation Validation: Conpet incident validates importance of IT/OT separation; ensure SCADA systems are isolated from corporate networks

  4. Third-Party Risk Assessment: Map IT service provider relationships; CL0P campaign demonstrates single provider compromise can affect multiple organizations

  5. Ransom Timer Awareness: La Sapienza’s decision not to open ransom note avoided triggering 72-hour countdown — understand attacker tactics before engaging

Sources

RSS Feed Sources

  • Bleeping Computer
  • The Record by Recorded Future
  • SecurityWeek
  • The Hacker News
  • Cyble Blog
  • ESET Research
  • Dark Web Informer
  • Purple Ops
  • Industrial Cyber
  • SC Media
  • Help Net Security
  • Check Point Research