Executive Summary
The week of February 27 – March 6, 2026, was defined by the cyber spillover from the February 28 joint US–Israeli strikes on Iran (Operation Epic Fury / Operation Roaring Lion). Iran’s internet connectivity dropped to 1–4% in the hours following the strikes, but state-linked groups quickly pivoted to offensive operations: Symantec revealed that MuddyWater (Seedworm), an Iranian MOIS-affiliated APT, had deployed novel Dindoor and Fakeset backdoors on the networks of a US bank, a US airport, a Canadian non-profit, and the Israeli branch of a US defense software supplier. Meanwhile, the Handala hacktivist group escalated from its prior week’s Clalit healthcare breach to claim Sharjah National Oil Corporation (UAE) and Israel Opportunity Energy, exfiltrating over 1.3 TB of combined data including oil contracts and financial records. The pro-Iranian BaqiyatLock (BQTLock) RaaS began offering free affiliate access to anyone targeting Israeli entities, and on March 3 the Sicarii ransomware operation redirected its affiliates to BQTLock, consolidating pro-Palestinian ransomware operations under a single platform.
On the criminal ransomware front, March 2 saw a massive wave of leak-site postings, with Qilin, Rhysida, DragonForce, LockBit variants, and TheGentlemen all publishing dozens of new victims simultaneously. Qilin maintained its position as the world’s most prolific operator, claiming Tennessee Valley Electric Cooperative (a TVA power grid member), CJL Engineering, Golden Clay Industries (Malaysia), ATS Group (France), Outsourcia (Morocco), and ELC Security Products (Israel). DragonForce hit Fundacao Getulio Vargas in Brazil (1.52 TB allegedly exfiltrated), Graham County Electric Cooperative (US), Advanced Rehabilitation Technology (US healthcare), and New Generation Media (Turkey). Two major law enforcement developments marked the week: Phobos ransomware administrator Evgenii Ptitsyn pleaded guilty to wire fraud conspiracy and faces up to 20 years, while two former US cybersecurity incident response employees pleaded guilty to conducting BlackCat (ALPHV) ransomware attacks.
Key Statistics:
- Global: 680 companies listed on leak sites in February 2026 across 54 groups and 72 countries; healthcare was the most targeted sector (31% of publicly disclosed attacks); massive multi-group posting wave on March 2
- Europe: 4+ incidents — Qilin claimed ATS Group (France); DragonForce hit Lincoln Green Brewing (UK); TheGentlemen listed Ricopia (Spain); INC Ransom defaced an Israeli industrial company’s listing with a swastika
- Asia: 4+ incidents — Qilin claimed Golden Clay Industries (Malaysia) and ELC Security Products (Israel); Handala breached Sharjah National Oil Corporation (UAE, 1.3 TB); TheGentlemen hit Reanthong Partcenter and Primus Autohaus (Thailand)
- US: 8+ incidents — Qilin claimed Tennessee Valley Electric Cooperative; DragonForce hit Graham County Electric Cooperative, Advanced Rehabilitation Technology, and The Delventhal Company; Rhysida listed Southold, NY (10 BTC demand); Seedworm backdoored a US bank and airport; LexisNexis confirmed FulcrumSec breach exposing 3.9M records
- Other: DragonForce hit FGV in Brazil (1.52 TB); TheGentlemen listed Gerleinco (Colombia) and Malia Group (Lebanon); Handala claimed Israel Opportunity Energy
1. EUROPE
1.1 Government
No new government-sector ransomware incidents were reported in Europe this week. However, the broader geopolitical context saw Unit 42 estimate 60 individual hacktivist groups active as of March 2, many engaging in DDoS and defacement campaigns against European targets linked to the US–Israeli coalition.
1.2 Health, Municipalities & Non-commercial
No incidents reported this week.
1.3 Business
Qilin claimed ATS Group, a France-based professional services organisation, on March 4. The listing appeared alongside multiple other Qilin victims posted the same day, consistent with the group’s practice of batching leak-site publications.
DragonForce targeted Lincoln Green Brewing Company Ltd. in the United Kingdom on March 4, threatening data leaks if the craft brewery did not enter negotiations. The attack reflects DragonForce’s expansion into smaller European businesses following its higher-profile 2025 campaigns against Marks & Spencer and Co-op.
TheGentlemen listed Ricopia, a Spanish company, as a ransomware victim in early March, continuing the group’s high-tempo European operations. TheGentlemen has now exceeded 130 confirmed victims and continues to rely on FortiGate-focused initial access combined with BYOVD techniques.
INC Ransom (Tarnished Scorpius) listed an Israeli industrial machinery company on its leak site and replaced the company’s logo with a swastika, explicitly framing the attack as retaliation for the joint US–Israeli military strikes. This incident illustrates how traditional ransomware-as-a-service operations are being weaponised for geopolitical signalling in the current conflict environment.
2. ASIA
2.1 Government
No government-sector ransomware incidents were reported in Asia this week. However, Iran’s internet connectivity dropped to 1–4% following the February 28 strikes, significantly disrupting state-level cyber operations from within Iran, though MOIS-linked groups operating from external infrastructure continued offensive campaigns.
2.2 Health, Municipalities & Non-commercial
Handala claimed a breach of Sharjah National Oil Corporation (SNOC), the UAE’s state-owned energy company, on March 2–3. The group alleges it exfiltrated 1.3 TB of sensitive data including financial records, oil contracts, and internal project documents, and stated it had also taken down critical infrastructure. Simultaneously, Handala claimed a breach of Israel Opportunity Energy, framing both attacks under its ongoing ideologically motivated campaign against Middle Eastern energy infrastructure. Neither claim has been independently verified.
2.3 Business
Qilin listed Golden Clay Industries Sdn Bhd, a Malaysian manufacturing company, on March 4. This follows Qilin’s unverified claim against Malaysia Airlines the prior week and continues the group’s pattern of targeting Malaysian businesses; the country’s ransomware.live tracker now shows 105 total victims.
Qilin also claimed ELC Security Products, an Israel-based security products company, on March 5. The listing appeared amid heightened targeting of Israeli commercial entities following Operation Epic Fury.
TheGentlemen attacked Reanthong Partcenter Co., Ltd. and Primus Autohaus in Thailand, both listed on March 4. Primus is an authorised Mercedes-Benz dealer, while Reanthong is a parts manufacturer. Thailand has emerged as a recurring target for TheGentlemen’s Southeast Asian operations.
DragonForce claimed New Generation Media, a prominent media production company in Turkey, on March 4, threatening data leaks unless negotiations commenced.
3. UNITED STATES
3.1 Government
Rhysida’s March 2 leak-site posting for the Town of Southold, New York, brought renewed attention to the November 2025 attack that disrupted email, payroll, tax collection, and permitting systems. The group demanded 10 BTC (approximately $661,400) and gave the town seven days to pay before threatening to sell the data. Affected entities include Southold Town Senior Services and the Southold Police Department. Town officials have stated they will not pay the ransom.
3.2 Health, Municipalities & Non-commercial
DragonForce listed Advanced Rehabilitation Technology (ART), a US healthcare company providing rehabilitation equipment and services, on March 6. The posting appeared on DragonForce’s dark web leak site, though the full scope of compromised data has not been disclosed.
Qilin claimed Tennessee Valley Electric Cooperative (TVEC) on March 5. TVEC is a member of the Tennessee Valley Authority public power partnership and provides electric service across Wayne and Hardin Counties via 2,000 miles of grid infrastructure. While technically an energy utility rather than a municipality, TVEC operates as a non-profit cooperative serving rural communities, and a ransomware-induced outage could directly affect residential power delivery. Qilin previously targeted two Texas electric distribution cooperatives in 2025, establishing a pattern of attacks on US rural electric infrastructure.
DragonForce also claimed Graham County Electric Cooperative on March 5–6, another US energy cooperative, suggesting coordinated or coincidental interest in rural electric utilities during this period.
3.3 Business
The LexisNexis breach was confirmed on March 3, after threat actor FulcrumSec exploited a React2Shell vulnerability in an unpatched React frontend app to access LexisNexis AWS infrastructure around February 24. The attackers leaked approximately 2 GB of data containing 3.9 million database records, including over 118 records belonging to US government personnel — federal judges, DoJ attorneys, SEC staff, and court clerks. LexisNexis stated the compromised systems mostly stored legacy data from prior to 2020, though the exposure of judicial and law enforcement records raises significant national security concerns.
Symantec’s Broadcom threat research team revealed that Iranian APT Seedworm (MuddyWater) had embedded itself in the networks of a US bank and a US airport using two novel backdoors: Dindoor (deployed on the bank’s network) and Fakeset (deployed on the airport’s and a non-profit’s networks). Both backdoors were signed with certificates issued to fictitious identities. The campaign is assessed to have begun in early February 2026 and escalated following the US–Israeli strikes, with the Israeli operations of a US defense software supplier appearing to be a primary target given the company’s role as a defense and aerospace supplier.
Qilin claimed CJL Engineering, a US-based engineering firm, on March 4 as part of its batch of new victim postings.
On March 6, DragonForce listed The Delventhal Company, R&C Fence, Inc., A C Scott Electric, and ICS Electrical Services: a cluster of small and mid-sized US construction and electrical services firms that suggests DragonForce affiliates are systematically targeting the sector.
4. REST OF WORLD
4.1 Government
No government-sector ransomware incidents were reported in Africa, South America, or Oceania this week.
4.2 Health, Municipalities & Non-commercial
DragonForce claimed Fundacao Getulio Vargas (FGV), one of Brazil’s most prestigious universities and think tanks, on March 2. The group alleges it exfiltrated 1.52 TB of data including personal information of students, faculty, and staff, along with confidential administrative and legal documents. FGV initially confirmed on February 20 that a server had experienced instability, but subsequently denied any confirmed data exfiltration. The attack employs DragonForce’s standard double-extortion model: encrypting systems while threatening to publish stolen data.
4.3 Business
TheGentlemen listed Gerleinco, a Colombian logistics provider with a long history in container control, multimodal transport, and project logistics, on March 6. The group also claimed Malia Group, a Lebanese manufacturing conglomerate with operations across consumer goods, technology, fashion, engineering, and hospitality, on the same day.
Qilin listed Outsourcia, a Moroccan business process outsourcing company, on March 4, extending the group’s geographic reach into North Africa.
5. THREAT ACTOR ACTIVITY
Qilin continued as the world’s most prolific ransomware operation, posting at least six new victims during the week: Tennessee Valley Electric Cooperative (US critical infrastructure), CJL Engineering (US), Golden Clay Industries (Malaysia), ATS Group (France), Outsourcia (Morocco), and ELC Security Products (Israel). The group’s 2026 pace exceeds even its record 2025 output of 1,000+ victims, and its continued targeting of electric cooperatives and energy infrastructure raises the stakes for rural US communities.
DragonForce was the second most active group, claiming at least seven victims: FGV (Brazil, 1.52 TB), Graham County Electric Cooperative (US), Advanced Rehabilitation Technology (US), New Generation Media (Turkey), Lincoln Green Brewing (UK), The Delventhal Company (US), and a cluster of US electrical and construction firms. DragonForce has established a RaaS cartel model since March 2025 and now counts 397 known victims.
TheGentlemen maintained high-tempo global operations with at least five new victims across four countries: Reanthong Partcenter and Primus Autohaus (Thailand), Ricopia (Spain), Gerleinco (Colombia), and Malia Group (Lebanon). The group continues to exploit FortiGate vulnerabilities for initial access.
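TheGentlemen’s reported tradecraft (FortiGate-focused initial access followed by BYOVD, bring-your-own-vulnerable-driver, techniques, noted in the Europe section and again here) leaves a recognisable endpoint signal: a driver load that is validly signed yet matches a known-vulnerable hash, or a driver loading from a location where drivers do not belong. The script below is an added example written for this report, not code from the report’s authors or from any vendor named in it. It parses constructed records using the field names of Sysmon Event ID 6 (DriverLoad) and flags loads whose SHA-256 is on a blocklist, that are unsigned or carry an invalid signature, or that come from user-writable paths. The hash values, file paths, and signer names are all constructed, and the blocklist is a placeholder for a maintained list such as Microsoft’s vulnerable driver blocklist or the LOLDrivers project.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Placeholder blocklist of SHA-256 hashes for drivers known to be abused in
# BYOVD attacks. The value is constructed for this example; a real deployment
# would load a maintained list (e.g. Microsoft's vulnerable driver blocklist
# or the LOLDrivers project) instead.
VULNERABLE_DRIVER_SHA256 = {"1" * 64}

# Directories from which a kernel driver load is rarely legitimate.
SUSPICIOUS_PATH_PATTERNS = [
    re.compile(r"\\users\\", re.IGNORECASE),
    re.compile(r"\\temp\\", re.IGNORECASE),
    re.compile(r"\\programdata\\", re.IGNORECASE),
]

# Constructed hashes for the sample records below (not real driver hashes).
CLEAN_HASH = "a" * 64
VULN_HASH = "1" * 64
OTHER_HASH = "b" * 64
UNSIGNED_HASH = "c" * 64

# Constructed sample records using Sysmon Event ID 6 (DriverLoad) field names,
# flattened to 'Key=Value|Key=Value' for the example.
SAMPLE_EVENTS = [
    # Normal Windows component: signed, valid, in the drivers directory.
    rf"ImageLoaded=C:\Windows\System32\drivers\ntfs.sys|Hashes=SHA256={CLEAN_HASH},MD5={'d' * 32}|Signed=true|Signature=Microsoft Windows|SignatureStatus=Valid",
    # Classic BYOVD: a legitimately signed vendor driver whose hash is on the blocklist.
    rf"ImageLoaded=C:\Windows\System32\drivers\vendor_util.sys|Hashes=SHA256={VULN_HASH}|Signed=true|Signature=Example Hardware Vendor|SignatureStatus=Valid",
    # Signed, but loaded from a user-writable directory.
    rf"ImageLoaded=C:\Users\Public\tools\loader.sys|Hashes=SHA256={OTHER_HASH}|Signed=true|Signature=Example Hardware Vendor|SignatureStatus=Valid",
    # Unsigned driver loaded from ProgramData.
    rf"ImageLoaded=C:\ProgramData\cache\svc.sys|Hashes=SHA256={UNSIGNED_HASH}|Signed=false|Signature=|SignatureStatus=Unavailable",
]


@dataclass
class Finding:
    image: str
    reasons: List[str]


def parse_event(line: str) -> Dict[str, object]:
    """Parse 'Key=Value|Key=Value' into a dict. The Hashes field is itself
    'SHA256=...,MD5=...', so it is split a second time into a sub-dict."""
    fields: Dict[str, object] = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    hashes: Dict[str, str] = {}
    for entry in str(fields.get("Hashes", "")).split(","):
        algo, _, digest = entry.partition("=")
        if algo and digest:
            hashes[algo.strip().upper()] = digest.strip().lower()
    fields["_hashes"] = hashes
    return fields


def assess_driver_load(event: Dict[str, object]) -> Optional[Finding]:
    """Return a Finding when a DriverLoad record trips any BYOVD heuristic."""
    reasons: List[str] = []
    image = str(event.get("ImageLoaded", ""))
    sha256 = event["_hashes"].get("SHA256")  # type: ignore[union-attr]
    if sha256 in VULNERABLE_DRIVER_SHA256:
        reasons.append("hash matches vulnerable-driver blocklist")
    signed = str(event.get("Signed", "")).lower() == "true"
    if not signed or event.get("SignatureStatus") != "Valid":
        reasons.append("driver unsigned or signature invalid")
    if any(p.search(image) for p in SUSPICIOUS_PATH_PATTERNS):
        reasons.append("loaded from user-writable location")
    return Finding(image, reasons) if reasons else None


def scan(lines: List[str]) -> List[Finding]:
    """Run the heuristics over a batch of records, keeping only the hits."""
    results = []
    for line in lines:
        finding = assess_driver_load(parse_event(line))
        if finding is not None:
            results.append(finding)
    return results


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.image}: {'; '.join(f.reasons)}")
```

The second sample record is the one that matters for BYOVD: every signature check passes, so only the hash blocklist (or an equivalent allow-by-hash policy) catches it. Path and signature heuristics catch the cruder variants, but a maintained vulnerable-driver list, or Windows’ own blocklist enforcement, is the control that actually closes the technique.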
Handala escalated from healthcare (Clalit, week 9) to energy infrastructure, claiming Sharjah National Oil Corporation and Israel Opportunity Energy with combined 1.3 TB exfiltration. These attacks are explicitly framed as geopolitical retaliation.
BaqiyatLock (BQTLock) began offering free RaaS affiliate access to anyone targeting Israeli entities, and on March 3 the Sicarii ransomware operation redirected its affiliates to BQTLock, consolidating pro-Iranian/pro-Palestinian ransomware operations under one platform. This “franchise-for-ideology” model is unprecedented in the ransomware ecosystem.
Seedworm/MuddyWater (Iranian MOIS) deployed two novel backdoors — Dindoor and Fakeset — against US critical infrastructure (bank, airport, defense supply chain) in campaigns assessed to have intensified following Operation Epic Fury.
Law enforcement: Phobos ransomware administrator Evgenii Ptitsyn, 43, a Russian national, pleaded guilty on March 4 to wire fraud conspiracy for overseeing a RaaS operation that collected $39 million in ransom from over 1,000 victims. He faces up to 20 years at sentencing on July 15. Separately, two former US cybersecurity incident response employees pleaded guilty to conducting BlackCat (ALPHV) ransomware attacks against US companies in 2023, with sentencing scheduled for March 12.
6. KEY TAKEAWAYS
The February 28 US–Israeli strikes on Iran have triggered the most significant geopolitically driven cyber escalation since the Russia–Ukraine conflict began in 2022. The Canadian Centre for Cyber Security issued an explicit threat bulletin warning that Iran will “very likely use its cyber program to respond,” while Palo Alto’s Unit 42 published a detailed threat brief documenting 60+ active hacktivist groups and the convergence of nation-state, hacktivist, and criminal ransomware operations. For defenders, this means the threat model has expanded: ransomware attacks against Israeli-linked businesses, Gulf energy infrastructure, and US critical infrastructure now carry both financial and geopolitical motivations, making attribution and response significantly more complex.
The BaqiyatLock free-affiliate model and Sicarii-to-BQTLock migration represent a structural innovation in the ransomware ecosystem. By eliminating the financial barrier to RaaS participation for ideologically aligned operators, these groups are effectively crowd-sourcing ransomware attacks against a specific nation — a tactic that could dramatically increase attack volume against Israeli targets in the coming weeks.
Qilin and DragonForce’s targeting of US electric cooperatives — three in a single week (Tennessee Valley, Graham County, and prior Texas cooperatives in 2025) — highlights the vulnerability of rural utility infrastructure. These cooperatives typically lack the cybersecurity resources of major utilities and serve communities with limited alternative power options.
The LexisNexis breach, while executed by a non-ransomware actor (FulcrumSec), exposed records of federal judges, DoJ attorneys, and SEC staff, demonstrating that legal and judicial data repositories are high-value targets in the current threat landscape. Organisations maintaining databases of government personnel should treat unpatched web application vulnerabilities as critical-priority remediation targets.