February may be the shortest month of the year, but it packed a devastating punch in the world of cybercrime. According to a recent report from Comparitech, ransomware attacks surged to an alarming 959 incidents—nearly doubling January’s 512 reported cases. Clop, RansomHub, and Medusa led the charge, with Clop alone claiming responsibility for 323 breaches, primarily exploiting the Cleo vulnerability.
A Growing Epidemic: Key Findings
Total attacks: 959, with 41 confirmed by affected organizations
Most affected sectors: Businesses (844 attacks), government entities (17), healthcare (47), and education (27)
Top ransomware gangs: Clop (323), RansomHub (95), Akira (80), Play (47), Qilin (43)
Most confirmed attacks: RansomHub (6), Qilin (4), Medusa (4)
Healthcare Takes a Hit
Hospitals and clinics worldwide found themselves in the crosshairs, with seven confirmed ransomware attacks in February, up from four in January. Medusa, in particular, left its mark:
SimonMed Imaging (U.S.) – Hit with a $1M ransom, though the company claimed to have “interrupted” the attack before data encryption occurred. Medusa alleged it stole 213 GB of data.
HCRG Care Group (UK) – Medusa demanded $2M after allegedly stealing 2.3 TB of sensitive data.
Bell Ambulance (U.S.) – Employees were notified mid-February after a Medusa-led attack. The group demanded $400,000 for 212 GB of stolen data.
Utsunomiya Central Clinic (Japan) – Qilin claimed this attack, which affected 300,000 individuals, making it the largest healthcare breach of the year so far.
Governments Under Fire
Following 10 confirmed government breaches in January, February saw eight more incidents, with RansomHub leading the charge:
City of Tarrant (U.S.) and Sault Ste. Marie Tribe of Chippewa Indians (U.S.) – Both claimed by RansomHub.
ELECGALAPAGOS S.A. (Galapagos Islands) – A critical state utility provider was targeted.
Palau Ministry of Health and Human Services – Struck by Qilin, further demonstrating the group's reach.
Education Sector in the Crosshairs
Schools and universities continue to be soft targets, with six confirmed ransomware cases in February. Notable attacks include:
CESI Ecole d’Ingénieurs (France) – Victim of Termite.
Saint George’s College (Chile) – Attacked by Fog.
Laurens County School District 56 (U.S.) – Medusa demanded $320,000.
Businesses: The Most Affected Sector
While businesses bore the brunt of ransomware activity, with 844 reported incidents, only 20 attacks were confirmed. Among them:
Lee Enterprises (U.S.) – A Qilin attack disrupted operations across 70+ newspapers and resulted in 350 GB of stolen data.
The Agency (London, UK) – A high-profile talent agency listed on Rhysida’s leak site with a 7-bitcoin ransom (~$682,000).
Alf DaFrè (Italy) – The furniture manufacturer halted production for eight days, impacting 350 employees.
Paratus Group (Namibia) – Akira claimed responsibility for this attack on the telecom giant.
Clop, RansomHub, and Emerging Threats
Clop dominated February’s ransomware landscape, largely due to its exploitation of the Cleo vulnerability. RansomHub followed with 95 claims and six confirmed attacks, while Qilin emerged as a formidable player with four confirmed breaches.
Additionally, new players entered the fray:
Anubis – Four victims, including Pound Road Medical Centre (Australia), which confirmed an attack dating back to November.
Run Some Wares – A ransomware group with four unconfirmed victims, earning the dubious distinction of having the least original name.
Confirmed vs. Unconfirmed Attacks: The Fog of Cyberwarfare
With nearly 900 attacks remaining unconfirmed, the discrepancy between claimed and verified breaches underscores the opaque nature of ransomware reporting. Some organizations may withhold disclosure due to reputational concerns, while others may genuinely evade significant data loss. However, as mandatory disclosure laws expand globally, the full scope of February’s ransomware rampage will likely become clearer in the coming months.
Looking Ahead
The February surge in ransomware attacks highlights a growing trend of increasingly sophisticated, high-volume cyberattacks. Clop’s exploitation of the Cleo vulnerability, coupled with RansomHub’s aggressive expansion, signals a troubling year ahead for businesses, healthcare providers, and government agencies worldwide.
With 824 business attacks yet to be confirmed, 40 more in healthcare, and 21 in education, the true impact of February’s ransomware onslaught is still unfolding. One thing is clear: ransomware isn’t slowing down—it’s evolving.