NCC warns ransomware risk persists despite January dip
NCC Group reported a 17% month-on-month fall in global ransomware incidents in January, but warned the drop does not signal a broader reduction in cyber risk.
Its Threat Pulse tracking recorded 651 incidents, down from 696 in January 2025. NCC Group said the near match to last year suggests activity could remain elevated after what it described as a disruptive year for ransomware in 2025.
"While ransomware attacks were lower than December, activity closely mirrors January 2025, when 696 incidents were recorded. Given the scale and disruption of 2025, this pattern could be an early signal that 2026 may follow a similar path. Organisations should not mistake the month-on-month drop for a decline in risk," said Matt Hull, VP of Cyber Intelligence and Response at NCC Group.
Qilin activity
Qilin was the most active ransomware group in January, with 108 attributed attacks, or 17% of total incidents.
Examples linked to Qilin included an attack on Covenant Health, which exposed personal and medical data for about 478,000 patients and disrupted hospital operations.
Qilin also claimed responsibility for an attack on Tulsa International Airport, where internal financial records and employee data were leaked after the network breach.
NCC Group said Qilin appeared to focus on critical and industrial sectors, citing the impact of operational disruption and the sensitivity of the data involved.
Sectors and regions
Industrials were the most targeted sector in January, accounting for 32% of attacks (196 incidents). Consumer Discretionary followed with 143 incidents. Healthcare ranked fourth with 53 attacks, despite the Covenant Health breach highlighted in the report.
North America accounted for 54% of global ransomware activity, while Europe represented 22%.
"North America remains the most targeted region due to a mix of geopolitical factors, economic incentives, and broad digital exposure. Qilin's high-profile attacks on US-based organisations such as Covenant Health and Tulsa Airport show how top threat actors are focusing on sectors where data and disruption carry the greatest value," Hull said.
Messaging platforms
The report also noted changes in how threat actors gain initial access, with messaging platforms increasingly serving as entry points. It cited device-linking scams, fake group invites, and malicious QR codes that can trick victims into granting access to their accounts.
These techniques shift the focus from purely technical compromise of corporate systems to the manipulation of end users. They also broaden the target set to include individuals whose accounts could provide routes into workplaces, supply chains, or business partners.
NCC Group also pointed to the "rise of AI" and the expansion of attack surfaces as factors increasing complexity for defenders. It did not quantify AI's impact on January's incident numbers, but described it as a continuing influence on attacker behaviour.
"The ransomware landscape is not getting any easier. Threat actors are constantly evolving, leveraging every tool and tactic to exploit vulnerabilities and maximise impact. Messaging platforms and the rise of AI add further complexity and widen attack surfaces. This creates more ways for attackers to target individuals and organisations. It's never been more important for organisations to remain vigilant and strengthen their security posture to stay ahead of these evolving threats," Hull said.
Overall, January's figures were below the previous month but close to the prior-year baseline. NCC Group expects tactics and target selection to keep evolving through 2026, including greater use of messaging channels as entry points for ransomware operations.