
The State Of Ransomware March 2026
March saw 90 publicly disclosed ransomware attacks, marking the second month this year in which incidents exceeded 90. Organizations in the United States accounted for 60% of all reported attacks, with smaller nations such as Andorra and Panama also included among the 24 countries impacted. Healthcare remained the most targeted sector with 18 attacks, followed by government and manufacturing with 14 and 12 incidents, respectively. In total, 30 ransomware groups were linked to publicly disclosed attacks, with Qilin leading activity with eight attacks.
Keep reading to find out who made ransomware headlines in March.
1. DragonForce ransomware group claimed responsibility for an attack on the Getulio Vargas Foundation (FGV), a leading educational institution in Brazil, involving unauthorized access and the exfiltration of approximately 1.52 TB of data, including sensitive information such as names, identification details, and banking data. FGV confirmed it experienced a security incident that temporarily disrupted some of its systems and acknowledged that data associated with the institution has appeared on the dark web.
2. A cyberattack disrupted the Denmark School District in Wisconsin, leaving it without internet access for five school days and forcing teachers and students to switch to paper-based workarounds. District officials did not disclose which systems were impacted or whether any data was compromised. The INC ransomware group claimed responsibility, stating it had stolen 707 GB of data and issuing a six-day deadline for negotiations.
3. Qilin claimed responsibility for a breach of LISI Group, listing the French industrial component supplier on its dark web leak site. The company, which supplies parts to Airbus and Boeing, confirmed it experienced a cyber incident but stated that its impact was limited in scope. Samples released by the attackers reportedly include screenshots of bank transfers, sales plans, business documents, bank account details, and other sensitive files.
4. Anubis ransomware group claimed responsibility for a cyberattack on AkzoNobel, a global paints and coatings manufacturer, involving a breach at one of its U.S. sites. The attackers reportedly exfiltrated around 170 GB of data, including sensitive information such as employee details, passport scans, internal documents, and client agreements. AkzoNobel confirmed the incident, stating it was contained and limited in scope, while investigations and notifications to affected parties are ongoing.
5. Community Health Action of Staten Island has notified certain individuals of a cybersecurity incident that may have involved unauthorized access to, or theft of, sensitive data. The breach notice offered limited details, confirming only that information such as names, Social Security numbers, and other personal data may have been affected. The Genesis ransomware group claimed responsibility, stating it exfiltrated around 200,000 records, including sensitive personal and medical data. According to the group, this includes approximately 60,000 records from HIV-tested patient databases, along with HIPAA-protected information and employee data.
6. QualDerm Partners recently disclosed additional details surrounding a December 2025 cyberattack, confirming that more than 3.1 million individuals were affected. The breach involved unauthorized access to parts of its network and the exfiltration of highly sensitive data, including personal information, medical records, treatment details, and health insurance data. Notification efforts are now underway, with impacted individuals being informed of the potential exposure. No known ransomware group has claimed the attack.
7. West Virginia law firm Katz Kantor Stonestreet & Buckner (KKSB) disclosed a data breach involving potential exposure of sensitive personal information. According to a notice on its website, the firm detected suspicious activity on its network and initiated an investigation, which confirmed that data such as names, Social Security numbers, and driver’s license details had been accessed. The Kairos ransomware group claimed responsibility, alleging it exfiltrated approximately 700 GB of data.
8. 12,655 individuals have been notified of a data breach stemming from an August 2025 incident involving the Children’s Council of San Francisco. The breach notice did not clarify whether any of the compromised data related to children. Two weeks after the attack, the SafePay cybercriminal group claimed responsibility via its leak site, demanding an undisclosed ransom within 24 hours in exchange for deleting the stolen data. It remains unclear whether the organization engaged with the attackers.
9. Nephrology Associates Medical Group has begun notifying patients of a cyberattack and data breach initially identified in May 2025. The organization detected suspicious activity on its network and took steps to secure its systems and limit further unauthorized access. An investigation later confirmed that a third party had accessed the network and exfiltrated files containing patient information, including names, medical and health data, as well as billing and payment details.
10. Valley Radiology Consultants Medical Group announced a security incident and data breach that was first identified in September 2025. Immediate action was taken to secure its network, and third-party cybersecurity experts were engaged to determine the nature and scope of the unauthorized activity. An investigation confirmed unauthorized access to its network and to files containing patient information.
