Ransomware Activity Updates: January 2026 Trends, Milkyway Variant, and Lakelands Public Health Incident
Ransomware reporting in early February highlighted both broad January 2026 activity and specific new developments. BlackFog tracked 91 publicly disclosed ransomware attacks to open 2026, with healthcare the most targeted sector (27 incidents) and nearly half (49%) of recorded attacks not publicly claimed by a known group; among claimed activity, Qilin led with eight incidents and the U.S. accounted for 58% of disclosed attacks. Separately, CYFIRMA reported identifying a ransomware strain dubbed Milkyway, which encrypts files and appends the .milkyway extension, presents a full-screen ransom message, and uses typical extortion pressure (including threats to leak stolen data), with recovery generally dependent on offline/secure backups absent cryptographic flaws.
A healthcare-specific incident in Ontario was also disclosed: Lakelands Public Health reported a cybersecurity intrusion discovered Jan 29 and reported Feb 3, which disrupted internal systems and some public services during containment while stating infectious disease and clinical appointment systems were not impacted. The Lynx ransomware group publicly claimed responsibility by listing the organization on a leak site and implying data theft; Lakelands Public Health engaged a specialized cybersecurity firm and worked with law enforcement and forensics to validate the claim and determine scope. UpGuard characterized Lynx as a RaaS operation and an alleged successor to the INC ransomware group, consistent with double-extortion tactics (encryption plus threatened data exposure).
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
CYFIRMA documents Pulsar RAT malware campaign
CYFIRMA disclosed technical details of a stealthy, memory-resident Windows malware operation it labeled Pulsar RAT. The campaign was described as modular and in-memory, using a multi-stage infection chain for remote control, surveillance, and data theft with exfiltration over common online services.
CYFIRMA identifies emerging Milkyway ransomware strain
CYFIRMA reported a developing Windows-targeting ransomware strain dubbed Milkyway, describing its encryption behavior, ransom note, and tactics including persistence and shadow copy deletion. The report characterized the malware as using coercive extortion threats involving data leaks and outreach to victims' partners or authorities.
Lynx ransomware group claims Lakelands Public Health attack
The Lynx ransomware group listed Lakelands Public Health on its dark web leak site, claiming responsibility for the incident and implying data exfiltration. The health unit said those claims had not been verified and that affected individuals would be notified if confirmed.
Lakelands Public Health publicly reports cybersecurity incident
On February 3, 2026, Lakelands Public Health disclosed a significant cybersecurity incident. The organization said it had activated incident response protocols, engaged a specialized cybersecurity firm, and was working with law enforcement and forensic experts to determine scope and whether any personal or health information was compromised.
BlackFog reports 91 publicly disclosed ransomware attacks in January
BlackFog said January 2026 saw 91 publicly disclosed ransomware attacks worldwide, with healthcare the most targeted sector, followed by government and manufacturing. The report noted the United States accounted for 58% of disclosed attacks and that nearly half of incidents were not yet publicly claimed by a known ransomware group.
Lakelands Public Health detects network intrusion
Lakelands Public Health in Ontario detected a cybersecurity intrusion and began containment and investigation activities. Several internal systems and some non-urgent public services were later disrupted, while infectious disease and clinical appointment systems were reported unaffected.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
Weekly Intelligence Report - 06 February 2026 - CYFIRMA
cyfirma.com
Open sourceThe State of Ransomware: January 2026 | BlackFog
blackfog.com
Open sourceLakelands Public Health Investigating Data Breach | UpGuard
upguard.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Ransomware Activity and Related Threat Intelligence Updates
Reporting highlighted elevated ransomware activity and evolving access-broker ecosystems. BlackFog’s February ransomware roundup counted **82 publicly disclosed ransomware incidents** across **20 countries**, with the **U.S.** most affected (51 incidents) and **healthcare** the most targeted sector (31%). The report attributed publicly claimed attacks to **24 ransomware groups**, led by **Shiny Hunters** (8) and **Qilin** (6), while noting **41%** of incidents were not yet attributed; it also cited individual victim disclosures/claims involving **Nova Biomedical** (PII exposure affecting 10,764 people), **Hosokawa Micron** (files accessed; **Everest** claimed ~30GB theft), and **Iron Mountain** (Everest claim of 1.4TB theft, while Iron Mountain stated access was limited to a single marketing folder via a compromised credential). Separately, Huntress described how investigation of a “routine” **RDP brute-force** success led to discovery of credential-hunting behavior and **geo-distributed infrastructure** consistent with a **ransomware-as-a-service** ecosystem and associated initial access activity, illustrating how exposed remote access can connect to broader ransomware operations. Arctic Wolf warned of **heightened cyber risk** following the February 2026 U.S./Israel-Iran escalation (*Operation Epic Fury*), advising increased vigilance—especially for sectors historically targeted by Iranian-linked actors (e.g., energy, defense, transportation, healthcare, government)—and anticipating potential **wiper activity, DDoS, targeted intrusions, supply-chain risk**, and possible collaboration with ransomware-affiliate activity amid geopolitical retaliation dynamics.
