Trout Software
MONTHLY REPORTS

FEBRUARY 2026 Threat Intelligence Report

Ransomware campaigns, exploited vulnerabilities, and malware trends across the global threat landscape. Covering February 2026 data.

763 ransomware victims
51 active groups
29 new CISA KEVs
3 threat IOCs

00 TOP-LEVEL ASSESSMENT

Executive Threat Briefing

Most Active Groups

Qilin: 110
The Gentlemen: 88
Clop: 79
Akira: 47
IncRansom: 42
Play: 42

Top Targeted Sectors

Technology: 89
Manufacturing: 65
Healthcare: 55
Financial Services: 37
Construction: 37

Executive Briefing: February 2026 Threat Landscape

February 2026 delivered the most concentrated ransomware surge we've tracked, with 763 victims across 51 active groups — led by Qilin's unprecedented 110 attacks that establish them as the dominant threat actor in our analysis. Two critical vulnerabilities achieved immediate weaponization: CVE-2026-1731 (BeyondTrust Remote Support) and CVE-2026-24423 (SmarterMail), both scoring CVSS 9.8 and providing authentication-bypass paths into enterprise environments. Our blockchain analysis confirmed $1.02 billion in tracked ransom payments, with elite operators capturing 88% of revenue despite representing less than 25% of active groups. Healthcare and technology sectors bore the brunt with 144 combined attacks, reflecting attackers' systematic targeting of high-value, operationally critical environments.

Qilin Ransomware Group: Exploded to 110 attacks this month, representing the highest single-group volume we've documented and a 40% increase over their previous peak. Their perfected RaaS model combines sophisticated technical capabilities with streamlined affiliate networks, making them the primary enterprise threat we currently track.

CVE-2026-1731 (BeyondTrust Remote Support): Command injection vulnerability providing zero-authentication system access to remote management infrastructure. With an EPSS score of 0.646 (98th percentile), this represents immediate privileged access to multiple enterprise systems simultaneously.

The Gentlemen Ransomware: Emerged as the second-most prolific operator with 88 attacks, signaling successful rapid scaling among newer RaaS platforms. Their ascent alongside Qilin indicates mature ransomware operations are consolidating market share and perfecting affiliate recruitment.

The dominant attack pattern leverages CVE-2026-1731 in BeyondTrust platforms for immediate enterprise compromise. Attackers scan for exposed instances, exploit the command injection flaw to gain system-level access (T1190), then establish persistence through scheduled tasks (T1053.005) while conducting network reconnaissance (T1018). The privileged nature of BeyondTrust access accelerates lateral movement significantly — where traditional attacks require multiple escalation steps, this vulnerability provides immediate access to domain controllers and backup infrastructure. We've observed Qilin affiliates particularly effective at weaponizing this vector, combining it with their refined double-extortion model to maximize both technical impact and financial leverage.

  • Immediately patch CVE-2026-1731 in all BeyondTrust Remote Support instances and audit for signs of compromise since vulnerability disclosure
  • Block Qilin infrastructure and implement enhanced monitoring for their known TTP signatures, particularly T1190 exploitation of VPN gateways and Exchange servers
  • Review SmarterMail deployments for CVE-2026-24423 exposure and implement email traffic monitoring for unauthorized redirections through external infrastructure

Qilin's operational scaling suggests continued high-volume attacks throughout March, particularly targeting healthcare and technology sectors where their double-extortion model proves most effective. The concentration of 64% of attacks among top-10 groups indicates further market consolidation, with struggling operators likely to either shut down or be absorbed by successful platforms.

01 CAMPAIGNS & THREAT GROUPS

Ransomware Landscape

[Charts: top threat groups by attack count; targeted sectors. Figures as listed in the top-level assessment above.]

February 2026 marked a watershed moment in ransomware operations, with Qilin's explosive surge to 110 attacks fundamentally reshaping the threat landscape and establishing the group as the dominant player we've tracked. The emergence of The Gentlemen as the second-most prolific operator (88 attacks) signals a concerning trend toward rapid operational scaling among newer RaaS platforms. With 763 total victims across 51 active groups, we observed the highest concentration of attacks among top-tier operators in months, suggesting successful consolidation around mature platforms with proven affiliate networks. Most critically, the sustained targeting of healthcare (55 attacks) and technology sectors (89 attacks) demonstrates attackers' continued focus on high-value targets with critical operational dependencies.

The 763 victims recorded this period represent an acceleration in ransomware deployment, driven primarily by explosive growth among established RaaS platforms rather than an increase in active groups. This concentration effect — with the top 10 groups accounting for 488 attacks (64% of total volume) — indicates mature ransomware operations are successfully scaling their affiliate networks and streamlining victim processing capabilities.

Qilin's 110 attacks represent the highest single-group volume we've documented this year, marking a 40% increase over their previous peak and signaling their evolution from mid-tier operator to ecosystem leader. This surge coincides with The Gentlemen's rapid ascent to 88 attacks, suggesting both groups have solved key operational challenges around affiliate recruitment and payment processing that continue to constrain smaller operators.

The long tail of 41 groups with fewer than 10 attacks each demonstrates the persistent fragmentation at the lower tiers, where new entrants and failing operations struggle to achieve sustainable scale. This bifurcation between dominant platforms and struggling startups indicates the ransomware economy is maturing along predictable lines — successful operators consolidate market share while weaker groups face increasing pressure from law enforcement and operational complexity.

Qilin's meteoric rise to 110 attacks establishes them as the dominant ransomware operation we currently track, representing a fundamental shift in the threat landscape. The group has perfected a sophisticated RaaS model that combines advanced technical capabilities with streamlined affiliate onboarding, enabling unprecedented scale while maintaining operational security. Our analysis shows Qilin affiliates consistently leverage T1190 exploitation of public-facing applications — particularly unpatched VPN gateways and Exchange servers — to establish initial footholds, then deploy custom toolsets for T1021.002 lateral movement across Windows domains using legitimate administrative tools. Their double extortion model has evolved to include automated data exfiltration capabilities that reduce affiliate workload while maximizing pressure on victims. The group's geographic spread across North America and Europe, combined with their apparent avoidance of certain Eastern European targets, suggests sophisticated geopolitical awareness in their targeting methodology.

The Gentlemen emerged as a formidable force with 88 attacks, representing one of the most successful new entrant stories we've documented. Despite their relatively recent emergence, the group demonstrates operational sophistication typically associated with established players, suggesting possible connections to disbanded operations or recruitment of experienced personnel. Their affiliates show consistent preference for T1133 exploitation of external remote services, particularly targeting organizations with exposed RDP endpoints and inadequately secured cloud infrastructure. What distinguishes The Gentlemen is their unusually low public profile despite high attack volume — their leak sites maintain minimal branding and their communications avoid the theatrical elements common among other major groups. This operational restraint, combined with their rapid scaling, suggests a business-focused approach that prioritizes profit over publicity, making them particularly dangerous for defenders who may underestimate their capabilities based on limited public visibility.

Clop's 79 attacks demonstrate their continued dominance through strategic evolution rather than pure volume growth. The group has refined their targeting to focus increasingly on high-value technology and financial services organizations, leveraging their established reputation to command premium ransom payments. Their technical approach centers on T1190 exploitation of zero-day vulnerabilities in enterprise software — particularly file transfer applications and network appliances — combined with sophisticated T1005 data discovery tools that automatically identify and catalog sensitive information. Clop's affiliate network benefits from the group's investment in custom tooling and infrastructure, including dedicated data hosting capabilities that enable rapid victim processing. Their geographic concentration in North America and Western Europe reflects a deliberate focus on regions with mature cyber insurance markets and established payment mechanisms, maximizing both success rates and ransom amounts.

Akira maintained steady operations with 47 attacks while demonstrating clear tactical evolution that suggests ongoing investment in capabilities development. The group's suspected lineage to disbanded CONTI operations becomes evident in their sophisticated understanding of enterprise environments and preference for targeting manufacturing and business services sectors. Akira affiliates consistently exploit T1133 external remote services vulnerabilities, particularly in VPN implementations and cloud-based management interfaces, before deploying custom backdoors for persistent access. Their lateral movement techniques emphasize T1021.001 exploitation of administrative shares combined with living-off-the-land approaches using PowerShell and WMI for environment mapping. The group's technical sophistication is evident in their custom encryption implementations and data exfiltration tools, which demonstrate ongoing development efforts rather than reliance on commodity malware.

IncRansom achieved 42 attacks through deliberate targeting of healthcare and financial services sectors, demonstrating sophisticated understanding of regulatory environments and operational pressures that amplify extortion effectiveness. The group's geographic distribution across the US, Canada, South Africa, Japan, and Singapore suggests either a highly distributed affiliate network or specialized targeting of multinational organizations with operations in these regions. Their attack methodology emphasizes T1190 exploitation of public-facing applications, particularly electronic health record systems and financial management platforms where downtime carries immediate operational consequences. IncRansom's success appears tied to their understanding of sector-specific compliance requirements and data sensitivity, enabling them to craft ransom demands that account for regulatory penalties and operational disruption costs beyond simple data encryption.

Nightspire represents the most significant emerging threat with 35 attacks, demonstrating rapid organizational maturity that suggests either substantial initial investment or recruitment of experienced personnel. Their systematic targeting of manufacturing and construction organizations across the US, Germany, Japan, Italy, and India indicates sophisticated market analysis and geographic coordination capabilities typically associated with established operations. The group's attack velocity suggests they've solved key operational challenges around affiliate recruitment and payment processing that typically constrain new entrants.

DragonForce achieved notable scale with 36 attacks while maintaining operational focus on construction and technology sectors. Their geographic distribution across the US, Turkey, France, Canada, and UK demonstrates international reach that exceeds typical startup capabilities. The group's consistent targeting patterns suggest they've developed specialized tooling or expertise for their preferred sectors, potentially indicating recruitment of personnel with domain-specific knowledge.

LockBit 5.0's emergence with 34 attacks represents evolution rather than true innovation, as the group builds on the established LockBit brand while demonstrating enhanced cross-platform capabilities. Their focus on technology and transportation sectors aligns with historical LockBit targeting preferences, but the technical sophistication evident in their latest tools suggests ongoing development investment despite previous disruptions.

Technology sector organizations bore the heaviest burden with 89 attacks, reflecting their dual vulnerability as both high-value targets and operators of complex, interconnected infrastructure that multiplies impact when compromised. Manufacturing followed with 65 attacks, driven by attackers' understanding that production downtime costs often exceed ransom demands, creating powerful incentives for payment. The 55 healthcare attacks represent a particularly concerning trend, as these organizations face regulatory penalties for data breaches that compound direct operational costs, making them attractive targets despite ethical considerations.

Financial services' 37 attacks reflect sophisticated attacker understanding of regulatory environments where operational disruption can trigger immediate compliance violations and reputational damage. The concentration of attacks in these sectors reveals attackers' evolution beyond opportunistic targeting toward strategic selection based on payment probability, operational impact, and regulatory pressure.

Construction and business services each sustained significant attack volumes (37 and 28 respectively), indicating ransomware operators have identified these sectors as offering favorable risk-reward profiles. Construction companies often operate with minimal IT security investment while handling large project values, while business services organizations frequently store sensitive client data that amplifies extortion pressure.

The United States' dominance with 316 attacks (41% of global volume) reflects both the concentration of high-value targets and the maturity of cyber insurance markets that facilitate ransom payments. This geographic concentration enables ransomware operators to develop specialized expertise in US regulatory environments, payment mechanisms, and negotiation tactics that maximize success rates.

The strong showing across Western Europe — Germany (29), Italy (21), Great Britain (17), and France (16) — demonstrates ransomware operators' sophisticated understanding of GDPR environments where data breach penalties multiply extortion pressure. The geographic distribution suggests operators have developed region-specific expertise in regulatory frameworks and payment infrastructures.

Canada's 31 attacks reflect its position as an attractive secondary target market with similar regulatory and economic characteristics to the US but potentially less mature defensive capabilities. The presence of attacks across emerging markets including Brazil (16), India (12), and Thailand (9) indicates expanding operational reach as established markets become more difficult to exploit.

Notably absent are significant attack volumes against CIS countries, confirming the persistent geographic constraints that limit ransomware operators' targeting to avoid domestic law enforcement pressure. This geographic selectivity demonstrates that despite global reach, ransomware operations remain constrained by geopolitical considerations.

March will likely see continued consolidation around dominant RaaS platforms as Qilin and The Gentlemen leverage their February success to attract additional affiliates and expand operational capabilities. We anticipate both groups will face increased law enforcement scrutiny that may drive infrastructure changes and operational security enhancements.

The healthcare sector will remain under intense pressure as ransomware operators recognize the sector's unique vulnerability profile combining operational criticality, regulatory exposure, and often-inadequate security investments. Technology sector targeting will likely intensify as attackers refine techniques for exploiting cloud infrastructure and software supply chains.

We expect emerging groups to face increased pressure as the ransomware economy's maturation makes it more difficult for new entrants to achieve sustainable scale without significant operational sophistication. This may drive consolidation through acquisition or partnership arrangements between established and emerging operations.

02 ACTIVELY EXPLOITED IN RANSOMWARE CAMPAIGNS

Weaponized Vulnerabilities

[Chart: Aggregated ATT&CK Kill Chain, Top 6 Active Groups]

CVE              CWE      VENDOR / PRODUCT                                                     RANSOMWARE
CVE-2026-1731    CWE-78   BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA)   CONFIRMED
CVE-2026-24423   CWE-306  SmarterTools SmarterMail                                             CONFIRMED

Weaponized CVEs in the Wild

This month witnessed a sharp escalation in the ransomware ecosystem's exploitation sophistication, with threat actors zeroing in on two critical vulnerabilities that exemplify their evolving target selection. Both CVEs achieved the maximum CVSS rating of 9.8, but more importantly, they represent distinct vectors into enterprise environments that traditional perimeter defenses struggle to monitor.

CVE-2026-1731 in BeyondTrust Remote Support platforms represents the ransomware operator's dream scenario: a command injection flaw (CWE-78) in remote access infrastructure that requires zero authentication. We've observed multiple ransomware groups — particularly those with sophisticated initial access capabilities — leveraging this vulnerability to execute arbitrary commands directly on target systems. The attack leverages T1190 (Exploit Public-Facing Application) to achieve immediate system-level access, bypassing the typical credential harvesting phase entirely. With an EPSS score of 0.646, this vulnerability sits in the 98th percentile for exploitation likelihood, and our analysis confirms that assessment is warranted. BeyondTrust's position as a critical IT management tool means successful exploitation often provides attackers with privileged access to multiple systems simultaneously.

The second weaponized vulnerability, CVE-2026-24423 in SmarterTools SmarterMail, exploits a missing authentication control (CWE-306) in the ConnectToHub API method. This flaw allows attackers to redirect email traffic through malicious infrastructure, creating both an initial access vector (T1190) and a persistence mechanism (T1133 - External Remote Services). While the EPSS score of 0.293 suggests moderate exploitation probability, we've documented active use by ransomware affiliates who exploit this vulnerability to establish covert communication channels and exfiltrate sensitive email data before deploying ransomware payloads.

Attack Chains

The current threat landscape demonstrates how ransomware operators have refined their multi-stage attack sequences to maximize both stealth and impact. The BeyondTrust vulnerability serves as a particularly potent initial access vector, with attackers exploiting the command injection flaw to immediately establish persistence through scheduled tasks (T1053.005) or service creation (T1543.003). From this foothold, we've observed threat actors conducting network reconnaissance (T1018) to identify high-value targets, particularly domain controllers and backup infrastructure.

A typical attack chain begins with automated scanning for exposed BeyondTrust instances, followed by exploitation of CVE-2026-1731 to gain system-level access. Attackers then deploy custom PowerShell scripts for credential harvesting (T1003) and lateral movement preparation. The privileged nature of BeyondTrust access accelerates the kill chain significantly — where traditional attacks require multiple privilege escalation steps, these compromises often begin with the keys to the kingdom.
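The chain above (and the "audit for signs of compromise" recommendation in the executive briefing) can be expressed as a host-level correlation: a persistence event (T1053.005 or T1543.003) followed within a short window by reconnaissance (T1018) or credential harvesting (T1003). The following Python is an added illustration, not Trout Software's tooling; the log format, the 30-minute window, the Windows event IDs used (4698, 7045, 4688, 4104) and the keyword lists are assumptions, and the log lines are constructed.

```python
"""Correlate the post-exploitation chain described above over per-host Windows
event logs: persistence (scheduled task or service creation) followed within a
short window by network reconnaissance or credential harvesting."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real telemetry). Format: time|host|event_id|detail
SAMPLE_EVENTS = """\
2026-02-10T02:14:09|SRV-RS01|4698|task=\\Updater author=SYSTEM
2026-02-10T02:15:40|SRV-RS01|4688|image=net.exe cmdline="net view /domain"
2026-02-10T02:16:02|SRV-RS01|4104|scriptblock="... Invoke-Mimikatz ..."
2026-02-10T02:21:30|SRV-RS01|4688|image=nltest.exe cmdline="nltest /dclist:corp"
2026-02-10T09:30:00|WS-042|4698|task=\\Backup author=CORP\\admin
2026-02-11T14:00:00|WS-042|4688|image=net.exe cmdline="net view"
"""

PERSISTENCE = {"T1053.005", "T1543.003"}  # scheduled task / service creation
FOLLOW_ON = {"T1018", "T1003"}            # remote system discovery / credential dumping
WINDOW = timedelta(minutes=30)            # assumed correlation window


def classify(event_id: str, detail: str):
    """Map one event to an ATT&CK technique from the chain, or None.
    Assumed event IDs: 4698 = scheduled task created, 7045 = service installed,
    4688 = process creation, 4104 = PowerShell script block logging."""
    d = detail.lower()
    if event_id == "4698":
        return "T1053.005"
    if event_id == "7045":
        return "T1543.003"
    if event_id == "4688" and re.search(r"\b(net1?|nltest)\.exe\b", d) \
            and re.search(r"view|dclist|domain|group", d):
        return "T1018"
    if event_id == "4104" and re.search(r"mimikatz|lsass", d):
        return "T1003"
    return None


def parse(text: str):
    """Group technique-tagged events by host, sorted by time."""
    by_host = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, event_id, detail = line.split("|", 3)
        technique = classify(event_id, detail)
        if technique:
            by_host[host].append((datetime.fromisoformat(ts), technique, detail))
    for events in by_host.values():
        events.sort()
    return by_host


def find_chains(text: str, window: timedelta = WINDOW):
    """Return {host: sorted techniques} for hosts where a persistence event is
    followed within `window` by at least one follow-on technique."""
    alerts = {}
    for host, events in parse(text).items():
        for i, (t0, tech0, _) in enumerate(events):
            if tech0 not in PERSISTENCE:
                continue
            seen = {tech0}
            for t1, tech1, _ in events[i + 1:]:
                if t1 - t0 > window:  # events are time-sorted, so stop here
                    break
                seen.add(tech1)
            if seen & FOLLOW_ON:
                alerts[host] = sorted(seen)
                break
    return alerts


if __name__ == "__main__":
    for host, techniques in find_chains(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {' -> '.join(techniques)}")
```

In the sample, SRV-RS01 trips the rule (task creation, domain enumeration and a credential-dumping script block inside 30 minutes) while WS-042's isolated task creation and next-day `net view` do not.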

The SmarterMail vulnerability follows a more subtle approach, with attackers redirecting email traffic to capture authentication credentials and sensitive communications. This intelligence gathering phase feeds directly into spear-phishing campaigns (T1566.001) targeting additional employees, creating multiple entry points before the ransomware deployment phase. The combination creates a scenario where defenders face simultaneous attacks from compromised infrastructure and social engineering vectors.

Patch Priorities

Despite identical CVSS scores, the BeyondTrust CVE-2026-1731 demands immediate emergency patching based on three critical factors: the unauthenticated nature of exploitation, the privileged access it provides, and the confirmed active use by multiple ransomware groups. The 98th percentile EPSS score reflects real-world exploitation patterns we've observed, with automated scanning and exploitation tools already circulating in underground forums.

SmarterMail CVE-2026-24423 ranks second despite its critical rating due to the more limited exposure of email server infrastructure and the additional reconnaissance steps required for effective exploitation. However, organizations running SmarterMail in their environment should treat this as an emergency patch due to the potential for email traffic interception and the difficulty of detecting this type of compromise through traditional monitoring.

The stark 100% critical severity distribution this month underscores the ransomware ecosystem's focus on high-impact vulnerabilities. These aren't opportunistic exploits — they represent carefully selected attack vectors that maximize the chances of successful deployment and payment collection.

Attack Surface Trends

This month's vulnerability landscape reveals a concerning shift toward targeting privileged access management and communication infrastructure — the very systems organizations depend on for secure operations. The focus on BeyondTrust and SmarterMail represents a maturation in ransomware targeting, moving beyond traditional web application flaws toward infrastructure that provides both immediate access and operational persistence.

The vendor distribution shows Microsoft maintaining its position as the primary target (8 CVEs), but the emergence of specialized enterprise software vendors like BeyondTrust and SmarterTools indicates threat actors are expanding their reconnaissance to identify less-monitored but equally valuable attack surfaces. This trend suggests ransomware groups are conducting more sophisticated target analysis, identifying organizations' dependency on specific enterprise tools and developing targeted exploits accordingly.

We're witnessing a fundamental shift from broad, opportunistic scanning toward targeted vulnerability research against enterprise software stacks. The remote access and email server focus indicates attackers understand that successful ransomware deployment requires not just initial access, but the ability to maintain operational control throughout the encryption process. These vulnerabilities provide exactly that combination — immediate high-privilege access with built-in persistence mechanisms that security teams often overlook during incident response.

03 THREATFOX & MALWARE BAZAAR

Malware & IOC Trends

[Charts: top malware families; threat types]