Fast Facts
- Ransomware remains dominant with 702 incidents in March, driven by sophisticated groups like Qilin and Akira, targeting industries such as construction and healthcare.
- The growth of the underground access market facilitates ransomware attacks and espionage, with key brokers like vexin and holyduxy controlling over 55% of listings.
- Exploitation of known vulnerabilities (e.g., CVE-2026-20131, CVE-2025-53521) and AI-driven attacks (e.g., CyberStrikeAI targeting Fortinet devices) significantly increase breach risks.
Threat, Attack Techniques, and Targets
In March 2026, the cyber threat landscape continued to grow. Ransomware attacks led the scene with 702 incidents worldwide. Major ransomware groups included Qilin, Akira, The Gentlemen, Dragonforce, and INC Ransom. Together, they caused over half of all ransomware activity. These groups often used double-extortion tactics. They stole data and then encrypted systems to pressure victims for ransom.
Industries most targeted by ransomware included construction, professional services, manufacturing, healthcare, and energy. Attackers focused mainly on organizations that rely on high uptime or store sensitive data. The US remained the primary target, partly because of global tensions involving Iran.
Meanwhile, the underground market for compromised access grew. During March, 20 incidents involved selling unauthorized network access. Key sectors receiving access sales were professional services, retail, IT, and manufacturing. Threat actors like vexin, holyduxy, and algoyim dominated this market. They provide access that enables ransomware attacks, espionage, or fraud.
CRIL also tracked breaches and leaks in March. They recorded 54 significant incidents. The most affected sectors were government, retail, and technology. Some breaches involved stolen large data volumes, such as 5TB from Hospitality Holdings or 3.8TB of South African government data. Others exposed travel records with passport and payment info.
Finally, exploitation of vulnerabilities increased. Attackers targeted flaws listed in CISA’s KEV catalog, including Cisco, F5, Microsoft, Langflow, and Rockwell Automation products. Both new zero-days and older unpatched flaws saw active exploitation, indicating gaps in organizations’ patch management.
Impact, Security Implications, and Remediation Guidance
The rise in ransomware activity and access sales poses serious risks. Organizations face operational disruptions, financial losses, and data exposure. Data breach incidents can lead to identity theft, regulatory penalties, and loss of trust. The increasing use of double-extortion amplifies pressure on victims to pay, even if they have backups. Geopolitical tensions further intensify threats, especially targeting US and Middle Eastern entities.
Security implications include the need to strengthen defenses against ransomware and unauthorized access. This involves timely patching of critical vulnerabilities, enhanced network monitoring, and robust backup strategies. Protecting sensitive data and recognizing signs of breach or intrusion are vital.
If remediation guidance is needed, organizations should consult their security vendors or relevant authorities. Regular updates, vulnerability assessments, and incident response plans remain essential. Staying informed about emerging threats and attack techniques helps to mitigate risks effectively.
Stay Ahead with the Latest Tech Trends
Dive deeper into the world of Cryptocurrency and its impact on global finance.
Explore past and present digital transformations on the Internet Archive.
ThreatIntel-V1