May 12, 2026
Ransomware and data-extortion incidents drive new breach disclosures across healthcare, aviation, and hospitality
Multiple organizations disclosed or were linked to **ransomware/data-extortion** activity with material operational or privacy impact. **Air Côte d’Ivoire** confirmed a cyberattack affecting parts of its information systems after **INC ransomware** claimed theft of **208 GB** and threatened to leak data, while the airline said it engaged the national CERT and external experts to contain impact and maintain flight operations. In the US healthcare sector, **University of Mississippi Medical Center (UMMC)** reported a ransomware incident that forced statewide clinic closures and disrupted access to **Epic** electronic medical records, prompting engagement with the **FBI** and **CISA** and use of downtime procedures to sustain patient care. Separately, **Conduent**’s earlier ransomware-linked breach continued to expand in scope, with breach notifications indicating at least **~25 million** people affected across multiple states and exposure of sensitive PII (including **SSNs** and health/insurance data). **Wynn Resorts** also confirmed an unauthorized party accessed and stole employee data after being listed by the **ShinyHunters** extortion group, with the company stating the actor claimed the data was deleted and that guest operations were not impacted. Other items in the set describe distinct, unrelated security events and broader threat research rather than the same incident: alleged data leaks involving **Burger King France** and **Wendy’s UK**; **Qilin** ransomware claims against a New York City transit union; Russian cyber operations against Ukraine’s power grid focused on intelligence collection; and a New Zealand healthcare application (**MediMap**) taken offline after apparent unauthorized access and **patient record tampering** (e.g., records marked deceased). Additional references cover threat research and trends (airline brand impersonation domains, edge-device exploitation telemetry, MuddyWater’s *Operation Olalampo*, Google Ads cloaking via **1Campaign**, freight/logistics phishing by “Diesel Vortex,” and various governance/AI/5G/quantum commentary), which provide context on the threat environment but do not substantively report on the same specific breach event.
Mar 21, 2026
Ransomware Ecosystem Update: Leading Groups, RaaS Expansion, and Termite’s ClickFix Adoption
Reporting highlights a broader shift in the ransomware ecosystem toward **platform-like operations** and **ransomware-as-a-service (RaaS)** models that lower the barrier to entry and accelerate the creation of new crews. Huntress telemetry for 2025 is cited as placing **Akira** as a leading ransomware group, with operators increasingly targeting the **hypervisor layer** to bypass traditional endpoint controls; separate commentary describes rapid victim growth for **Qilin** (claimed to exceed 1,000 victims in 2025) and notes **LockBit** regaining operational capability after prior disruption. The same reporting also points to “**Extortion-as-a-Service**” offerings (including a federation described as **SLSH**—Scattered Spider/Lapsus$/ShinyHunters) that enable affiliates to rent tooling rather than develop it, contributing to a surge in newly formed groups. A separate technical write-up details **Termite** ransomware as a Babuk-derived operation first observed in late 2024 that has matured into a multi-stage intrusion and **double-extortion** threat, claiming dozens of victims across multiple sectors and regions by March 2026. The report emphasizes Termite’s operationalization of **ClickFix** (browser-based social engineering) to bypass traditional phishing defenses, and provides a distinctive forensic marker: encrypted files reportedly have the Babuk-inherited trailing string `"choung dong looks like hot dog"`, positioned as a practical indicator during triage. Another overview article catalogs major active ransomware groups and tactics, including **Lynx** (described as sharing substantial code with INC, using double extortion, appending `.lynx`, and deleting shadow copies) and **Medusa**, while reiterating law-enforcement attribution and indictments tied to **LockBit** leadership and deployment activity.
Mar 21, 2026