Ransomware summary week 08, 2026

Week 8 saw the University of Mississippi Medical Center shut down all clinics after a devastating ransomware attack, while NightSpire emerged as the most prolific group with 26 new victims in a single day, and LockBit 5.0 continued its cross-platform resurgence targeting organizations from Austrian healthcare to Mauritian hospitality.
Published: February 21, 2026

Executive Summary

The week of February 13–20, 2026, brought one of the most impactful healthcare ransomware incidents of the year so far: the University of Mississippi Medical Center (UMMC) was forced to close all 35 clinics statewide, cancel surgeries, and revert to paper charts after ransomware knocked its EPIC electronic medical records system offline. Across the Atlantic, LockBit 5.0 claimed an Austrian healthcare provider and a Massachusetts police department, while NightSpire — which posted 26 new victims on a single day (February 15) — struck targets ranging from a German automotive firm to an Indian industrial manufacturer and a Hungarian factory. The Gentlemen ransomware group hit a U.S. municipality, and Rhysida demanded $660,000 from the Cheyenne and Arapaho Tribes in Oklahoma. A notable law enforcement win came when Polish police arrested a Phobos ransomware affiliate on February 17, seizing stolen credentials and credit card data. Meanwhile, the Crazy ransomware gang drew attention for abusing legitimate employee monitoring software to maintain stealth inside corporate networks before deploying payloads.

Key Statistics:

  • Global: Approximately 30–35 new ransomware victims posted daily across leak sites; ransomware rose to 20% of all cyber events in the first half of February, up from 14% in January
  • Europe: 6+ incidents — LockBit 5.0 hit Austrian healthcare (CS Pflege & Betreuung); NightSpire targeted firms in Germany, Spain, and Hungary; Cloak exfiltrated 2.7 TB from a German auto dealer
  • Asia: 4+ incidents — Advantest (Japan, $120B semiconductor giant) confirmed ransomware; Washington Hotel Japan disclosed a breach; NightSpire claimed Makimura Co. (Japan) and RIECO Industries (India)
  • US: 10+ incidents — UMMC clinic closures dominated headlines; Cheyenne and Arapaho Tribes extorted by Rhysida; City of New Castle (DE) hit by The Gentlemen; Play, Sinobi, Akira, and NightSpire all posted multiple US victims
  • Other: Emirates National Group (UAE) claimed by The Gentlemen; Sands Suites resort in Mauritius hit by LockBit 5.0

1. EUROPE

1.1 Government

Polish authorities from the Central Bureau of Cybercrime Control (CBZC) arrested a 47-year-old man in the Małopolska region on February 17, as part of “Operation Aether” coordinated with Europol. Investigators found stolen credentials, credit card numbers, and server access data on his devices, and confirmed he had communicated with the Phobos ransomware operation via encrypted messaging. The U.S. DOJ has linked Phobos to breaches at more than 1,000 entities worldwide, with ransom payments totalling over $16 million.

1.2 Health, Municipalities & Non-commercial

LockBit 5.0 claimed a cyberattack on CS Pflege & Betreuung (cs.at), an Austrian healthcare and elderly care provider, with the listing appearing on February 14. The estimated attack date was January 25, and the group threatened to release sensitive patient and operational information unless ransom demands were met. The targeting of a care provider serving vulnerable populations exemplifies the continued willingness of ransomware groups to strike healthcare without restraint.

1.3 Business

NightSpire was particularly active against European businesses this week. On February 18, the group claimed KFZ Sauter GmbH Co. KG, a German automotive firm, threatening to release sensitive financial and legal documents. The estimated attack date was February 2. Separately, NightSpire listed PERLITE, S.L.U, a Spanish industrial firm, on February 14, with client-specific drawings and customized data among the compromised materials (estimated attack date: January 16). In Hungary, NightSpire claimed UniTurn Kft., a manufacturing company, on February 14, with HR and employee data allegedly exfiltrated (estimated attack: February 3). Rounding out the European business victims, the Cloak ransomware group listed Autohaus Dinnebier Gruppe, a German automotive dealership network, on February 19, claiming exfiltration of 2.7 TB of data.


2. ASIA

2.1 Government

No incidents reported this week.

2.2 Health, Municipalities & Non-commercial

No incidents reported this week.

