February 2026 saw ransomware groups claim a staggering 680 victims across 72 countries, continuing the relentless pace of attacks that has defined the ransomware landscape over the past year. The most alarming development was the devastating surge in healthcare sector targeting, with victim counts rising from 40 in January to 93 in February -- a 133% increase that has had life-threatening consequences.
Top Ransomware Groups
Qilin emerged as the most prolific group in February, claiming 104 victims and solidifying its position as a dominant force in the ransomware ecosystem. The group, which operates a ransomware-as-a-service (RaaS) platform, has been rapidly expanding its affiliate network and targeting organizations across all sectors.
- Qilin: 104 victims -- the most active group for the second consecutive month
- RansomHub: 87 victims -- continued targeting of manufacturing and logistics
- Akira: 64 victims -- focused on mid-market enterprises in North America
- Play: 52 victims -- persistent targeting of Latin American and European organizations
- Black Basta: 41 victims -- resurgence after a brief decline in December
Healthcare Under Siege
The most devastating trend in February was the sharp escalation of attacks against healthcare organizations. The 93 healthcare victims represent the highest monthly total ever recorded, with real-world consequences that extended far beyond data loss and financial impact.
Multiple hospitals across North America and Europe were forced to cancel scheduled surgeries, divert emergency patients, and revert to paper-based record keeping. In several cases, outpatient clinics were temporarily closed entirely, delaying critical care for vulnerable patients.
The healthcare sector remains a prime target because of the critical nature of its operations, the sensitivity of patient data, and the historically lower investment in cybersecurity infrastructure relative to other regulated industries.
Sector Breakdown
- Healthcare: 93 victims (up from 40 in January)
- Manufacturing: 89 victims (consistent with prior months)
- Technology: 78 victims (slight increase)
- Professional Services: 65 victims
- Financial Services: 54 victims
- Education: 47 victims
- Government: 38 victims
Canadian Impact
Canada was not spared from February's ransomware onslaught. Canadian organizations accounted for approximately 28 of the 680 victims, spanning healthcare, manufacturing, and professional services. Several small and medium-sized enterprises in Ontario and British Columbia were forced to halt operations for multiple days while responding to attacks.
The Canadian Centre for Cyber Security has reiterated its guidance for organizations to maintain offline backups, implement network segmentation, and develop tested incident response plans.
Defensive Recommendations
CyberSafe recommends the following measures to protect against ransomware:
- Maintain immutable, offline backups with regular restoration testing
- Implement network segmentation to limit lateral movement
- Deploy endpoint detection and response (EDR/XDR) across all endpoints
- Enforce multi-factor authentication on all remote access and privileged accounts
- Conduct regular vulnerability scanning and prioritize patch management
- Develop and test incident response playbooks specific to ransomware scenarios
- Consider 24/7 SOC monitoring to detect threats before encryption begins