March was a full-blown escalation. An Iran-linked hacktivist group wiped 200,000 devices at a Fortune 500 company using the company’s own IT tools. The biggest phishing-as-a-service platform on the planet got taken down — and was back up within weeks. Europol nuked over 373,000 dark web sites in a single operation. And ransomware numbers hit the highest monthly total of the year so far, with 808 victims across 65 active groups.
Here’s the full rundown.
Handala Wiped 200,000 Stryker Devices Across 79 Countries
This was the story of the month, and probably one of the most significant cyberattacks of the year so far. On the morning of March 11, employees at medical technology giant Stryker — a Fortune 500 company with $25 billion in annual revenue and 56,000 employees worldwide — turned on their computers and found them wiped clean. Login screens were replaced with the logo of Handala, an Iran-linked hacktivist group tied to Iran’s Ministry of Intelligence and Security.
The scale was staggering. Handala claimed it erased data from over 200,000 systems, servers, and mobile devices across 79 countries. It also claimed to have exfiltrated 50 terabytes of data before pulling the trigger. Manufacturing halted at Stryker’s Ireland facilities. Approximately 5,500 employees in Cork were sent home. Stryker’s stock dropped about 9%.
What makes this attack particularly notable is how it was carried out. No ransomware. No traditional wiper malware. Investigators believe the attackers compromised a Microsoft Intune administrator account and used Intune’s own legitimate remote wipe functionality to simultaneously erase every enrolled corporate device. One stolen password, one legitimate admin tool, 200,000 wiped devices. Stryker employees on Reddit reported being urgently told to uninstall Intune from personal devices as well.
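One defensive takeaway from the Intune angle is that a mass wipe through a management platform leaves a very loud audit trail: one principal issuing far more wipe commands than any admin would in normal operations. The burst detector below is an added example, not code from the original post or from Microsoft or Stryker; the log lines are constructed in a simplified shape, and the action names are assumptions you would map from your own MDM audit export.

```python
"""Burst detector for MDM remote-wipe actions.

Added example, not from the original post or from any vendor. The event
shape below is constructed and simplified; real Intune or Entra audit
exports differ, so map their fields into this shape before running it.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: one admin issues six wipes inside five minutes,
# a helpdesk account issues a single wipe plus an unrelated sync.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in
    [{"time": f"2026-03-11T06:0{i}:00Z", "actor": "admin-a@corp.example",
      "action": "RemoteWipe", "device": f"LAP-{i:04d}"} for i in range(6)]
    + [{"time": "2026-03-11T09:15:00Z", "actor": "helpdesk@corp.example",
        "action": "RemoteWipe", "device": "LAP-9001"},
       {"time": "2026-03-11T09:16:00Z", "actor": "helpdesk@corp.example",
        "action": "SyncDevice", "device": "LAP-9002"}])

# Assumed action names for destructive device operations; adjust to your platform.
WIPE_ACTIONS = {"RemoteWipe", "Retire", "FreshStart"}


def parse_events(text):
    """Yield one dict per non-empty JSON line, with 'time' parsed to datetime."""
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["time"] = datetime.strptime(event["time"], "%Y-%m-%dT%H:%M:%SZ")
        yield event


def detect_wipe_bursts(text, window=timedelta(minutes=10), threshold=5):
    """Return {actor: peak number of wipe actions within any `window`}
    for every actor whose peak reaches `threshold`."""
    peaks = {}
    recent = defaultdict(deque)  # actor -> timestamps of wipes in the sliding window
    for event in sorted(parse_events(text), key=lambda e: e["time"]):
        if event["action"] not in WIPE_ACTIONS:
            continue
        queue = recent[event["actor"]]
        queue.append(event["time"])
        while queue and event["time"] - queue[0] > window:
            queue.popleft()  # drop wipes that fell out of the window
        if len(queue) >= threshold:
            peaks[event["actor"]] = max(peaks.get(event["actor"], 0), len(queue))
    return peaks
```

In a real deployment the threshold should sit just above the largest legitimate batch your helpdesk ever issues, and the alert should fire fast enough to revoke the admin session before the queue drains.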
Handala said the attack was retaliation for a U.S. missile strike that hit an Iranian school on February 28, killing at least 175 people. They called Stryker a “Zionist-rooted corporation,” referencing its 2019 acquisition of Israeli company OrthoSpace and a $450 million U.S. Department of Defense contract. Stryker filed an SEC 8-K confirming a “severe global disruption” to its Microsoft environment but stressed no ransomware or malware was involved and that the incident was contained.
The FBI seized Handala’s websites on March 19. CISA issued an advisory urging all organizations to lock down their device management platforms. Hospitals that used Stryker’s online services, including LifeNet for transmitting EKGs, disconnected as a precaution. The American Hospital Association was actively monitoring the situation.
This wasn’t just a cyberattack. It was a geopolitical statement executed through enterprise IT tools.
Tycoon 2FA Got Taken Down — Then Came Right Back
On March 4, a coordinated international operation involving Europol, Microsoft, Cloudflare, Proofpoint, Trend Micro, and law enforcement from six countries dismantled Tycoon 2FA, one of the most prolific phishing-as-a-service platforms ever built. They seized 330 domains forming the backbone of the operation.
Tycoon 2FA had been running since 2023, offering subscribers a turnkey phishing kit starting at about $120 that could bypass multi-factor authentication on Microsoft 365 and Gmail in real time. It worked as an adversary-in-the-middle proxy — sitting between the victim and the legitimate login page, passing credentials through and snagging session tokens on the way back. Once the attacker had the session token, MFA was completely irrelevant.
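The reason a proxy like this beats OTP-based MFA but not origin-bound authentication is worth seeing in code. The model below is an added example, not code from the original post or from any of the vendors named; all origins and credentials are constructed, and an HMAC stands in for the asymmetric signature a real WebAuthn authenticator would produce.

```python
"""Model of an adversary-in-the-middle login relay.

Added example, not from the original post or any vendor. Origins and the
victim credential are constructed; HMAC replaces the real public-key
signature so the example runs offline.
"""
import hashlib
import hmac
import secrets

RP_ORIGIN = "https://login.example"           # constructed legitimate origin
PHISH_ORIGIN = "https://login-example.phish"  # constructed proxy origin


class RelyingParty:
    def __init__(self):
        self.password = "correct-horse"          # constructed victim password
        self.cred_key = secrets.token_bytes(32)  # stand-in for the registered public key
        self.sessions = set()

    def _issue_session(self):
        token = secrets.token_hex(16)
        self.sessions.add(token)
        return token

    def login_otp(self, password, otp):
        """OTP flow: whoever relays the right values receives the session token."""
        if password == self.password and otp == "123456":
            return self._issue_session()
        return None

    def challenge(self):
        return secrets.token_hex(16)

    def login_webauthn(self, challenge, client_origin, signature):
        """The assertion covers the origin the browser actually saw, so a
        signature produced on the phishing domain never verifies for RP_ORIGIN."""
        expected = sign_assertion(self.cred_key, challenge, client_origin)
        if client_origin == RP_ORIGIN and hmac.compare_digest(expected, signature):
            return self._issue_session()
        return None


def sign_assertion(key, challenge, origin):
    # In real WebAuthn the authenticator holds a private key scoped to the RP ID;
    # here the shared key is only a stand-in so the check is reproducible.
    return hmac.new(key, f"{challenge}|{origin}".encode(), hashlib.sha256).hexdigest()


def simulate(rp, origin_seen_by_browser):
    """Victim logs in through the given origin; return (otp_token, webauthn_token).
    The proxy forwards password, OTP and challenge unchanged and reads the reply."""
    otp_token = rp.login_otp("correct-horse", "123456")
    challenge = rp.challenge()
    signature = sign_assertion(rp.cred_key, challenge, origin_seen_by_browser)
    return otp_token, rp.login_webauthn(challenge, origin_seen_by_browser, signature)
```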
The numbers were wild. Microsoft said Tycoon 2FA accounted for roughly 62% of all phishing attempts it blocked in 2025 and was linked to over 30 million phishing emails per month. Since its inception, it had enabled more than 64,000 confirmed phishing incidents affecting nearly 100,000 organizations. The platform operator was tracked by Microsoft as Storm-1747.
Here’s the catch: it didn’t stay down. CrowdStrike reported that attack volumes dropped to about 25% of normal levels on March 4 and 5, then quickly bounced right back to pre-takedown levels. Campaign activity, cloud compromises, and business email compromise attempts all returned to early 2026 baselines within weeks. The TTPs didn’t change either, suggesting the infrastructure was rebuilt or rerouted with minimal effort.
Takedowns slow these platforms down. They rarely kill them.
Operation Alice Nuked 373,000 Dark Web Sites
On March 9, Europol launched Operation Alice, a German-led law enforcement effort that resulted in the takedown of over 373,000 dark web sites and the seizure of 105 servers. Twenty-three countries participated, including the US, UK, France, Germany, Australia, and Ukraine.
The primary target was a massive fraudulent network called “Alice with Violence CP” run by a Chinese national since around 2019. The operation advertised child sexual abuse material and cybercrime-as-a-service across over 90,000 onion domains. Buyers could purchase “packages” using Bitcoin at prices ranging from about $20 to $250.
The twist: the whole thing was a scam. None of the advertised services actually existed. The operator made roughly $400,000 from around 10,000 customers who paid for content or services that were never delivered. But those 10,000 customers were now in law enforcement’s crosshairs. By the time the operation wrapped on March 19, police had identified 440 buyers, with over 100 under active investigation. Whenever children were thought to be in danger based on the intelligence gathered, officers moved immediately on suspects.
Ransomware Numbers Hit 2026’s Highest Month
March was the busiest ransomware month of the year. Breachsense tracked 808 companies claimed on ransomware leak sites, up 19% from February’s 680. A total of 65 distinct ransomware groups were active, up from 54 in February. The ecosystem is expanding, not contracting.
Qilin topped the charts again with 131 victims — their highest single month ever and the third consecutive month above 100. Akira came in second with 84. TheGentlemen were third with 64.
The United States absorbed half of all attacks — 404 claims out of 808. France was second with 36, Germany third with 32. Some notable country-level shifts: France saw a 113% increase in attacks from February. The UK was up 86%. Germany up 73%. Spain up 58%.
Manufacturing stayed the most targeted sector with 76 victims. But the real outlier was utilities — attacks jumped over 630% from 3 in February to 22 in March, across 16 different countries. State-sponsored groups increasingly view critical infrastructure as high-value targets for maximum disruption. Government entities also saw a 30% jump.
Ten new ransomware operators were identified in March alone: AiLock, ALP-001, ATTACKER, Audit Team, Exitium, Krybit, Loki, MNT6, NetRunner, and XP95. The underground is not running out of new entrants.
Medusa Demanded $800K From a Hospital and a County Government
Medusa had a busy month. They formally claimed the February 19 attack on the University of Mississippi Medical Center, posting it on their leak site on March 12 with a demand of $800,000 and a deadline of March 20. They claimed to have stolen over 1TB of data including patient health information and employee records. The FBI and Department of Homeland Security were brought in. UMMC had finally reopened its 35 clinics on March 2 after a nine-day closure.
Five days later, Medusa hit again — this time targeting Passaic County, New Jersey. The attack disrupted phone lines and IT infrastructure serving nearly 600,000 residents. Same ransom demand: $800,000. Medusa operates on a ransomware-as-a-service model, with multiple affiliates using the same toolkit. They’ve claimed over 400 victims in the first three months of 2026 alone.
Foster City Declared a State of Emergency After Ransomware
On March 19, the city of Foster City, California was hit by a ransomware attack that took down nearly all municipal services. City officials declared a state of emergency. At the time of reporting, it remained unknown whether citizen data was compromised. The attack joins a growing pattern of ransomware targeting smaller municipal governments that run on tight budgets and aging systems.
Foster City wasn’t alone. Other local government targets in March included the city of Meriden, Connecticut (hit by Qilin), and multiple Orange County, California municipalities that dealt with breach fallout throughout the month.
Cegedim Breach Exposed 15.8 Million French Patient Records
A breach at Cegedim’s MonLogicielMedical platform — used by 3,800 French doctors — resulted in 15.8 million patient records being stolen, making it one of the largest healthcare data breaches in European history. The breach happened in late 2025; Cegedim detected it and filed a criminal complaint in October, but said nothing publicly for four months. France24 broke the story and Cegedim confirmed it on March 3.
The most damaging detail: 165,000 of the stolen files contained doctors’ free-text notes with HIV status, psychiatric diagnoses, sexual orientation, and mental health conditions. Politicians were reportedly among those exposed. To make things worse, France’s data regulator CNIL had already fined Cegedim 800,000 euros in September 2024 for illegally processing this exact category of sensitive health data. The fine clearly didn’t change much.
Aura — the Identity Theft Protection Company — Got Breached
This is the irony-of-the-month award. Aura, a company that sells identity theft protection to consumers, confirmed it was breached after one of its own employees fell for a voice phishing call. The attacker impersonated a trusted contact, convinced the employee to hand over access, and walked out with names, email addresses, home addresses, and phone numbers for roughly 900,000 people. Aura claims only about 35,000 were actual customers, but the optics are about as bad as they get when your entire product is built on the promise of keeping people’s data safe.
Marquis Breach Hit 74 Banks — Seven Months Later
Marquis Software Solutions, a Texas-based provider of data analytics and CRM services to over 700 US banks and credit unions, disclosed in March that a ransomware attack from August 2025 had stolen data belonging to over 672,000 individuals. The breach disrupted operations at 74 downstream banks.
The attackers compromised a SonicWall firewall to get in and deployed ransomware from there. Stolen data included names, dates of birth, Social Security numbers, and financial account information. Marquis subsequently sued SonicWall, alleging security failures enabled the compromise. The seven-month gap between the breach and public disclosure means affected individuals had no idea their data was circulating for the better part of a year.
Stolen Airline Miles Are Now a Dark Web Commodity
Flare published research in March showing that stolen airline loyalty program accounts are now being actively converted into flights and hotel stays, then resold as discounted travel on underground markets. Compromised frequent flyer accounts are treated as tradable currency across Telegram channels and dark web forums. It’s a niche that’s been growing quietly but has become organized enough to warrant dedicated vendor operations.
Separately, compromised cPanel credentials — the backend management panels for web hosting — are being sold in bulk as plug-and-play phishing and scam infrastructure. Flare analyzed over 200,000 underground posts and found a fully commoditized market where hacked site management panels are bought and resold like wholesale inventory.
Tax Season Malvertising Campaign Targeting Americans
The Hacker News reported on a large-scale malvertising campaign active since January 2026 that has been specifically targeting US individuals and businesses searching for tax-related documents. Attackers are buying Google Ads that impersonate legitimate tax software downloads. The fake installers deploy a tool that disables endpoint security software before deeper compromise takes hold.
Over 60 confirmed malicious sessions were identified. With April 15 approaching at the time of writing, the campaign is still active. The IRS also released its annual “Dirty Dozen” scam list, highlighting persistent threats including impersonation scams via email, text, and phishing. McAfee reported that nearly 1 in 4 US adults had been contacted by fake IRS entities, with spikes in W-2 phishing and over 1,400 malicious tax domains registered since late 2025.
Qilin Went After Dow Chemical and Romania’s Pipeline Operator
Qilin had a massive March beyond just the raw numbers. They claimed a hit on Dow Inc., the US-based chemical manufacturing giant, alleging they accessed corporate systems and exfiltrated internal data. Dow hasn’t publicly commented and the claims remain unverified. They also claimed Tennessee Valley Electric Cooperative, though they didn’t provide supporting evidence.
The group continued pursuing critical infrastructure targets — a theme they’ve been consistent with through Q1 2026. Combined with their 342 total victims across the first three months of the year, Qilin is operating at a pace that no other ransomware group can match right now.
Google Unleashed Gemini AI on the Dark Web
At RSAC 2026, Google announced it’s now using Gemini AI agents to crawl the dark web, processing upward of 10 million posts per day to identify relevant threats for specific organizations. The tool is available in public preview as part of Google Threat Intelligence.
The system builds an organizational profile, then automatically scours dark web forums for initial access broker activity, data leaks, insider threats, and other intelligence that matches the customer’s profile. Google’s team said internal tests showed 98% accuracy, compared to the 80-90% false positive rates from traditional keyword-scraping dark web monitoring tools. It’s a significant upgrade from the Dark Web Report tool Google killed back in February — except this one is aimed at enterprise customers, not regular users.
By the Numbers
March 2026 totals: 808 ransomware victims claimed across 65 groups in 75 countries. The US accounted for 50% of all claims. Manufacturing led with 76 victims. Utilities saw a 630% month-over-month jump. Ten brand new ransomware operators appeared. If March sets the new baseline rather than being a one-month spike, 2026 is on track for over 8,600 ransomware victims — a significant jump from 2025’s 7,308 total.
Weekly global cyber attacks averaged over 2,000 per organization for the second consecutive month. The Stryker wiper attack showed that destruction, not just encryption, is now on the table from geopolitically motivated groups. And a phishing platform that law enforcement spent months planning to dismantle was back at full capacity within three weeks.
April’s going to be fun.