2.3 Business

The most significant Asian incident was the ransomware attack on Advantest Corporation, one of the world’s leading semiconductor test equipment manufacturers. The Japanese firm, which serves Intel, Samsung, and TSMC and has a market capitalization exceeding $120 billion, detected an intrusion on February 15 and confirmed that an unauthorized third party deployed ransomware across portions of its network. Third-party cybersecurity specialists were brought in to isolate the threat, and Advantest stated it would notify affected parties if customer or employee data was compromised.

Washington Hotel in Japan disclosed a ransomware infection detected on February 13 that compromised data stored on its servers, including business data, and disrupted operations at several hotel properties and credit card terminals.

NightSpire expanded its Asian footprint with two additional claims. Makimura Co., Ltd., a Japanese company, was listed on February 14 with approximately 500 GB of exfiltrated data including financial records and client lists (estimated attack: January 31). In India, RIECO Industries Limited, a prominent industrial manufacturer, was claimed on February 14 with roughly 10 GB of drawing and engineering data stolen (estimated attack: January 28).

Additionally, Asahi Group Holdings confirmed on February 18–19 that its September 2025 ransomware attack (attributed to Qilin) ultimately led to the leak of 115,513 sets of personal data. While the attack itself occurred months earlier, the disclosure of the full breach scope this week marked a significant update, with the company announcing a comprehensive cybersecurity overhaul including new governance structures and enhanced detection capabilities.


3. UNITED STATES

3.1 Government

The Rhysida ransomware gang claimed responsibility for a December 2025 attack on the Cheyenne and Arapaho Tribes of Oklahoma, with the claim surfacing on February 17. The attack had shut down tribal computer networks, schools, and critical systems, and Rhysida demanded 10 bitcoin (approximately $660,000) to avoid leaking stolen data. Tribal governor Reggie Wassana declared the tribe would not pay, stating “these criminals have not, and will not, receive one cent.”

The City of Meriden, Connecticut shut down its internet services around February 17 after identifying what officials described as an “attempted interruption” of IT systems. City Hall staff were forced to work manually, a City Council meeting was cancelled, and water, sewer, and tax payment systems were disrupted. The public library lost all internet-dependent services. Police are investigating, and the city has not formally attributed the incident.

The City of New Castle, Delaware was claimed by The Gentlemen ransomware group on February 13, with the group alleging exfiltration of sensitive municipal data from the historic city’s government systems.

The Hanover Police Department (Massachusetts) was listed by LockBit 5.0 on February 14, with the estimated attack dated to February 9, as part of the group’s broader campaign against public-sector entities.

The Warren County Sheriff’s Office in Kentucky was listed by RansomHouse on February 18, though the estimated attack date stretches back to December 19, 2025, suggesting a delayed public claim.

3.2 Health, Municipalities & Non-commercial

The week’s most consequential incident was the ransomware attack on the University of Mississippi Medical Center (UMMC), detected in the early hours of Thursday, February 19. The attack brought down UMMC’s EPIC electronic medical records system and forced the closure of all 35 clinic locations statewide, the cancellation of outpatient surgeries and imaging appointments, and a shift to paper-based “downtime procedures” for hospitalized patients. UMMC operates the state’s only children’s hospital, only Level I trauma center, and only organ and bone marrow transplant program, making the disruption exceptionally impactful. During a press conference, officials acknowledged they were communicating with the ransomware operators and working with the FBI. Patients like Richard Bell, who drove three hours for chemotherapy only to be turned away, illustrated the human cost of the attack.

NightSpire claimed MD Charts, a US healthcare electronic health records company, on February 19, and separately listed Pearl Institute for Clinical Research LLC, a neurological clinical research organization, on February 20 (estimated attack: February 1).

3.3 Business

Play ransomware was the most active group targeting US businesses on February 20, claiming nine victims in a single day across professional services and automotive sectors. Among the week’s Play victims listed on February 19 were Marwood, Sika Technology, Paisley Products of Canada, Kirbor Homes, and Tropic Tool & Mold.

Sinobi ransomware continued its surge — with listings up over 300% quarter-on-quarter — posting three US victims on February 19: Saltech Systems (IT services), Iblesoft Inc. (software development, Doral, Florida), and Electriduct (cable management manufacturer). All three are mid-market firms in the $10–50 million revenue range that Sinobi typically targets.

