21 Ransomware Claims in One Day: Inside the Industrialization of Extortion

From The Bit Baker newsletter — February 14, 2026

On February 12, 2026, something happened that would have been unthinkable three years ago but barely made anyone blink this week: eight ransomware groups posted 21 victim claims across 10 countries in a single day. Qilin topped the list with 7. INC Ransom took 6. Akira had 2. Five smaller crews accounted for the rest.

Twenty-one claims in 24 hours. That was a Wednesday.

The number by itself doesn't tell the full story. What matters is what it signals — ransomware's evolution from opportunistic crime into something that functions like an industry. A hundred and twenty-four distinct groups were active in 2025, up 46% from the year before. Attacks are running 30% higher year-over-year entering 2026. Individual groups are claiming over a thousand victims per year. We're looking at an extortion market that operates with the discipline and throughput of a franchise.

Why It Matters

Sit with the scale for a moment. GuidePoint Security counted 2,287 ransomware victims in Q4 2025 alone — their highest quarterly total ever. Qilin racked up 1,115 victims across the full year, hitting a clip of 75 per month by Q3. Big numbers. And they only reflect the attacks we can see.

BlackFog estimates roughly 86% of ransomware incidents never get reported. Only 7,079 victims showed up on leak sites in 2025. If that's 14% of actual volume, basic arithmetic puts the real total somewhere north of 50,000 organizations. Most paid, stayed quiet, or did both.

Look at the group count and another pattern comes into focus. It's no longer two or three dominant gangs running the show. A hundred and twenty-four means the market has splintered into specialized outfits — some targeting healthcare, others zeroing in on manufacturing, a few going after government contractors. Each group runs its own leak site, its own negotiation workflow, its own technical stack. The whole operation has been productized.

The Bigger Picture

Ransomware-as-a-Service isn't new. What's changed in 2025-2026 is the automation. Trend Micro predicted 2026 would be the year cybercrime goes "fully industrial," and so far the data backs that up. Modern RaaS platforms run like SaaS companies — subscription tiers, affiliate programs, distribution networks, built-in exfiltration tools. A less technical operator can buy a turnkey campaign: payload, hosting, negotiation scripts, and a percentage of every payout.

Qilin's rise is a case study. They deploy Rust-based encryption that strikes Windows, Linux, and VMware ESXi at the same time, squeezing maximum damage from each intrusion. Their victims span agriculture, healthcare, manufacturing, and IT — either the product of a large affiliate network with diverse specialties or a calculated strategy of rotating through industries to avoid concentrated law enforcement attention.

February 12's snapshot — 8 groups, 10 countries, 21 claims — also shows how geographically spread these operations have become. The US and UK still absorb the bulk of attacks, but Turkey, Brazil, and half a dozen other nations showed up in that single day's tally. These groups know international law enforcement moves slowly. They've built their operations to take advantage of that.

AI is adding fuel from the attacker's side. Polymorphic malware that rewrites itself, deepfake-enabled social engineering, automated bots that negotiate ransoms with victims — Trend Micro called these out as operational reality, not speculation. When the full attack chain from phishing email to ransom payment runs with minimal human involvement, the cost per attack plummets and the volume explodes.

What to Watch

• Qilin in 2026 — 1,115 victims last year. If they accelerate, they'll be in uncharted territory. Watch for signs of affiliate expansion or new industry verticals being targeted.
• The 86% reporting gap is warping everyone's risk calculations. Security teams are making decisions based on the visible fraction of total activity. Mandatory disclosure requirements, where they exist, are the only meaningful check on that blind spot.
• Law enforcement disruptions have an uncertain track record. LockBit and BlackCat were hit in 2024, but overall attack volume still climbed. The open question: do takedowns actually reduce ransomware, or just scatter it across new brands? The evidence so far points to redistribution.

References

1. Dark Web Informer — Ransomware Attack Update February 12, 2026
2. GuidePoint Security — Ransomware Hits Record High as Qilin Tops Threat List
3. BlackFog/SecurityBrief — AI-Driven Ransomware Attacks Surge, Most Go Unreported
4. Breached Company — Ransomware Attacks Soar 30% in 2026
5. Trend Micro — 2026 Predictions: The Year Cybercrime Becomes Fully Industrialized
6. Splunk — Ransomware Attack Types
7. Guardz — 31 Ransomware Statistics MSPs Cannot Ignore in 2026
8. Cybersecurity Dive — Ransomware Attacks on IT and Food Sectors
9. Check Point — Cyber Security Report 2026