Ransomware gangs claimed over 400 victims in the first three months of 2026. State-sponsored hackers wiped a Fortune 500 company using its own IT tools. And a criminal phishing platform that law enforcement took down in early March was fully operational again within weeks (the audacity).
March was not a slow month. Here is everything that happened and what it means for your business.

The Biggest Story: Stryker
You already know this one if you read our last post, but it belongs in any March roundup. On March 11, Iran-linked hacktivist group Handala used a compromised Microsoft Intune admin account to remotely wipe devices across Stryker’s global workforce, affecting operations in 79 countries. They used no malware and no ransomware; just a stolen password and a legitimate IT tool turned into a weapon. The FBI seized Handala’s websites on March 19. CISA issued an advisory urging all organizations to lock down their device management platforms immediately.
The takeaway: your IT management tools are a target. If admin accounts are not protected with multi-factor authentication and approval workflows, you have the same exposure Stryker had.
The Breaches
1. University of Mississippi Medical Center: Ransomware, 1TB of Patient Data
The Medusa ransomware gang hit UMMC starting February 19, forcing the closure of 35 clinics across Mississippi, suspending elective surgeries and imaging appointments, and cutting off access to the hospital’s Epic electronic health record system for nine days. Staff reverted to handwritten charts (in 2026, at a major medical center). Some patients were diverted to other facilities entirely. Medusa posted UMMC to its dark web leak site on March 12, claiming to have stolen more than 1TB of data including patient health information and employee records, and demanding $800,000 in ransom.
How it happened: Ransomware targeting healthcare, the most attacked sector in the country, through what researchers believe was phishing-based credential access.
2. Passaic County, NJ: Government Systems Down, 600,000 Residents Affected
Medusa struck again on March 17, this time hitting Passaic County’s local government systems, disrupting phone lines and IT infrastructure serving nearly 600,000 residents and demanding the same $800,000 ransom. Public sector organizations remain one of ransomware’s most consistent targets because they hold sensitive data, operate on tight budgets, and often run legacy systems that are years overdue for updates (but hey, the budget meeting is next quarter).
How it happened: Medusa operates a ransomware-as-a-service model, meaning it is not one group but many affiliates using the same criminal toolkit. It claimed over 400 victims in 2026 alone before this attack.
3. Marquis: 672,000 People, 74 Banks Disrupted
A Texas-based financial services provider revealed this month that a ransomware attack from August 2025 had stolen data belonging to over 670,000 individuals and disrupted operations at 74 banks across the United States. It took seven months to disclose. That delay is its own problem, since breach victims had no idea their information was circulating for the better part of a year (and attackers absolutely did).
How it happened: Third-party financial infrastructure breach with cascading downstream impact across dozens of institutions.
4. Aura: 900,000 Records, via Vishing
Here is the irony of the month: Aura, a company that sells identity theft protection to consumers (let that sink in), confirmed a breach after one of its own employees fell for a voice phishing attack. A caller impersonated a trusted contact, convinced the employee to hand over access, and walked out with names, email addresses, home addresses, and phone numbers for roughly 900,000 people. Aura claims only about 35,000 were actual customers, but that does not make the lesson any less pointed.
How it happened: Vishing, which is voice phishing over the phone. No malware, no hacking; just a convincing phone call. AI is making these calls harder to detect by the day.
5. Tax Season Malvertising Campaign: Targeting Businesses Searching for IRS Forms
The Hacker News reported that a large-scale malvertising campaign active since January 2026 has been specifically targeting U.S. individuals and businesses searching for tax-related documents. Attackers are using Google Ads to serve fake installers that deploy a tool designed to disable endpoint security software before deeper compromise. Over 60 confirmed malicious sessions were identified. With April 15 approaching, this campaign is still active.
How it happened: Malicious Google Ads impersonating legitimate tax software downloads. If your team is downloading anything tax-related right now, make sure it is coming directly from the IRS website or your accountant, not a Google ad (which, to be fair, looks exactly like a real result).
The One Bright Spot (Sort Of)
On March 4, a coordinated international operation involving Microsoft, Europol, Proofpoint, Cloudflare, and law enforcement across multiple countries took down Tycoon 2FA, a phishing-as-a-service platform that had been used to bypass Microsoft 365 and Gmail multi-factor authentication for thousands of organizations. In February 2026 alone, it generated over three million malicious messages.
The catch: within weeks of the takedown, Tycoon 2FA was already back online and operating at full capacity. Takedowns slow these platforms down, but they rarely stop them.
What March Is Telling Us
Looking at the month as a whole, a few patterns are hard to ignore.
Healthcare and government are still the most targeted sectors, and they are still the least prepared. Ransomware gangs like Medusa are not slowing down; they are getting more organized. And the most damaging attacks of the month did not require sophisticated exploits. They required a phishing email, a convincing phone call, or a stolen admin password.
The businesses that did not make headlines this month were not lucky. They had MFA enforced, they trained their employees, and they knew what was running on their networks.
Ask yourself the same three questions we asked after February:
- Is MFA enforced on every account your team accesses?
- When did you last audit your vendors and third-party tools?
- Would you know if someone was inside your systems right now?
If any answer is no, March just showed you exactly what that costs.
The businesses that don’t get breached are not lucky; they are prepared.
If you are not sure where your gaps are, that is exactly what we are here for.
Published: Mar 31, 2026