Ransomware summary week 13, 2026

Week 13 saw the European Commission breached via its AWS cloud, the Dutch Ministry of Finance hacked, and Foster City declaring a state of emergency after a ransomware-induced municipal shutdown. Meanwhile, Qilin posted a massive batch of victims ranging from Belgian healthcare to Native American tribal government, JAXA faced a 6.9 TB extortion claim by newcomer ALP-001, and WorldLeaks listed the City of Los Angeles alongside LA Metro disruptions.
Category: ransomware
Published: March 28, 2026

Executive Summary

The week of March 20–27, 2026, was marked by a striking concentration of attacks against government institutions and public infrastructure on both sides of the Atlantic. The European Commission confirmed on March 27 that its Amazon Web Services cloud hosting the Europa.eu platform had been breached, with the attacker claiming over 350 GB of stolen data including employee databases. Days earlier, the Dutch Ministry of Finance disclosed that suspicious activity detected on March 19 had led to systems being taken offline, though tax collection infrastructure was unaffected. In the United States, Foster City, California, declared a state of emergency on March 24 — the sixth day of a ransomware-induced shutdown of nearly all municipal services — while WorldLeaks listed the City of Los Angeles on its leak site and LA Metro restricted internal systems after detecting unauthorized activity on March 20.

The criminal ransomware ecosystem continued at a blistering pace. Qilin posted at least fourteen new victims in a single batch on March 26, spanning Belgian healthcare (Louise Medical Center), US tribal government (Washoe Tribe), Malaysian construction (Kerjaya Prospek Group), and Spanish timber manufacturing (Maderas Del Noroeste). Akira added six victims on March 27 including German construction firm BHS Bau and US infrastructure consultancy Sheladia Associates. DragonForce claimed luxury targets from eyewear retailer Edward Beiner to Thailand’s Kalima Resort & Spa. A new threat actor, ALP-001, made headlines by claiming a 6.9 TB breach of Japan’s Aerospace Exploration Agency (JAXA), while the Bearlyfy pro-Ukrainian hacktivist group was revealed to have deployed a custom GenieLocker ransomware strain against over 70 Russian firms since January 2025.

Key Statistics:

  • Global: 45+ new leak-site postings during March 20–27; Qilin, Akira, DragonForce, WorldLeaks, and TheGentlemen among the most prolific operators; new entrants ALP-001 and CipherForce gaining traction
  • Europe: 8+ incidents — European Commission cloud breach (350 GB); Dutch Ministry of Finance intrusion; Qilin hit Louise Medical Center (Belgium), SACOR and Arnaud (France/Portugal), Maderas Del Noroeste (Spain); Akira targeted BHS Bau (Germany); TheGentlemen claimed Groupe Courtois Automobiles (France)
  • Asia: 4+ incidents — ALP-001 claimed JAXA (Japan, 6.9 TB); Qilin hit Kerjaya Prospek Group (Malaysia); Trio-Tech Singapore subsidiary breached by Gunra; DragonForce claimed Kalima Resort & Spa (Thailand)
  • US: 12+ incidents — Foster City state of emergency; WorldLeaks listed City of Los Angeles; LA Metro unauthorized activity; Qilin claimed Washoe Tribe, Bedrosians Tile & Stone, Transgas, Kaemmerlen Solutions; Lynx hit NJ Pain Care Specialists; Medusa claimed Passaic County NJ; Akira targeted Sheladia Associates and others
  • Other: DragonForce hit STS Travel (Mexico); Bearlyfy deployed GenieLocker against 70+ Russian companies

1. EUROPE

1.1 Government

The European Commission confirmed on March 27 that a cyberattack had struck its Amazon Web Services cloud infrastructure hosting the Europa.eu web platform. The breach was detected on March 24 and quickly contained, according to Commission officials, who stressed that internal systems were not affected. However, the attacker claimed to have stolen over 350 GB of data, providing BleepingComputer with screenshots as proof of access to employee databases and an email server. Early findings suggest some data may have been accessed, and potentially affected EU entities are being notified. The incident signals a growing appetite among threat actors for cloud-hosted government infrastructure and underscores the sensitivity of third-party cloud environments even for supranational institutions.