11. LHT Holdings recently detected a cybersecurity incident involving unauthorized access to parts of its network, which led to the encryption of certain systems. The company quickly isolated affected systems, engaged external cybersecurity specialists, and notified the relevant authorities. Preliminary findings suggest the incident was contained, with no evidence that personal or confidential data was accessed. However, the INC ransomware group claimed responsibility, publishing a number of documents on its leak site to support its claims.
12. Dutch plastic recycler Cabka identified a cybersecurity incident impacting portions of its IT systems. Upon detection, the company isolated affected systems and engaged external cybersecurity experts to carry out a forensic investigation, which remains ongoing. Play ransomware group claimed responsibility for the attack, issuing a four-day deadline for negotiations.
13. ShinyHunters listed Woflow on its dark web blog, threatening to release stolen data on March 6 if its demands were not met. The group claimed to hold hundreds of millions of records containing personal information, transaction data, and other internal corporate materials, although no sample data was provided. Woflow has not publicly confirmed or responded to these claims.
14. The City of Seal Beach, California, reported detecting unusual activity within its network. Officials stated that the environment was secured upon discovery and an investigation was initiated, though no further details have been released due to the ongoing nature of the case. Qilin ransomware group claimed responsibility, posting screenshots of alleged stolen documents on its dark web leak site, but did not specify the volume or type of data involved.
15. Qilin claimed to have breached Tennessee Valley Electric Cooperative (TVEC), based in Savannah, Tennessee. However, the group’s dark web post did not include details about the alleged attack or any data obtained, and no supporting evidence was provided. TVEC has not yet publicly responded to these claims.
16. The Warren County Sheriff’s Office in Kentucky confirmed it has notified an undisclosed number of individuals following a data breach identified in December 2025. An investigation into suspicious network activity determined that cybercriminals had accessed and exfiltrated data, including names, Social Security numbers, driver’s license details, and health insurance ID numbers. RansomHouse claimed responsibility, alleging it stole 743 GB of data, including weapons license records and “videos and investigative materials purportedly showing abuse of authority by officers.”
17. Universal Mailing Services (UMS) was reportedly targeted in a cyberattack claimed by the Securotrop ransomware group. The attackers allege that approximately 490 GB of data was exfiltrated, including around 500,000 documents that were later published on their leak site. According to their claims, the stolen data contains sensitive information relating to both employees and clients.
18. Australian fashion brand Helen Kaminski was reportedly targeted in a ransomware attack claimed by the Play group. According to the group’s dark web listing, the attackers allege they exfiltrated sensitive corporate data, including client documents, payroll information, financial and tax records, and identification data. A three-day deadline for negotiations was issued, although no evidence was provided to support the claims.
19. Ericsson’s U.S. subsidiary reported that data belonging to more than 15,000 employees and customers was compromised following a breach at one of its service providers. According to the company, the provider responsible for storing personal data identified the incident in late April 2025, triggering an investigation into its scope and impact. The exposed information is understood to include personal data, financial details, and medical information.
20. ELECQ, a manufacturer of smart electric vehicle chargers, has warned customers that their personal data may have been compromised in a ransomware attack that encrypted and exfiltrated information from its cloud systems. The company detected unusual activity on its AWS platform and determined that parts of its infrastructure had been targeted. ELECQ stated that no financial data was affected by the incident. No known ransomware group has claimed responsibility for this incident.
21. Ransomware group Genesis added the City of Hart in Michigan to its leak site, claiming to have stolen 300 GB of data. City officials stated that the city responded to an IT incident involving unauthorized access to a limited portion of its network. An investigation into the incident remains ongoing, limiting the information that can be publicly shared. Genesis gave the city less than six days to meet its undisclosed ransom demands before data was published.
22. In Pennsylvania, the Community College of Beaver County was impacted by a ransomware attack that resulted in the encryption of all its data. The incident came to light when the IT department discovered the college had been completely locked out of its systems and received a ransom note from the attackers. The administration has since been working with its insurance provider to help identify the threat actors and explore options to restore access before considering any ransom payment.
23. Wagon Mound Public Schools took its internet and networked systems offline after the superintendent informed families that a virus had disrupted access across the network. The district notified its insurance provider and began recovery efforts to restore systems. In early March, the Interlock group listed the district as a victim, claiming to have exfiltrated 80 GB of data, including staff and student information. The district has not publicly addressed these claims.
24. The Independent Public Regional Hospital in western Poland was forced to revert to paper-based processes following a cyberattack that impacted its IT systems. Hospital officials confirmed the incident temporarily disrupted digital operations, although patient care was not affected. It remains unclear whether any data was exfiltrated, and no ransomware group has claimed responsibility for the attack.
