Executive Summary
The week of February 20–27, 2026, was dominated by the ShinyHunters extortion group, which demanded $1.5 million from Wynn Resorts after stealing 800,000 employee records and then dumped 12.4 million CarGurus user accounts when the automotive marketplace refused to pay. UMMC’s ransomware crisis entered its second week with all 35 Mississippi clinics remaining closed through mid-week before recovery efforts brought signs of restoration by Friday. Qilin, now the world’s most prolific ransomware operation with over 200 victims in 2026 alone, claimed Malaysia Airlines and the Transport Workers Union Local 100 in New York, placing 67,000 transit workers at risk of identity theft. In the Middle East, Iran-linked Handala published thousands of patient records stolen from Clalit, Israel’s largest healthcare network serving 4.5 million members, while the UAE announced it had foiled a wave of AI-powered ransomware attacks targeting national infrastructure. Europol revealed the first results of Project Compass — 30 arrests and 179 identifications within “The Com,” the loose-knit cybercrime network behind attacks on MGM, Marks & Spencer, and other high-profile targets. A landmark Chainalysis report published February 27 quantified the shifting economics: total ransomware payments fell to $820 million in 2025 despite a 50% surge in attack volume, with the share of victims paying dropping to an all-time low of 28%.
Key Statistics:
- Global: Ransomware payments fell to $820M in 2025 (down 8%) despite a 50% increase in attack volume; median ransom grew 368% to ~$60,000; only 28% of victims paid — an all-time low
- Europe: 5+ incidents — INC Ransom hit Valgo SA (France, 279 GB exfiltrated) and Air Cote d’Ivoire (208 GB); Medusa claimed AMEVIDA SE (Germany); The Gentlemen listed Boutique Harley-Davidson (France)
- Asia: 3+ incidents — Qilin claimed Malaysia Airlines (unverified); Handala published Clalit patient records (Israel); UMMC recovery continued from the prior week’s attack
- US: 8+ incidents — ShinyHunters breached Wynn Resorts ($1.5M demand) and CarGurus (12.4M accounts); Qilin listed TWU Local 100 (67,000 NYC transit workers) and Tulsa International Airport; Anubis hit Envirogen Technologies; UMMC clinics remained closed through mid-week
- Other: UAE foiled AI-powered ransomware attacks on national infrastructure; Tengu claimed Al Arif Contracting (UAE); VECT hit Del Rey Servicos (Brazil)
1. EUROPE
1.1 Government
No incidents reported this week.
1.2 Health, Municipalities & Non-commercial
No new incidents reported this week for this category. However, Romania’s national oil pipeline operator Conpet confirmed that the Qilin ransomware group stole nearly one terabyte of data in a February 3 attack. Although the attack occurred earlier in the month, Conpet’s confirmation of data theft — including government-issued IDs and financial records — continued to generate significant coverage this week. Conpet operates approximately 3,800 kilometres of pipelines supplying crude oil and petroleum products to refineries across Romania, though its SCADA and operational technology systems remained unaffected. An investigation by InfoStealers revealed that an infostealer infection on a Conpet employee’s device likely provided the initial credentials that enabled Qilin’s intrusion, illustrating how commodity malware serves as an on-ramp for targeted ransomware campaigns against critical infrastructure.
1.3 Business
INC Ransom was the most active European threat this week, claiming two major victims on February 19. Valgo SA, a French environmental engineering firm specialising in asbestos removal, soil decontamination, and industrial site remediation, had 279 GB of data exfiltrated — comprising over 225,000 files and 50,000 folders including confidential client information from Renault Group and other major clients, NDAs, contracts, laboratory research, and financial records. Separately, Medusa ransomware listed AMEVIDA SE, a German customer service and call centre company, alongside two US-based victims on its leak portal around February 26. In France, The Gentlemen ransomware group claimed Boutique Harley-Davidson Nantes, a retail dealership, with the listing appearing on February 25 as part of the group’s continued high-volume operations across Western Europe.
2. ASIA
2.1 Government
No incidents reported this week.
2.2 Health, Municipalities & Non-commercial
The Iran-linked hacktivist group Handala claimed a breach of Clalit Health Services, Israel’s largest healthcare network serving approximately 4.5 million members. Under the banner “Operation Justice for the Oppressed,” Handala published thousands of documents online around February 25, including medical referral forms (Form 17 payment authorisations), sick leave certificates, test referrals, and internal correspondence from more than 10,000 patients. Clalit stated its cybersecurity specialists were investigating and that systems were running normally, while reporting the incident to Israel’s Privacy Protection Authority, National Cyber Directorate, and Health Ministry. The attack came amid heightened tensions between Israel and Iran, with Handala — previously known for breaching Israeli politicians’ Telegram accounts — explicitly framing the operation as geopolitical retaliation.
2.3 Business
Qilin ransomware listed Malaysia Airlines on its leak site around February 22–26, though the listing contained no proof or data samples. The claim raised concerns about potential exposure of passenger records, booking data, payment information, and travel documentation, but remains unverified at this time. This follows Qilin’s attack on Kuala Lumpur International Airport last March, which caused significant digital infrastructure disruptions, suggesting a pattern of targeting Malaysia’s aviation sector. Qilin has now claimed over 200 victims in 2026 and listed more than 1,000 victims throughout 2025, making it the most prolific ransomware operation globally.
3. UNITED STATES
3.1 Government
Qilin ransomware claimed Tulsa International Airport in what was described as the airline sector’s first reported ransomware claim of 2026. Leaked files allegedly include financial records, internal emails from the airport’s Chief Financial Officer, copies of employee IDs including driver’s licences and passports, annual budget and revenue spreadsheets, tenant databases, vendor revenue sheets, and court case documents. Airport officials stressed that operations and passenger security were not compromised, though they declined to comment further on the incident.
Qilin also claimed the Transport Workers Union Local 100 on February 23, the powerhouse union chapter representing subway and bus operators, maintenance crews, and other MTA staff across all five New York City boroughs. The group claims to have posted stolen files to the dark web containing names, contact details, and benefits data for roughly 67,000 current and retired transit workers. Union leaders and cybersecurity experts warned the leak could fuel targeted phishing, identity theft, and benefits fraud.
3.2 Health, Municipalities & Non-commercial
The University of Mississippi Medical Center ransomware crisis, which began when the intrusion was detected on February 19, dominated US healthcare news throughout the week. UMMC kept all 35 clinics closed through Monday and Tuesday of the following week, cancelling outpatient surgeries, imaging appointments, and elective procedures while hospital services continued via “downtime procedures” with paper charts. By mid-week, experts warned that recovery could take “weeks to months,” and UMMC confirmed it had made contact with the group behind the attack but declined to name them or discuss ransom payments. The hospital — Mississippi’s only Level I trauma centre, only children’s hospital, and only organ and bone marrow transplant programme — represents a catastrophic single point of failure for the state’s healthcare system. By late in the week, officials expressed hope that normal clinic operations could resume soon, though full system restoration remained ongoing.
The BridgePay Network Solutions ransomware attack, which struck the payment processing vendor on February 6, continued to disrupt municipal utility payments across Texas throughout the week. Residents in Denton, Frisco, Coppell, and Bryan remained unable to pay utility bills via credit or debit card, with the City of Denton pausing late fees and disconnections until February 23. BridgePay confirmed ransomware and involvement of the FBI and U.S. Secret Service but stated no payment card data was compromised, and service was eventually restored after Invoice Cloud arranged an alternate card processor.
3.3 Business
ShinyHunters dominated US business breaches with two high-profile extortion campaigns. The group demanded $1.5 million from Wynn Resorts after claiming to have stolen over 800,000 records containing employee names, emails, phone numbers, positions, salaries, start dates, birthdays, and Social Security numbers. A February 23 deadline was set, with threats of data leaks and “annoying digital problems.” By February 25, Wynn confirmed the breach and stated the attackers confirmed the stolen data had been deleted — a claim security experts note typically follows ransom payment, though Wynn has not disclosed whether any payment was made. The company is offering free credit monitoring and identity protection to all employees.
ShinyHunters also breached CarGurus, one of America’s largest online automotive marketplaces, on February 13 using voice-phishing (vishing) attacks to obtain single-sign-on credentials from Okta, Microsoft, and Google services. When the company refused to pay, ShinyHunters dumped a 6.1 GB compressed archive on February 21 containing over 12.4 million records across multiple files, including user account mappings, auto finance pre-qualification data, dealer account and subscription information, names, phone numbers, physical and IP addresses, and finance application outcomes.
Beacon Pointe Advisors, a registered investment advisory firm with $62 billion in assets and over 90 offices, disclosed a breach stemming from a social engineering attack between January 30 and February 1. ShinyHunters claimed over 100,000 records including Social Security numbers, financial account details, and driver’s licences, setting an extortion deadline of February 18. Multiple class-action investigations have been launched.
Anubis ransomware claimed Envirogen Technologies, a US-based engineering firm specialising in water treatment and resource recovery, on February 26. The group exfiltrated approximately 56,000 files across 8,000+ folders, including internal administrative documents and employee-related records.
4. REST OF WORLD
4.1 Government
The United Arab Emirates announced on February 22 that it had foiled a wave of AI-powered cyberattacks targeting national infrastructure, which officials described as “organised, terrorist in nature.” The attacks included ransomware deployment, network infiltration, and systematic phishing campaigns against national platforms. Mohamed Al Kuwaiti, head of the UAE Cybersecurity Council, highlighted 90,000 to 200,000 daily breach attempts and stated that 128 confirmed cyber threat incidents had targeted UAE entities in 2026 so far. The announcement came amid heightened regional geopolitical tensions and coincided with separate attacks by the Tengu ransomware group against UAE firms.
4.2 Health, Municipalities & Non-commercial
INC Ransom claimed Air Cote d’Ivoire on February 19, with the Ivorian national airline confirming that hackers breached its systems on February 8. The group threatened to release 208 GB of stolen data unless an undisclosed ransom was paid by February 24. The cyberattack affected parts of the airline’s information systems and forced technical teams to assist with flight operations manually. The airline reported the incident to France’s ANSSI and the Ivory Coast Telecommunications Regulatory Authority.
4.3 Business
Tengu ransomware claimed Al Arif Contracting Co., a leading construction firm in the UAE, on February 25, threatening data leaks unless demands were met. Tengu, which emerged as a RaaS operation in October 2025, primarily targets construction, healthcare, and automotive sectors across Mexico, the US, Morocco, Thailand, and the UAE.
In Brazil, the emerging VECT ransomware group listed Del Rey Servicos, an IT sector company, on February 25, with the victim reportedly in active ransom negotiations. Exfiltrated data allegedly includes service orders, maintenance documentation, recruitment records, and job registrations. VECT, which launched its recruitment programme in December 2025 using custom C++/ChaCha20 malware, appears to be specifically targeting Brazilian and South African organisations in its early operational phase.
5. THREAT ACTOR ACTIVITY
ShinyHunters was the week’s most prominent threat actor by impact, executing three major breaches: Wynn Resorts ($1.5M demand, 800,000 employee records), CarGurus (12.4 million user accounts dumped after payment refusal), and Beacon Pointe Advisors ($62B investment firm, 100,000+ records including SSNs). The group’s attack methodology has shifted toward vishing — voice-phishing attacks targeting SSO credentials for Okta, Microsoft, and Google services — rather than traditional technical exploitation. ShinyHunters’ willingness to immediately dump massive datasets when victims refuse payment makes them particularly dangerous.
Qilin maintained its position as the world’s most prolific ransomware operation, surpassing 200 victims in 2026 after listing over 1,000 in 2025. This week’s claims included Malaysia Airlines (unverified), TWU Local 100 (67,000 NYC transit workers), and Tulsa International Airport, demonstrating a broadening focus on transportation infrastructure. The Conpet confirmation also highlighted Qilin’s earlier attack on Romania’s oil pipeline operator, with an InfoStealers investigation tracing the intrusion to an initial infostealer infection.
The Gentlemen continued high-tempo operations, having posted 25 victims in a single week (February 14–20) and adding new targets including Boutique Harley-Davidson Nantes (France) and Advanced Connection Corporation (UK). The group now exceeds 130 confirmed victims and maintains its FortiGate-focused initial access methodology combined with BYOVD techniques.
Medusa gained attention not only for new victims (AMEVIDA SE in Germany, Chartre Consulting in the US) but also for the Lazarus Group’s adoption of Medusa ransomware. Broadcom’s Symantec threat hunters confirmed that the North Korean state-backed APT successfully deployed Medusa against an unnamed Middle East target and attempted (unsuccessfully) to hit a US healthcare organisation. The Lazarus Group used its signature Comebacker and Blindingcan backdoors alongside Medusa, marking a significant shift toward off-the-shelf ransomware by a nation-state actor.
INC Ransom struck both Air Cote d’Ivoire (208 GB) and Valgo SA in France (279 GB), exfiltrating nearly 500 GB of combined data across the two victims in what appears to be a coordinated week of activity.
Handala, the Iran-linked hacktivist group, attacked Clalit Health Services in Israel, publishing thousands of patient documents in what they framed as geopolitical retaliation.
Law enforcement: Europol announced the first results of Project Compass, a multi-national operation targeting “The Com” — a decentralised network of mostly teenage and young-adult English-speaking cybercriminals linked to the MGM, Marks & Spencer, Co-op, and Harrods attacks (via Scattered Spider). The operation, coordinated across 28 countries including the Five Eyes nations, resulted in 30 arrests, 179 identifications, and the rescue of four victims from active attacks.
6. KEY TAKEAWAYS
The Chainalysis 2026 report, published February 27, provides the clearest economic picture of ransomware’s evolution: total payments fell to $820 million in 2025 even as attack volume surged 50%, and only 28% of victims paid — an all-time low. Yet median demands rose 368% to ~$60,000, indicating that while fewer organisations pay, those that do face significantly higher stakes. Initial access broker payments reached at least $14 million on-chain, with spikes in IAB activity preceding ransomware surges by roughly 30 days.
ShinyHunters’ pivot to vishing-based SSO credential theft represents an escalation in social engineering tactics that traditional perimeter defences cannot address. Organisations relying on Okta, Microsoft Entra ID, or Google Workspace should implement phishing-resistant authentication (FIDO2/hardware keys) and train help desk staff to verify identity through out-of-band channels before issuing credential resets.
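The help desk recommendation above has a detection-side counterpart: a help desk credential reset that is followed within minutes by an MFA factor enrolment from an IP the user has never logged in from is the trace a successful vishing call (the pattern described for the CarGurus intrusion in section 3.3) leaves in identity logs. The following Python script is an added example written for this report, not code from any of the vendors named; it runs over constructed events in a generic schema (field names `event`, `user`, `ip`, `actor`, `factor` are assumptions, not any IdP's real log format) and flags the reset-then-new-factor sequence while ignoring a reset followed by a login from a known address.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)  # how long after a help desk reset we watch for a new factor

# Constructed sample events in a generic schema (not any IdP's real log format).
# alice: help desk reset, then an MFA factor enrolled from an IP she has never logged in from.
# carol: help desk reset, then a normal login from her usual IP and no new factor.
EVENTS = [
    {"ts": "2026-02-13T08:55:00", "user": "carol", "event": "sso.login", "ip": "203.0.113.22", "outcome": "success"},
    {"ts": "2026-02-13T09:02:00", "user": "alice", "event": "sso.login", "ip": "203.0.113.10", "outcome": "success"},
    {"ts": "2026-02-13T09:40:00", "user": "alice", "event": "helpdesk.password_reset", "ip": "198.51.100.5", "actor": "helpdesk.bob"},
    {"ts": "2026-02-13T09:47:00", "user": "alice", "event": "mfa.factor_enrolled", "ip": "192.0.2.77", "factor": "sms"},
    {"ts": "2026-02-13T09:49:00", "user": "alice", "event": "sso.login", "ip": "192.0.2.77", "outcome": "success"},
    {"ts": "2026-02-13T10:00:00", "user": "carol", "event": "helpdesk.password_reset", "ip": "198.51.100.5", "actor": "helpdesk.bob"},
    {"ts": "2026-02-13T10:05:00", "user": "carol", "event": "sso.login", "ip": "203.0.113.22", "outcome": "success"},
]


def parse(events):
    """Parse timestamps and return events in chronological order."""
    return sorted(({**e, "ts": datetime.fromisoformat(e["ts"])} for e in events),
                  key=lambda e: e["ts"])


def detect_reset_then_new_factor(events, window=WINDOW):
    """Alert when a help-desk credential reset is followed within `window` by an MFA
    factor enrolment from an IP the user had never logged in from before the reset."""
    evs = parse(events)
    known_ips = {}  # user -> IPs seen in successful logins so far (built as we stream)
    alerts = []
    for i, e in enumerate(evs):
        if e["event"] == "sso.login" and e.get("outcome") == "success":
            known_ips.setdefault(e["user"], set()).add(e["ip"])
        if e["event"] != "helpdesk.password_reset":
            continue
        # Snapshot the baseline at reset time: logins after the reset must not count.
        baseline = set(known_ips.get(e["user"], ()))
        for f in evs[i + 1:]:
            if f["ts"] - e["ts"] > window:
                break
            if (f["user"] == e["user"] and f["event"] == "mfa.factor_enrolled"
                    and f["ip"] not in baseline):
                alerts.append({
                    "user": e["user"],
                    "reset_by": e.get("actor"),
                    "reset_at": e["ts"].isoformat(),
                    "factor": f.get("factor"),
                    "enrolled_from": f["ip"],
                    "minutes_after_reset": (f["ts"] - e["ts"]).total_seconds() / 60,
                })
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_reset_then_new_factor(EVENTS):
        print(alert)
```

The baseline is built only from successful logins seen before the reset, so an attacker's own post-reset login cannot launder the new IP into the "known" set; in production the same rule would also key on the help desk agent (`reset_by`) to spot an agent who is being socially engineered repeatedly.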
The Lazarus Group’s adoption of Medusa ransomware blurs the traditional boundary between nation-state espionage and cybercriminal extortion. When a state actor with intelligence objectives deploys commodity ransomware, defenders must account for the possibility that an apparent financially motivated attack is actually an intelligence operation — or both simultaneously.
An Index Engines report published February 25 found that nearly 90% of analysed ransomware samples now exhibit polymorphic behaviours, while approximately 80% employ shadow encryption — intermittent, partial, or slow encryption designed to evade detection while corrupting data over time. This represents a 33% increase in shadow encryption adoption since Q2 2025 and fundamentally challenges detection approaches that rely on identifying rapid, bulk file encryption patterns.
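Because shadow encryption leaves most of a file untouched, a single whole-file entropy score lands in the ambiguous middle and a detector tuned for bulk encryption never fires. The Python script below is an added example written for this report (not code from Index Engines or from any ransomware family): it scores each 4 KB chunk separately and labels a file as an intermittent-encryption suspect when ciphertext-like chunks are interleaved with plaintext chunks. The fixture that produces the partially encrypted sample is constructed here too, using a SHA-256 counter-mode keystream as a stand-in for a real encryptor; the thresholds 7.5 and 6.0 bits/byte are assumptions to tune against your own file corpus.

```python
import hashlib
import math
from collections import Counter

CHUNK_SIZE = 4096   # block size the detector scores independently
HIGH_ENTROPY = 7.5  # bits/byte; ciphertext and random data sit close to 8.0 (assumed threshold)
LOW_ENTROPY = 6.0   # bits/byte; text, CSV and most office formats sit well below this (assumed)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def whole_file_entropy(data: bytes) -> float:
    """The naive bulk check: one entropy value for the whole file."""
    return shannon_entropy(data)


def chunk_profile(data: bytes, chunk_size: int = CHUNK_SIZE) -> list:
    """Entropy of every fixed-size chunk, so partially encrypted regions stand out."""
    return [shannon_entropy(data[i:i + chunk_size])
            for i in range(0, len(data), chunk_size)]


def classify(data: bytes, chunk_size: int = CHUNK_SIZE) -> str:
    """Label a file from its per-chunk entropy profile."""
    profile = chunk_profile(data, chunk_size)
    if not profile:
        return "empty"
    high = sum(1 for e in profile if e >= HIGH_ENTROPY)
    low = sum(1 for e in profile if e <= LOW_ENTROPY)
    if high == len(profile):
        return "fully-encrypted"
    if high and low:
        # Ciphertext-looking chunks interleaved with plaintext chunks is the
        # signature of intermittent / partial encryption.
        return "intermittent-encryption-suspect"
    return "plaintext"


# ---- constructed test fixture: a stand-in for a real file and a real encryptor ----

def build_plaintext(n_chunks: int) -> bytes:
    """Constructed low-entropy CSV-like content, exactly n_chunks * CHUNK_SIZE bytes."""
    out = bytearray()
    i = 0
    while len(out) < n_chunks * CHUNK_SIZE:
        out += f"{i:06d},2026-02-20,invoice,ACME Corp,{(i * 37) % 10000}.{i % 100:02d},net30\n".encode()
        i += 1
    return bytes(out[:n_chunks * CHUNK_SIZE])


def _keystream(key: bytes, chunk_index: int, length: int) -> bytes:
    """Toy SHA-256 counter-mode keystream; only used to produce ciphertext-like bytes."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + chunk_index.to_bytes(8, "big") + block.to_bytes(8, "big")).digest()
        block += 1
    return bytes(out[:length])


def simulate_intermittent(data: bytes, key: bytes, every: int) -> bytes:
    """Encrypt one chunk in `every` (every=1 encrypts all), mimicking an intermittent encryptor."""
    out = bytearray()
    for idx, start in enumerate(range(0, len(data), CHUNK_SIZE)):
        chunk = data[start:start + CHUNK_SIZE]
        if idx % every == 0:
            chunk = bytes(a ^ b for a, b in zip(chunk, _keystream(key, idx, len(chunk))))
        out += chunk
    return bytes(out)


if __name__ == "__main__":
    pt = build_plaintext(8)
    samples = [("plaintext", pt),
               ("fully encrypted", simulate_intermittent(pt, b"demo-key", every=1)),
               ("1-in-4 chunks encrypted", simulate_intermittent(pt, b"demo-key", every=4))]
    for label, sample in samples:
        print(f"{label:24s} whole-file entropy={whole_file_entropy(sample):.2f} -> {classify(sample)}")
```

Running it shows the point of the chunked approach: the 1-in-4 sample scores well under the ciphertext threshold as a whole file, so a bulk-entropy rule stays silent, while the per-chunk profile flags it immediately. A production version would add write-rate and chunk-position tracking so that slow encryption spread over hours is caught as well.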
UMMC’s week-long clinic closures illustrate how ransomware against a state’s sole Level I trauma centre, children’s hospital, and transplant programme creates healthcare access crises that extend far beyond data theft. With healthcare continuing to lead all sectors in ransomware targeting, hospitals that serve as regional monopolies represent catastrophic single points of failure.