March 2026 was a reminder that “cyber attack” is no longer shorthand for “ransomware encryption”. We saw data-theft-first extortion at telecom scale, destructive wiper activity aimed at maximum disruption, and a sharp rise in infrastructure and supply chain compromises that bypass traditional perimeter thinking.
Below is a practical, incident-led review of what mattered in March 2026 (with specific dates), what these events tell us about today’s threat actor playbooks, and what decision-makers should prioritise next—especially if your SOC runs on Microsoft’s security stack.
March 2026 in one page: what changed
Three themes stood out across the month:
- Extortion is increasingly “leak-led” rather than “encrypt-led”. Large-scale theft and coercion are now a default path to pressure, even when encryption never happens (or is secondary). (techradar.com)
- Destruction is back in the spotlight. Wiper-style outcomes are designed to create immediate operational pain, political messaging, and reputational damage—often faster than ransomware negotiations. (apnews.com)
- Your dependencies are part of your attack surface. Edge devices (routers, firewalls) and developer supply chain components became headline risk multipliers in March 2026. (arstechnica.com)
For boards, this shifts the KPI from “did we get encrypted?” to “how quickly can we detect lateral movement, contain blast radius, and prove what data did (or didn’t) leave our environment?”
Major incidents: what happened and why it mattered
AkzoNobel: Anubis ransomware claim and US-site breach
In early March, AkzoNobel confirmed a network breach impacting a US site, with reporting linking the incident to claims by the Anubis ransomware operation. Public reporting indicated Anubis claimed theft of a large dataset (including a claim of ~170,000 files / ~170GB) and showed leak-site proof artefacts. (scworld.com)
Why this matters for manufacturing and enterprise IT
- This is the now-common pattern: intrusion + exfiltration + selective proof to force leverage, regardless of whether encryption becomes the main event.
- “One site impacted” still creates enterprise-wide risk when identity, shared services, or supplier connectivity is involved.
Board-level question to ask
- If a threat actor claims data theft, can we validate it quickly (not in weeks), and can we prove containment credibly to regulators, customers, and partners?
Telus Digital: ShinyHunters and petabyte-scale theft claims
Telus Digital confirmed a breach after the ShinyHunters group claimed theft of an enormous volume of data—reporting described claims of “almost 1 petabyte” (with some estimates lower, but still vast). (techradar.com)
Why this matters for telecom, outsourcers, and regulated supply chains
- The risk is not only the direct impact. Service providers can become a single point of concentration for client data, workflows, and downstream access.
- ShinyHunters-style operations reinforce that data extortion can be commercially devastating even without widespread encryption.
What to take from the ShinyHunters playbook
- Assume the attacker’s objective is leverage at scale: identity data, contracts, customer artefacts, and anything that fuels secondary fraud.
Stryker: Iran-linked “Handala” claims and wiper-style disruption
Stryker publicly reported a cyberattack that disrupted global networks, while multiple outlets covered claims by a group calling itself Handala, including allegations of large-scale wiping and data theft. This event drew attention precisely because of the destructive, coercive character of the claims and the operational disruption described. (apnews.com)
Why this matters for healthcare and medtech
- Wiper outcomes turn incident response into a business continuity crisis immediately.
- Even when details remain contested in public narratives, the operational lesson is stable: destructive capability paired with identity/device management reach is a worst-case combination.
If your clinical or manufacturing environments rely on centralised device management and identity controls, your incident response plan must explicitly cover “wiper-like” scenarios, not just ransomware encryption.
Healthcare impact spotlight: Catalyst RCM and the patient-data reality
Revenue cycle and healthcare-adjacent providers remain attractive because they combine sensitive data with operational urgency.
Catalyst RCM published a notice describing unauthorised access using valid credentials to access a server in November 2025, with notification activity surfacing publicly in 2026. (catalystrcm.com)
Why leadership should care
- “Authorised credentials used” is the phrase that should trigger investment, because it points to identity-driven compromise paths (stolen creds, phishing, session theft, weak MFA posture).
- These events tend to create long-tail costs: disclosure, legal overhead, patient trust damage, and vendor risk scrutiny.
Emerging threats in March 2026: not ransomware, still business-critical
KadNap botnet: ASUS routers conscripted into a resilient proxy network
Researchers reported a takedown-resistant botnet affecting around 14,000 routers/edge devices, largely ASUS, used to proxy traffic for cybercrime and anonymisation. The peer-to-peer design and persistence behaviours were highlighted as key challenges. (arstechnica.com)
Why this matters to CISOs and CIOs
- Compromised edge devices can become your “invisible” risk: outbound traffic, credential interception, staging, and reputation damage.
