Following record levels of ransomware incidents in February 2025, which reached a high of 1,099 attacks, activity decreased to 635 incidents in February 2026. Although this represents a year-on-year reduction, influenced in part by earlier activity from the Cl0p ransomware group, it should not be interpreted as a reduced level of risk for organisations.
The evolving threat landscape continues to expand, with developments such as hybrid warfare and the increasing integration of AI systems contributing to a broader potential attack surface globally. Cybersecurity approaches need to continue adapting to these developments, rather than adjusting focus based solely on short-term fluctuations in attack volume.
AI-driven systems are increasingly embedded across industries and are used to support routine processes and automation. However, vulnerabilities have been identified in low-code and no-code frameworks, creating potential security risks. These issues can expose sensitive data and leave systems open to attack methods such as remote code execution and command injection.
Late February saw increased tensions involving the United States, Israel, and Iran, reflecting the growing role of cyber activity within modern geopolitical conflict. Israel’s established cyber capabilities, along with its history of cyber operations, contribute to heightened risk considerations for organisations operating in the region.
This period included cyber activity such as DDoS attacks, website defacements, and reported breaches, alongside AI-driven misinformation activity. While these events were high in volume, they were generally not assessed as causing significant operational disruption.
Despite the overall reduction in attack numbers, threat actors continue to evolve their techniques. February saw the emergence of a new ransomware variant, Reynolds, featuring a Bring-Your-Own-Vulnerable-Driver (BYOVD) capability. Although still in early development, its delivery method highlights ongoing attempts to bypass defensive controls and improve attack efficiency.
The wider geopolitical environment continues to reflect interconnected risks and uncertainty, reinforcing the importance of maintaining resilient cybersecurity strategies capable of adapting to emerging threats.