25. Approximately 90,000 individuals were affected by a ransomware attack on the National Association on Drug Abuse Programs (NADAP), attributed to the Genesis group. The incident, which occurred in late January 2026, involved the compromise of protected health information and personally identifiable data relating to clients and associated individuals. Genesis later claimed responsibility in March, alleging it exfiltrated 2 TB of data, including medical records and HR files, and provided an extended justification for targeting the nonprofit organization.
26. Lehigh Carbon Community College was forced to close following disruption to its IT systems caused by a ransomware attack. The disruption impacted the school’s network and school operations. A forensic investigation into the incident remains ongoing. Medusa claimed responsibility for the attack, posting a $100,000 ransom demand in exchange for an undisclosed amount of exfiltrated data.
27. SafePay listed NSW-based dental practice Smile Team Orthodontics on its dark web leak site in mid-March, publishing documents allegedly obtained during the breach. The exposed data includes staff directories and personal details such as addresses and emails, as well as medical certificates, training and certification records, and hundreds of DentiCare patient payment plans. Additional internal documents and some patient treatment histories were also disclosed. Smile Team confirmed it experienced a cyber incident that resulted in unauthorized access to parts of its IT systems.
28. A cyberattack targeted ASB Saarland, a German humanitarian and social services organization, after attackers gained access to one of its servers containing sensitive data. According to the organization, the compromised system held personal information relating to current and former employees, applicants, and clients, including employment records, contact details, and in some cases health-related information. The affected server was quickly isolated and forensic investigations were launched, with authorities notified. Operations such as emergency services and patient care continued without disruption. Qilin claimed responsibility for the attack, allegedly stealing 72 GB of data and adding proof of claims documentation to its dark web leak site.
29. MetroWest Community Federal Credit Union, a U.S.-based financial institution, reported that a data breach identified in September 2025 exposed the personal and financial information of more than 20,000 customers. The organization detected unauthorized access to certain systems, which allowed attackers to obtain sensitive customer and banking data. Akira ransomware group claimed responsibility, alleging it exfiltrated 294 GB of corporate data, including employee personal, financial, and employment records, as well as client files and non-disclosure agreements.
30. LockBit claimed responsibility for a cyberattack targeting the Alcorn School District in Mississippi. In response to suspicious activity that disrupted its systems, the district shut down its network. The group has reportedly issued a two-week deadline for the district to pay an unspecified ransom. The extent and type of any data exfiltrated remain unknown at this time.
31. A database purportedly linked to SUCCESS Magazine, containing over 141,000 subscriber records, has appeared on a cybercrime forum. The exposed data is said to include detailed customer information tied to the publication’s subscription and retail systems. Sample records indicate data such as names, email addresses, phone numbers, and physical mailing addresses was compromised. The party responsible for the incident has not yet been confirmed.
32. England Hockey, the national governing body for field hockey in England, is investigating a suspected data breach after being listed as a victim on the AiLock ransomware group’s leak site. The group claims to have exfiltrated 129 GB of data and has threatened to release the files unless an undisclosed ransom is paid. While England Hockey has acknowledged the incident, it stated that no further details can be shared at this stage due to the ongoing investigation.
33. Handala has claimed responsibility for a cyberattack against New York-based payment device manufacturer Verifone. The group alleged that the breach caused significant disruption to payment systems and terminals, and that all associated transaction and financial data was exfiltrated. Verifone has denied these claims, stating it found no evidence of any such incident and that its services have remained fully operational for customers.
34. DragonForce has released a batch of stolen documents on the dark web, allegedly obtained during a ransomware attack on Australian poultry producer Hazeldenes. The group claims to have exfiltrated 78.78 GB of data from the company. Hazeldenes launched an investigation into the mid-February incident and has since confirmed that data was indeed exfiltrated. The company stated that the affected information appears to be largely limited to historical operational and corporate data.
35. Telus Digital, a Canadian business process outsourcing firm, has confirmed it experienced a security incident after the ShinyHunters group claimed to have stolen nearly 1 petabyte of data over several months. The group alleged that the compromised data includes extensive customer information tied to Telus’ BPO services, as well as call records from its telecommunications division, and has reportedly attempted to extort the company. However, Telus Digital stated it is not engaging with the threat actors. While acknowledging the incident, the company added that its operations have remained fully functional, with no evidence of any disruption to service connectivity.
