March 2026 Ransomware Surge: Critical Infrastructure Under Fire March 2026 marked a sharp escalation in ransomware activity, with 780 attacks recorded a 13% increase from February and the second-highest monthly total since February 2025. The surge was driven by targeted campaigns against critical sectors, with state-sponsored and financially motivated threat actors prioritizing high-impact disruptions. ### Key Trends & Sector Impacts - Utilities Under Siege: The utility sector saw a staggering 630% spike, with 22 attacks in March (up from just 3 in February). Sixteen countries were targeted, including six U.S. utility companies, as attackers sought to maximize operational chaos. - Manufacturing & Government Hit Hard: Attacks on manufacturers rose 36%, while government entities faced a 30% increase, reflecting a broader shift toward high-value, high-disruption targets. - Healthcare & Education: Healthcare attacks declined 15%, though six incidents were confirmed across six countries, including Germany, the U.S., and Japan. The education sector remained stable, with 18 attacks (up from 17 in February), including a four-day shutdown at a UK school. ### Ransomware Gangs & Data Theft - Top Threat Actors: Qilin (140 attacks), Akira (80), and The Gentlemen (68) led the month, with Qilin and The Gentlemen also responsible for the most confirmed breaches (7 and 5, respectively). - Massive Data Exfiltration: Over 242 TB of data was stolen, with PEAR’s attack on Monmouth University alone exposing 16 TB. A new group, AiLock, claimed the largest single haul (43 TB), including 129 GB from England Hockey. ### Geographic Hotspots - U.S. Remains Prime Target: The U.S. accounted for 375 attacks (48% of the total), followed by France (32), and Germany, the UK, and Canada (26 each). - Europe’s Rising Threat: France saw a 113% surge, while the UK (+86%) and Germany (+73%) also experienced sharp increases. In contrast, attacks declined in Canada (-21%), India (-40%), and Brazil (-42%). ### Confirmed vs. Unconfirmed Attacks - 55 attacks were confirmed in March, with businesses (33), government (10), healthcare (6), and education (6) making up the bulk. - Unconfirmed attacks (725) followed a similar distribution, though businesses bore the brunt (654 incidents). Many organizations remain silent, either due to non-disclosure policies or delayed breach reporting laws. ### Notable Incidents - Critical Infrastructure: The City of Minot’s (U.S.) water treatment plant was breached, though operations remained unaffected. In Germany, Fernheizwerk Neukölln AG (a heating plant) suffered disruptions to accounting and communications. - Government & Healthcare: Paraguay’s IPS (2 TB stolen), Namibia’s airports, and Spain’s Puerto de Vigo were among confirmed government breaches. In healthcare, Aroostook Mental Health Services (U.S.) refused to pay a ransom, while Japan’s Shiraume Toyooka Hospital was hit by NetRunnerPR. - Manufacturing Disruptions: AkzoNobel (U.S.), LISI Group (France), and OMAX Autos (India) were among the 12 confirmed manufacturing victims, with some facing shipping delays and operational halts. The March 2026 surge underscores a strategic shift toward critical infrastructure and high-value sectors, with ransomware gangs leveraging data theft, operational disruption, and public exposure as primary tactics. As confirmation lags continue, the true scale of the month’s attacks may grow in the coming weeks.

Anubis Ransomware Gang Claims 170GB Data Theft from AkzoNobel in February Breach In December 2024, the Anubis ransomware operation emerged as a ransomware-as-a-service (RaaS) group, and in February 2025, it breached Dutch paint manufacturer AkzoNobel, exfiltrating approximately 170,000 files totaling 170GB of sensitive data. The stolen material includes confidential client agreements, employee contact details, private emails, passport scans, and technical documents. AkzoNobel, a global company with 35,000 employees and brands like Dulux and Sikkens, confirmed the incident at one of its U.S. sites, stating the breach had been contained with limited impact. The attack occurred on February 24, when the threat actor FulcrumSec exploited the React2Shell vulnerability in an unpatched React frontend application to gain access to AkzoNobel’s AWS infrastructure. The company has not disclosed whether it is negotiating with the attackers. Anubis has previously deployed a data wiper capable of permanently destroying files, adding to the severity of its attacks. Meanwhile, Iranian threat group Dust Specter has been linked to a separate campaign, spoofing Iraq’s Ministry of Foreign Affairs to target Iraqi government officials with new malware strains SplitDrop, TwinTask, TwinTalk, and GhostForm as part of an AI-powered intrusion operation first detected in January. The breach highlights ongoing risks from unpatched vulnerabilities and the evolving tactics of ransomware groups, including the use of destructive payloads alongside data exfiltration.

AkzoNobel Confirms Cyberattack on U.S. Site as Anubis Ransomware Gang Leaks Stolen Data Dutch multinational paint and coatings giant AkzoNobel has confirmed a cybersecurity breach at one of its U.S. sites, following a data leak by the Anubis ransomware gang. The company stated that the incident was contained and limited to the affected location, with no broader impact on its global operations. In a statement to BleepingComputer, AkzoNobel acknowledged the breach, noting that it is notifying impacted parties and collaborating with authorities. The company, which employs 35,000 people and generates over $12 billion in annual revenue, owns well-known brands such as Dulux, Sikkens, International, and Interpon. The Anubis ransomware group claimed responsibility for the attack, alleging it exfiltrated 170GB of data nearly 170,000 files from AkzoNobel. Leaked samples on the gang’s dark web site include confidential client agreements, internal emails, passport scans, technical specifications, and material testing documents. The full dataset has not yet been released, and AkzoNobel has not disclosed whether it engaged with the attackers. Anubis, a ransomware-as-a-service (RaaS) operation, emerged in December 2024 and gained traction after launching an affiliate program on the RAMP cybercrime forum in February 2025. The group offers affiliates 80% of ransom payments and has since expanded its tactics, including a data-wiping tool introduced in June 2025 to prevent file recovery. The breach marks another high-profile attack by the increasingly active ransomware group.