Qilin crew continues to dominate ransomware ecosystem

Qilin, the ransomware gang responsible for a devastating cyber attack on a major NHS supplier partner in 2024, continued to dominate the ransomware ecosystem in January 2026, accounting for nearly 20% of all observed attacks, according to data collected by NCC Group for its monthly cyber barometer.

NCC reported 108 Qilin attacks in January, representing 17% of the total, although this was down from the 170 attacks recorded in December. NCC noted that attack volumes typically decrease at this time of year, and January saw a 17% drop in activity overall, with 651 reported incidents.

Matt Hull, NCC’s vice president of cyber intelligence and response, noted that this pattern of activity closely mirrored that of the previous year.

“Considering the scale and impact of 2025, this trend could indicate a similar trajectory for 2026. Organizations should not interpret the month-on-month decrease as a reduction in risk,” he cautioned.

Qilin shows no signs of slowing down, recently claiming responsibility for breaching the Local 100 Chapter of the Transport Workers Union of America (TWU), affecting thousands of current and former employees of New York City’s public transport system. NCC highlighted that the gang targets organizations in critical sectors where operational disruption and data exposure can pressure victims to meet its extortion demands.

Active for about three and a half years, Qilin, formerly known as Agenda, operates on a ransomware-as-a-service (RaaS) model, distributing its tools to a network of affiliates who carry out attacks on its behalf.

Most of Qilin’s victims are in the US, with 333 known cases, followed by Canada, the UK, France, and Germany. According to data from Cisco Talos, there were approximately 24 known Qilin victims in the UK last autumn.

“North America remains the primary target region due to various factors. Qilin’s high-profile attacks on US organizations demonstrate how top threat actors focus on sectors where data and disruption have significant value,” added Hull.

Other active ransomware operations observed by NCC in January included Akira with 68 attacks, Sinobi with 56, INC Ransom with 47, and Cl0p with 46. The industrial sector remained the most targeted, accounting for 32% of attacks, followed by consumer discretionary and IT with 23% and 11% respectively.

Fragmented landscape

In its Threat Pulse report for the month, NCC highlighted that the ransomware landscape is increasingly decentralized, which makes it challenging to produce accurate threat intelligence reporting.

This decentralization is attributed to the rise of RaaS models among cybercriminals, allowing multiple threat actors to operate under the same brand. Affiliates can easily work with multiple RaaS operations simultaneously, as evidenced by shared crypto cash-out addresses linking various ransomware gangs, including Qilin.

Additionally, ransomware gangs face risks such as operational security threats from competitors and law enforcement pressure, prompting them to rebrand and reinvent themselves at a faster pace.

The high levels of ransomware activity and the abundance of information from dark web forums, leak sites, and social media further complicate threat analysis.

NCC highlighted a recent case where 0APT made exaggerated claims, leading to rushed analysis by security providers that turned out to be inaccurate. The varying timelines of attack reporting and discovery also pose challenges for researchers.

NCC’s teams are working to address these limitations by consolidating threat feeds into a central database for more accurate threat analysis. This approach aims to distinguish between confirmed and reported threats, filtering out recycled or fabricated claims.
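As an added illustration of the kind of consolidation step described above (this is not NCC's tooling, and the feed names, victim names, groups and dates are all constructed), the following Python script merges leak-site claims from several feeds into one record set. It normalizes victim names so that the same organization reported by two feeds counts once, marks a claim as confirmed only when at least two independent feeds carry it, and flags a claim as recycled when the same victim was already posted well before the current window.

```python
"""
Consolidate ransomware leak-site claims from several feeds into one record set,
separating multi-source (confirmed) claims from single-source (reported) ones
and flagging re-posts of old victims as recycled.
Added example; all feed records below are constructed sample data.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# Legal suffixes dropped during normalization so "Acme Corp." == "ACME Corporation".
LEGAL_SUFFIXES = {"inc", "ltd", "llc", "corp", "corporation", "plc", "co",
                  "gmbh", "sa", "limited"}


def normalize_victim(name: str) -> str:
    """Lower-case, strip punctuation and legal suffixes, collapse whitespace."""
    tokens = re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()
    return " ".join(t for t in tokens if t not in LEGAL_SUFFIXES)


@dataclass(frozen=True)
class Claim:
    feed: str    # source feed that carried the claim (constructed name)
    group: str   # ransomware brand claiming the victim
    victim: str  # victim name exactly as printed on the leak site
    seen: date   # date the claim appeared on that feed


def consolidate(claims, prior_victims, window_days=90):
    """
    Return {(group, victim): record} with status
    'confirmed' (>= 2 independent feeds), 'reported' (single feed) or
    'recycled' (victim already posted more than window_days earlier).
    prior_victims maps a normalized victim name to the date it was first
    published in an earlier period (the 'central database' history).
    """
    by_key = defaultdict(list)
    for c in claims:
        by_key[(c.group.lower(), normalize_victim(c.victim))].append(c)

    records = {}
    for (group, victim), group_claims in by_key.items():
        first_seen = min(c.seen for c in group_claims)
        feeds = sorted({c.feed for c in group_claims})
        prior = prior_victims.get(victim)
        if prior is not None and (first_seen - prior).days > window_days:
            status = "recycled"      # old victim re-posted; do not count again
        elif len(feeds) >= 2:
            status = "confirmed"     # corroborated by independent feeds
        else:
            status = "reported"      # single-source; keep but do not count
        records[(group, victim)] = {
            "group": group, "victim": victim, "feeds": feeds,
            "first_seen": first_seen, "status": status,
        }
    return records


def monthly_counts(records):
    """Per-group count of confirmed claims only."""
    counts = defaultdict(int)
    for r in records.values():
        if r["status"] == "confirmed":
            counts[r["group"]] += 1
    return dict(counts)


# Constructed sample input: three hypothetical feeds, fictitious victims.
SAMPLE_CLAIMS = [
    Claim("feed-a", "Qilin", "Acme Logistics Inc.", date(2026, 1, 5)),
    Claim("feed-b", "qilin", "ACME LOGISTICS", date(2026, 1, 6)),       # same victim, 2nd source
    Claim("feed-a", "Qilin", "Northwind Traders Ltd", date(2026, 1, 9)),  # single source
    Claim("feed-a", "Akira", "Contoso GmbH", date(2026, 1, 12)),
    Claim("feed-c", "Akira", "Contoso", date(2026, 1, 12)),
    Claim("feed-b", "Qilin", "Fabrikam Corp", date(2026, 1, 20)),       # re-post of a 2025 claim
]
# Constructed history: victim already published in an earlier period.
PRIOR_VICTIMS = {normalize_victim("Fabrikam Corporation"): date(2025, 8, 14)}

if __name__ == "__main__":
    recs = consolidate(SAMPLE_CLAIMS, PRIOR_VICTIMS)
    for key, r in sorted(recs.items()):
        print(f"{r['group']:6} {r['victim']:20} {r['status']:9} feeds={r['feeds']}")
    print("confirmed per group:", monthly_counts(recs))
```

The design choice worth noting is that a single-source claim is kept but never counted: it remains visible for analysts to follow up, while the headline figures only reflect claims that at least two feeds observed independently. The recycled check is deliberately conservative (a fixed window against a stored first-publication date), which is the simplest way to stop a re-posted 2025 victim inflating a 2026 month.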