36. Andorra’s Pyrénées Group has confirmed that a ransomware attack led to unauthorized access to certain internal records and customer data. The company stated that cybersecurity experts successfully contained the incident, identified its source, and restored full operations. The affected data includes names, email addresses, and, in some cases, payment information. The Akira ransomware group has claimed responsibility, alleging it exfiltrated 263 GB of data. Pyrénées Group also confirmed that it did not pay any ransom to the attackers.
37. A class action lawsuit has been filed against Nelson Worldwide following a ransomware attack that allegedly exposed employee information. The Chaos ransomware group claimed to have breached the company’s systems, exfiltrating 400 GB of data, including sensitive employee records. The group reportedly threatened to release the full dataset unless the company engaged in negotiations. Nelson Worldwide has not publicly responded to these claims.
38. Loblaw Companies Limited, Canada’s largest food and pharmacy retailer, has notified customers of a cyberattack that led to the compromise of certain data. After detecting suspicious activity within a limited, non-critical segment of its network, the company determined that an unauthorized third party had accessed some basic corporate information. The group responsible for the incident has not yet been identified.
39. INC ransomware group has reportedly breached systems belonging to Hawk Law Group. The group listed the firm on its leak site, publishing a selection of documents as proof of its claims. Reports indicate that the compromised data may include clients’ personal information, such as government-issued identification and case-related details. Hawk Law Group has not yet issued a public statement regarding the incident.
40. Tieu Dental Corporation in California has begun notifying patients of unauthorized access to its computer systems that occurred last summer. The intrusion was detected in late July 2025, and a subsequent forensic investigation confirmed that the compromised files contained patient information, including names, medical records, and health insurance details. The total number of individuals affected by the breach has not yet been determined.
41. JEAN Group reported a cyberattack on its information systems that caused temporary disruption. The company stated that its security team promptly implemented defensive and recovery measures, while external cybersecurity experts were brought in to support the response. Initial assessments indicate no material impact on operations or financial performance. The LockBit ransomware group has claimed responsibility, reportedly giving the manufacturing firm a two-week deadline to pay an undisclosed ransom.
42. A ransomware attack targeted the DeKalb County Sheriff’s Department in Tennessee, disrupting its email and inmate booking systems. The department’s main server was affected, though it remains unclear what other systems may have been impacted. A third-party firm has been engaged to assess the incident and support data recovery efforts as the investigation continues.
43. Hudson River Housing has disclosed a data breach that occurred in March 2025, resulting in the compromise of personal information. A recently concluded investigation found that certain files containing sensitive data were accessed and may have been exfiltrated by an unauthorized actor. The Rhysida ransomware group claimed responsibility soon after the incident, posting sample images on its leak site as proof. The group reportedly demanded a ransom of $744,000.
44. Meadowlark Hills, a non-profit retirement community in Kansas, has reported a breach affecting the protected health information of 14,442 individuals. The organization detected unauthorized access to its network in mid-July 2025, and a subsequent forensic investigation determined that files containing personal and health data were exfiltrated. The compromised information includes names, government-issued identification, financial account details, and medical records. Beast ransomware group claimed responsibility, alleging it exfiltrated 750 GB of data.
45. MedPeds Associates of Sarasota has notified 21,430 individuals of a data breach involving personal and protected health information. The organization detected unauthorized access to its systems in September 2025, during which ransomware was used to encrypt files. A subsequent review determined that the affected data included names, dates of birth, contact details, and medical records. Beast ransomware group claimed responsibility, alleging it exfiltrated 400 GB of data.
46. Medusa ransomware group claimed responsibility for a cyberattack on Passaic County, New Jersey. The group, which reportedly demanded an $800,000 ransom with a 16-day deadline, published samples of allegedly stolen documents on its dark web leak site. Passaic County confirmed it experienced an attack affecting its IT systems and phone lines and has engaged federal and state authorities to assist with the investigation and containment efforts.
47. Health Dimensions Group reported a data breach impacting 450 individuals. The organization, which became aware of the incident in October 2025, initiated its incident response procedures and engaged cybersecurity specialists to conduct an investigation. The review determined that certain files were accessed and exfiltrated, containing information related to independent contractors. Worldleaks group has claimed responsibility and has published the stolen data.
48. Cedar Valley Services in Minnesota has confirmed that a data incident resulted in the exposure of individuals’ protected health information. Limited details about the incident have been made public. Qilin claimed responsibility in December 2025, listing the organization on its leak site and sharing screenshots of data allegedly obtained during the attack.
