Ransomware in 2026: Data-Only Extortion Replaces Encryption

With 91 publicly disclosed ransomware attacks in January 2026 alone, the ransomware landscape is shifting toward data-only extortion while healthcare...

Dylan H.

News Desk

February 15, 2026
6 min read

91 Ransomware Attacks Disclosed in January 2026

The ransomware threat continues to intensify in 2026. According to BlackFog's monthly tracking data, 91 publicly disclosed ransomware attacks occurred in January 2026 alone, setting an aggressive pace for what analysts predict will be a record-breaking year. More critically, a fundamental shift in attacker methodology is underway: many ransomware groups are now skipping encryption entirely, opting for data-only extortion that renders traditional backup strategies ineffective.


January 2026 by the Numbers

| Metric | Value |
|---|---|
| Total Publicly Disclosed Attacks | 91 |
| Most Targeted Sector | Healthcare (27 incidents) |
| Second Most Targeted | Government (11 incidents) |
| Third Most Targeted | Manufacturing (10 incidents) |
| Countries Affected | 22+ |
| USA Share of Attacks | 58% |
| Data-Only Extortion (No Encryption) | ~40% of incidents |

Sector Breakdown

Healthcare Under Siege

Healthcare absorbed the heaviest impact with 27 disclosed incidents in January, representing nearly 30% of all attacks. Hospitals, clinics, insurance providers, and pharmaceutical companies were all affected.

Why Healthcare Remains the Top Target

  • High-value data — Patient records contain PII, insurance details, and medical histories worth up to $1,000 per record on dark web markets
  • Operational urgency — Hospitals cannot tolerate downtime, increasing pressure to pay
  • Regulatory exposure — HIPAA breach notifications create legal and reputational leverage for attackers
  • Legacy systems — Many healthcare organizations run outdated systems with known vulnerabilities

Full Sector Breakdown (January 2026)

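| Sector | Incidents | % of Total |
|---|---|---|
| Healthcare | 27 | 29.7% |
| Government | 11 | 12.1% |
| Manufacturing | 10 | 11.0% |
| Education | 9 | 9.9% |
| Finance | 8 | 8.8% |
| Retail | 7 | 7.7% |
| Technology | 6 | 6.6% |
| Other | 13 | 14.3% |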

The Shift to Data-Only Extortion

Why Groups Are Abandoning Encryption

A growing number of ransomware operators now exfiltrate data without deploying encryption payloads. This represents a strategic evolution in the ransomware business model:

| Traditional Ransomware | Data-Only Extortion |
|---|---|
| Encrypt files, demand payment for decryption | Steal data, threaten to publish or sell it |
| Detectable by EDR/AV during encryption | Lower detection profile during exfiltration |
| Backups can mitigate impact | Backups are irrelevant — data is already stolen |
| Requires deploying ransomware binary | No malware deployment after initial access |
| Victim can sometimes recover without paying | Victim has no recovery option for leaked data |

Implications for Defenders

  • Backup strategies alone are no longer sufficient — Organizations must focus on preventing data exfiltration, not just ensuring recoverability
  • Data Loss Prevention (DLP) becomes critical — Monitor for unusual outbound data transfers
  • Network segmentation limits attacker access to sensitive data stores
  • Encryption at rest reduces the value of stolen data if exfiltrated

Geographic Distribution

The United States accounts for 58% of disclosed attacks in January, consistent with historical trends. However, attacks are spreading globally across 22+ countries.

| Region | % of Attacks |
|---|---|
| United States | 58% |
| Europe (combined) | 22% |
| Canada | 5% |
| Asia-Pacific | 8% |
| Latin America | 4% |
| Other | 3% |

Evolving Tactics in 2026

EDR/AV Disabling Now Standard

Modern ransomware operators routinely disable or bypass endpoint detection and response (EDR) tools before executing their payloads. Techniques include:

  • Bring Your Own Vulnerable Driver (BYOVD) — Load signed but vulnerable kernel drivers to kill security processes
  • EDR unhooking — Remove API hooks placed by security agents
  • Safe mode deployment — Reboot into Safe Mode where security agents do not load
  • Credential theft — Steal admin credentials to uninstall EDR agents via management consoles

Cloud and SaaS Targeting

Attackers are increasingly targeting cloud workloads, SaaS platforms, and remote endpoints rather than on-premises infrastructure:

  • Cloud storage exfiltration — Targeting AWS S3, Azure Blob, and Google Cloud Storage
  • SaaS account takeover — Compromising admin credentials for Salesforce, ServiceNow, and other platforms
  • Remote endpoint compromise — Targeting VPN and remote desktop gateways to reach distributed workforces

New Actors Beyond Russia

Recorded Future predicts that 2026 will be the first year where new ransomware actors emerging outside of Russia exceed those originating within it. Emerging ransomware ecosystems are developing in:

  • Southeast Asia — Vietnam and the Philippines
  • South America — Brazil and Argentina
  • Africa — Nigeria and South Africa
  • Middle East — Iran-linked groups pivoting from espionage to extortion

Trend Analysis

What the Data Tells Us

  1. Volume is accelerating — 91 attacks in January projects to 1,000+ for the year if the pace holds
  2. Healthcare is disproportionately affected — Nearly 1 in 3 attacks hits healthcare
  3. Encryption is becoming optional — Data-only extortion is faster, stealthier, and harder to recover from
  4. The threat is globalizing — New actor ecosystems are emerging outside traditional Russian-speaking groups
  5. Defensive tools are being targeted — EDR/AV disabling is now a standard part of the attack playbook

Recommendations

For All Organizations

  1. Prioritize data exfiltration detection over encryption prevention — Deploy DLP and monitor for anomalous outbound transfers
  2. Harden EDR deployments — Enable tamper protection, use kernel-level protections, and monitor for BYOVD activity
  3. Segment networks aggressively — Limit lateral movement and access to sensitive data stores
  4. Implement phishing-resistant MFA — Hardware security keys for all privileged accounts
  5. Conduct ransomware tabletop exercises — Test response procedures for data-only extortion scenarios
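
The outbound-transfer monitoring called for under "Implications for Defenders" and in recommendation 1 can be sketched as a per-host egress baseline. This is an added example, not from the original article or its sources; the flow records, hostnames, function name and thresholds (k, mad_floor) are constructed assumptions.

```python
from collections import defaultdict
from statistics import median

MB = 1_000_000

# Constructed daily egress summaries: (day, internal host, external destination, bytes out).
FLOWS = [
    ("d1", "10.0.5.20", "backup.example.net", 410 * MB),
    ("d2", "10.0.5.20", "backup.example.net", 395 * MB),
    ("d3", "10.0.5.20", "backup.example.net", 430 * MB),
    ("d4", "10.0.5.20", "backup.example.net", 405 * MB),
    ("d5", "10.0.5.20", "backup.example.net", 420 * MB),
    ("d5", "10.0.5.20", "files.example.org", 9_800 * MB),  # new destination, large upload
    ("d1", "10.0.7.31", "saas.example.com", 55 * MB),
    ("d2", "10.0.7.31", "saas.example.com", 60 * MB),
    ("d3", "10.0.7.31", "saas.example.com", 48 * MB),
    ("d4", "10.0.7.31", "saas.example.com", 52 * MB),
    ("d5", "10.0.7.31", "saas.example.com", 58 * MB),
]

def find_egress_anomalies(flows, today, k=6.0, mad_floor=50 * MB):
    """Flag hosts whose outbound volume today exceeds median + k*MAD of prior days."""
    daily = defaultdict(lambda: defaultdict(int))  # host -> day -> total bytes out
    dests = defaultdict(lambda: defaultdict(set))  # host -> day -> destinations seen
    for day, host, dest, nbytes in flows:
        daily[host][day] += nbytes
        dests[host][day].add(dest)

    alerts = []
    for host, per_day in sorted(daily.items()):
        history = [v for d, v in per_day.items() if d != today]
        if len(history) < 3 or today not in per_day:
            continue  # too little baseline to judge this host
        med = median(history)
        mad = median(abs(v - med) for v in history)
        threshold = med + k * max(mad, mad_floor)  # floor stops tiny-MAD false alarms
        if per_day[today] > threshold:
            seen = set().union(*(s for d, s in dests[host].items() if d != today))
            alerts.append({
                "host": host,
                "bytes_today": per_day[today],
                "threshold": threshold,
                "new_destinations": sorted(dests[host][today] - seen),
            })
    return alerts

if __name__ == "__main__":
    for alert in find_egress_anomalies(FLOWS, today="d5"):
        print(alert)
```

A median/MAD baseline is used here because a single earlier bulk transfer does not inflate it the way a mean and standard deviation would; a production DLP or NDR tool would add per-destination and time-of-day context.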

For Healthcare Organizations

  • Encrypt patient data at rest to reduce the impact of exfiltration
  • Segment clinical systems from administrative networks
  • Maintain offline copies of critical patient records for continuity during incidents
  • Engage with Health-ISAC for sector-specific threat intelligence

Sources

  • BlackFog — Ransomware Tracker January 2026
  • Recorded Future — 2026 Ransomware Landscape Forecast
  • SharkStriker — Top Ransomware Attacks of 2026