- Proxy botnets complicate attribution and make downstream attacks harder to block by IP alone.
Practical action
- Ensure your asset inventory includes “small” edge infrastructure, not just servers and endpoints.
- Treat router firmware and remote management settings as a compliance-grade control.
LiteLLM supply chain compromise: malicious PyPI releases and credential theft
In late March, security researchers reported that LiteLLM PyPI releases (notably versions 1.82.7 and 1.82.8) were compromised and included credential-stealing functionality, and advised treating affected hosts and CI jobs as credential exposure events. (sonatype.com)
Why this matters beyond developers
- Supply chain incidents jump from “developer tooling” to “enterprise breach” quickly when secrets, CI/CD tokens, and cloud credentials are exposed.
- The operational challenge is speed: you need to identify where the package ran, what secrets were present, and what those secrets touched.
Executive takeaway
- Dependency risk is now operational risk. It belongs in governance, not just engineering.
Critical vulnerabilities: CVE-2026-20131 and why patch speed became the story
Cisco published a critical advisory for CVE-2026-20131 affecting Secure Firewall Management Centre (FMC), with a CVSS 10.0 rating and no workarounds listed—meaning patching is the primary control. (sec.cloudapps.cisco.com)
Independent reporting and threat bulletins also described in-the-wild exploitation activity and urgency around remediation. (f5.com)
Why this matters
- Firewall management planes are “force multipliers”. If compromised, they can become a control point to weaken segmentation, push policy changes, or support broader intrusion.
- Patch latency is no longer an IT hygiene issue; it is a risk acceptance decision that attackers actively monetise.
What these March 2026 attacks teach about threat actor tactics
Across the month’s incidents, several tactical patterns repeated:
- Credential-led access (rather than exotic exploits) remains the most reliable entry point in many environments. (catalystrcm.com)
- Exfiltration first supports extortion regardless of encryption outcomes. (scworld.com)
- Narrative warfare is part of the attack lifecycle: leak sites, public claims, and timed pressure are operational tools, not just marketing. (axios.com)
- Edge and supply chain attacks reduce the need to “break in the front door” of a hardened enterprise. (arstechnica.com)
Priority actions for decision-makers (next 30 days)
If you lead security or technology for government, NHS-adjacent organisations, enterprises, MSPs, or MSSPs, these are high-return moves:
- Patch governance for critical edge systems: define owners, deadlines, and escalation paths for “CVSS 9–10” vulnerabilities that affect management planes. (sec.cloudapps.cisco.com)
- Prove your containment capability: can you answer "what data moved where?" with evidence, fast, during an extortion event?
- Harden identity and reduce standing privilege: credential misuse keeps showing up as a decisive factor. (catalystrcm.com)
- Treat CI/CD and developer tooling as production-grade risk: inventory what runs in pipelines, where secrets live, and how quickly you can rotate them post-exposure. (securitylabs.datadoghq.com)
Where SecQube fits: faster, simpler Microsoft Sentinel SOC automation
Many SOC teams struggle with the same bottleneck March 2026 exposed: too many alerts, too little time, and inconsistent triage quality when the pressure is highest.
SecQube’s platform is built for Microsoft Sentinel SOC automation, with a cloud-native, serverless SaaS approach in Azure and a strong focus on data sovereignty. Harvey®, SecQube’s conversational AI assistant, helps teams investigate, triage, and respond with consistency—without forcing every analyst to be a KQL specialist.
That matters in months like March 2026, because speed and repeatability are what reduce blast radius when:
- threat actors move from theft to coercion quickly,
- destructive actions remove your luxury of time,
- and critical vulnerabilities demand rapid, confident operational decisions.
Learn more about SecQube and Harvey AI at SecQube.
Suggested executive briefing agenda (15 minutes)
- What happened in March 2026 (3 minutes)
- Which scenarios match our environment (5 minutes)
- Patch and identity decisions we must make this month (4 minutes)
- What SOC automation and playbooks will we standardise (3 minutes)
Final thought: resilience now means answering hard questions quickly
March 2026 wasn’t just loud—it was instructive. The organisations that fare best aren’t the ones that never get targeted; they’re the ones that can detect faster, triage consistently, contain decisively, and communicate with evidence while the attacker is trying to control the narrative.
If you want, I can adapt this review into:
- a board-ready one-pager for CIO/CISO/CEO audiences,
- a sector-specific version (NHS-adjacent, local government, MSP/MSSP, manufacturing),
- or a Sentinel-focused checklist mapping these incidents to detection/response improvements.