March 2026 Ransomware Surge: Critical Infrastructure Under Fire
March 2026 marked a sharp escalation in ransomware activity, with 780 attacks recorded, a 13% increase from February and the second-highest monthly total since February 2025. The surge was driven by targeted campaigns against critical sectors, with state-sponsored and financially motivated threat actors prioritizing high-impact disruptions.
Key Trends & Sector Impacts
- Utilities Under Siege: The utility sector saw a staggering 630% spike, with 22 attacks in March (up from just 3 in February). Sixteen countries were targeted, including six U.S. utility companies, as attackers sought to maximize operational chaos.
- Manufacturing & Government Hit Hard: Attacks on manufacturers rose 36%, while government entities faced a 30% increase, reflecting a broader shift toward high-value, high-disruption targets.
- Healthcare & Education: Healthcare attacks declined 15%, though six incidents were confirmed across six countries, including Germany, the U.S., and Japan. The education sector remained stable, with 18 attacks (up from 17 in February), including a four-day shutdown at a UK school.
Ransomware Gangs & Data Theft
- Top Threat Actors: Qilin (140 attacks), Akira (80), and The Gentlemen (68) led the month, with Qilin and The Gentlemen also responsible for the most confirmed breaches (7 and 5, respectively).
- Massive Data Exfiltration: Over 242 TB of data was stolen, with PEAR’s attack on Monmouth University alone exposing 16 TB. A new group, AiLock, claimed the largest single haul (43 TB), including 129 GB from England Hockey.
Geographic Hotspots
- U.S. Remains Prime Target: The U.S. accounted for 375 attacks (48% of the total), followed by France (32), and Germany, the UK, and Canada (26 each).
- Europe’s Rising Threat: France saw a 113% surge, while the UK (+86%) and Germany (+73%) also experienced sharp increases. In contrast, attacks declined in Canada (-21%), India (-40%), and Brazil (-42%).
Confirmed vs. Unconfirmed Attacks
- 55 attacks were confirmed in March, with businesses (33), government (10), healthcare (6), and education (6) making up the bulk.
- Unconfirmed attacks (725) followed a similar distribution, though businesses bore the brunt (654 incidents). Many organizations remain silent, either due to non-disclosure policies or delayed breach reporting laws.
Notable Incidents
- Critical Infrastructure: The City of Minot’s (U.S.) water treatment plant was breached, though operations remained unaffected. In Germany, Fernheizwerk Neukölln AG (a heating plant) suffered disruptions to accounting and communications.
- Government & Healthcare: Paraguay’s IPS (2 TB stolen), Namibia’s airports, and Spain’s Puerto de Vigo were among confirmed government breaches. In healthcare, Aroostook Mental Health Services (U.S.) refused to pay a ransom, while Japan’s Shiraume Toyooka Hospital was hit by NetRunnerPR.
- Manufacturing Disruptions: AkzoNobel (U.S.), LISI Group (France), and OMAX Autos (India) were among the 12 confirmed manufacturing victims, with some facing shipping delays and operational halts.
The March 2026 surge underscores a strategic shift toward critical infrastructure and high-value sectors, with ransomware gangs leveraging data theft, operational disruption, and public exposure as primary tactics. As confirmation lags continue, the true scale of the month’s attacks may grow in the coming weeks.
Source: https://www.comparitech.com/news/ransomware-roundup-march-2026/
"id": "AKZINSHYDPOWWES1775047452",
"linkid": "akzonobel, instituto-acende-brasil, hydromax-usa, powercom-namibia, western-monmouth-utilities-authority",
"type": "Ransomware",
"date": "3/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': 'Utilities',
'location': 'U.S.',
'name': 'City of Minot (Water Treatment Plant)',
'type': 'Government'},
{'industry': 'Utilities',
'location': 'Germany',
'name': 'Fernheizwerk Neukölln AG',
'type': 'Business'},
{'industry': 'Healthcare',
'location': 'Paraguay',
'name': 'Paraguay’s IPS',
'type': 'Government'},
{'industry': 'Transportation',
'location': 'Namibia',
'name': 'Namibia’s airports',
'type': 'Government'},
{'industry': 'Transportation',
'location': 'Spain',
'name': 'Puerto de Vigo',
'type': 'Government'},
{'industry': 'Healthcare',
'location': 'U.S.',
'name': 'Aroostook Mental Health Services',
'type': 'Business'},
{'industry': 'Healthcare',
'location': 'Japan',
'name': 'Shiraume Toyooka Hospital',
'type': 'Business'},
{'industry': 'Education',
'location': 'U.S.',
'name': 'Monmouth University',
'type': 'Education'},
{'industry': 'Sports',
'location': 'UK',
'name': 'England Hockey',
'type': 'Business'},
{'industry': 'Manufacturing',
'location': 'U.S.',
'name': 'AkzoNobel',
'type': 'Business'},
{'industry': 'Manufacturing',
'location': 'France',
'name': 'LISI Group',
'type': 'Business'},
{'industry': 'Manufacturing',
'location': 'India',
'name': 'OMAX Autos',
'type': 'Business'},
{'industry': 'Education',
'location': 'UK',
'name': 'UK School (unspecified)',
'type': 'Education'}],
'data_breach': {'data_exfiltration': '242 TB',
'sensitivity_of_data': 'High',
'type_of_data_compromised': ['Personally identifiable '
'information',
'Operational data',
'Sensitive business data']},
'date_detected': '2026-03-01',
'date_publicly_disclosed': '2026-03-31',
'description': 'March 2026 marked a sharp escalation in ransomware activity, '
'with 780 attacks recorded (a 13% increase from February) and '
'the second-highest monthly total since February 2025. The '
'surge was driven by targeted campaigns against critical '
'sectors, with state-sponsored and financially motivated '
'threat actors prioritizing high-impact disruptions. Key '
'trends included a 630% spike in utility sector attacks, a 36% '
'rise in manufacturing attacks, and a 30% increase in '
'government attacks. Over 242 TB of data was stolen, with '
'notable incidents affecting critical infrastructure, '
'healthcare, and manufacturing.',
'impact': {'data_compromised': '242 TB',
'downtime': ['Four-day shutdown (UK school)',
'Shipping delays (manufacturing)'],
'operational_impact': ['Disruptions to accounting and '
'communications (Fernheizwerk Neukölln AG)',
'Operational halts (manufacturing)']},
'investigation_status': 'Ongoing',
'motivation': ['Financial gain', 'Operational disruption', 'Data theft'],
'ransomware': {'data_exfiltration': 'Yes',
'ransom_paid': 'No (Aroostook Mental Health Services)',
'ransomware_strain': ['Qilin',
'Akira',
'The Gentlemen',
'AiLock',
'NetRunnerPR']},
'references': [{'date_accessed': '2026-03-31',
'source': 'Cyber Incident Report (March 2026)'}],
'threat_actor': ['Qilin', 'Akira', 'The Gentlemen', 'AiLock', 'NetRunnerPR'],
'title': 'March 2026 Ransomware Surge: Critical Infrastructure Under Fire',
'type': 'Ransomware'}