
Who Ransomware Groups Hit in the UK in February 2026 — A Sector and Size Analysis

Ransomware.live is a public tracking platform that aggregates claims posted on ransomware group leak sites. When a group successfully compromises a victim and the ransom is not paid, they typically publish the victim's name and sometimes data samples on a dark web site as leverage. Ransomware.live indexes these publications, providing a publicly visible record of claimed UK victims. It is not a complete picture — many victims pay quietly, and many incidents are never disclosed — but it is the most transparent public dataset of ransomware activity available.

In February 2026, ransomware.live recorded 12 confirmed UK victims with discovery dates in that month, claimed by 10 separate ransomware groups. This post analyses those victims in detail: who they were, how large they were, what sectors they operated in, and what the pattern of targeting tells us about how these groups actually select their victims.

The Twelve: An Overview

Stripping out entries that the platform flags as US or Indian-headquartered companies misattributed via UK domain associations, the confirmed UK victims discovered in February 2026 are:

Ten distinct ransomware groups are represented across these twelve victims. No single group dominates. This is not a coordinated campaign by one actor — it is the output of an industrialised, fragmented criminal market in which multiple independent operations run simultaneously, each targeting the organisations their particular tooling and intelligence can reach.

Size Distribution: The Small Business Reality

The most consistent pattern in the February dataset is size. With one significant exception, every identified victim is a small or medium-sized business.

TriPartum is the most striking example. Based in Stevenage, Hertfordshire, TriPartum is a customer communications management specialist with five employees and revenue of approximately £384,000. It is, by any definition, a micro-business. Yet Akira targeted it and published the claim. The reason is not the size of the company — it is the nature of the data it handles. TriPartum creates and manages personalised customer communications for financial services firms, insurance companies, utility providers, telecom operators, social housing providers, and retail clients. A five-person company with no in-house security team holds and processes data for organisations many times its own size.

Anchor Computer Systems, based in Bangor, Wales, has approximately 47 to 60 employees and reported turnover of £7 million. Founded in 1981, it supplies loan management software to over 300 UK lending organisations, covering consumer loans, HP agreements, mortgages, vehicle fleet management, and community development finance. It was acquired by Aryza in 2020. Qilin's claim against Anchor is not primarily a claim against a small Welsh software company — it is a claim against the data of 300 UK lenders and potentially millions of borrowers whose loan records flow through Anchor's systems.

Dukosi, headquartered at Heriot-Watt University in Edinburgh, employs between 50 and 100 people depending on the source consulted. Its revenue is modest — approximately £91,000 reported in the most recent available accounts, reflecting its stage as a deep tech company still bringing products to commercial scale. Dukosi makes chip-on-cell battery monitoring technology for electric vehicles and industrial energy storage. It has partnered with Hyundai and Kia, among others. Clop targeted Dukosi alongside Logical Micro on the same day — the double strike on the same date strongly suggests a single technical exploit was used against both, most likely a vulnerability in a shared file transfer or managed services platform of the type Clop has historically weaponised at scale.

Spire Payments is the largest confirmed UK business in the dataset with known metrics. Headquartered in Salisbury, Wiltshire, Spire has between 65 and 133 employees and revenue of approximately £33 to £34 million. It was acquired by Castles Technology in 2020. Spire is the third-largest point-of-sale terminal provider in Europe and has deployed more than 21 million payment devices to retailers, hospitality businesses, and transport operators globally. A breach of the company that manages this infrastructure has implications that extend significantly beyond Spire itself.

The single medium-large victim is Adelphi. Headquartered at Adelphi Mill in Bollington, Cheshire, Adelphi is a pharmaceutical and healthcare consultancy employing over 700 people worldwide, with approximately 500 based in the UK. It became part of the Omnicom Corporation in 1998 and sits within Omnicom Health Group, the world's largest healthcare marketing and communications group. Adelphi holds sensitive pharmaceutical trial data, real-world evidence datasets, health economics research, market access analysis, and strategic consultancy material for global drug manufacturers. Worldleaks published the claim on 17 February, with the estimated attack date placed at 11 February.

Sector Distribution: Who Is Actually Being Hit

Five broad sectors are represented in the confirmed February victims.

Financial Technology and Services

Three victims operate directly in or adjacent to financial services: Anchor Computer Systems (loan management software for 300+ lenders), Spire Payments (payment terminal infrastructure), and TriPartum (customer communications including financial services clients). The financial services sector consistently appears in the upper tier of ransomware targeting because it combines high data sensitivity, strong regulatory incentives to pay quickly and quietly, and, in the case of smaller supplier firms, security postures that lag well behind those of their clients.

The Anchor and Spire cases illustrate a specific dynamic worth naming directly: neither company is a financial institution. Neither holds customer funds or is FCA-regulated in the way a bank or insurer is. But both hold the data and infrastructure through which regulated financial activity happens. Attackers understand this. The supplier to the financial sector is often a more accessible route to financial sector data than the financial institution itself.

Technology and Deep Tech

Dukosi and Logical Micro represent the technology sector, with Dukosi occupying the deep tech end — a pre-commercial-scale semiconductor company whose intellectual property in chip-on-cell battery monitoring is its primary commercial asset. The targeting of Dukosi by Clop is notable because Clop's usual profile is mass exploitation of managed file transfer vulnerabilities, harvesting data from large numbers of targets simultaneously rather than picking high-value organisations individually. If Dukosi was compromised through that mechanism, its presence in the dataset is likely incidental to a broader campaign sweep. If targeted selectively, the IP value — EV battery technology being developed in partnership with two of the world's largest automotive manufacturers — provides clear motivation.

Healthcare and Life Sciences

Adelphi is the most significant single victim in the dataset from a data sensitivity perspective. A pharmaceutical consultancy of this scale holds real-world clinical evidence, health economics models supporting drug pricing and market access submissions, disease-specific observational research, and strategic marketing data for global pharma brands. Some of this data involves patient cohort information, treatment outcomes, and healthcare professional relationships. The attack was attributed to Worldleaks, the same group that also claimed the Thames Valley Chamber of Commerce on the same day — 16 February. Two UK organisations, very different in nature and sector, claimed by the same group on the same day again points to a common exploitation mechanism rather than bespoke targeting of each victim.

Civic and Membership Bodies

The Thames Valley Chamber of Commerce is, by conventional ransomware targeting logic, an unlikely victim. It is a non-profit membership organisation supporting businesses across Berkshire, Buckinghamshire, and Oxfordshire. It does not hold payment card data. It does not process financial transactions at scale. It is not a regulated financial institution. Its interest to an attacker is the data it holds on member businesses — contact details, financial information shared in the course of business support services, and the network relationships between the businesses it represents. A compromised Chamber of Commerce account or dataset provides a highly credible impersonation platform for reaching its entire member base. This is consistent with the pattern documented in our March 2026 threat intelligence paper: attackers are not targeting organisations for their own data alone, but for the access their data provides to the organisations connected to them.

Agriculture and Food Production

Yew Tree Dairy is the most overtly opportunistic entry in the dataset. A family-owned dairy business supplying dairy products since 1904, it has no obvious data-sensitive profile, no financial system dependency of national significance, and no particular regulatory incentive to pay a ransom quickly. Its presence in the dataset is almost certainly the product of automated scanning and mass exploitation rather than deliberate selection. In the context of the industrialised attack model described in our threat intelligence paper — shift-based automation running credential grinding and known CVE exploitation against every reachable internet-facing service — a 120-year-old dairy business with an exposed VPN or unpatched router is as reachable as a fintech company. The attackers do not always know or care what they have compromised until after the initial access is achieved.

The Supply Chain Amplification Effect

The most important analytical observation from the February dataset is not about the victims themselves but about the organisations whose data and access they hold. In at least three of the twelve cases, the compromised organisation is a small company whose primary value to an attacker lies not in its own data but in the data it holds on behalf of, or the access it provides to, much larger organisations.

TriPartum, with five employees, sits in a processing relationship with financial services clients significantly larger than itself. Anchor Computer Systems, with 60 employees and £7 million turnover, has its software running inside 300 UK lending businesses. Spire Payments, with fewer than 150 employees, has deployed 21 million payment devices. In each case, the attack surface accessible through the small company is orders of magnitude larger than the company itself.

This is the supply chain attack dynamic in its most everyday form. Nation-state actors execute sophisticated supply chain attacks against high-profile targets like Trivy. Criminal ransomware groups achieve the same supply chain amplification simply by compromising a supplier firm. They do not need to be sophisticated about it. They need to find a small company with an exposed service, apply known exploits, and discover after access what they actually have.

Ransomware Group Diversity: Ten Groups, One Month

Ten separate ransomware groups claimed UK victims in February 2026. Clop, Qilin, Worldleaks, Akira, Interlock, Everest, Anubis, Nightspire, Thegentlemen, and Play each appear once or twice. No group dominates. This pattern is consistent across the full ransomware.live dataset for the UK and reflects the current structure of the ransomware-as-a-service market, in which ransomware infrastructure is licensed to affiliates who conduct their own campaigns.

The consequence for defenders is that there is no single group to monitor, no single attack signature to detect, and no single intelligence source that covers the full threat landscape. The affiliate model means that the same underlying exploit or access tool may be used by multiple groups simultaneously, producing what appears from the outside to be unrelated attacks with different threat actor branding. Clop's simultaneous claims against Dukosi and Logical Micro on 7 February, and Worldleaks' simultaneous claims against Adelphi and the Thames Valley Chamber on 16 to 17 February, both suggest common exploitation events producing multiple victims on the same day.
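The same-group, same-day inference above can be run mechanically over a claim feed. The sketch below is an added example, not code from ransomware.live or from this article's analysis; the record layout and the function names are assumptions. The Clop and Worldleaks dates are the ones cited in the article, and the Akira and Qilin dates are placeholders because the article gives none.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample shaped like a leak-site claim feed: (group, victim, discovered).
CLAIMS = [
    ("Clop", "Dukosi", date(2026, 2, 7)),
    ("Clop", "Logical Micro", date(2026, 2, 7)),
    ("Worldleaks", "Thames Valley Chamber of Commerce", date(2026, 2, 16)),
    ("Worldleaks", "Adelphi", date(2026, 2, 17)),
    ("Akira", "TriPartum", date(2026, 2, 3)),                 # placeholder date
    ("Qilin", "Anchor Computer Systems", date(2026, 2, 20)),  # placeholder date
]

def _emit(group, rows):
    """Turn a run of (date, victim) rows into a cluster record."""
    return (group, rows[0][0], rows[-1][0], [victim for _, victim in rows])

def claim_clusters(claims, window_days=1, min_size=2):
    """Cluster claims by one group whose dates chain together within window_days.

    Returns (group, first_date, last_date, victims) tuples sorted by first_date.
    A cluster is a prompt to look for a shared product or provider, not proof of one.
    """
    by_group = defaultdict(list)
    for group, victim, seen in claims:
        by_group[group].append((seen, victim))

    window = timedelta(days=window_days)
    clusters = []
    for group, rows in by_group.items():
        rows.sort()
        current = [rows[0]]
        for row in rows[1:]:
            if row[0] - current[-1][0] <= window:
                current.append(row)      # still inside the chained window
            else:
                if len(current) >= min_size:
                    clusters.append(_emit(group, current))
                current = [row]          # gap too large: start a new run
        if len(current) >= min_size:
            clusters.append(_emit(group, current))
    return sorted(clusters, key=lambda c: c[1])

if __name__ == "__main__":
    for group, first, last, victims in claim_clusters(CLAIMS):
        print(f"{group}: {first} to {last}: {', '.join(victims)}")
```

A one-day window is what catches the Worldleaks pair, whose claims straddle 16 and 17 February; with `window_days=0` only the Clop pair is reported.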

What the Dataset Tells Us About Who Is Not Protected

The February 2026 UK victim set contains no major bank, no FTSE 100 company, no national infrastructure operator. The largest organisation present — Adelphi, with 700 worldwide employees — is a mid-market professional services company. The smallest — TriPartum, with five employees — is a micro-business.

This is not because large organisations are immune. The full ransomware.live UK dataset of 788 victims includes organisations of all sizes. But the February 2026 sample is representative of a recurring pattern: the organisations that appear most consistently in these datasets are those without dedicated security teams, without continuous monitoring capability, and without the internal resource to detect and respond to an intrusion before it reaches the data exfiltration stage.

The firms in this dataset were not targeted because they are weak in any absolute sense. They were targeted because they were reachable — because their internet-facing infrastructure had a known vulnerability, an unmonitored authentication endpoint, or a configuration that automated scanning tools could find and exploit. The credential grinding campaigns documented in our March 2026 threat intelligence whitepaper run continuously against every authentication service on the public internet. The VPN exploitation tooling tracks new CVEs within days of publication. An organisation that does not patch within a two-week window and does not have MFA on its internet-facing services is statistically certain to appear in a dataset like this within a foreseeable period.

Twelve UK victims in 28 days is one every 2.3 days. That is only what was published. The NCSC's own research consistently estimates that published ransomware claims represent a small fraction of actual incidents — most victims pay or contain the incident without public disclosure. The true February 2026 UK ransomware victim count is almost certainly considerably higher.

The February Dataset Is Not Exceptional. It Is Normal.

The organisations compromised in February 2026 are not unusual victims. They are small and medium UK businesses without continuous security monitoring — the exact profile of the overwhelming majority of organisations under 100 assets. SOC in a Box was built for this gap. A named analyst monitoring your network 24/7, detecting the credential grinding and CVE exploitation that precedes ransomware deployment, and calling you before the encryption payload executes. The cost is less than the average ransom demand. The February dataset is a reasonable estimate of what unmonitored organisations face every month.
