Qilin, the ransomware gang behind a crippling 2024 cyber attack on a major NHS supplier partner, maintained its status as ‘top dog’ in the ransomware ecosystem during January 2026, accounting for nearly a fifth of all observed attacks, according to data gathered by NCC Group for its regular monthly cyber barometer.

In its latest update, NCC said it saw 108 Qilin attacks, 17% of the total, in January, although this was down slightly on its December tally of 170 attacks. NCC noted that general attack volumes do tend to ebb at this time of year, and this was the case in January, with activity falling by 17% to 651 reported incidents.

NCC vice president of cyber intelligence and response, Matt Hull, said this activity pattern closely mirrored that seen last year.

“Given the scale and disruption of 2025, this pattern could be an early signal that 2026 may follow a similar path. Organisations should not mistake the month-on-month drop for a decline in risk,” he said.

As for Qilin, its attacks show no signs of stopping – within the past few days it has claimed a breach of the Local 100 Chapter of the Transport Workers Union of America (TWU), affecting 41,000 current and 26,000 former employees of New York City’s public transport system. NCC said the gang was consistently targeting organisations in critical and industrial sectors where operational disruption and sensitive data exposure can increase the pressure to give in to its extortion demands.

Active for about three and a half years, Qilin – which went by the name Agenda for a time – operates a standard ransomware-as-a-service (RaaS) model, distributing its tools to a network of trusted affiliates who do its dirty work for it.

According to data compiled last autumn by the Cisco Talos team, Qilin’s greatest number of recorded victims is, by some margin, in the US, with 333 known victims, followed by Canada, the UK, France and Germany. At the time, Talos said there were approximately 24 known Qilin victims in the UK.

“North America remains the most targeted region due to a mix of geopolitical factors, economic incentives, and broad digital exposure. Qilin’s high-profile attacks on US-based organisations … show how top threat actors are focusing on sectors where data and disruption carry the greatest value,” said Hull.

The other most active ransomware operations NCC observed last month were Akira, which conducted 68 known attacks, Sinobi with 56, INC Ransom with 47, and Cl0p with 46. The industrials sector remained the most victimised, accounting for 32% of activity, followed by consumer discretionary, which was hit by 23% of known attacks, and IT, with 11%.