Ransomware activity in early March 2026 remained fragmented, led by Qilin with continued pressure across manufacturing, technology, and construction sectors, while small businesses made up the vast majority of victims. The threat landscape featured a mix of established and emerging adversaries, alongside active exploitation of vulnerabilities across major platforms like Apple, Google, and enterprise software, reinforcing a broad, opportunistic attack environment.

Report Links

Download Threat Brief For March 1-15 2026

Byer-Nichols Threat Brief Podcast March 1-15 2026

Ransomware Actors

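| Ransomware | Percentage | Last Period (Rank) | Two Periods Ago (Rank) |
|---|---|---|---|
| Qilin | 19.82% | 1 | 1 |
| LockBit | 7.71% | 9 | 5 |
| Akira | 7.71% | 3 | 4 |
| INC Ransom | 6.83% | 4 | 9 |
| DragonForce | 6.39% | 7 | 8 |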

Qilin led ransomware activity at 19.82%, maintaining its top position, while LockBit, Akira, and INC Ransom showed continued presence despite shifts in ranking. DragonForce also remained active, indicating a fragmented but competitive threat landscape.

Victim Sector

| Sector | Percentage | Last Period (Rank) | Movement |
|---|---|---|---|
| manufacturing | 16.96% | 5 | 5 -> 1 |
| technology | 14.54% | 1 | 1 -> 2 |
| construction | 12.33% | 4 | 4 -> 3 |
| financial-services | 11.89% | 3 | 3 -> 4 |
| retail | 11.23% | 2 | 2 -> 5 |

Victim Location

| Country | Percentage | Last Period (Rank) | Movement |
|---|---|---|---|
| USA | 51.76% | 1 | unchanged |
| Germany | 3.74% | | NEW |
| UK | 3.52% | | NEW |
| Canada | 3.52% | 2 | 2 -> 4 |
| France | 3.52% | | NEW |

Victim Org Size

| Size | Percentage | Last Period | Change |
|---|---|---|---|
| Small Business (500 or less) | 82.08% | 79.62% | 2.46% |
| Mid-Market (501-5000) | 13.50% | 16.03% | -2.53% |
| Large Enterprise (5000+) | 4.42% | 4.35% | 0.07% |

Trending Adversaries

Multiple adversaries including APT28, ShinyHunters, and UNC6426 were active, reflecting a mix of established and emerging threat actors operating simultaneously across campaigns.

  • APT28
  • Handala
  • ShinyHunters
  • Silver Dragon
  • UAT-9244
  • UNC6426

Trending & Actively Exploited Vulnerabilities

Actively exploited vulnerabilities span major vendors including Apple, Google, Ivanti, and VMware, indicating widespread targeting of both enterprise systems and consumer technologies.

| CVE | Vendor | Product |
|---|---|---|
| CVE-2021-30952 | Apple | Multiple Products |
| CVE-2023-41974 | Apple | iOS and iPadOS |
| CVE-2023-43000 | Apple | Multiple Products |
| CVE-2025-26399 | SolarWinds | Web Help Desk |
| CVE-2025-68613 | n8n | n8n |
| CVE-2026-1603 | Ivanti | Endpoint Manager (EPM) |
| CVE-2026-21385 | Qualcomm | Multiple Chipsets |
| CVE-2026-22719 | Broadcom | VMware Aria Operations |
| CVE-2026-3909 | Google | Skia |
| CVE-2026-3910 | Google | Chromium V8 |

Trending Malware

| Trending Malware | Details |
|---|---|
| A0Backdoor | Lightweight backdoor used for persistent access and remote command execution on compromised systems. |
| BadPaw Loader | Malware loader designed to deliver additional payloads, often used as an initial infection vector. |
| BlackSanta | Backdoor malware associated with data theft and system control, typically deployed post-compromise. |
| GhostSocks | Proxy-based malware that routes attacker traffic through infected machines to obscure origin. |
| KadNap Botnet | Botnet malware used to control large networks of infected devices for coordinated attacks. |
| MeowMeow Backdoor | Backdoor enabling unauthorized access and potential data exfiltration from compromised hosts. |

Top News

  • Compromised Site Management Panels are a Hot Item in Cybercrime Markets
  • CyberStrikeAI tool adopted by hackers for AI-powered attacks
  • Drone strikes damaged AWS data centers in Middle East
  • Europol-coordinated action disrupts Tycoon2FA phishing platform
  • Fake Claude Code install guides push infostealers in InstallFix attacks
  • FBI seizes LeakBase cybercrime forum, data of 142,000 members
  • Google says 90 zero-days were exploited in attacks last year, paid $17.1 million for vulnerability reports in 2025
  • ShinyHunters claims ongoing Salesforce Aura data theft attacks

Contributors

Written by Jeremy Nichols, former Director Of The Global Threat Intelligence Center
Executive Summaries & Adversary Bios by Geoff Rehmet, Cybersecurity Architect
Produced & Distributed By Phish Tank Digital