
NCC Group Monthly Threat Pulse – Review of February 2026

25 March 2026

March 2025, Manchester - Following record-breaking heights in February 2025 (1,099 attacks), there were 635 ransomware incidents in February 2026. The significant drop year-on-year reflects the ‘batch-listing’ from the Cl0p ransomware group in February 2025 which caused a spike in reported incidents. 

This fall year-on-year should not be mistaken for a reduced threat level or an opportunity for cyber security complacency. The technology landscape continues to evolve rapidly, with hybrid warfare gaining prominence, and the growing adoption of AI systems expanding the attack surface.    

 

February 2026 key statistics:   

  • Global ransomware attacks decreased 8% month-on-month  
  • The Industrials sector accounted for 31% of ransomware attacks in February 2026, remaining the most targeted sector  
  • Qilin was again the most active threat group, responsible for 15% of all attacks  
  • More than half (52%) of attacks targeted North America, followed by 21% in Europe   

 

Security risks in AI-enabled platforms 

While AI-driven workflows are becoming easier to integrate and are automating routine tasks, they are also introducing new security risks and amplifying existing ones. Recently identified vulnerabilities in low-code and no-code orchestration frameworks have exposed sensitive data and increased the risk of exploitation through remote code execution, command injection and other attack techniques.

 

Global conflict spurs cyber warfare  

Late February saw an escalation in tensions involving the US, Israel and Iran, underscoring the increasing integration of offensive cyber capabilities into modern conflict. Israel’s advanced cyber capabilities and history of attacks heighten the risk landscape, particularly for organisations with a presence in Israel.  

Cyber activity linked to the Israel–Iran tensions has included DDoS attacks, website defacements, exaggerated breach claims, and widespread AI-driven misinformation. While high in volume, most of this activity has had relatively low direct operational impact and has not been materially disruptive.

 

New ransomware variants and threat groups  

Despite the overall decline in attack volume, threat actors and techniques continue to evolve. A new ransomware variant, Reynolds, was identified in February, featuring a built-in Bring-Your-Own-Vulnerable-Driver (BYOVD) component.

Although Reynolds is still in its early stages and limited information is available, its delivery method is unusual and warrants caution. It shows how attackers are continuously refining techniques to bypass defensive controls and simplify execution.  

 

Matt Hull, VP of Cyber Intelligence and Response:

“The past month has seen significant geopolitical turbulence. Given the complexity of global supply chains, even regionally focused cyber activity can have wider implications. Organisations worldwide must remain vigilant, as interconnected systems increase the risk of disruption and exposure to information warfare. 

“At the same time, rapid AI adoption across sectors is creating new security challenges. While ransomware volumes have decreased compared to both January and February last year, AI-enabled threats and an increasingly volatile landscape mean organisations must ensure their cyber resilience strategies can adapt to evolving risks.” 

 
