RedACT NOW

👉🏻 we moved our dashboard to GitHub, check it NOW!

🌐 Global
Threat Landscape

since january 2026

Globally speaking, January recorded 722 publicly claimed victims (verified).

February rose slightly to 782 claims, highlighting a strong trend.

🇮🇹 Italian
Threat Landscape

since January 2026

January recorded 20 confirmed claims affecting organizations across multiple sectors.

In February, incidents rose to 26, reflecting only cases that were fully validated and confirmed.

1504

Ransomware victims
world, 2026

Active groups
world, 2026

Countries impacted
2026

New Threat Actors
world, 2026

Top 7 Threat Actors 2026

1 • 🥷🏻 Qilin
2 • 🥷🏻 TheGentlemen
3 • 🥷🏻 CL0P
4 • 🥷🏻 Akira
5 • 🥷🏻 INC Ransom
6 • 🥷🏻 PLAY
7 • 🥷🏻 Sinobi

Top 7 Countries 2026

1 • 🇺🇸 USA
2 • 🇨🇦 Canada
3 • 🇬🇧 UK
4 • 🇩🇪 Germany
5 • 🇫🇷 France
6 • 🇮🇹 Italy
7 • 🇧🇷 Brazil

Top 7 Sectors 2026

1 • ⚙️ Manufacturing
2 • 🥫 Food industry
3 • 💻 IT
4 • 🏥 Healthcare
5 • 📊 Consulting
6 • 🚚 Logistics & Transportation
7 • 👗 Apparel

Infrastructure hosting distribution 🌐

🇷🇺 Russia / CIS — 41%
🇳🇱 Netherlands — 18%
🇩🇪 Germany — 12%
🇫🇷 France — 9%
🌍 Offshore hosting — 20%

Ransomware DLS, RaaS and supporting infrastructure are frequently hosted in jurisdictions offering permissive hosting environments or limited enforcement cooperation, enabling operators to maintain resilient extortion platforms.

Operational models in ransomware campaigns 🌐

🤝 RaaS affiliates — 72%
🧠 Core group operations — 18%
⚙️ Hybrid operations — 10%

Most ransomware activity is driven by the Ransomware-as-a-Service (RaaS) model, where core developers provide infrastructure and malware while affiliates conduct intrusions and share profits. Direct operations by core groups remain a minority.

New Threat Actors 2026

January • MintEye, MS13089, Osiris
February • BravoX, sepc0, Sicari, VECT, SHADOWBYT3$

Ransomware claims in Italy: comparative overview

Exfiltrated data comparison
2025–2026, Italy

This comparison highlights the volume of data exfiltrated and publicly released by ransomware threat actors across 2025 and early 2026, providing a perspective on how the scale of exposed information has evolved over time.

2024 (31,142.25 GB) already represented a significant level of activity and marked a clear escalation compared to 2025, both in the number of incidents and in the overall volume of leaked data.

published data in 2025

26,270.97

published data in 2026*

3,626.12

* all 2026 values presented here are based on verified incidents and are updated as of 28 February 2026.

Top 5 Regions 2026 🇮🇹

1 • 🏙️ Lombardia
2 • 🏎️ Emilia-Romagna
3 • ⚓ Liguria
4 • 🏛️ Lazio
5 • 🌋 Campania

Top 5 Provinces 2026 🇮🇹

1 • 🏙️ Milano
2 • 🏔️ Bergamo
3 • ⚓ Genova
4 • 🏛️ Roma
5 • 🎓 Padova

Exfiltrated data by Region 🇮🇹

Lombardia — 95.80 GB
Veneto — 470.00 GB
Piemonte — 150.00 GB
Sicilia — 145.00 GB
Emilia-Romagna — 302.00 GB

Top targeted legal forms and target profile 2026 🇮🇹

🏢 SRL — 15
🏛 SPA — 13
👥 SNC — 1
📁 Other — 16

Mid-size enterprises — 48%
Large enterprises — 34%
Small organizations — 18%

Ransomware campaigns increasingly focus on medium and large organizations, which offer higher financial leverage and larger volumes of potentially exfiltrated data.

Economic impact of ransomware 🇪🇺

Average recovery cost

€1.2M – €2.8M

Typical recovery costs for ransomware incidents including downtime, system restoration, incident response and operational disruption.

Potential NIS2 administrative fines

Up to €10M

Under the NIS2 Directive, essential entities may face penalties of up to €10 million or 2% of global annual turnover for severe cybersecurity failures or non-compliance.

Average time to data leak

Average delay

9–14 days

Fastest disclosure

48 hours

Longest delay observed

>30 days

Many ransomware incidents remain undisclosed for days before victims appear on leak sites, reflecting the time required for extortion pressure, negotiation attempts, or staged publication.