49. ShinyHunters cybercrime group claimed responsibility for a recent data extortion attack against Aura, a U.S.-based digital security firm, which the company confirmed resulted in the compromise of at least 900,000 records. The breach stemmed from a targeted voice phishing attack that enabled unauthorized access to an employee account for a short period, during which the threat actor exfiltrated a large dataset primarily consisting of names and email addresses. ShinyHunters alleged it stole additional corporate data and attempted to extort Aura by threatening to publish the information after failed negotiations. Aura stated that highly sensitive data such as Social Security numbers, passwords, and financial information were not compromised, and that its core systems remained secure despite the incident.
50. INC claimed responsibility for a cyberattack on Namibia Airports Company (NAC), alleging it exfiltrated nearly 500 GB of data. NAC confirmed that it detected a cybersecurity incident impacting certain IT systems, involving unauthorized access to network infrastructure and administrative accounts. The organization stated that there is currently no evidence of data exfiltration, although investigations remain ongoing to determine the full extent of the incident.
51. Foster City, California was forced to suspend all public services, except for emergency operations, following a ransomware attack. The city manager declared a state of emergency as a result of the disruption. Officials warned that public information may have been compromised and advised individuals who have interacted with the city to update their account passwords. The incident left city services offline for a week. No threat group has claimed responsibility for the attack at this time.
52. A dataset allegedly linked to Russell Cellular, a major U.S. wireless retailer, containing more than 6.3 million customer records, is being offered for sale online for $1,200. Advertised on a well-known hacker forum, the 61 GB dataset includes 209 database tables. The seller claims the data contains a broad range of sensitive customer and employee information. It is not yet clear whether the data originated from Russell Cellular’s internal systems or from a third-party service provider connected to its operations.
53. Navia Benefit Solutions has notified individuals impacted by a cyberattack that occurred in December 2025. The compromised data reportedly includes names, contact details, and Social Security numbers. According to the breach notice, approximately 2,697,540 individuals were affected, with the incident stemming from unauthorized access to Navia’s network over the course of a month. The party responsible for the attack has not yet been identified.
54. Worldleaks ransomware group has claimed responsibility for a cyberattack on Los Angeles Metro that led to system disruptions. According to local media, unauthorized activity was detected on Metro’s internal systems, prompting restricted access and impacting station arrival displays. Despite the disruption, rail and bus services continued to operate as normal, and no customer or employee data was reported to be affected. Worldleaks alleged it exfiltrated 159.9 GB of data, publishing three screenshots on its leak site as proof of claims.
55. Westport Fuel Systems reported detecting unauthorized access to portions of its network, which impacted certain internal IT business applications as well as some business and employee information. The company noted that its manufacturing systems were not affected. An investigation into the incident is ongoing. Embargo ransomware group claimed responsibility, alleging it exfiltrated 1.8 TB of data from the organization.
56. Handala group claimed responsibility for a cyberattack targeting Lockheed Martin, alleging it exfiltrated 375 TB of data from the aerospace and defense firm. The group asserts that the stolen information includes sensitive materials such as F-35 aircraft blueprints and other corporate data. It has also issued further demands exceeding $400 million in exchange for not selling the data to U.S. adversaries. A Lockheed Martin spokesperson acknowledged that the company is aware of the claims.
57. In the Philippines, a reported cybersecurity incident involving the Department of Public Works and Highways (DPWH) is under investigation following claims of data exfiltration posted on the dark web. Bashe (APT73) ransomware group listed the agency on its leak site, alleging it had stolen 50 GB of data, including internal documents, emails, financial records, and personal information. However, initial findings from the investigation indicate there is no evidence that any files were accessed or exfiltrated from DPWH’s internal systems.
58. Semiconductor testing firm Trio-Tech International identified a cyberattack in mid-March that resulted in the encryption of files across its network. In response, the company took affected systems offline and engaged cybersecurity specialists to manage the incident. The breach also led to the unauthorized exposure of certain company data. The Gunra ransomware group claimed responsibility, although it did not specify the volume of data allegedly exfiltrated.
59. The Lapsus$ group claimed responsibility for a significant data breach involving global biotechnology and pharmaceutical company AstraZeneca, alleging the theft of 3 GB of sensitive intellectual property. The stolen data reportedly includes application source code, private cryptographic keys, authentication tokens, Vault credentials, and Terraform configurations for AWS and Azure environments. The group shared previews of the data, including screenshots, on dark web forums and invited interested buyers to pay for access to the repositories. AstraZeneca has not commented on the claims.