The Dutch Ministry of Finance disclosed on March 25 that a cyberattack detected the previous week had compromised some of its internal systems. A third party first flagged suspicious activity on March 19, prompting the ministry to take affected systems offline and restrict employee access. Critically, systems managing tax collection, import/export regulations, and income-linked subsidies — which handle over 9.5 million annual tax returns — remained unaffected. No threat group has claimed responsibility, and investigators have not yet determined whether sensitive data was exfiltrated.

1.2 Health, Municipalities & Non-commercial

Qilin claimed Louise Medical Center, a Belgian healthcare provider, on March 26 as part of an eight-victim batch posted to its dark web portal. The listing continues Qilin’s systematic targeting of European healthcare institutions and arrives amid heightened concern about the impact of ransomware on patient care. No details have emerged on the scope of data compromised or operational disruption.

1.3 Business

Qilin’s March 26 posting spree extended deeply into European commerce. SACOR, a French company, was listed alongside Arnaud, a Portuguese business (arnaud.pt), in what amounted to a single-day, multi-continent campaign. Maderas Del Noroeste de España SL, a Spanish timber and wood manufacturing company, was also claimed in the same batch, extending Qilin’s footprint across the Iberian Peninsula.

Akira listed BHS Bau- und Handelsgruppe GmbH & Co. KG, a Dresden-based German construction conglomerate with operations spanning building materials extraction, asphalt production, and civil engineering, on March 27. The leak post indicated that corporate financial data, employee records, and project documentation had been exfiltrated.

TheGentlemen claimed Groupe Courtois Automobiles, a French Honda automotive dealership group with locations in Chambourcy, Saint-Ouen-l’Aumône, and Montigny-le-Bretonneux, on March 27. The attackers allege that 13.15 GB of data was exfiltrated and threaten to publish it unless negotiations commence.


2. ASIA

2.1 Government

The most headline-grabbing claim of the week came from ALP-001, a relatively new threat actor believed to be an initial access broker transitioning into extortion. On March 26, ALP-001 publicly claimed a breach of the Japan Aerospace Exploration Agency (JAXA), alleging the exfiltration of 6.9 TB of data and setting an April 5 deadline for negotiations. Given JAXA’s role in satellite technology, space exploration, and national defence, any confirmed compromise would carry significant implications for Japan’s security posture. However, security researchers caution that while ALP-001’s network access claims may be genuine, there is currently no independent confirmation of large-scale data exfiltration.

2.2 Health, Municipalities & Non-commercial

No incidents reported this week.

2.3 Business

Qilin listed Kerjaya Prospek Group, a major Malaysian construction company, on March 27. This marks the third consecutive month in which Qilin has targeted Malaysian firms, following Golden Clay Industries and the disputed Malaysia Airlines claim in earlier weeks. Malaysia’s ransomware.live tracker now shows over 106 total victims nationally.

Trio-Tech International, a California-based semiconductor testing company, disclosed to the SEC that its Singapore subsidiary was struck by a ransomware attack detected on March 11. The Gunra ransomware group claimed responsibility after stolen data appeared on its Tor-based leak site on March 18, escalating what the company had initially assessed as a non-material incident. The double extortion playbook — encrypt first, then threaten data publication — forced Trio-Tech to update its SEC filing.

DragonForce claimed Kalima Resort & Spa, a five-star luxury resort in Phuket, Thailand, in late March. The attack reflects DragonForce’s eclectic victim selection, which has ranged from craft breweries to energy cooperatives in recent weeks.


3. UNITED STATES

3.1 Government

Foster City, California (population 34,000), declared a state of emergency on March 24, the sixth day of a ransomware attack that had paralysed nearly all municipal computer systems since March 19. The city council voted 4–0 to authorise the declaration, unlocking supplementary financial support from outside agencies. All public services outside of emergency response were paused, though 911 and police dispatch remained operational. By the end of the week, the city was still working with cybersecurity specialists to determine the nature and source of the attack. No ransomware group had publicly claimed the incident as of March 27.

WorldLeaks listed the City of Los Angeles on its leak site on March 20, claiming 159.9 GB of stolen data. On the same day, LA Metro restricted access to internal administrative systems after detecting unauthorized activity, causing disruptions to station arrival time displays and the TAP card website, though bus and rail operations continued. Metro has not linked its system restrictions to the WorldLeaks posting, and no group has officially claimed the Metro incident.

