Ransomware attacks surged 30% in the first half of 2026 compared to the same period in 2025, with Qilin and INC Ransom emerging as two of the most prolific and dangerous operators in a crowded criminal ecosystem. Healthcare continues to be the top targeted industry, with 27 incidents in January 2026 alone, a figure that reflects both the sector’s operational sensitivity and the premium value of health records on darknet markets.
Qilin: The Dominant Force
Qilin, also known as Agenda, is a ransomware group that entered 2026 accelerating, not slowing down. By early 2026, Qilin had already posted 55 confirmed victims, placing it ahead of its own 2025 pace. By June 2026, according to tracking data, Qilin had accumulated 168 confirmed victims in the healthcare sector alone, behind only manufacturing (291) and business services (245) in overall victim count.
Qilin operates as a Ransomware-as-a-Service (RaaS) platform, recruiting affiliates who conduct attacks using Qilin’s ransomware builder and infrastructure in exchange for a percentage of ransom proceeds. This model allows the core group to expand operational throughput without directly executing every attack.
The group’s double extortion model — encrypting victim data while simultaneously exfiltrating it and threatening public release on their leak site — has proven effective at pressuring victims into paying ransom demands even when robust backups exist. Public exposure of sensitive patient records creates regulatory, legal, and reputational pressure that many healthcare organisations find more immediately damaging than operational downtime.
A notable recent case involves Covenant Health, which suffered a Qilin ransomware breach that exposed 478,188 patient records. The Covenant Health incident highlights Qilin’s willingness to attack hospitals and health systems regardless of the direct patient safety implications.
INC Ransom: Targeting Critical Sectors
INC Ransom is another highly active operator that was among the top ransomware groups by victim count in January 2026, with 47 known attacks that month. The group targets organisations across multiple sectors, including healthcare, legal services, and public administration.
INC Ransom gained significant attention in 2025 for its attack on NHS Scotland, which exposed 3 terabytes of patient data. The group continues to operate aggressively in 2026, targeting entities including healthcare practices, municipal agencies, and regional service providers.
Recent INC Ransom victims include healthcare organisations such as Lymphedema Therapy Specialists, Inc. (February 2026, affecting 378 Texas patients) and various municipal and public sector entities, including Champaign-Urbana Public Health District.
The 2026 Ransomware Landscape
Beyond Qilin and INC Ransom, the broader 2026 ransomware ecosystem is characterised by:
- AI-assisted operations: Multiple ransomware groups are now using AI tools to accelerate phishing campaign creation, target research, and initial access operations, reducing the operational cost of launching attacks.
- Healthcare as a premium target: Patient records sell for up to 10 times as much as financial records on darknet markets, making the sector a persistently attractive target. Operational disruption of healthcare services also creates patient-safety leverage that can pressure organisations to make faster payment decisions.
- The Play and SafePay operators were also confirmed in recent June 2026 attack disclosures, targeting organisations including Clínica Maitenes and various regional businesses.
Why It Matters
The 30% year-over-year increase in ransomware incidents confirms that neither law enforcement action nor improved defensive capabilities has materially reduced the operational tempo of ransomware criminal enterprises. The professionalisation of RaaS platforms, combined with AI-assisted tooling and shortened attack timelines, is creating conditions in which even well-defended organisations face materially elevated risk.
For healthcare specifically, the combination of operational sensitivity, high data value, and historically underfunded security programmes creates a structural vulnerability that the industry has not yet resolved despite years of high-profile attacks.