60. DragonForce ransomware group has allegedly breached Conrad Capital’s servers, claiming to have stolen clients’ personal and financial information. The group states it exfiltrated 74.23 GB of data and issued a five-day deadline for the finance company to enter negotiations. Conrad Capital has not yet publicly responded to the claims made by DragonForce.
61. SATS AS, a training and fitness service provider, has identified unauthorized access to parts of its IT systems, resulting in a data breach. After detecting the incident, the company acted quickly to remove the intruders, contain the breach, and prevent further unauthorized access. External cybersecurity experts have been engaged to assess the full scope and impact. Preliminary findings suggest that the compromised data includes internal administrative documents, as well as personal information relating to a group of employees. The Gentlemen ransomware group has claimed responsibility for the attack.
62. Infinite Campus has notified customers of a data breach following an extortion attempt by the ShinyHunters group. According to notification letters, the incident stemmed from unauthorized access to an employee’s Salesforce account. The attackers reportedly set a March 25 deadline for the company to initiate negotiations to prevent the release of stolen data; however, Infinite Campus stated it will not engage with the threat actors. ShinyHunters claims the stolen data includes Salesforce records containing personally identifiable information and internal corporate data, though the company maintains that its investigation found no evidence that customer databases were accessed.
63. Duffy’s Sports Grill was impacted by a ransomware attack attributed to the Qilin group, which disrupted its internal systems and operations for at least a week. The incident affected both customers and staff, with several locations unable to process credit card payments, and the company’s MVP loyalty program also experiencing outages. The ransomware group did not specify how much data may have been accessed during the attack.
64. Mazda Motor Corporation recently disclosed that a December 2025 cyberattack led to the exposure of data belonging to employees and business partners. An internal investigation found that attackers exploited vulnerabilities in the company’s warehouse management system, resulting in unauthorized access to a portion of the data stored within it. A total of 692 records were accessed, none of which involved customer information. The compromised data includes names, email addresses, company names, user IDs, and business partner IDs. The Clop ransomware group claimed responsibility for the incident in November 2025.
65. Kaplan, a Florida-based education services company, has disclosed that a cybersecurity incident late last year resulted in the exposure of sensitive personal information belonging to at least 230,000 individuals. Unauthorized actors accessed files containing names, Social Security numbers, and driver’s license numbers. No threat group has claimed responsibility for the incident.
66. NYC Health + Hospitals Corporation has disclosed that personally identifiable information and protected health information were exposed in a data security incident. Suspicious activity was detected within its network in early February, prompting an immediate response and the launch of an investigation. Findings revealed that an unauthorized third party had access to the network for nearly 11 weeks. To date no ransomware group has claimed responsibility.
67. ShinyHunters listed Ameriprise Financial as a victim, threatening to release allegedly stolen data if a ransom is not paid. The group also warned that the data leak would be accompanied by “several annoying (digital) problems.” It claims to possess Salesforce records containing personally identifiable information, along with more than 200 GB of compressed internal SharePoint data. Ameriprise Financial has not yet publicly responded to these allegations.
68. Aroostook Mental Health Center (AMHC), a major behavioral healthcare provider in Maine, was recently targeted in a ransomware attack attributed to Qilin. The incident caused network disruption that impacted some business operations and connectivity, prompting the organization to engage external cybersecurity specialists to investigate and respond. Qilin added AMHC to its dark web leak site and claimed to have obtained data, reportedly issuing threats to publish it if negotiations were not initiated. AMHC has stated it is not engaging with the threat actors, and while the investigation remains ongoing, the organization has not confirmed whether any sensitive data was accessed or exfiltrated.
69. A newly emerged ransomware group known as ALP-001 claimed responsibility for a cyberattack against Chinese surveillance technology giant Hikvision. The group listed the company on its dark web leak site, alleging it exfiltrated approximately 19.9 TB of data from internal systems. The threat actors warned they would release the stolen data in stages if their demands were not met, though no specific ransom amount has been disclosed. At this stage, the claims remain unverified, as sample data links provided by the attackers were reportedly non-functional, and Hikvision has not publicly commented on the incident.
70. Spain’s Port of Vigo was hit by a ransomware attack that disrupted key digital systems used for cargo management and logistics coordination. The incident led authorities to isolate affected servers and disconnect parts of the network, forcing port operations to rely on manual, paper-based processes while systems remained offline. Despite the disruption to digital services, physical operations such as ship movements and cargo handling continued. A ransom demand was reportedly issued, though no threat group has publicly claimed responsibility. Investigations are ongoing to determine the cause and full scope of the incident, with no confirmed timeline for full system restoration.
