Ransomware.live is a public tracking platform that indexes claims posted on ransomware group leak sites — the pages criminal groups use to publish victim names and data samples when ransoms are not paid. It is not a complete picture of UK ransomware incidents. Most victims pay quietly or contain incidents without public disclosure. But it provides the most transparent available window into the ongoing campaign activity against UK organisations.
In January 2026, ransomware.live recorded 20 confirmed UK victims with discovery dates in that month, claimed by 11 separate ransomware groups. That is one publicly claimed UK victim every 1.5 days. The true number of incidents — including those resolved without publication — is considerably higher. This post analyses those 20 victims in detail: who they were, what size they were, which sectors were targeted, and what the pattern of claims tells us about how UK organisations are being selected and compromised.
The Twenty: An Overview
The confirmed UK victims discovered in January 2026, in chronological order, are:
- Purcell Architects (5 Jan) — Heritage architecture practice, 340 staff — Akira
- Berkmann Wine Cellars (6 Jan) — Wine merchant and distributor — Qilin
- Richard Alibon Primary School (13 Jan, attack est. 8 Jan) — Primary school, Dagenham — Beast
- Collett Hulance (13 Jan, attack est. 9 Jan) — Chartered accountants, Bedford — Beast
- Merit Group (14 Jan, attack est. 11 Jan) — Publishing holding company — Sinobi
- PSTECHLTD (15 Jan) — IT services — Qilin
- Dedman Gray Property Consultants (16 Jan, attack est. 15 Jan) — Property consultancy — Genesis
- NWIMS IT Group (16 Jan) — IT services provider — Dragonforce
- Central Roofing South Wales (17 Jan) — Roofing contractor, Wales — Qilin
- PKT QS (20 Jan, attack est. 16 Jan) — Quantity surveyors — Blackshrantac
- Sandberg (20 Jan) — Materials testing consultancy, est. 1860 — Incransom
- Gianni Botsford Architects (24 Jan) — Architecture practice, London — Nightspire
- MRC Prion Unit and Institute of Prion Diseases (24 Jan) — UCL research institute — Crypto24
- interr.com (24 Jan) — Security and risk management consultancy — Safepay
- Warranty First (25 Jan) — Vehicle warranty services — Clop
- BAQUS (25 Jan) — Building and property consultancy — Clop
- Trust Payments (25 Jan) — Global fintech payments group, 500+ staff — Clop
- Lesk Engineers (25 Jan) — Engineering consultancy — Nightspire
- Shaw Hill Primary School (27 Jan) — Primary school, Lancashire — Incransom
- Urban Edge Architecture (29 Jan) — Architecture practice, Stamford — Interlock
Eleven distinct ransomware groups are represented. No single group dominates, though three groups — Qilin, Beast, and Nightspire — each claimed multiple UK victims. This again reflects the affiliate model of the ransomware-as-a-service market rather than a single coordinated campaign: multiple independent operations running simultaneously, each reaching the organisations their specific tooling and access methods can find.
The Dominant Pattern: Construction and Engineering Under Sustained Attack
The most striking feature of the January dataset is the concentration of victims in the construction, architecture, and engineering sector. Seven of the twenty confirmed UK victims operate in this space:
- Purcell Architects — heritage architecture
- Gianni Botsford Architects — architectural design
- Urban Edge Architecture — architectural practice
- Sandberg — construction materials testing and consultancy
- PKT QS — quantity surveying
- Lesk Engineers — engineering consultancy
- Central Roofing South Wales — roofing contractor
That is 35 per cent of all identified UK victims in a single month concentrated in one sector. This is not a random distribution. Construction and engineering firms are targeted heavily for several converging reasons that make them structurally attractive to ransomware groups.
Professional services firms in this sector hold significant quantities of project data — drawings, specifications, contracts, structural surveys, client correspondence — whose encryption creates immediate operational disruption. A contractor that cannot access live project drawings faces real consequences: sites stop, deadlines are missed, and in regulated environments such as heritage conservation or structural engineering, the liability exposure from inaccessible records is acute. This creates strong payment pressure.
Smaller firms in this sector — sole practitioners, two- to ten-person quantity surveying practices, regional roofing contractors — typically have no dedicated IT security function, no managed endpoint detection, and no 24/7 monitoring. Their internet-facing infrastructure is often maintained by a generalist IT support company that addresses problems reactively rather than proactively managing the security posture. This makes them reachable through credential grinding and known CVE exploitation of the type documented throughout the sector.
The three architecture firms in the January dataset — Purcell, Gianni Botsford, and Urban Edge — span the full size range. Purcell is the world's largest heritage architecture practice, with 340 employees, 14 studios globally, and commissions including the Elizabeth Tower and Canterbury Cathedral. Gianni Botsford Architects is a boutique London practice. Urban Edge Architecture operates from Stamford. All three hold sensitive client project data, and all three were compromised in the same calendar month by different ransomware groups using different tooling. The sector concentration is not explained by a single shared vulnerability exploited by one group — it reflects the sector's broad exposure across multiple attack vectors simultaneously.
Size Distribution: A Near-Total SMB Profile
With one significant exception, every identified victim in January is a small or medium-sized business. The size range runs from a two-person architectural practice to a 500-person fintech company, but the preponderance sits firmly in the sub-100-employee range.
Sandberg is perhaps the most instructive entry. Founded in 1860 — making it 166 years old at the time of the attack — Sandberg is an independent private professional partnership providing materials testing, consultancy, and inspection services to the construction industry. It has between 51 and 100 employees and has been UKAS-accredited since 1985. Its clients include government authorities, consulting engineers, architects, civil engineering contractors, and property developers. A 166-year-old independent partnership, UKAS-accredited, serving government and major construction clients: the profile of an organisation with longstanding professional obligations around confidentiality, and no in-house security team to protect the data those obligations cover.
Trust Payments is the clear outlier in the January dataset on size. Headquartered at 1 Royal Exchange in the City of London and founded in 1997, Trust Payments is a global payments group with approximately 500 employees, revenue of around £179 million in 2023, and payment technology deployed to more than 20,000 businesses. Its operations span Europe, North America, and Asia. Clop's claim against Trust Payments — published on 25 January, the same day as two other UK victims — is consistent with Clop's operational model of mass exploitation of managed file transfer vulnerabilities, compromising large numbers of organisations simultaneously. The other two same-day Clop victims — Warranty First (vehicle warranty services) and BAQUS (building and property consultancy) — are both considerably smaller. The triple-strike on 25 January is not three separate targeted attacks: it is the output of a single automated exploitation campaign that happened to sweep up one significant fintech company alongside two smaller businesses on the same day.
Collett Hulance, a chartered certified accountancy firm based in Bedford, is at the opposite end of the scale: a small practice serving local businesses. It was claimed by Beast on 13 January, with the estimated attack date placed earlier, on 9 January. An accountancy practice holds tax records, management accounts, payroll data, and client financial information — data that is directly monetisable and that the firm has a professional obligation to protect. The size of the firm does not reduce that obligation; it typically reduces the security investment available to meet it.
Two Primary Schools in One Month
The presence of two UK primary schools in a single month's ransomware dataset requires specific attention. Richard Alibon Primary School in Dagenham was claimed by Beast on 13 January, with an estimated attack date of 8 January. Shaw Hill Primary School in Lancashire was claimed by Incransom on 27 January. Two different groups, two different schools, in the same month.
Primary schools process some of the most sensitive categories of personal data that any organisation holds: safeguarding records, child protection plans, SEND documentation, pupil medical information, and the complete personal profiles of children and their families. Under UK GDPR, children's personal data attracts the highest level of regulatory scrutiny, and the ICO has been explicit that educational institutions are data controllers subject to the full range of enforcement powers.
Schools are targeted because they are typically the least well-defended institutions on the public internet. A primary school in Dagenham or Lancashire has no CISO, no SOC, no dedicated security budget. Its IT infrastructure may be managed by a local authority shared service or a small contracted IT provider. Its internet-facing attack surface — a school management information system, remote access capability for staff, perhaps a cloud email platform — is identical in shape to that of any other small organisation, and equally susceptible to the credential grinding and VPN exploitation campaigns that run continuously against every reachable endpoint in the UK.
The seasonality of school attacks is a known pattern: holiday periods create windows when monitoring capability drops and the urgency to restore before pupils return maximises payment pressure. A January attack, landing at the end of the Christmas break or in the first weeks of the spring term, is consistent with this timing dynamic.
The Clop Triple-Strike: Mass Exploitation in Action
Clop's simultaneous claims against Warranty First, BAQUS, and Trust Payments on 25 January 2026 are the month's clearest illustration of how industrialised ransomware campaigns actually operate. Three UK organisations, across three different sectors — vehicle warranty, property consultancy, and fintech payments — claimed on a single day by the same group.
Clop's operational model is well documented. Rather than selecting targets individually, Clop has consistently exploited vulnerabilities in widely deployed file transfer and managed services platforms at scale, compromising large numbers of organisations simultaneously and publishing claims in batches. The MOVEit, GoAnywhere, and Cleo campaigns of previous years each produced hundreds of victims disclosed in waves. The 25 January triple-strike against UK organisations is consistent with this batch-disclosure pattern: the actual compromises likely occurred at different points over a preceding period, with the claims published simultaneously as the ransom deadline passed for all three.
For the affected organisations, the mass-exploitation origin of the attack is cold comfort. Whether Clop targeted them specifically or swept them up in an automated campaign, the consequences — data exfiltration, regulatory notification obligations, reputational exposure, and the cost of breach response — are identical.
An Academic Research Institute: The MRC Prion Unit
The most unusual entry in the January dataset is the MRC Prion Unit and Institute of Prion Diseases at University College London. Claimed by the Crypto24 group on 24 January, this is a UCL Medical Research Council unit conducting research into fatal prion diseases — including Creutzfeldt-Jakob disease — one of the few institutions in the world with the specialist capability and biosafety infrastructure to study these conditions.
A research institute of this nature holds patient data from clinical studies, genetic and biological research data, experimental protocols, pre-publication research findings, and potentially data from international collaborative studies subject to their own data sharing agreements. Its compromise does not carry the financial system implications of a payments company or the immediate operational disruption of a contractor, but the sensitivity of the research data and the international obligations around research participant privacy make it a significant breach in its own sector.
The claim is also notable because it targets a publicly funded institution. Public sector and academic organisations have historically been targeted with slightly lower frequency than commercial businesses, partly because the perceived payment probability is lower. That calculus appears to be changing: as the October 2025 British Library attack demonstrated, UK public institutions will pay or face severe operational consequences, and the data they hold is valuable regardless of whether the organisation itself values it in financial terms.
Beast Group: Sequential UK Attacks on Consecutive Days
The Beast ransomware group claimed two UK victims in January with estimated attack dates on consecutive days: Richard Alibon Primary School on 8 January and Collett Hulance on 9 January. A primary school and a chartered accountancy firm, in different sectors, in different parts of England, attacked on back-to-back days by the same group.
This pattern is consistent with an automated campaign using a common exploit or access tool that discovered both targets in rapid succession. The same group also claimed First 4 Recruitment, a North West recruitment agency, with an estimated attack date of 8 January — the same day as the Richard Alibon attack — though that claim was not published until February. Three UK organisations, at least two on the same estimated attack date, claimed by the same group, across three entirely different sectors: education, accountancy, and recruitment. The attack surface each organisation presented to the internet was the common factor, not the sector or the size.
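The claim patterns discussed in this section and in the Clop section above can be checked mechanically against the victim list rather than by eye. The following Python is an added example, not code from this post or from ransomware.live: it transcribes the twenty records from the list above (the sector labels are this example's own assumption, since they are not a ransomware.live field) and reports claims per group, the construction-sector share, groups that published several claims on one day, and groups whose estimated attack dates fall on consecutive days, using the claim date as a stand-in where no estimated attack date was given.

```python
"""Aggregate a ransomware.live-style victim list and surface the claim patterns
discussed in this post: claims per group, sector concentration, same-day batch
disclosures by one group, and consecutive estimated attack dates by one group."""
from collections import Counter, defaultdict
from datetime import date, timedelta

# Records transcribed from the list in this post. The sector labels are this
# example's own assumption (ransomware.live does not publish them in this form).
# Fields: victim, claim date, estimated attack date (None if not given), group, sector.
VICTIMS = [
    ("Purcell Architects", date(2026, 1, 5), None, "Akira", "construction"),
    ("Berkmann Wine Cellars", date(2026, 1, 6), None, "Qilin", "wine_trade"),
    ("Richard Alibon Primary School", date(2026, 1, 13), date(2026, 1, 8), "Beast", "education"),
    ("Collett Hulance", date(2026, 1, 13), date(2026, 1, 9), "Beast", "accountancy"),
    ("Merit Group", date(2026, 1, 14), date(2026, 1, 11), "Sinobi", "publishing"),
    ("PSTECHLTD", date(2026, 1, 15), None, "Qilin", "it_services"),
    ("Dedman Gray Property Consultants", date(2026, 1, 16), date(2026, 1, 15), "Genesis", "property"),
    ("NWIMS IT Group", date(2026, 1, 16), None, "Dragonforce", "it_services"),
    ("Central Roofing South Wales", date(2026, 1, 17), None, "Qilin", "construction"),
    ("PKT QS", date(2026, 1, 20), date(2026, 1, 16), "Blackshrantac", "construction"),
    ("Sandberg", date(2026, 1, 20), None, "Incransom", "construction"),
    ("Gianni Botsford Architects", date(2026, 1, 24), None, "Nightspire", "construction"),
    ("MRC Prion Unit and Institute of Prion Diseases", date(2026, 1, 24), None, "Crypto24", "research"),
    ("interr.com", date(2026, 1, 24), None, "Safepay", "security_consultancy"),
    ("Warranty First", date(2026, 1, 25), None, "Clop", "warranty"),
    ("BAQUS", date(2026, 1, 25), None, "Clop", "property"),
    ("Trust Payments", date(2026, 1, 25), None, "Clop", "fintech"),
    ("Lesk Engineers", date(2026, 1, 25), None, "Nightspire", "construction"),
    ("Shaw Hill Primary School", date(2026, 1, 27), None, "Incransom", "education"),
    ("Urban Edge Architecture", date(2026, 1, 29), None, "Interlock", "construction"),
]


def claims_per_group(records=VICTIMS):
    """Number of claims attributed to each group."""
    return Counter(r[3] for r in records)


def sector_share(sector, records=VICTIMS):
    """(count, percentage of all records) for one sector label."""
    count = sum(1 for r in records if r[4] == sector)
    return count, round(100.0 * count / len(records), 1)


def same_day_batches(records=VICTIMS, min_size=2):
    """Groups that published several claims on one day, keyed by (group, day).
    Batch publication is the signature of a mass-exploitation campaign whose
    ransom deadlines expire together, rather than of individually chosen targets."""
    by_group_day = defaultdict(list)
    for victim, claimed, _, group, _ in records:
        by_group_day[(group, claimed)].append(victim)
    return {k: v for k, v in by_group_day.items() if len(v) >= min_size}


def consecutive_attack_runs(records=VICTIMS):
    """Per group, runs of back-to-back estimated attack dates, which suggest one
    scanning or exploitation campaign finding targets in rapid succession.
    Where no estimated attack date is given, the claim date is used as a proxy."""
    dates = defaultdict(set)
    for _, claimed, attacked, group, _ in records:
        dates[group].add(attacked or claimed)
    runs = {}
    for group, ds in dates.items():
        ordered = sorted(ds)
        run = [ordered[0]]
        for d in ordered[1:]:
            if d - run[-1] == timedelta(days=1):
                run.append(d)
            else:
                if len(run) >= 2:
                    runs.setdefault(group, []).append(run)
                run = [d]
        if len(run) >= 2:
            runs.setdefault(group, []).append(run)
    return runs


if __name__ == "__main__":
    print(claims_per_group().most_common())
    print("construction share:", sector_share("construction"))
    for (group, day), victims in same_day_batches().items():
        print(f"batch: {group} on {day}: {victims}")
    for group, rs in consecutive_attack_runs().items():
        print(f"consecutive attack dates: {group}: {rs}")
```

Run as a script it prints each summary; a real ransomware.live export can be fed to the same functions once its records are mapped onto the same tuple shape. Same-day batches and back-to-back attack dates are heuristics for a single automated campaign, not proof of one: a group can also happen to publish two unrelated claims on the same day, so the output is a prompt to look at the initial-access vector, not a conclusion.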
What January 2026 Tells Us
The January dataset is more varied in sector than the February data, but it shares the same fundamental structural characteristic: the organisations appearing on ransomware group leak sites are predominantly small businesses without continuous security monitoring, operating in sectors that generate sensitive data far exceeding their security investment.
Seven construction and engineering firms. Two primary schools. A 166-year-old independent partnership. A chartered accountancy practice. A building and property consultancy. A vehicle warranty provider. A materials testing laboratory serving government clients. None of these organisations are obvious ransomware targets in the way that a hospital or a national bank might be. All of them held data whose encryption or exfiltration creates significant consequences — operational, regulatory, or reputational.
Twenty publicly claimed UK victims in January 2026. One every 1.5 days. This is not an exceptional month. It is not the consequence of a newly emerged threat or an unusually capable adversary. It is the ordinary output of an industrialised criminal market, operating continuously, finding and exploiting the organisations that have not addressed the fundamentals: unpatched internet-facing systems, authentication endpoints without MFA, and the absence of continuous monitoring that would detect the credential grinding and reconnaissance that precedes every attack on this list.
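The monitoring gap named in this paragraph is concrete enough to show. The Python below is an added example, not code from this post or from any product it mentions: it parses a constructed, generic authentication log (the line layout, the account names, the addresses and the alert thresholds are all assumptions for the example) and raises the two early signals of credential grinding against an internet-facing endpoint that continuous monitoring is meant to catch, a single source failing against many distinct accounts in a short window, and a successful login that immediately follows a run of failures for the same account from the same source.

```python
"""Flag credential grinding against an internet-facing authentication endpoint
(VPN gateway, webmail, remote access portal) from its authentication log.
Two signals are raised:
  - password spraying: one source address failing against many accounts in a
    short window;
  - success after failures: a successful login for an account that has just
    accumulated a run of failures from the same source."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a generic syslog-like layout assumed for this
# example. Real VPN and identity platforms each use their own field names;
# only the regex below needs changing to adapt it. Addresses are documentation ranges.
SAMPLE_LOG = """\
2026-01-08T02:14:01Z auth vpn: result=FAIL user=j.smith src=203.0.113.45
2026-01-08T02:14:03Z auth vpn: result=FAIL user=a.jones src=203.0.113.45
2026-01-08T02:14:05Z auth vpn: result=FAIL user=admin src=203.0.113.45
2026-01-08T02:14:08Z auth vpn: result=FAIL user=finance src=203.0.113.45
2026-01-08T02:14:10Z auth vpn: result=FAIL user=reception src=203.0.113.45
2026-01-08T02:14:12Z auth vpn: result=FAIL user=head src=203.0.113.45
2026-01-08T02:20:00Z auth vpn: result=FAIL user=office src=198.51.100.7
2026-01-08T02:20:04Z auth vpn: result=FAIL user=office src=198.51.100.7
2026-01-08T02:20:09Z auth vpn: result=FAIL user=office src=198.51.100.7
2026-01-08T02:20:15Z auth vpn: result=OK user=office src=198.51.100.7
2026-01-08T08:01:00Z auth vpn: result=FAIL user=m.khan src=192.0.2.10
2026-01-08T08:01:30Z auth vpn: result=OK user=m.khan src=192.0.2.10
"""

LINE = re.compile(
    r"^(?P<ts>\S+) auth vpn: result=(?P<result>OK|FAIL) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(text):
    """Turn log text into (timestamp, result, user, src) tuples; unknown lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["result"], m["user"], m["src"]))
    return events


def detect_spray(events, window=timedelta(minutes=10), min_users=5):
    """Return {src: distinct_accounts} for sources that failed against at least
    min_users different accounts inside any window-sized span. Thresholds are
    example values; tune them to the endpoint's normal failure rate."""
    failures = defaultdict(list)
    for ts, result, user, src in events:
        if result == "FAIL":
            failures[src].append((ts, user))
    alerts = {}
    for src, fails in failures.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):
            users = {u for t, u in fails[i:] if t - start <= window}
            if len(users) >= min_users:
                alerts[src] = len(users)
                break
    return alerts


def detect_success_after_failures(events, window=timedelta(minutes=10), min_failures=3):
    """Return [(src, user, failures_before_success)] where a login succeeded
    after at least min_failures failures for the same (src, user) within window.
    A guessed or sprayed password that finally works looks exactly like this."""
    recent = defaultdict(list)
    alerts = []
    for ts, result, user, src in sorted(events):
        key = (src, user)
        recent[key] = [t for t in recent[key] if ts - t <= window]
        if result == "FAIL":
            recent[key].append(ts)
        elif len(recent[key]) >= min_failures:
            alerts.append((src, user, len(recent[key])))
            recent[key] = []
    return alerts


if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    for src, n in detect_spray(events).items():
        print(f"SPRAY  src={src} distinct accounts tried={n}")
    for src, user, n in detect_success_after_failures(events):
        print(f"ACCESS src={src} user={user} succeeded after {n} failures")
```

On the sample, the first source is flagged for spraying six accounts in eleven seconds, and the `office` login is flagged because it succeeded on the fourth attempt; the single failed-then-successful `m.khan` login at 08:01 is the ordinary typo and is not raised. The second signal is the one that matters most for an organisation without MFA: it is the moment credential grinding turns into access, and the window between that login and data staging is where a 24/7 analyst can still intervene.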
The February dataset — analysed in our companion piece published this week — shows the same pattern repeating. The organisations that appear in that list are not the same organisations as these. But the profile is largely identical.
Twenty UK Victims in January. The Same Again in February. This Is Not Exceptional — It Is Normal.
The organisations in the January dataset are not unlucky outliers. They are the predictable output of an attack market that runs continuously against every reachable UK organisation and finds those without monitoring first. SOC in a Box provides 24/7 detection and a named analyst who investigates anomalous behaviour before it reaches the data exfiltration stage. For the construction and engineering firms disproportionately represented in this dataset, the Confidence Score report provides the documented security posture evidence that supply chain and procurement requirements increasingly demand. The cost of a monthly monitoring service is a fraction of the average breach response bill for any organisation on this list.