Monitoring methodology & ethical framework

Monitoring ransomware activity demands a careful balance between comprehensive coverage and analytical rigor. Our monitoring focuses exclusively on ransomware groups whose claims can be considered credible and attributable to identifiable targets.

Entities operating primarily as data brokers, aggregators of previously leaked material, or actors publishing unverifiable claims are excluded from our dataset, as their activity does not reflect genuine ransomware operations.

It is also common for certain groups—particularly those emerging from hacktivist environments—to adopt ransomware-style extortion tactics. In these cases, we evaluate the claims themselves rather than relying solely on the group’s declared identity.

Each incident is subject to manual verification, duplicate detection, and contextual analysis. Claims that cannot be verified or cannot be linked to a legitimate and identifiable target are excluded from monitoring and statistical analysis.

About ransomNews

watchdogs in the age of digital warfare

real data. real threats.

ransomNews is an independent observatory dedicated to tracking and analyzing global ransomware activity. We monitor cyber extortion claims across the world, verify each incident manually, and compile clear, data-driven insights with a sharp focus on Italy.

Every month, we publish RedACT, in-depth report to inform, educate, and raise awareness - empowering businesses, institutions, and individuals to better understand the evolving ransomware landscape.

Our mission: to turn raw data into actionable knowledge, making cybersecurity a shared responsibility.

RedACT & dataset

Blog

Long-form analysis, commentary, and behind-the-scenes

LinkedIn verification: secure? Realiable? Think again.

Examining biometric processing, subprocessor chains, CLOUD Act exposure, and data sovereignty risks for users and organizations.

24.02 2026

Ransomware case studies: Colonial Pipeline, Costa Rica and systemic cyber risk

A technical analysis of landmark ransomware attacks, examining operational impact, state response, critical infrastructure risk.

14.02 2026

Supply Chain Ransomware: how attackers use your vendors against you

An evidence-based analysis of supply chain ransomware vectors and threat actor evolution, sector exposure.

09.02 2026

0APT: arise of a giant or epic fake?

One of the most discussed ransomware group seems in between: a rising star in the RaaS ecosystem or a mass fake effect?

05.02 2026

Ransomware incident at University La Sapienza

Another breach at one of the most known university in Italy and abroad; could be tied to Spain and US incidents?

05.02 2026

The AI Social Newtwork
or where we failed at being humans

The quiet moment when an assistant stopped asking and started acting, and a whole social network shaked the buzz

31.01 2026

Maritime Ransomware
the weird paradox of cybersecurity

Strategically critical, technologically messy, and yet many serious incidents land with a dull thud in public awareness.

13.01 2026

The WhatsApp affaire
take two: notes and statuses

Closed for vacation. Or why a single note on your profile could ruin your holidays, your life and your finances.

26.11 2025

The WhatsApp affaire
numbers, usernames, privacy

WhatsApp's shift to usernames promises more privacy, but new research shows 3.5B accounts can still be enumerated at scale. Phone numbers remain the platform's weakest link.

20.11 2025

What we do

ransomware disclosure, activity tracking & more

Ransomware Events Tracking

We monitor ransomware claims published by threat actors, verify their credibility, and enrich the data to provide structured intelligence on global ransomware activity.

Reports and Insights

We compile RedACT and RedACTinsights, free resources offering rigorously verified, data-driven reporting on ransomware activity and threat actors.

Open Source Threat Intel

We conduct deep OSINT and SOCMINT investigations to extract, verify, and contextualize threat actor claims and more.

Technical Data Support

We support organizations and institutions with tailored ransomware intelligence reports, sector-specific and data-driven.

Threat Landscape Briefings

We deliver curated threat landscape briefings, sector-specific, timely, and actionable, relevant to any organization.

Awareness

We raise awareness around invisible exposure: how our digital habits, overlooked traces, and public signals can silently map our vulnerabilities.

Where our data Speak

From global stages to specialized forums, our insights power the conversation

CyberAct Forum

Viterbo, Italy

ForumPA

Rome, Italy

Public Sector Stakeholders

Italy, Switzerland, Estonia

Private Consulting

Italy, Switzerland, Estonia

Intel Hub

Your central access point for ransomware knowledge

The Team

behind the firewall

Every alert starts with messy data.
We dig through claims, leaks, and fragments, verify what’s real, and connect the dots so the picture makes sense.

Follow us for real-time ransomware news, emerging threat groups, critical vulnerabilities, and the signals that often get missed.
Cybersecurity awareness isn’t noise. It’s knowing what actually matters.

ransomNews