Ransomware summary week 14, 2026

Qilin dominated week 14 with attacks on US government targets including Georgia’s State Road and Tollway Authority, Arkansas’s Faulkner County Sheriff’s Office, and Indiana’s Jackson County Sheriff’s Office, while DragonForce struck Berlin’s Fernheizwerk Neukölln district heating provider, ShinyHunters published 350 GB of European Commission data and attempted to extort Cisco, and a new criminal marketplace called Leak Bazaar emerged to monetize ransomware-stolen data at industrial scale.
Published April 4, 2026

Executive Summary

The week of March 27 – April 3, 2026, saw Qilin continue its record-breaking campaign with fresh claims against US government agencies, European non-profits, and a Canadian broadcaster, while DragonForce extended its reach into European critical infrastructure by targeting a Berlin district heating provider. ShinyHunters published over 350 GB of data stolen from the European Commission’s AWS cloud infrastructure on March 28 and followed up with an extortion demand against Cisco on March 31, while the Dutch Ministry of Finance continued investigating a separate breach disclosed earlier in the week. In the United States, Qilin posted the Georgia State Road and Tollway Authority and the Faulkner County Sheriff’s Office in Arkansas within 24 hours of each other, a ransomware attack on Jackson County, Indiana’s sheriff’s office left the department “rebuilding from ground zero,” and the Minot, North Dakota water treatment ransomware attack drew national attention after FBI confirmation. A significant ecosystem development emerged on March 25 when a threat actor launched Leak Bazaar, a new criminal marketplace designed to process and monetize the massive data dumps that ransomware groups exfiltrate — effectively turning raw stolen data into structured, searchable intelligence products for sale.

Key Statistics:

  • Global: March 2026 closed with 780–808 victims claimed by 65 ransomware groups, a 13% increase over February; Qilin led with 131–140 claims for the month; utility sector attacks surged 630% from February to March
  • Europe: 12+ incidents — ShinyHunters published 350 GB of European Commission data; Dutch Ministry of Finance intrusion; Port of Vigo (Spain) forced to manual operations; DragonForce hit Fernheizwerk Neukölln (Berlin district heating) and Fountain (Belgium); Qilin claimed Die Linke and Jursaconsulting (Germany), ASB Saarland (Germany); Akira targeted BHS Bau (Germany); TheGentlemen claimed Groupe Courtois Automobiles (France)
  • Asia: 3+ incidents — ALP-001 claimed JAXA (Japan, 6.9 TB); Qilin listed Kerjaya Prospek Group (Malaysia); DragonForce claimed Kalima Resort (Thailand)
  • US: 15+ incidents — Qilin claimed State Road and Tollway Authority (Georgia), Faulkner County Sheriff’s Office (Arkansas), Neurologic Associates of Central Brevard (Florida), and AMHC mental health centre (Maine); Jackson County Sheriff’s Office (Indiana) crippled by ransomware; ShinyHunters extorted Cisco and breached Infinite Campus; Minot ND water treatment ransomware confirmed by FBI; Foster City state of emergency ongoing; DragonForce hit Klean Kanteen and Elara Engineering; Akira posted Sheladia Associates and four other firms; SafePay/Conduent breach notifications reached 25 million individuals
  • Other: XP95 hit Statistics South Africa (154 GB HR data); Qilin claimed CHEK News (Canada); DragonForce hit STS Travel (Mexico) and Bunch Ltd. (Canada); Leak Bazaar criminal marketplace launched; Bearlyfy/GenieLocker campaign against 70+ Russian firms publicly attributed

1. EUROPE

1.1 Government

The European Commission confirmed on March 27 that a cyberattack had struck its Amazon Web Services cloud infrastructure hosting the Europa.eu web platform. The breach was detected on March 24 and quickly contained, according to Commission officials, who stressed that internal systems were not affected. On March 28, the ShinyHunters group published over 350 GB of stolen data on the dark web, including employee databases and email server contents affecting data from more than 30 EU entities. The initial access vector was subsequently confirmed as a Trivy supply-chain compromise, and CERT-EU published security recommendations on April 3. The incident highlights how third-party cloud environments and supply-chain dependencies create attack surfaces that even supranational institutions struggle to defend.

The Dutch Ministry of Finance continued its investigation into a breach disclosed on March 25, which had been detected the previous week after a third party flagged suspicious activity on March 19. The ministry took affected systems offline and restricted employee access. Systems managing tax collection, import/export regulations, and income-linked subsidies — handling over 9.5 million annual tax returns — remained unaffected. No threat group has claimed responsibility, and whether sensitive data was exfiltrated remains undetermined.

1.2 Health, Municipalities & Non-commercial

Qilin claimed ASB Saarland (Arbeiter-Samariter-Bund Saarland), a prominent German humanitarian aid and social welfare non-profit. The group posted an extortion notice indicating that sensitive data would be leaked unless negotiations were initiated. The ASB Saarland attack was part of a broader wave of Qilin activity against German non-commercial organisations during the period, with Suchthilfe direkt Essen gGmbH, an addiction support services provider, also appearing on Qilin’s leak site. These attacks against charitable and social welfare organisations underscore the group’s indiscriminate targeting model — entities with limited IT budgets and high sensitivity around client data make particularly vulnerable victims.

XP95, a new ransomware entrant, also hit Eholo Health, a Spanish provider of clinical-management software for psychologists, around March 30. XP95 claims to have exfiltrated approximately 165 GB, including over 1.1 million clinical notes and data on more than 600,000 users. Eholo Health allegedly refused a $300,000 ransom demand, after which XP95 released the data publicly. The compromise of a platform holding psychotherapy records is a particularly egregious breach of patient trust.

1.3 Business

Qilin listed Die Linke, the German left-wing political party, and Jursaconsulting, a German consulting firm, in early April postings that formed part of a multi-country batch alongside Canadian and US targets. The targeting of a major German political party is notable, as party infrastructure typically holds member databases, donor information, internal strategy documents, and constituent communications — data with both extortion and intelligence value.

DragonForce claimed Fernheizwerk Neukölln GmbH on April 2, a district heating provider in Berlin. While heating supplies to Neukölln’s residential customers were not disrupted, accounting and internal communications systems were impacted. The attack comes amid the 630% surge in utility-sector ransomware attacks from February to March 2026 documented by BlackFog, and represents DragonForce’s continued expansion into European energy infrastructure. DragonForce also listed Fountain on April 1, a Belgian drinks vending and water cooler services company, extending its European business targeting.

Akira listed BHS Bau- und Handelsgruppe GmbH & Co. KG on March 27, a Dresden-based German construction conglomerate with operations spanning building materials extraction, asphalt production, and civil engineering. The leak post indicated that corporate financial data, employee records, and project documentation had been exfiltrated.

TheGentlemen claimed Groupe Courtois Automobiles on March 27, a French Honda automotive dealership group with locations across the Île-de-France region. The attackers allege 13.15 GB of data was exfiltrated, threatening to publish unless negotiations commence.

Play ransomware posted a ten-victim batch on March 30 that included three UK firms: Witt UK Group (industrial manufacturing), Specflue (chimney and flue specialist), and Kivells (agricultural auctioneers), alongside Lucky Look in Germany and several US businesses. The coordinated batch posting continues Play’s pattern of simultaneous multi-victim disclosures.

Separately, the Port of Vigo in Spain — Europe’s largest fishing port, handling over EUR 3 billion in annual revenue — detected a ransomware attack at 05:45 on March 24, with disruptions continuing through the reporting period. Digital cargo management systems were taken offline, forcing port operations to revert to manual procedures and paper documentation. A ransom was demanded, though port authorities have not disclosed the amount. No timeline for full digital recovery has been provided, and the attack highlights the vulnerability of maritime logistics infrastructure to ransomware-driven operational disruption.


2. ASIA

2.1 Government

ALP-001, a relatively new threat actor believed to be an initial access broker transitioning into extortion, publicly claimed a breach of the Japan Aerospace Exploration Agency (JAXA) on March 26, alleging the exfiltration of 6.9 TB of data and setting an April 5 deadline for negotiations. Given JAXA’s role in satellite technology, space exploration, and national defence, any confirmed compromise would carry significant implications for Japan’s security posture. Japan has faced repeated intrusions against JAXA in recent years, though security researchers caution that there is currently no independent confirmation of the claimed data volume.

2.2 Health, Municipalities & Non-commercial

No incidents reported this week.

2.3 Business

Qilin listed Kerjaya Prospek Group on March 27, a major Malaysian construction company with a market capitalisation exceeding MYR 3 billion. This marks the third consecutive month in which Qilin has targeted Malaysian firms, following Golden Clay Industries and the disputed Malaysia Airlines claim in earlier weeks; ransomware.live’s tracker now lists over 106 victims in Malaysia.

DragonForce claimed Kalima Resort & Spa in Phuket, Thailand, a five-star luxury resort, in late March. The attack reflects DragonForce’s increasingly eclectic victim selection, ranging from craft breweries to energy cooperatives to hospitality in recent weeks.


3. UNITED STATES

3.1 Government

Qilin claimed the State Road and Tollway Authority (SRTA) on April 1, a Georgia state agency responsible for operating the Peach Pass electronic toll collection system and managing toll revenue bonds for the state’s transportation infrastructure. The listing appeared on Qilin’s leak site without specific details on the scope of compromise or a stated ransom amount, though the targeting of a state-level transportation authority managing financial transactions across Georgia’s highway network raises concerns about the potential exposure of toll account holder data.

The following day, Qilin listed the Faulkner County Sheriff’s Office in Conway, Arkansas, issuing a warning that sensitive law enforcement data would be released unless demands were met. The attack on a county sheriff’s office — holding arrest records, investigation files, evidence databases, and officer personal information — illustrates the acute risk that ransomware poses to local law enforcement, where both operational continuity and data confidentiality carry direct public safety implications.

The Jackson County Sheriff’s Office in Brownstown, Indiana, disclosed on March 27 that a ransomware attack had crippled its IT systems, leaving the department “rebuilding from ground zero.” The FBI and DHS are investigating the incident, which originated from a malicious email. By March 30, the office was still without its primary computer systems, relying on manual processes for dispatch, records, and jail management. No ransomware group has publicly claimed the attack.

Foster City, California, remained under a state of emergency through the reporting period, now entering its second week since the March 19 ransomware attack paralysed nearly all municipal computer systems. The city council’s 4–0 emergency declaration on March 24 unlocked supplementary financial support from outside agencies. As of April 3, recovery efforts continued with no ransomware group having publicly claimed the incident.

3.2 Health, Municipalities & Non-commercial

Qilin listed Neurologic Associates of Central Brevard on April 1, a Florida-based neurology practice. The posting on the group’s leak site suggests patient medical records, diagnostic data, and personal health information may be at risk. In Maine, Qilin claimed Aroostook Mental Health Center (AMHC) during the week, a critical rural mental health provider serving one of the most underserved regions in the northeastern United States. The targeting of both a neurology practice and a mental health centre within the same week reflects the severe consequences of Qilin’s indiscriminate model for patients who depend on uninterrupted access to specialist care.

The ransomware attack on the City of Minot, North Dakota’s water treatment plant drew FBI confirmation during the week. The attack, initially discovered on March 14 when staff found a ransom note on a SCADA-connected server, forced 16 hours of manual operations, with staff conducting frequent on-location checks of water gauges to maintain safe service for the city’s approximately 50,000 residents. Minot officials never communicated with the attackers and did not pay any ransom. The delayed public disclosure — roughly two weeks after the incident — has drawn scrutiny, but the city’s rapid switch to manual operations is being cited by cybersecurity experts as a model response for small municipal utilities.

Conduent Incorporated, a government services contractor whose systems handle Medicaid, SNAP, and other benefit programmes for more than 30 states, continued issuing breach notification letters during the week. The SafePay ransomware group had spent three months inside Conduent’s network, exfiltrating 8.5 TB of data affecting over 25 million Americans, including Social Security numbers, medical records, and health insurance details. Oregon (10.5 million) and Texas (15.4 million) account for the bulk of the reported totals; note that the per-state figures as reported sum to more than the 25 million headline number, so the counts likely overlap. The incident is potentially the largest government-related data breach in US history.

3.3 Business

ShinyHunters posted an extortion demand against Cisco on March 31, claiming stolen Salesforce data and setting an April 3 deadline. The group leveraged a Salesforce Aura vulnerability to access customer and partner records, following the same steal-and-extort pattern as its European Commission operation, though via a different access vector. The same group also breached Infinite Campus, a K-12 student information system used by thousands of US school districts, with stolen data published on March 28.

DragonForce claimed Klean Kanteen on April 2, the well-known US consumer products manufacturer, and Elara Engineering on April 1, an Illinois-based consulting engineering firm. On April 3, the group listed Asmar Schor & McKenna, a construction law firm, continuing its pattern of targeting mid-sized American companies across diverse sectors.

The Everest ransomware group reached its April 3 deadline for Nissan North America, after claiming 910 GB of customer, dealership, and loan data stolen from a file transfer system used by Nissan and Infiniti dealerships. Everest published negotiation logs showing the initial breach occurred in January 2026 via unrotated, publicly exposed credentials. The incident underscores how third-party file transfer systems and basic credential hygiene failures continue to provide ransomware groups with low-effort initial access to high-value corporate networks.

Akira posted multiple US businesses on March 27, including Sheladia Associates, a multidisciplinary infrastructure development consultancy with projects in transportation, water, sanitation, and energy sectors. The leak post referenced employee personal documents, medical information, financial records, contracts, and NDAs. Other Akira victims in the same batch included Frontier Technologies, GeoMechanics Technologies, Axiomatic Technologies Corporation, and Quality Carton and Converting — a cluster of engineering, technology, and manufacturing firms that reflects Akira’s continued focus on professional services and industrial targets.


4. REST OF WORLD

4.1 Government

Statistics South Africa (Stats SA) confirmed on March 30 that a new ransomware group called XP95 had exfiltrated 453,362 files (154 GB) from an HR database used by job seekers. The group demanded $100,000 with an April 20 deadline. Stats SA stated it will not pay the ransom. XP95, which emerged in March 2026 with a retro Windows XP/95-themed interface, had previously claimed a breach of the Gauteng Provincial Government (3.8 TB, 3.6 million files), signalling a sustained campaign against South African government institutions.

4.2 Health, Municipalities & Non-commercial

Qilin claimed CHEK News in early April, an independent television broadcasting station serving British Columbia, Canada. CHEK is the sole remaining locally-owned conventional television station in Western Canada, and the compromise of a news organisation raises distinct concerns around source protection, unpublished journalistic material, and the potential chilling effect on press freedom. The attack was posted alongside the Die Linke, Jursaconsulting, and Neurologic Associates victims in a single multi-country batch.

4.3 Business

DragonForce claimed STS Travel on March 27, a travel service provider based in Mexico, threatening to release sensitive data unless its demands are met. The group also listed Bunch Ltd. on April 2, a Canadian oil and gas contractor, extending DragonForce’s energy-sector targeting into North America.

The Bearlyfy pro-Ukrainian hacktivist group was publicly attributed on March 27 for attacks against over 70 Russian companies since January 2025 using a custom Windows ransomware strain called GenieLocker, inspired by the Venus/Trinity families. Unlike traditional ransomware operations, Bearlyfy often manually crafts ransom notes — some mocking victims — and operates as a dual-purpose group combining financial extortion with ideological sabotage. GenieLocker’s active deployment since early March 2026 marks a notable escalation in the Russia–Ukraine cyber dimension and represents the most significant pro-Ukrainian ransomware operation documented to date.


5. THREAT ACTOR ACTIVITY

Qilin continued its industrial-scale campaign, posting victims across Europe, Asia and North America during the week. The group’s targeting of the Georgia State Road and Tollway Authority and Faulkner County Sheriff’s Office within 24 hours signals a sustained focus on US government entities, while Die Linke (German political party), ASB Saarland (German non-profit), CHEK News (Canadian media), and Neurologic Associates (US healthcare) demonstrate the breadth of its indiscriminate model. Having claimed 131–140 victims in March alone — its highest single month ever and its third consecutive month above 100 — Qilin now far outpaces every other ransomware operation in volume. On the technical front, researchers documented on April 2 that Qilin is deploying a malicious DLL carrying the file name msimg32.dll (the name of a legitimate Windows GDI library, and a common choice for DLL side-loading) that is capable of disabling over 300 EDR drivers from virtually every major security vendor, representing a significant investment in defence evasion capabilities.
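One practical check defenders can run against the msimg32.dll tooling described above is to look for that file name being loaded from anywhere other than the Windows system directories. The following is an added example written for this summary, not code from the page or from the researchers it cites; it assumes the DLL is introduced by side-loading or search-order hijacking (a common delivery route for a file with this name, but not something the page states), that Sysmon Event ID 7 (ImageLoaded) telemetry is available, and that Windows is installed under C:\Windows. The sample events are constructed for illustration.

```python
"""
Flag loads of msimg32.dll from outside the Windows system directories.

Added example (not from the original page): walks a list of records shaped
like Sysmon Event ID 7 (ImageLoaded) events and reports every process that
loaded a file named msimg32.dll from a directory other than System32 or
SysWOW64. Assumption: the DLL is delivered by side-loading / search-order
hijacking, which the page does not itself state.
"""
from pathlib import PureWindowsPath

# Constructed sample telemetry using real Sysmon Event ID 7 field names
# (Image = loading process, ImageLoaded = DLL path, Signed = Sysmon's
# signature verdict). None of these paths come from real incidents.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\msimg32.dll", "Signed": "true"},
    {"EventID": 7, "Image": r"C:\Users\Public\Downloads\viewer.exe",
     "ImageLoaded": r"C:\Users\Public\Downloads\msimg32.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Program Files (x86)\Tool\tool.exe",
     "ImageLoaded": r"C:\Windows\SysWOW64\MSIMG32.DLL", "Signed": "true"},
    # Signed != unsigned-by-Microsoft: a valid signature from some other
    # publisher is still suspicious for a file using a Windows library name.
    {"EventID": 7, "Image": r"C:\Temp\svc.exe",
     "ImageLoaded": r"C:\Temp\msimg32.dll", "Signed": "true"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe"},  # not an image-load event
]

# Assumed system root; on a real host derive this from %SystemRoot%.
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
WATCHED_DLLS = {"msimg32.dll"}


def is_suspicious_load(event: dict) -> bool:
    """True when an Event ID 7 record loads a watched DLL from an untrusted directory."""
    if event.get("EventID") != 7:
        return False
    loaded = PureWindowsPath(event.get("ImageLoaded", ""))
    if loaded.name.lower() not in WATCHED_DLLS:
        return False
    # Compare the parent directory case-insensitively; NTFS paths are case-insensitive.
    return str(loaded.parent).lower() not in TRUSTED_DIRS


def find_sideload_candidates(events: list[dict]) -> list[dict]:
    """Return the process/DLL/signature triples worth triaging."""
    return [
        {"Image": e["Image"], "ImageLoaded": e["ImageLoaded"], "Signed": e.get("Signed")}
        for e in events
        if is_suspicious_load(e)
    ]


if __name__ == "__main__":
    for hit in find_sideload_candidates(SAMPLE_EVENTS):
        print(f"{hit['Image']} loaded {hit['ImageLoaded']} (Signed={hit['Signed']})")
```

The signature field is deliberately reported rather than used to suppress a hit: a file carrying a Windows library name but loaded from a user-writable directory deserves a look whether or not it is signed, and a follow-up step would compare the loaded file's hash and signer against the genuine Microsoft-signed copy in System32.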

Play posted a coordinated ten-victim batch on March 30 spanning three UK firms (Witt UK Group, Specflue, Kivells), Lucky Look (Germany), and multiple US businesses, maintaining its position as a consistently active operation with a preference for simultaneous disclosures.

DragonForce had an exceptionally active week, posting at least eight new victims including Fernheizwerk Neukölln (Berlin district heating), Klean Kanteen (US consumer products), Elara Engineering (US), Asmar Schor & McKenna (US construction law), Fountain (Belgium), Bunch Ltd. (Canada oil and gas), Kalima Resort (Thailand), and STS Travel (Mexico). The group’s victim profile now spans energy, hospitality, consumer products, legal, and travel sectors across Europe, Asia and North America, and its cartel-model RaaS platform exceeds 400 known victims.

ShinyHunters emerged as the week’s most impactful data breach actor, publishing over 350 GB of European Commission data on March 28 after exploiting a Trivy supply-chain compromise, then posting an extortion demand against Cisco on March 31 using a Salesforce Aura vulnerability. The group also breached Infinite Campus, a K-12 student information system. While ShinyHunters operates primarily as a data theft and extortion group rather than a traditional encryption-based ransomware operation, its multi-target campaign this week demonstrates the convergence of breach-and-extort tactics with the ransomware ecosystem.

Akira maintained its focus on professional services and construction, posting BHS Bau (Germany) and five US firms including Sheladia Associates on March 27. The group’s consistent targeting of engineering and infrastructure consultancies suggests deliberate selection of organisations holding sensitive project documentation and government contracts.

ALP-001 emerged as a threat actor of significant concern with its March 26 claim against JAXA (6.9 TB alleged). The group is believed to be an initial access broker transitioning into direct extortion, and if the exfiltration claim is genuine, it would represent one of the largest government data thefts of the year.

Leak Bazaar, a new criminal service launched on March 25 by a threat actor known as Snow (SnowTeam), represents a structural innovation in the ransomware ecosystem. The platform processes the massive, disorganised data dumps that ransomware groups exfiltrate and transforms them into structured, searchable intelligence products for sale — effectively an e-discovery service for stolen data. Operating on a 70/30 revenue split (70% to data suppliers), Leak Bazaar offers buyers exclusive or multi-buyer purchase options, turning single breaches into recurring revenue streams. This commoditisation of stolen data creates additional post-breach monetisation pressure on victims and enables follow-on crimes including fraud, business email compromise, and individual extortion.


6. KEY TAKEAWAYS

The European Commission cloud breach and Dutch Ministry of Finance intrusion, both confirmed during this reporting period, underscore the escalating threat to government cloud and administrative infrastructure. The Commission breach targeted AWS-hosted systems rather than internal networks, illustrating how third-party cloud environments create attack surfaces that traditional perimeter defences cannot cover. Organisations should audit cloud configurations against baseline security frameworks and implement cloud-native anomaly detection.

Qilin’s simultaneous targeting of a state tollway authority, a county sheriff’s office, a political party, humanitarian non-profits, a neurology practice, and a television station within a single week demonstrates that the group has effectively industrialised ransomware operations. With three consecutive months above 100 victims, Qilin’s scale now resembles automated mass exploitation rather than targeted campaigns, and defenders across all sectors should treat Qilin threat intelligence as universally relevant.

The 630% surge in utility-sector ransomware attacks from February to March 2026, punctuated by DragonForce’s Fernheizwerk Neukölln attack and the Minot water treatment incident, confirms that critical infrastructure targeting has moved from an occasional headline to a persistent operational reality. Municipal utilities with limited IT staff and aging SCADA infrastructure remain acutely vulnerable, and the Minot response — rapid manual operations fallback, refusal to communicate with attackers — should be studied as a model for comparable facilities.

The emergence of Leak Bazaar fundamentally changes the economics of post-breach data monetisation. By transforming raw data dumps into searchable intelligence products, the platform extends the revenue lifecycle of ransomware attacks well beyond the initial extortion window. Victim organisations that refuse to pay ransoms — the correct decision from a policy standpoint — should now assume their stolen data will be processed, structured, and resold to multiple buyers over an extended period, requiring sustained monitoring for follow-on fraud and individual extortion attempts.