Qilin claimed the Washoe Tribe, a federally recognised Native American tribe in Nevada, on March 26. The listing appeared as part of Qilin’s eight-victim batch. Qilin’s targeting of tribal governments aligns with a broader pattern of attacks against US state, local, tribal, and territorial (SLTT) entities.

Medusa’s claim against Passaic County, New Jersey, continued to develop during the week. The county, serving nearly 600,000 residents, had disclosed a malware attack on March 4 that disrupted IT systems and phone lines. Medusa demanded $800,000 and posted proof-of-claim screenshots on March 17. By March 18, the county stated that most operations had been restored but that the investigation was ongoing.

3.2 Health, Municipalities & Non-commercial

Lynx ransomware targeted NJ Pain Care Specialists on March 26, threatening to leak sensitive medical data unless negotiations are initiated. The New Jersey-based pain management practice joins a growing list of US healthcare providers targeted by Lynx, which has been expanding its operations in 2026.

The University of Mississippi Medical Center (UMMC) resumed normal operations during the week, nine days after a ransomware attack beginning February 19 that blocked access to its Epic electronic medical record system. The Medusa group claimed the attack on March 12, demanding $800,000 and alleging over 1 TB of stolen data across more than one million files. The operational impact was severe: 650 elective surgeries were delayed and UMMC fell $34.2 million short of budget estimates — a roughly 20% revenue drop — as a direct consequence of the 9-day shutdown. UMMC houses Mississippi’s only children’s hospital, only Level I trauma centre, and only organ transplant programmes.

Navia Benefit Solutions, a Washington-based employee benefits administrator, began notifying 2.7 million individuals on March 18 of a breach that exposed names, dates of birth, Social Security numbers, and health plan details. The intrusion, which exploited an API vulnerability, lasted from December 22, 2025, to January 15, 2026. While no ransomware group has claimed responsibility and no encryption was deployed, the scale and sensitivity of the data — particularly affecting COBRA and flexible spending account participants — make this one of the largest healthcare-adjacent breaches of 2026.

3.3 Business

Qilin’s March 26 batch included several US commercial victims: Bedrosians Tile & Stone, a major tile and stone retailer; Transgas Inc, a natural gas transportation company; and Kaemmerlen Facility Solutions, a facility management company. All three were posted alongside the group’s European and tribal government victims in a single coordinated disclosure.

Akira targeted multiple US businesses on March 27, including Sheladia Associates, a multidisciplinary infrastructure development consultancy with projects in transportation, water, sanitation, and energy sectors. The leak post referenced a large volume of stolen data including employee personal documents, medical information, financial records, contracts, and NDAs. Other Akira victims included Frontier Technologies, GeoMechanics Technologies, Axiomatic Technologies Corporation, and Quality Carton and Converting.

DragonForce listed Edward Beiner, a luxury eyewear retailer based in Florida, on March 24, and Durable Superior Casters Inc. on March 26, continuing the group’s pattern of targeting mid-sized American companies across diverse sectors.


4. REST OF WORLD

4.1 Government

No government-sector ransomware incidents were reported in Africa, South America, or Oceania this week.

4.2 Health, Municipalities & Non-commercial

No incidents reported this week.

4.3 Business

DragonForce claimed STS Travel, a travel service provider based in Mexico, on March 27, threatening to release sensitive data unless its demands are met.

WorldLeaks listed Leighton, a multinational construction company, together with CIM and Sheraton Hotel on March 27 — all three discovered on the same date, reflecting the group’s high-tempo posting schedule.

The Bearlyfy pro-Ukrainian hacktivist group was revealed on March 27 to have attacked over 70 Russian companies since January 2025 using a custom Windows ransomware strain called GenieLocker, inspired by the Venus/Trinity families. Unlike traditional ransomware operations, Bearlyfy often manually crafts ransom notes — some mocking victims — and operates as a dual-purpose group combining financial extortion with ideological sabotage. GenieLocker has been in active deployment since early March 2026, marking a notable escalation in the Russia–Ukraine cyber dimension.


