The United States construction industry has become the primary target for ransomware attacks in early 2026, according to new analysis from cybersecurity firm Bitdefender. Researchers observed that while the number of attacks remains high, with an estimated 750 to 800 U.S. organizations impacted in the first two months of the year, the value of collected ransom payments is declining.
In a report covering the period from through , Bitdefender identified a significant trend in ransomware targeting. The construction sector experienced the most attacks, followed closely by manufacturing. Other consistently targeted industries include technology, healthcare, and legal services. After filtering out what it described as inflated claims from certain threat groups, Bitdefender stated with high confidence that the number of U.S. victims fell within the 750 to 800 range for January and February 2026.
The analysis also highlights a strategic shift in how ransomware groups operate. According to Bitdefender, threat actors are adapting their methods to increase efficiency and evade detection. Key changes in attack patterns include:
- Identity-First Compromise: A greater focus on stealing credentials, such as browser session tokens, to gain initial access quietly, bypassing multi-factor authentication (MFA) and avoiding noisy exploitation attempts.
- Supply Chain Attacks: Breaching technology service providers and SaaS platforms to compromise a wider network of downstream victims in sectors like finance and healthcare.
- Attack Automation: Using automation to drastically shorten the time-to-exploit window, with attacks occurring within hours of a proof-of-concept (PoC) release, down from several days in 2024 and 2025.
- Defense Evasion: Renewed investment in tactics like “Bring Your Own Vulnerable Driver” (BYOVD) to bypass security controls.
Bitdefender attributes the trend of decreasing ransom payouts to several factors. Organizations face increased pressure to implement robust security measures to maintain cyber insurance policies and comply with industry regulations. Furthermore, there is a growing awareness of best practices for incident response, aided by advisory publications from government agencies like the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI.
The shift towards identity-based and supply chain attacks suggests that organizations can no longer rely solely on traditional defenses. Threat groups like ShinyHunters have demonstrated the effectiveness of these scaled attacks. The shrinking time-to-exploit window means security teams have significantly less time to patch vulnerabilities after they are publicly disclosed, demanding more proactive and automated defense strategies.
Based on the observed tactics, Bitdefender implies that standard security measures like MFA and patch management are insufficient on their own. Organizations should consider securing identity and access points by encrypting browser session tokens and OAuth keys, linking them to approved devices, and enforcing strict session lifetime limits to prevent credential theft.
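The device-linking and session-lifetime controls described above can be sketched as follows. This is an added example, not code from Bitdefender's report; the function names, policy values and in-memory store are hypothetical, and a symmetric per-device key stands in for a key held in device hardware.

```python
import hashlib, hmac, secrets

MAX_LIFETIME = 8 * 3600  # absolute session lifetime, seconds (assumed policy value)
MAX_IDLE = 15 * 60       # idle timeout, seconds (assumed policy value)
PROOF_SKEW = 60          # accepted age of a request proof, seconds (assumed)

SESSIONS = {}  # token digest -> session record; stands in for a server-side store

def _digest(token: str) -> str:
    # Store only a hash so a leaked session table does not yield usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()

def open_session(user: str, device_key: bytes, now: int) -> str:
    """Issue a token tied to the key enrolled for an approved device."""
    token = secrets.token_urlsafe(32)
    SESSIONS[_digest(token)] = {"user": user, "key": device_key,
                                "issued": now, "seen": now}
    return token

def make_proof(device_key: bytes, token: str, ts: int) -> str:
    """Client side: prove possession of the device key for this request."""
    return hmac.new(device_key, f"{token}|{ts}".encode(), hashlib.sha256).hexdigest()

def check_request(token: str, ts: int, proof: str, now: int) -> str:
    """Return 'ok' or the reason the request is rejected."""
    sess = SESSIONS.get(_digest(token))
    if sess is None:
        return "unknown session"
    if now - sess["issued"] > MAX_LIFETIME:
        SESSIONS.pop(_digest(token))  # expired sessions are destroyed, not just refused
        return "absolute lifetime exceeded"
    if now - sess["seen"] > MAX_IDLE:
        SESSIONS.pop(_digest(token))
        return "idle timeout"
    if abs(now - ts) > PROOF_SKEW:
        return "stale proof"
    # A token copied from a browser fails here without the device key.
    if not hmac.compare_digest(make_proof(sess["key"], token, ts), proof):
        return "device proof mismatch"
    sess["seen"] = now  # only a valid, device-bound request refreshes the idle timer
    return "ok"
```

A proof captured in transit can still be replayed inside the skew window, so a deployment would also track used timestamps or issue server nonces.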