71. St Anne’s Catholic School in Southampton was recently forced to close after a ransomware attack disrupted its IT systems. Threat actors gained access to the school’s network, impacting access to systems and temporarily halting teaching and learning activities. The school’s IT team acted quickly to contain the incident and prevent further spread, while reporting the breach to authorities including the Information Commissioner’s Office, the National Cyber Security Centre, and the police. Details surrounding the method of intrusion and any potential data compromise remain limited, with investigations ongoing.
72. Viva Ticket, a global ticketing and event management platform used by major museums, theme parks, and live events, was recently impacted by a ransomware attack that disrupted services across its network. The incident affected an estimated 3,500 partner organizations worldwide, including high-profile venues, and led to outages in online booking and ticketing systems. While investigations are ongoing, reports indicate that certain customer data, such as names, email addresses, and purchase details, may have been exposed. There is currently no evidence that payment or banking information was compromised. The attack has been linked to a ransomware operation, with some sources attributing it to the RansomHouse group, although full details of the breach and its impact are still being assessed.
73. Goodwill Industries of North Central Pennsylvania was recently listed as a victim by the Interlock ransomware group, which claims to have exfiltrated approximately 80 GB of data from the nonprofit organization. The group alleges that the stolen data includes personal information and financial documents related to employees and partners, and it has listed the organization on its dark web leak site as proof of the breach. Reports indicate that the incident may be linked to wider system disruptions affecting some Goodwill operations, though details remain limited. At this time, Goodwill has not publicly confirmed the full extent of the breach, and investigations are ongoing to determine the scope and impact of the incident.
74. ShinyHunters has claimed responsibility for an attack targeting ZenBusiness, a U.S.-based business services platform. The group alleges it exfiltrated “several terabytes” of data from the company, reportedly obtained through access to cloud-based platforms such as Salesforce, Snowflake, and Mixpanel. ShinyHunters issued a deadline for the company to initiate negotiations, warning that failure to comply would result in the public release of the stolen data along with additional disruptive actions. While the exact nature of the compromised information has not been confirmed, sources suggest it could include internal corporate data and potentially personally identifiable information related to customers and employees. ZenBusiness has not publicly commented on the claims at this time.
75. Private healthcare provider IntraCare in New Zealand was recently impacted by a cyber breach that forced the organization to take its IT systems offline and defer at least 28 patient procedures. The incident disrupted operations and limited the provider’s ability to access patient records and contact affected individuals. In response, IntraCare engaged external cybersecurity experts, notified authorities, and launched a forensic investigation to determine the scope and impact. The Gentlemen ransomware group claimed responsibility for the attack.
76. Vantage Plastic Surgery disclosed a security incident involving unauthorized access to the protected health information of approximately 4,600 current and former patients. An investigation confirmed that patient data was exposed, with a review revealing that the compromised information included names, addresses, phone numbers, dates of birth, and medical record details.
77. Multinational communications and digital marketing firm Hightower Holdings has disclosed a significant data breach affecting 131,483 individuals. The company reported that unauthorized access to its network occurred in early January, enabling threat actors to obtain customers’ personal information. The compromised data includes names and Social Security numbers. No known ransomware group has claimed responsibility for the incident.
78. The Jackson County Sheriff’s Office in Indiana was recently hit by a ransomware attack that severely disrupted its operations, rendering its entire computer network, including PCs, Wi-Fi, and reporting systems, unusable. The incident, believed to have originated from a malicious email, forced the department to shut down systems and begin rebuilding its IT infrastructure from scratch. Law enforcement operations were significantly impacted, with officers reverting to manual processes and dispatch services temporarily relocated to another police department. Officials confirmed that no ransom would be paid.
79. Stockton Cardiology Medical Group has begun notifying patients of a recent security incident in which files containing patient information were accessed. The compromised data includes names, contact details, and billing records that may contain limited medical information. The Genesis ransomware group claimed responsibility, alleging it exfiltrated and published the 645 GB of stolen data in mid-February.
80. Monmouth University in New Jersey was recently targeted in a ransomware attack claimed by the PEAR ransomware group. The threat actor alleges it exfiltrated up to 16 TB of data from the university’s systems and has posted sample materials as proof on its leak site. The university confirmed that the incident involved unauthorized access to certain information on its network and has engaged cybersecurity experts and notified law enforcement to investigate. While PEAR has threatened to release the stolen data if demands are not met, the full scope of the breach and the nature of the compromised information remain under review, with no confirmed operational disruption reported.