5. THREAT ACTOR ACTIVITY

Qilin maintained its position as the world’s most prolific ransomware operation, posting at least fourteen new victims on March 26 alone. The batch spanned Belgian healthcare (Louise Medical Center), US tribal government (Washoe Tribe), Malaysian construction (Kerjaya Prospek Group), French and Portuguese businesses (SACOR, Arnaud), Spanish manufacturing (Maderas Del Noroeste), and US commercial entities (Bedrosians, Transgas, Kaemmerlen). The group also listed a Voltamper entity and continued its multi-continent campaign of industrial-scale double extortion.

Akira posted six victims on March 27, including German construction firm BHS Bau and US infrastructure consultancy Sheladia Associates, alongside Frontier Technologies, GeoMechanics Technologies, Axiomatic Technologies, and Quality Carton and Converting. Akira’s focus on professional services, manufacturing, and construction targets continues unabated.

DragonForce diversified its victim profile during the week, striking luxury eyewear (Edward Beiner, US), five-star hospitality (Kalima Resort, Thailand), travel services (STS Travel, Mexico), and industrial supply (Durable Superior Casters, US). The cartel-model RaaS now exceeds 400 known victims.

WorldLeaks demonstrated increasing ambition with its March 20 listing of the City of Los Angeles (159.9 GB claimed), followed by multinational construction firm Leighton and Sheraton Hotel on March 27. The group’s possible connection to the LA Metro disruption remains unconfirmed but reflects a willingness to target high-profile municipal infrastructure.

Medusa continued pressing its dual claims against UMMC ($800,000 ransom, 1 TB data) and Passaic County, New Jersey ($800,000 ransom), both of which had been posted earlier in March. The FBI, CISA, and MS-ISAC had previously issued a joint #StopRansomware advisory warning that Medusa had impacted over 300 critical infrastructure organisations.

ALP-001 emerged as a new threat actor of concern with its March 26 claim against JAXA. The group is believed to be an initial access broker transitioning into direct extortion. If the 6.9 TB exfiltration claim is genuine, it would represent one of the largest government data thefts of the year.

Interlock continued exploiting CVE-2026-20131, a critical Cisco Secure Firewall Management Center zero-day (CVSS 10.0) that the group had been leveraging since January 26 — 36 days before Cisco’s March 4 disclosure. Amazon threat intelligence confirmed active exploitation and CISA added the CVE to its Known Exploited Vulnerabilities catalog, ordering federal agencies to patch by March 22.

Bearlyfy/Labubu was publicly attributed by The Hacker News on March 27 for over 70 attacks against Russian companies using custom GenieLocker ransomware, representing the most significant pro-Ukrainian ransomware operation documented to date.


6. KEY TAKEAWAYS

The dual breaches of the European Commission and Dutch Ministry of Finance in the same week underscore the escalating threat to government cloud infrastructure. The European Commission breach — targeting its AWS-hosted web platform rather than internal systems — illustrates how third-party cloud environments create attack surfaces that traditional perimeter defences may not cover. Organisations should audit cloud configurations against baseline security frameworks and implement cloud-native detection capabilities that can identify anomalous access patterns before data exfiltration occurs.

Foster City’s state of emergency declaration highlights the disproportionate impact of ransomware on small and mid-sized municipalities. A city of 34,000 residents saw all non-emergency services paralysed for over a week, requiring emergency financial support from external agencies. The incident reinforces the need for municipal governments to maintain offline backup systems and incident response plans that can sustain essential services during extended IT outages.

Qilin’s fourteen-victim batch posting on March 26 demonstrates the group’s industrial-scale operations, with simultaneous claims across six countries, four continents, and sectors ranging from healthcare to tribal government. Defenders should treat Qilin’s public posting dates as lagging indicators — actual compromises likely occurred days or weeks earlier — and prioritise threat intelligence sharing across sectors to identify common initial access vectors.

The JAXA claim by ALP-001, even if partially exaggerated, signals that aerospace and defence agencies remain high-value targets. Japan has faced repeated cyber intrusions against JAXA in recent years, and the emergence of new extortion-focused actors with potential initial access broker backgrounds suggests the market for government-level access is expanding.

The Interlock group’s exploitation of CVE-2026-20131 for 36 days before disclosure is a stark reminder that ransomware operators invest heavily in zero-day capabilities. Organisations running Cisco FMC should verify patching compliance immediately, as CISA’s March 22 federal deadline has passed and unpatched systems remain at acute risk.

