F5, Rockwell Automation, Fortinet and Cisco: March 2026 Cyber Threat Landscape Fueled by Ransomware, Breaches, and Access Markets

March 2026 Cyber Threat Landscape: Ransomware, Access Brokers, and Critical Vulnerabilities Drive Global Risks

The cybersecurity threat landscape in March 2026 saw heightened activity, with ransomware attacks, data breaches, and underground access markets shaping a volatile environment. According to Cyble Research & Intelligence Labs (CRIL), financially motivated cybercriminals intensified their operations, targeting industries reliant on uptime or handling sensitive data.

Ransomware Surges, Dominated by Five Major Groups

Ransomware remained the leading attack vector, with 702 incidents recorded globally. Five threat groups (Qilin, Akira, The Gentlemen, Dragonforce, and INC Ransom) accounted for 56% of all activity, leveraging double-extortion tactics to maximize pressure on victims. The most affected sectors included:

  • Construction
  • Professional Services
  • Manufacturing
  • Healthcare
  • Energy & Utilities

The U.S. was the primary target, influenced by geopolitical tensions, including those involving Iran.

Compromised Access Market Expands

The sale of unauthorized network access surged, with 20 incidents tracked across cybercrime forums. Professional Services (25%) and Retail (20%) were the most targeted sectors. Three threat actors (vexin, holyduxy, and algoyim) dominated the market, facilitating ransomware, espionage, and financial fraud.

Data Breaches Expose Massive Volumes of Sensitive Information

CRIL documented 54 significant data breaches, with notable incidents including:

  • "nightly" claiming theft of 5TB of data from Hospitality Holdings, including biometric data and CCTV footage.
  • XP95 advertising 3.8TB of South African government data for sale.
  • A breach exposing 95,000 travel records, including passport and payment details.

Critical Vulnerabilities Exploited at Scale

Attackers actively targeted flaws in CISA’s Known Exploited Vulnerabilities (KEV) catalog, including:

  • CVE-2026-20131 (Cisco Secure Firewall Management Center)
  • CVE-2025-53521 (F5 BIG-IP APM)
  • CVE-2026-20963 (Microsoft SharePoint Server)
  • CVE-2026-33017 (Langflow AI)
  • CVE-2021-22681 (Rockwell Automation ICS)

Both zero-day exploits and unpatched legacy vulnerabilities were weaponized, highlighting persistent patch management gaps.

Emerging Threats: AI, Supply Chain, and Geopolitical Risks