81. Omax Autos Limited confirmed that it was targeted in a ransomware attack affecting its IT infrastructure. The company stated that while unauthorized activity was detected and the incident has been verified, its core systems and manufacturing operations have not been impacted. Omax Autos has launched an investigation to assess the extent of any potential damage or data exposure and is implementing remedial measures to strengthen its cybersecurity posture. The full scope and impact of the incident remain under review.
82. Panama’s Social Security Fund (CSS) activated a contingency plan following a suspected cyberattack that affected parts of its digital infrastructure. The organization reported disruptions to its web services and quickly implemented response measures to contain the incident and maintain operations. The Gentlemen ransomware group has claimed responsibility for the attack. While details remain limited, CSS stated it is continuing to assess the potential impact and restore full functionality, with investigations ongoing.
83. Statistics South Africa (Stats SA) has reportedly been targeted in a ransomware attack that may have exposed large volumes of sensitive data. The agency confirmed the incident, while threat actors identified as the XP95 ransomware group claimed to have exfiltrated over 450,000 files totalling approximately 154 GB, including data from internal systems such as HR records. The group allegedly demanded a ransom of around $100,000 in exchange for not releasing the data. Sample files were posted on its leak site as proof of its claims.
84. Bangladesh’s largest supermarket chain, Shwapno, was listed on LockBit’s leak site in mid-March, with the group releasing more than 410 GB of data on the dark web. The exposed files reportedly include customer names, phone numbers, purchase histories, supplier information, contracts, bank deposit records, HR documents, and internal policies. The incident follows a separate ransomware claim made by the Qilin group approximately seven months earlier.
85. Woodfords Family Services has notified authorities of a ransomware attack in 2024 that resulted in the breach of personal and protected health information of 8,073 individuals. Suspicious activity was first identified in April 2024, with a comprehensive internal review only concluding in late January 2026. Medusa ransomware group claimed responsibility for the attack shortly after it occurred.
86. U.S.-based healthcare technology provider CareCloud disclosed a cybersecurity incident involving unauthorized access to one of its electronic health record (EHR) environments. The attack caused a temporary network disruption lasting approximately eight hours, affecting the functionality and data access of part of its CareCloud Health platform. The company confirmed that an unauthorized third party gained access to systems containing patient information, though it is still assessing whether any data was accessed or exfiltrated. CareCloud engaged external cybersecurity experts, notified authorities, and has since restored all affected systems. At this time, no ransomware group has claimed responsibility, and the full scope and impact of the incident remain under investigation.
87. XP95 ransomware group has claimed responsibility for a cyberattack on the Gauteng City Region Academy, alleging it accessed and exfiltrated approximately 147 GB of private and personal data. The group is reportedly demanding a ransom of $100,000 in exchange for not releasing the information. The academy, a Gauteng provincial government entity focused on providing bursaries, internships, and training opportunities for young people, has not publicly responded to the claims.
88. XP95 ransomware group has claimed responsibility for a cyberattack on Eholo Health, a Spanish provider of clinical management software for psychologists. The group alleges it exfiltrated approximately 165 GB of data, including over 1.1 million medical notes and personal information relating to more than 600,000 users. According to XP95, the data was initially intended for sale after the company allegedly refused to pay a $300,000 ransom following several weeks of negotiations, but it was later released publicly. The exposed data reportedly includes sensitive clinical notes and patient details. Eholo Health has not publicly acknowledged the incident or confirmed whether affected individuals or regulators have been notified.
89. INC ransomware group claimed responsibility for a cyberattack on the City of Meriden, Connecticut, alleging it stole data from municipal systems. The city first reported an “attempted interruption” to its network in February, which caused weeks of service disruptions, including delays to water billing and ongoing issues at city clerk and tax offices. The group later listed Meriden on its leak site and shared sample documents as proof of its claims, though officials have not confirmed the breach or the extent of any data compromise. Investigations remain ongoing, and it is unclear what data, if any, was accessed or exfiltrated.
90. Qilin ransomware group claimed responsibility for a cyberattack targeting U.S.-based chemical manufacturing giant Dow Inc., alleging that it gained access to corporate systems and exfiltrated internal data. The claims have not been independently verified, and details regarding the type or volume of data allegedly compromised have not been disclosed. Dow has not publicly commented on the incident, and the full scope and impact remain unclear.
The State of Ransomware: March 2026
Rebecca Harpur | April 2nd, 2026
BlackFog's state of ransomware March 2026 measures publicly disclosed and non-disclosed attacks globally.







