Executive Summary
The week of March 6–13, 2026, was dominated by the most destructive single cyber incident of the Iran–US conflict to date: Handala, the pro-Iranian hacktivist group, claimed a wiper attack on Stryker Corporation, the $21 billion US medical technology company, using the firm’s own Microsoft Intune mobile device management console to remotely wipe over 200,000 systems, servers, and mobile devices across 79 countries and exfiltrate 50 TB of data. While Stryker stated it found no evidence of ransomware and considered the incident contained, the operational disruption forced the company’s global workforce onto pen-and-paper workflows and triggered coverage from CNN, Al Jazeera, and Fox Business. The attack was explicitly framed as retaliation for coalition strikes on the Minab school in Iran.
On the criminal ransomware front, the Genesis group made a dramatic entrance by posting eight US victims in a single batch on March 7, including healthcare targets Brighton Eye and NADAP (a Medicaid-billing non-profit) and the City of Hart, Michigan. Qilin maintained its position as the most prolific operator globally, listing at least seven new victims during the week spanning Singapore, Spain, Peru, Brazil, and the United States. DragonForce continued its European expansion with claims against Tazzetti S.p.A. in Italy and MAA Architects in Finland. The week also saw the Interlock group deploy AI-generated Slopoly malware — a PowerShell backdoor likely written by a large language model — against Wagon Mound Public Schools in New Mexico, and AiLock ransomware threaten to leak 129 GB stolen from England Hockey, the governing body for 800 clubs and 150,000 players. A joint Five Eyes advisory warned of escalating INC Ransom attacks against Australian healthcare, and INTERPOL’s Operation Synergia III announced 94 arrests and the takedown of 45,000 malicious IPs across 72 countries.
Key Statistics:
- Global: 40+ new leak-site postings per day across major groups; ransomware attacks up 30% in 2026; AI-generated malware (Slopoly) observed in the wild for the first time in a ransomware campaign
- Europe: 6+ incidents — DragonForce claimed Tazzetti (Italy) and MAA Architects (Finland); Qilin hit Retamar school (Spain); NightSpire targeted CFTC Metallurgie (France) and Giaroli (Italy); AiLock claimed England Hockey (UK); Polish hospital in Szczecin forced to paper-based operations
- Asia: 3+ incidents — Qilin claimed RMZ Oilfield Engineering (Singapore) and Syed Professional Services; NightSpire listed CPG Documentation (Lithuania); Handala’s Stryker wiper affected operations across 79 countries
- US: 15+ incidents — Genesis listed 8 victims including Brighton Eye, City of Hart, and NADAP; NightSpire hit Taylor County Property Appraiser (FL); Interlock claimed Wagon Mound Public Schools (NM); Akira hit Exhibit Network and Extreme Trailers; Qilin listed multiple targets; ShinyHunters demanded $65M from Telus Digital (affecting US client operations)
- Other: Qilin claimed Curtiembre Austral (Peru) and Arimex Importadora (Brazil); Five Eyes warned of INC Ransom targeting Australian healthcare; INTERPOL Operation Synergia III made 94 arrests across 72 countries
1. EUROPE
1.1 Government
No new government-sector ransomware incidents were confirmed in Europe this week. However, the Polish military was deployed to restore IT systems at the Szczecin hospital (see section 1.2), and Poland’s government institutions faced an average of 3,200 cyberattack attempts per week, the highest rate in the region, reflecting ongoing Russian-linked targeting of Polish critical infrastructure.
1.2 Health, Municipalities & Non-commercial
The Independent Public Regional Hospital in Szczecin, Poland, was forced to revert to paper-based operations after a cyberattack on the night of March 7–8, 2026, which encrypted parts of the hospital’s data and blocked staff access to critical digital records. Patient care continued but with significantly slower administrative procedures, and the Polish military was subsequently deployed to assist with IT restoration. Hospital spokesman Tomasz Owsik-Kozlowski stated that restoring IT access remained the facility’s top priority. While no ransomware group has publicly claimed the attack, the encryption of hospital systems is consistent with ransomware deployment.
England Hockey, the governing body for field hockey in England overseeing 800 clubs and 150,000 players, is investigating a potential data breach after the AiLock ransomware gang listed the organisation on its leak site around March 12. AiLock, a relatively new double-extortion operation that uses ChaCha20 and NTRUEncrypt to encrypt files, claims to have stolen 129 GB of data and threatens to publish it unless a ransom is paid. England Hockey has engaged external experts and law enforcement but has not yet confirmed a breach.
Qilin claimed Retamar, a prominent educational institution in Spain, on March 11, threatening to leak sensitive institutional data unless the school entered negotiations. The attack continues Qilin’s pattern of targeting educational institutions across Europe.
NightSpire listed CFTC Metallurgie, a French manufacturing trade organisation, on March 9, as part of the group’s ongoing high-tempo European operations.
1.3 Business
DragonForce claimed Tazzetti S.p.A., an Italian company specialising in specialty gases and environmental services, on March 10. The group threatened to release confidential data if ransom demands were not met, continuing DragonForce’s expansion into European industrial targets.
DragonForce also listed MAA Architects (maa-architects.com), a Finland-based architectural firm, on March 10, in the same batch of postings that included the Tazzetti claim.
NightSpire claimed Giaroli S.A.S., an Italian business, on March 11, and had earlier listed KLEIN Architectural Interior Systems, a Spain-based manufacturer, on March 5.
AkzoNobel, the Netherlands-based global paint manufacturer, confirmed a cyberattack affecting one of its United States sites after the Anubis ransomware group claimed on March 2 to have stolen 170 GB of data including employee records, passport scans, and confidential client agreements. Although AkzoNobel is headquartered in the Netherlands, the confirmed compromise affected a US facility, so the incident straddles both European and US reporting. The company stated the intrusion was contained and limited to the affected site.
LockBit listed Societa Italiana Alimenti, an Italian food and agriculture company, on March 7; the group continues to post new victims despite significant law enforcement disruptions in 2024.
2. ASIA
2.1 Government
No government-sector ransomware incidents were reported in Asia this week.
2.2 Health, Municipalities & Non-commercial
The Stryker Corporation wiper attack (see section 5 for full details) had significant impact across Asian operations, as the company’s offices in 79 countries — including major manufacturing and distribution centres in the Asia-Pacific region — were forced to shut down after Handala remotely wiped over 200,000 devices. While Stryker is a US-headquartered company, the attack’s global reach makes it relevant to every region.
2.3 Business
Qilin claimed RMZ Oilfield Engineering, a Singapore-based oilfield services company, on March 13. The listing indicated encrypted systems and potential data exfiltration, consistent with Qilin’s standard double-extortion approach.
Qilin also listed Syed Professional Services on March 12, as part of its sustained wave of global victim postings.
NightSpire claimed CPG Documentation, a Lithuania-based professional services firm, on March 7, reflecting the group’s geographic reach across Baltic and Northern European markets.
3. UNITED STATES
3.1 Government
Genesis listed the City of Hart, Michigan on March 7 as part of a batch of eight US victim postings. The City of Hart is a small municipality in Oceana County, and the claim appeared alongside healthcare and professional services targets, underscoring persistent ransomware pressure on under-resourced local governments.
NightSpire claimed the Taylor County Property Appraiser’s Office in Florida on March 9–11, alleging exfiltration of approximately 600 GB of data including SQL databases, scanned documents, and photographs. The office is responsible for property valuation across Taylor County, and exposure of this data could affect property records and taxpayer information.
3.2 Health, Municipalities & Non-commercial
Genesis posted Brighton Eye, a Brooklyn-based eye care centre, and OneSource Medical Group on March 7, threatening to expose sensitive healthcare data. Genesis also listed NADAP, a New York City-based healthcare non-profit providing addiction treatment and Medicaid billing services, on March 6. The group claimed to have obtained medical databases, personal data, Medicaid billing records, and financial and tax documents — a particularly sensitive exfiltration given NADAP’s work with vulnerable populations. A class action lawsuit investigation has been launched in connection with the breach.
Interlock claimed Wagon Mound Public Schools in New Mexico on March 9, alleging it obtained approximately 80 GB of data including staff and student personal information such as phone numbers, addresses, and passport numbers. The school district had shut down its network after discovering a virus around February 26, and staff computers were collected for scanning. This attack is notable because Interlock’s initial access was reportedly facilitated by Slopoly, an AI-generated PowerShell backdoor (see section 5 for details).
NightSpire listed Big Brothers Big Sisters, the US youth mentoring non-profit, on March 5, continuing its targeting of non-commercial organisations with limited cybersecurity resources.
3.3 Business
The Stryker Corporation wiper attack was the most consequential US incident of the week. On March 11, pro-Iranian hacktivist group Handala claimed responsibility for remotely wiping over 200,000 systems, servers, and mobile devices belonging to the $21 billion medtech giant, and exfiltrating 50 TB of data. The attackers exploited Stryker’s Microsoft Intune mobile device management console, using its legitimate remote-wipe capability against enrolled corporate devices. Offices across 79 countries were forced offline, though Stryker stated that connected medical devices including Mako surgical systems, Vocera communication badges, and LifePak35 defibrillators remained safe to use. The company denied finding evidence of ransomware or malware on its systems.
Telus Digital, the Canadian BPO subsidiary of telecom giant Telus, confirmed a security incident on March 12 after ShinyHunters claimed to have stolen nearly 1 petabyte of data belonging to the company and its clients. ShinyHunters stated they gained initial access via Google Cloud Platform credentials discovered in data stolen during the Salesloft Drift breach, then used TruffleHog to pivot into additional Telus systems. The group demanded $65 million and shared the names of 28 well-known client companies allegedly affected. While Telus Digital is Canadian, its BPO operations serve numerous US companies whose customer data may be among the stolen records.
Akira claimed Exhibit Network, a Houston-based trade show company, on March 10, threatening to release nearly 50 GB of corporate data. On March 12, Akira also listed Extreme Trailers, a major flatbed trailer manufacturer in Dover, Ohio, threatening to release 15 GB of data.
Qilin listed A-fast Tile & Coping and Advanced Animations, both US-based companies, on March 10. The group also posted Silvon Software and TDS Construction on March 12, maintaining its high-volume US targeting.
Genesis rounded out its March 7 batch with Sierra Management Group, Cornerstone Financial Advisors, and Sanders Legal Group, all US professional services firms.
Loblaw Companies Limited, Canada’s largest food and pharmacy retailer, disclosed on March 10 that a criminal third party accessed customer names, phone numbers, and email addresses after suspicious activity on a non-critical part of its IT network. While not a ransomware incident in the traditional sense, the breach forced automatic logouts across all customer accounts. Passwords, health information, and credit card data were not compromised.
4. REST OF WORLD
4.1 Government
A joint advisory by the Australian Cyber Security Centre, New Zealand’s NCSC, and CERT Tonga warned on March 6 of escalating INC Ransom attacks against Australian and Oceanian critical infrastructure. The ACSC responded to 11 INC ransomware incidents in Australia between July 2024 and December 2025, predominantly targeting healthcare and professional services. INC affiliates use spear-phishing, unpatched system exploits, and purchased credentials for initial access, then deploy legitimate tools such as 7-Zip and rclone for data exfiltration to evade detection.
4.2 Health, Municipalities & Non-commercial
No new incidents reported this week in this category for Africa, South America, or Oceania.
4.3 Business
Qilin claimed Curtiembre Austral S.R.L., a prominent leather manufacturing company in Peru, on March 11, threatening to release sensitive data unless negotiations commenced. The same day, Qilin listed Arimex Importadora, a Brazilian import company, extending the group’s sustained targeting of South American businesses.
5. THREAT ACTOR ACTIVITY
Handala executed the week’s most significant attack — and arguably the most destructive single cyber incident of the Iran–US conflict — by wiping 200,000 Stryker devices across 79 countries and claiming 50 TB of exfiltrated data. The group’s innovation was tactical: rather than deploying custom wiper malware, they compromised Stryker’s Microsoft Intune MDM console and used the platform’s legitimate remote-wipe feature to brick enrolled devices at scale. This “living off the land” approach to destruction — turning a company’s own management tools against it — represents a significant escalation in hacktivist capability. Handala framed the attack as retaliation for coalition strikes on the Minab school in Iran.
Qilin maintained its position as the world’s most prolific ransomware operator, listing at least seven new victims during the week: RMZ Oilfield Engineering (Singapore), Retamar school (Spain), Curtiembre Austral (Peru), Arimex Importadora (Brazil), Silvon Software (US), TDS Construction (US), and A-fast Tile & Coping (US). Qilin’s 2026 pace continues to exceed its record 2025 output of 1,000+ victims, and its geographic reach now spans six continents.
Genesis emerged as a notable new threat, posting eight US victims in a single day on March 7 — Brighton Eye, OneSource Medical Group, City of Hart, NADAP, Sierra Management Group, Cornerstone Financial Advisors, Sanders Legal Group, and one additional target. The group’s immediate focus on healthcare and municipal targets, combined with its claims of accessing Medicaid billing data and medical databases, makes it a priority watch for US healthcare defenders.
Interlock/Hive0163 gained attention after IBM X-Force revealed that the financially motivated group deployed Slopoly, a PowerShell backdoor likely generated by a large language model, during a ransomware campaign. The AI-generated malware maintained persistent access for over a week, enabling data theft before Interlock’s ransomware payload was deployed. The Wagon Mound Public Schools (NM) attack is associated with this campaign. X-Force assessed that the LLM-generated code showed characteristic patterns of AI authorship but could not determine which model was used.
DragonForce continued European expansion, claiming Tazzetti S.p.A. (Italy) and MAA Architects (Finland) on March 10. The group now counts over 400 known victims globally since its inception and operates a RaaS cartel model.
NightSpire maintained high operational tempo with at least five victims during the week across four countries: Taylor County Property Appraiser (US), Big Brothers Big Sisters (US), CFTC Metallurgie (France), Giaroli (Italy), and CPG Documentation (Lithuania). The group has surpassed 150 confirmed victims and continues to target manufacturing, government, and non-profit organisations.
Akira claimed two US manufacturing/events companies — Exhibit Network (Houston) and Extreme Trailers (Ohio) — consistent with its preference for small-to-medium businesses in the manufacturing and professional services sectors.
AiLock emerged as a new operation, claiming England Hockey with 129 GB of allegedly stolen data. The group uses ChaCha20 and NTRUEncrypt encryption, appends the .AILock extension, and operates both negotiation and leak sites.
Law enforcement: INTERPOL announced the results of Operation Synergia III, which ran from July 2025 to January 2026 across 72 countries, resulting in 94 arrests, seizure of 212 electronic devices, and takedown of 45,000 malicious IPs linked to phishing, malware, and ransomware infrastructure. Separately, Microsoft and Europol disrupted the Tycoon 2FA phishing-as-a-service platform by seizing 330 domains, though Tycoon 2FA was primarily a phishing credential-theft operation rather than a ransomware group.
6. KEY TAKEAWAYS
The Stryker wiper attack demonstrates that the Iran–US cyber conflict has moved beyond ransomware and hacktivism into operational destruction of enterprise infrastructure at a scale typically associated with nation-state military operations. Handala’s use of Microsoft Intune’s legitimate remote-wipe capability as a weapon highlights the risk that mobile device management platforms — designed to protect organisations — can be turned against them if access controls are compromised. Organisations using Intune, Workspace ONE, Jamf, or similar MDM platforms should urgently review administrative access controls, implement conditional access policies, and enable alerts on bulk device-management actions.
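One way to implement the "alerts on bulk device-management actions" recommendation above, as an added example that is not Stryker's, Microsoft's or this report's own code: a small Python detector that reads MDM audit records and raises one alert when a single account issues destructive actions (wipe, retire, delete) against many distinct devices inside a short sliding window. The record shape used here is a constructed simplification, not the real Intune audit-log schema, and the sample events, account names and the baseline list of accounts that normally issue wipes are all assumed.

```python
"""Alert on bursts of destructive MDM actions (wipe/retire/delete) by one actor.

Added example. The record shape below is a constructed simplification and is
NOT the real Microsoft Intune audit-log schema; map your MDM platform's
export onto the fields ts / actor / action / device before feeding it in.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

DESTRUCTIVE_ACTIONS = {"Wipe", "Retire", "Delete"}

# Constructed sample: a helpdesk account doing routine single wipes over a day...
SAMPLE_EVENTS = [
    {"ts": "2026-03-11T08:02:10", "actor": "helpdesk1@example.com", "action": "Wipe", "device": "LAPTOP-0101"},
    {"ts": "2026-03-11T09:40:33", "actor": "helpdesk1@example.com", "action": "Sync", "device": "LAPTOP-0102"},
    {"ts": "2026-03-11T11:15:05", "actor": "helpdesk1@example.com", "action": "Wipe", "device": "PHONE-2201"},
    {"ts": "2026-03-11T14:01:00", "actor": "helpdesk1@example.com", "action": "Wipe", "device": "LAPTOP-0103"},
]
# ...followed by one account wiping eight devices within 14 seconds.
SAMPLE_EVENTS += [
    {"ts": f"2026-03-11T22:17:{s:02d}", "actor": "mdm-admin@example.com",
     "action": "Wipe", "device": f"SRV-{s:04d}"}
    for s in range(0, 16, 2)
]
# Accounts that issued destructive actions during an assumed baseline period.
KNOWN_WIPE_ACTORS = {"helpdesk1@example.com", "helpdesk2@example.com"}


def detect_bulk_actions(events, threshold=5, window=timedelta(minutes=10)):
    """Return one alert per (actor, action) whose distinct-device count within a
    sliding time window reaches `threshold`. The alert keeps updating while the
    burst continues, so the returned record reflects the burst's full extent."""
    ordered = sorted(events, key=lambda e: e["ts"])
    recent = defaultdict(deque)          # (actor, action) -> deque of (ts, device)
    alerts = {}
    for e in ordered:
        if e["action"] not in DESTRUCTIVE_ACTIONS:
            continue
        key = (e["actor"], e["action"])
        ts = datetime.fromisoformat(e["ts"])
        q = recent[key]
        q.append((ts, e["device"]))
        while ts - q[0][0] > window:      # drop entries that fell out of the window
            q.popleft()
        devices = {d for _, d in q}
        if len(devices) >= threshold:
            a = alerts.setdefault(key, {"actor": key[0], "action": key[1],
                                        "first": q[0][0].isoformat()})
            a["device_count"] = len(devices)
            a["last"] = ts.isoformat()
    return list(alerts.values())


def unexpected_actors(events, known=KNOWN_WIPE_ACTORS):
    """Independent second signal: accounts issuing destructive actions that
    never did so during the baseline period, regardless of volume."""
    return sorted({e["actor"] for e in events
                   if e["action"] in DESTRUCTIVE_ACTIONS and e["actor"] not in known})


if __name__ == "__main__":
    for a in detect_bulk_actions(SAMPLE_EVENTS):
        print(f"ALERT bulk {a['action']} by {a['actor']}: {a['device_count']} devices "
              f"between {a['first']} and {a['last']}")
    print("destructive actions from non-baseline accounts:", unexpected_actors(SAMPLE_EVENTS))
```

The threshold and window should be tuned to the organisation's normal helpdesk wipe rate; the point of counting distinct devices rather than raw events is that repeated wipe retries against one lost phone never trip the rule, while a console-driven mass wipe does within seconds. The second signal is deliberately volume-independent so that a newly compromised or newly created administrative account is surfaced on its first destructive action.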
The emergence of AI-generated malware in an active ransomware campaign is a milestone for the threat landscape. While IBM X-Force’s analysis of Slopoly found the code functional but not particularly sophisticated, its deployment by Hive0163/Interlock demonstrates that LLM-assisted malware generation has crossed from proof-of-concept into operational use. Defenders should anticipate that AI-generated tooling will lower the barrier to entry for ransomware affiliates and accelerate the development of custom post-compromise tools.
Genesis’s immediate targeting of healthcare non-profits (NADAP, Brighton Eye, OneSource Medical Group) and its claimed access to Medicaid billing data underscore that groups entering the ransomware ecosystem in 2026 are deliberately seeking the highest-sensitivity data to maximise extortion leverage. Healthcare organisations handling government billing data should treat their systems as priority targets.
The Five Eyes advisory on INC Ransom’s targeting of Australian healthcare reflects a geographic shift for a group that previously focused on the US and UK. Australian and Oceanian healthcare providers should review the joint advisory’s indicators of compromise and ensure that common tools like 7-Zip and rclone are monitored for anomalous usage patterns.
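The advisory summarised in section 4.1 and the takeaway above both point at the same detection problem: 7-Zip and rclone are legitimate tools, so the signal is their usage pattern, not their presence. As an added example that is not part of the Five Eyes advisory or this report, the Python detector below runs over constructed process-creation records (a simplified `ts|host|user|image|cmdline` line format, not any real EDR or Sysmon schema) and flags rclone transfers to a cloud remote, escalating severity when the same host created an archive with 7-Zip shortly beforehand. The allow-list of hosts and accounts expected to run rclone, the sample hostnames, users and remote names are all assumptions.

```python
"""Flag 7-Zip archive staging followed by rclone transfer to a remote.

Added example. Input is a constructed 'ts|host|user|image|cmdline' record
format, not a real EDR or Sysmon export; adapt parse_event() to your telemetry.
"""
import re
from datetime import datetime, timedelta

ARCHIVE_TOOLS = {"7z.exe", "7za.exe", "7zg.exe", "7z", "7za"}
RCLONE_TOOLS = {"rclone.exe", "rclone"}
RCLONE_TRANSFER_CMDS = {"copy", "sync", "move", "copyto", "moveto"}

# Assumed allow-list of (host, user) pairs where rclone is expected (backup jobs).
RCLONE_BASELINE = {("fs01", "svc-backup")}

# Constructed sample telemetry (not real logs).
SAMPLE_PROCESS_EVENTS = [
    "2026-03-09T01:00:00|FS01|svc-backup|C:\\Program Files\\rclone\\rclone.exe|rclone.exe sync D:\\Backups backupremote:nightly --transfers 4",
    "2026-03-09T09:12:31|WS-HR-07|CORP\\jdoe|C:\\Users\\jdoe\\AppData\\Local\\Temp\\7z.exe|7z.exe a -mx1 C:\\Users\\jdoe\\AppData\\Local\\Temp\\hr.7z \\\\fs01\\HR",
    "2026-03-09T09:20:05|WS-HR-07|CORP\\jdoe|C:\\Users\\jdoe\\AppData\\Local\\Temp\\rclone.exe|rclone.exe copy C:\\Users\\jdoe\\AppData\\Local\\Temp\\hr.7z personalcloud:drop --transfers 8",
    "2026-03-09T10:30:00|WS-ENG-02|CORP\\asmith|C:\\Program Files\\7-Zip\\7z.exe|7z.exe x C:\\Downloads\\sdk.7z -oC:\\sdk",
    "2026-03-09T11:02:44|WS-FIN-03|CORP\\bwong|C:\\Tools\\rclone.exe|rclone.exe copy C:\\Finance\\q1 gdrive:backup",
]


def image_name(path):
    """Basename of the executable, lower-cased, for either path separator."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_event(line):
    ts, host, user, image, cmdline = line.split("|", 4)
    return {"ts": datetime.fromisoformat(ts), "host": host.lower(),
            "user": user.lower(), "image": image_name(image), "cmdline": cmdline}


def is_archive_creation(ev):
    """7-Zip invoked with the 'a' (add to archive) command."""
    if ev["image"] not in ARCHIVE_TOOLS:
        return False
    toks = ev["cmdline"].split()
    return len(toks) > 1 and toks[1].lower() == "a"


def rclone_remote_target(ev):
    """Return the 'remote:path' argument of an rclone transfer command, else None.
    Windows drive paths (C:\\...) also contain a colon and are excluded."""
    if ev["image"] not in RCLONE_TOOLS:
        return None
    toks = ev["cmdline"].split()
    if len(toks) < 2 or toks[1].lower() not in RCLONE_TRANSFER_CMDS:
        return None
    for t in toks[2:]:
        if re.fullmatch(r"[A-Za-z0-9_-]+:.*", t) and not re.match(r"[A-Za-z]:[\\/]", t):
            return t
    return None


def detect(lines, chain_window=timedelta(minutes=30)):
    """Return findings for rclone transfers to a remote from non-baseline
    host/user pairs; severity is 'high' when the host created an archive with
    7-Zip within chain_window beforehand (staging + exfiltration chain)."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["ts"])
    staged = {}                      # host -> archive-creation events seen so far
    findings = []
    for ev in events:
        if is_archive_creation(ev):
            staged.setdefault(ev["host"], []).append(ev)
            continue
        remote = rclone_remote_target(ev)
        if remote is None or (ev["host"], ev["user"]) in RCLONE_BASELINE:
            continue
        recent = [a for a in staged.get(ev["host"], []) if ev["ts"] - a["ts"] <= chain_window]
        findings.append({"ts": ev["ts"].isoformat(), "host": ev["host"], "user": ev["user"],
                         "remote": remote, "staged_archives": len(recent),
                         "severity": "high" if recent else "medium"})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_PROCESS_EVENTS):
        print(f"[{f['severity'].upper()}] {f['ts']} {f['host']} {f['user']} -> {f['remote']} "
              f"(archives staged in window: {f['staged_archives']})")
```

Two design points carry over to production telemetry: the baseline is keyed on host and account together, because rclone running as the backup service account on a file server is expected while the same binary launched from a user's temp directory is not; and the chain logic looks back only on the same host, which keeps the "high" tier from firing on unrelated archive activity elsewhere in the estate. Extract-only 7-Zip use (the `x` command) is deliberately ignored, since it is the common benign case.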