Akira claimed two US victims on February 18: A&A Global Industries (toys and candy) and Cargo Largo (discount retail, Independence, Missouri), threatening to release corporate and employee data.

LockBit 5.0 claimed Chamberlain & McCreery, a US construction contractor specializing in energy-efficient projects, on February 14 (estimated attack: February 11).

NightSpire added American Piping & Boiler Co (construction sector) on February 18, along with TCPN Inc and RS Development LLC during the same period.


4. REST OF WORLD

4.1 Government

No incidents reported this week.

4.2 Health, Municipalities & Non-commercial

No incidents reported this week.

4.3 Business

The Gentlemen ransomware group claimed Emirates National Group (UAE) on February 12, a major Abu Dhabi-based transport and mobility provider operating car rentals, limousine services, taxi operations, and public bus systems. The group threatened to release exfiltrated data via its Tor-based leak site.

LockBit 5.0 listed Sands Suites Resort & Spa (sands.mu) in Mauritius on February 14, with an estimated attack date of February 13, demonstrating the group’s truly global reach, extending even to small island-nation hospitality businesses.


5. THREAT ACTOR ACTIVITY

NightSpire was the dominant group of the week by volume, posting 26 new victims on February 15 alone — accounting for 86% of all disclosures that day. The group, first observed in early 2025, has rapidly evolved from a data-theft-only operation to a full double-extortion model using Go-based ransomware with AES-256/RSA-2048 encryption. NightSpire primarily exploits the Fortinet firewall vulnerability CVE-2024-55591 for initial access and uses WinSCP and MEGACmd for data exfiltration. Its victim profile skews toward mid-sized organizations across manufacturing, healthcare, construction, and technology.

LockBit 5.0 continued its post-disruption resurgence, with 60 victim entries since December 2025. The variant’s expanded cross-platform capabilities — targeting Windows, Linux, and VMware ESXi — make it particularly dangerous, and approximately 80% of attacks hit Windows systems. The group’s RaaS affiliate model has successfully reactivated despite Operation Cronos’s 2024 takedown of the original infrastructure.

Play ransomware maintained high operational tempo, posting nine victims in a single day (February 20), primarily targeting professional services and automotive sectors in the United States.

Sinobi listings surged over 300% from the previous quarter, with the group focusing on US mid-market firms in the $10–50 million revenue range across technology, manufacturing, and services.

The Gentlemen, first observed in mid-2025, now exceeds 130 confirmed victims. The group uses a Go-based payload and gains access through compromised FortiGate firewall admin panels, employing a Bring Your Own Vulnerable Driver (BYOVD) technique with a renamed ThrottleStop.sys driver exploiting CVE-2025-7771.

The Crazy gang drew attention from Huntress researchers for abusing legitimate employee monitoring software — specifically Net Monitor for Employees Professional and SimpleHelp — to maintain persistence, monitor victim desktops, and even set alerts for cryptocurrency wallet access before deploying ransomware. Both investigated breaches originated from compromised SSL VPN credentials.

Law enforcement: Polish police arrested a suspected Phobos affiliate on February 17 as part of Europol’s “Operation Aether,” seizing stolen credentials and server access data.


6. KEY TAKEAWAYS

The UMMC attack starkly illustrates how ransomware against healthcare can force the closure of an entire state’s clinic infrastructure, delaying chemotherapy, surgeries, and routine care for thousands. With healthcare leading all sectors in ransomware incidents in January 2026 (27 attacks), the trend shows no signs of abating.

NightSpire’s explosive growth — from obscurity in early 2025 to 26 victims in a single day — reflects the low barrier to entry in ransomware-as-a-service and the continued exploitation of well-known vulnerabilities like CVE-2024-55591 in Fortinet appliances. Organizations that have not patched this flaw remain acutely exposed.

The resurgence of LockBit 5.0 with cross-platform capabilities and the diversification of groups like The Gentlemen using BYOVD techniques demonstrate ongoing tactical evolution. Defenders should prioritize enforcing multi-factor authentication on all remote access (the Crazy gang’s breaches both began with stolen VPN credentials), maintaining offline backups, and patching internet-facing appliances — particularly Fortinet and SmarterMail systems, both of which CISA flagged this week for active exploitation in ransomware campaigns.

