Bitdefender has analyzed the movements of dozens of ransomware groups executing campaigns against organizations based in the United States. As a result of this analysis, we can draw insights into patterns that emerged in early 2026. The analysis that follows expounds on key trends and developments. We also share predictions that underscore how ransomware operations and attack patterns may take shape during spring 2026.
Top Ransomware Groups from January to February 2026
A total of 53 ransomware groups claimed victims based in the United States from January to February 2026. Seven of the 53 groups have consecutively ranked in our Top 10 list for more than four months.
These top ransomware groups include Qilin, Akira, Clop, INC Ransom, Play, DragonForce, and Sinobi. All of these groups, as well as the rest in our Top 10 listing (below), and numerous emerging groups have attacked a range of organizations in the United States, from small to mid-size organizations and enterprises.
While 0APT’s victims (185 in total) are captured in the results, it is important to note that many of the victims claimed by 0APT may not represent legitimate victims due to the group’s poor telemetry filtering and history of false claims. As a result, it is far more likely that Qilin has claimed the greatest number of U.S. victims in 2026 thus far.

After excluding an excessive number of 0APT’s (false) victims from the datasets, Bitdefender can determine with high confidence that the number of U.S. organizations hit by ransomware groups in the first two months of 2026 likely fell between 750 and 800.
Top U.S. Industries Targeted by Ransomware
When comparing the industries most affected by ransomware attacks in the United States, the construction industry has seen the most attacks, with manufacturing following closely behind. Other industries, such as technology, healthcare, and law offices or legal services, continue to rank within the top five.

Despite victims in these industries consistently being targeted in past quarters, it’s important to note that collected ransom payments are declining.
This trend of decreasing ransom payouts may be attributed to a combination of factors. There is increased pressure on organizations to follow the guidance needed to maintain their cyber insurance and adhere to the regulations governing operations in their specific industry.
Another factor could be an increase in awareness of best practices for incident response and reporting within private-sector communities. Advisory publications and other releases from leading authorities like CISA, the FBI, and the NSA have likely helped.
Current Developments in Ransomware Attack Patterns
From December 2025 through February 2026, Bitdefender observed multiple patterns in ransomware attacks, including those against U.S. organizations. Several notable changes have been identified that mark a turn in how ransomware groups operate. These changes are illustrated in threat actor behaviors such as:
- Choosing a different initial attack vector to limit the noise linked to compromise
- Focusing on executing more scaled attacks to take over vendor chains
- Using automation to shorten the time-to-exploit window for disclosed PoCs
- Renewing interest and investments in defense evasion (BYOVD) tactics
The First Vector: Control the Noise and Bypass MFA
More ransomware groups are focusing on identity-first compromise. In other words, they are prioritizing credential theft over more active means of attack, like exploitation. The threat actor can steal credentials using a method like collecting browser session tokens. Taking this route rather than brute-forcing a system to gain entry helps the threat actor evade prompt detection.
Ensuring that tokens such as cookies and OAuth keys used on login pages are encrypted, and securing them by binding them to approved, registered devices, creates a barrier that deters threat actors: it prevents them from extracting any authentication material in decrypted form. Other measures that can secure each browser session include enforcing limits on the lifetime of the cookie (and the session), limiting the window in which a threat actor can hijack a session that has been left idle, and requiring a new cookie for each new session.
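As an added example (not Bitdefender's code), the following Python session store shows these controls on the server side: each cookie value is HMAC-bound to a registered device identifier, idle and absolute lifetimes are enforced, and a new cookie is minted at every login. The key, timeouts and device identifiers are constructed placeholders; the HMAC provides device binding and integrity, not the encryption of token contents the text also calls for.

```python
import hashlib
import hmac
import secrets
import time

# Added example (not Bitdefender's code): a server-side session store that
# binds each session to a registered device, enforces idle and absolute
# lifetimes, and issues a fresh cookie value on every login.
SECRET_KEY = b"constructed-demo-key-replace-in-production"  # constructed placeholder
IDLE_TIMEOUT = 15 * 60          # seconds of inactivity before a session dies
ABSOLUTE_LIFETIME = 8 * 3600    # hard cap on session age regardless of activity

def _sign(session_id: str, device_id: str) -> str:
    # The HMAC ties the cookie value to the device it was issued for, so a
    # token copied out of one browser cannot be replayed from another device.
    mac = hmac.new(SECRET_KEY, f"{session_id}|{device_id}".encode(), hashlib.sha256)
    return f"{session_id}.{mac.hexdigest()}"

class SessionStore:
    def __init__(self, registered_devices, now=time.time):
        self.registered = set(registered_devices)  # approved device identifiers
        self.sessions = {}                          # session_id -> record
        self.now = now                              # injectable clock for testing

    def issue(self, user: str, device_id: str) -> str:
        """Create a fresh session; a new cookie value is minted on every login."""
        if device_id not in self.registered:
            raise PermissionError("device not registered")
        sid = secrets.token_urlsafe(32)
        t = self.now()
        self.sessions[sid] = {"user": user, "device": device_id,
                              "created": t, "last_seen": t}
        return _sign(sid, device_id)

    def validate(self, cookie: str, device_id: str):
        """Return the user if the cookie is authentic, device-bound and still live."""
        sid, _, _mac = cookie.partition(".")
        rec = self.sessions.get(sid)
        if rec is None or not hmac.compare_digest(cookie.encode(), _sign(sid, device_id).encode()):
            return None                       # forged, or replayed from another device
        t = self.now()
        if t - rec["created"] > ABSOLUTE_LIFETIME or t - rec["last_seen"] > IDLE_TIMEOUT:
            del self.sessions[sid]            # expired: force a fresh login and cookie
            return None
        rec["last_seen"] = t
        return rec["user"]
```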
Pwn the Vendor and Take the Chain
Stolen credentials leave the door open for more scaled, high-impact supply chain attacks. Bitdefender has observed these types of incidents for over a year. Groups like ShinyHunters and their past collective, Scattered LAPSUS$ Hunters, took the helm in organizing supply chain attacks on a massive scale in summer 2025.
More ransomware groups are following suit, breaching organizations (for instance in technology) that support the financial services, healthcare, manufacturing, and other sectors to hit a wider network of victims, often striking authentication and SaaS platforms. Implementing MFA and enforcing patch management policies are typically the first steps many organizations take to improve their security posture. However, these security practices are not sufficient to address the issues of identity-first compromise or the shrinking time-to-exploit window.
Automate and Shorten the Time-to-Exploit Window
The time threat actors need to successfully exploit vulnerabilities has become shorter, with more reported exploitation attempts occurring within a couple of hours or less after the release of a proof of concept (PoC) for an exploit.
This diverges greatly from the time-to-exploit windows of two to three days or more that were identified throughout attacks reported in 2024 and the first couple of quarters of 2025.
Threat actors can shrink this window using automation tools like CyberStrukeAI. The threat actor gives this generative AI tool an input, such as a GitHub repository referencing code for an attack, and can then design, review, and execute from that input by loading modules to add payloads and scan selected targets. This allows the threat actor to quickly complete the exploitation phase against hundreds of targets or more, then move on to the manual phase to introduce additional payloads, exfiltrate data, or perform encryption.
Cut Through Defenses with BYOVD
Older tools like EDRSandblast, HRSword, and EDRKillShifter may appear out of date. Yet they share the same key objective, defense evasion, and this applies to the new generation of EDR killers as well. Since the fourth quarter of 2025, there has been one major development in the way threat actors work around, evade, or blind defenses like EDR and anti-virus solutions. BYOVD (bring your own vulnerable driver) tactics have been a crucial component of attacks that have left many victim organizations with limited options to counteract or fully remediate the issue. BYOVD attacks use legitimate drivers to gain unauthorized kernel-level access by exploiting vulnerabilities in these trusted drivers. Attackers might embed such drivers within seemingly harmless software packages associated with authorized installers and devices, or manipulate existing drivers.
Once activated, vulnerable drivers allow attackers to bypass signature-based detections and stop active processes created by EDR solutions. Some security solutions reference detection rulesets to combat the use of manipulated and vulnerable drivers in BYOVD attacks by scanning the corresponding drivers and components against a block list. However, there’s a common constraint: drivers built into Windows services cannot be blocked. Even more concerning is the weaponization of EDR-blinding capabilities that are now unleashed in one stage instead of the two to three stages often reported in 2025 incidents before encryption actions were performed. In recent months, more ransomware groups have developed ransomware that already has an embedded vulnerable driver to execute the BYOVD attack. This helps to reduce the gaps between the defense evasion and execution in attack cycles—both processes are now more likely to occur in close sync with each other.
Ransomware Predictions
The ransomware ecosystem and its common rules of engagement will broaden, warping the qualities often attributed to ransomware (and RaaS) groups. Ransomware groups offering access to RaaS platforms have great staying power.
Competition will force some groups to modify or abandon their initial rules of engagement, recruiting processes, and profit-sharing systems. Multiple ransomware groups have already incorporated tools that diverge from ransomware and commodity malware in their arsenal. Reports of established and emerging groups branching out, expanding partnerships, and demonstrating greater flexibility in profit-sharing guidelines have circulated since the second quarter of 2025.
In addition, ransomware group activity in recent weeks has shown a significant move towards operating with hacktivist messaging against the backdrop of the war in Iran. Some groups have also recruited insiders and cyber mercenaries. Others offer free and low-cost RaaS platforms, which were once considered niche and expensive. There is room for the ecosystem and the ransomware operation hierarchy as we know it to grow. This includes specialized roles like IABs (initial access brokers), penetration testers, developers, and negotiators.
Recommendation: Maintain a threat intelligence program, receiving and enriching intelligence on threat actor activities and TTPs to stay informed about ransomware and cybercrime operations and to receive guidance concerning remediation actions.
Also, ransomware groups and other threat actors are highly skilled in conducting reconnaissance against potential targets, identifying exposed data, and finding and exploiting vulnerabilities. This makes implementing proactive security measures like EASM (External Attack Surface Management) even more important. Continuously update an asset inventory and scan for unknown and unused assets. Check for vulnerabilities or exposures and prioritize the ones in need of immediate action to reduce the likelihood of exploitation.
The common target sought by ransomware groups for initial access will expand to include more systems. They will target vulnerable edge devices such as VPNs and firewalls, which present just one method for a threat actor to get a foothold into an environment and inflict great damage.
While compromised edge devices account for a significant share of systems accessed before an attack is completed, other platforms will also see an uptick in compromise, namely hypervisors and cloud-based services. Hypervisors have historically been targeted by leading RaaS groups, and many modern encryptors are designed to encrypt virtual machines on ESXi hosts.
Recommendation: Regularly update hypervisor and virtualization services. Harden the operating system by disabling nonessential services. Use MFA for all administrative logins, especially for hypervisor management consoles. Enforce the Principle of Least Privilege, ensuring that no user or service has more permissions than necessary to perform essential job functions. Establish a tested recovery plan and keep backups in at least two other locations so they are secured and isolated from the primary environment.
LOTC Instances Will Rise
While conversations about Living Off the Land (LOTL) tend to focus on the abuse of native programs installed on Windows machines and even ESXi instances, many tools intended to secure and manage data in the cloud can also be repurposed by threat actors to block access to sensitive data or transfer it elsewhere.
Living off the cloud (LOTC) tactics should not be downplayed in discourse about identifying and combating Living Off the Land tactics. Although improvements to logging and retention configurations for cloud platforms may help detect anomalous activity, these practices on their own are not sufficient to address LOTC attacks.
Recommendation: Map and reduce the attack surface. Do not rely on whitelisting; even approved applications such as Box, and administrative functions built into AWS cloud environments, are potential targets for threat actors.
A behavior-based approach that aligns with malicious use cases for LOTL tactics, drawn from attacker playbooks and data examined from other logging sources, plays a crucial role in detecting malicious activity. Tools like PHASR allow users to enforce block rules that prevent activities aligned with ransomware playbook behavior. These policies detect and prevent actions associated with unauthorized access, lateral movement, and execution.
Enforce additional, elevated security practices rather than adopting only those that address basic cyber hygiene. For instance, when implementing access controls, add dual-control mechanisms so that changes or updates to security configurations can be applied only with authorization from two designated admins.
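One way to implement such a dual-control gate, as an added example that is not Bitdefender's code: a proposed change to a security setting is hashed in canonical form and applied only once two distinct designated admins have approved that exact digest, so a repeated approval by one admin, or an approval for a modified change, does not count. The admin roster, the apply callback and the sample change are constructed for illustration.

```python
import hashlib
import json

# Added example (not Bitdefender's code): a dual-control gate for security
# configuration changes. A change is applied only after two *different*
# designated admins have approved the exact same proposed content.
DESIGNATED_ADMINS = {"admin-ops", "admin-sec", "admin-ciso"}  # constructed roster

def change_digest(change: dict) -> str:
    # Canonical JSON (sorted keys) so an approval cannot be reused for a
    # change whose content was altered after approval.
    return hashlib.sha256(json.dumps(change, sort_keys=True).encode()).hexdigest()

class DualControlGate:
    def __init__(self, designated_admins, apply_fn):
        self.designated = set(designated_admins)
        self.apply_fn = apply_fn          # called with the change once approved
        self.pending = {}                 # digest -> {"change", "proposer", "approvals"}
        self.audit_log = []               # (event, digest, actor) tuples

    def propose(self, change: dict, proposer: str) -> str:
        digest = change_digest(change)
        self.pending.setdefault(digest, {"change": change, "proposer": proposer,
                                         "approvals": set()})
        self.audit_log.append(("proposed", digest, proposer))
        return digest

    def approve(self, digest: str, admin: str) -> bool:
        """Record an approval; return True once the change has been applied."""
        if admin not in self.designated:
            raise PermissionError(f"{admin} is not a designated approver")
        entry = self.pending.get(digest)
        if entry is None:
            raise KeyError("unknown or already-applied change")
        entry["approvals"].add(admin)     # a set: the same admin cannot count twice
        self.audit_log.append(("approved", digest, admin))
        if len(entry["approvals"]) < 2:
            return False                  # still waiting on a second, distinct admin
        self.apply_fn(entry["change"])
        self.audit_log.append(("applied", digest, admin))
        del self.pending[digest]
        return True
```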
BYOVD Will Reach a Prevalence Rate of 75% or More in Ransomware Attacks
This prevalence will make EDR-blinding capabilities more accessible, and the use of BYOVD attacks to disable EDR and antivirus solutions will rise as a preferred defense-evasion tactic. This increased preference for BYOVD attacks holds true for the leading ransomware groups, and in the aftermath of their activities several emerging groups are utilizing similar tactics. The use of BYOVD attacks is a prominent challenge for defenders and will continue to rise, especially as operators managing RaaS platforms issue updates marketing these capabilities.
Additional Recommendations: Stay informed about Living Off the Land tactics for loading drivers. Continuously assess the technologies (and security solutions) that are deployed. The use of EDR killers and BYOVD attacks is widespread; an organization cannot afford to assume that any endpoint security solution provides adequate coverage against these defense-evasion methods. If the solution is equipped with driver blocklisting and other monitoring capabilities, ensure that it is kept up to date so that any internal libraries are current. Establish other security practices like driver sandboxing to ensure that flagged drivers cannot interact with critical OS components.