Ransomware activity in early March 2026 remained fragmented, led by Qilin with continued pressure across manufacturing, technology, and construction sectors, while small businesses made up the vast majority of victims. The threat landscape featured a mix of established and emerging adversaries, alongside active exploitation of vulnerabilities across major platforms like Apple, Google, and enterprise software, reinforcing a broad, opportunistic attack environment.
Report Links
Download Threat Brief For March 1-15 2026
Byer-Nichols Threat Brief Podcast March 1-15 2026
Ransomware Actors
| Ransomware | Percentage | Last Period | Two Ago |
|---|---|---|---|
| Qilin | 19.82% | 1 | 1 |
| LockBit | 7.71% | 9 | 5 |
| Akira | 7.71% | 3 | 4 |
| INC Ransom | 6.83% | 4 | 9 |
| DragonForce | 6.39% | 7 | 8 |
Qilin led ransomware activity at 19.82%, maintaining its top position, while LockBit, Akira, and INC Ransom showed continued presence despite shifts in ranking. DragonForce also remained active, indicating a fragmented but competitive threat landscape.
Victim Sector
| Sector | Percentage | Last Period | Movement |
|---|---|---|---|
| Manufacturing | 16.96% | 5 | 5 -> 1 |
| Technology | 14.54% | 1 | 1 -> 2 |
| Construction | 12.33% | 4 | 4 -> 3 |
| Financial Services | 11.89% | 3 | 3 -> 4 |
| Retail | 11.23% | 2 | 2 -> 5 |
Victim Location
| Country | Percentage | Last Period | Movement |
|---|---|---|---|
| USA | 51.76% | 1 | unchanged |
| Germany | 3.74% | NEW | |
| UK | 3.52% | NEW | |
| Canada | 3.52% | 2 | 2 -> 4 |
| France | 3.52% | NEW | |
Victim Org Size
| Size | Percentage | Last Period | Change |
|---|---|---|---|
| Small Business (500 or less) | 82.08% | 79.62% | 2.46% |
| Mid-Market (501-5000) | 13.50% | 16.03% | -2.53% |
| Large Enterprise (5000+) | 4.42% | 4.35% | 0.07% |
Trending Adversaries
Multiple adversaries including APT28, ShinyHunters, and UNC6426 were active, reflecting a mix of established and emerging threat actors operating simultaneously across campaigns.
- APT28
- Handala
- ShinyHunters
- Silver Dragon
- UAT-9244
- UNC6426
Trending & Actively Exploited Vulnerabilities
Actively exploited vulnerabilities span major vendors including Apple, Google, Ivanti, and VMware, indicating widespread targeting of both enterprise systems and consumer technologies.
| CVE | Vendor | Product |
|---|---|---|
| CVE-2021-30952 | Apple | Multiple Products |
| CVE-2023-41974 | Apple | iOS and iPadOS |
| CVE-2023-43000 | Apple | Multiple Products |
| CVE-2025-26399 | SolarWinds | Web Help Desk |
| CVE-2025-68613 | n8n | n8n |
| CVE-2026-1603 | Ivanti | Endpoint Manager (EPM) |
| CVE-2026-21385 | Qualcomm | Multiple Chipsets |
| CVE-2026-22719 | Broadcom | VMware Aria Operations |
| CVE-2026-3909 | Skia | |
| CVE-2026-3910 | Chromium V8 | |
Trending Malware
| Trending Malware | Details |
|---|---|
| A0Backdoor | Lightweight backdoor used for persistent access and remote command execution on compromised systems. |
| BadPaw Loader | Malware loader designed to deliver additional payloads, often used as an initial infection vector. |
| BlackSanta | Backdoor malware associated with data theft and system control, typically deployed post-compromise. |
| GhostSocks | Proxy-based malware that routes attacker traffic through infected machines to obscure origin. |
| KadNap Botnet | Botnet malware used to control large networks of infected devices for coordinated attacks. |
| MeowMeow Backdoor | Backdoor enabling unauthorized access and potential data exfiltration from compromised hosts. |
Top News
- Compromised Site Management Panels are a Hot Item in Cybercrime Markets
- CyberStrikeAI tool adopted by hackers for AI-powered attacks
- Drone strikes damaged AWS data centers in Middle East
- Europol-coordinated action disrupts Tycoon2FA phishing platform
- Fake Claude Code install guides push infostealers in InstallFix attacks
- FBI seizes LeakBase cybercrime forum, data of 142,000 members
- Google says 90 zero-days were exploited in attacks last year, paid $17.1 million for vulnerability reports in 2025
- ShinyHunters claims ongoing Salesforce Aura data theft attacks
Contributors
Written by Jeremy Nichols, former Director Of The Global Threat Intelligence Center
Executive Summaries & Adversary Bios by Geoff Rehmet, Cybersecurity Architect
Produced & Distributed By Phish Tank Digital