The Month in Numbers

These three numbers tell the story of March faster than anything else:

790 ransomware victims confirmed in March 2026 alone
10.0 CVSS score on a Cisco firewall vulnerability — the maximum possible
5 major data breaches reported across well-known organizations

Manufacturing was the most targeted sector. The United States was the most targeted country. These aren't statistics about enterprise companies in Silicon Valley — they're about the kinds of organizations that look a lot like businesses right here in Cincinnati.

The Ransomware Landscape

The top ten ransomware groups by victim count in March were led by Qilin (136 victims), Akira (75), and Nightspire (66). These aren't new names — they're established criminal operations running ransomware-as-a-service programs, where affiliates pay to use their tooling and infrastructure in exchange for a cut of the ransom.

What's new — and worth paying attention to — is a group called Vect. They launched their affiliate recruitment program in late December 2025 and moved into active attacks almost immediately. By March they already had 21 confirmed company victims listed on their leak site with 15 more negotiations in progress.

What Makes Vect Different

Most ransomware groups build their tools from leaked source code of older malware families. Vect claims to have built their ransomware independently in C++, designed for Windows, Linux, and VMware ESXi environments. They also use the full double-extortion playbook: encrypt your files, steal your data, publish it publicly if you don't pay. In March they publicly announced a partnership with BreachForums — one of the largest criminal communities on the internet — and with TeamPCP, the group behind a series of supply chain attacks in March. Whether those partnerships are as significant as advertised or mostly marketing, the intent to scale quickly is clear.

What does Vect actually do once it's inside a network? The technical analysis is detailed, but the short version for a business owner: it disables your antivirus, deletes your Windows backup copies, locks every file it can reach, drops a ransom note in every folder, and then removes itself from the system to make forensic investigation harder. If you don't have immutable off-site backups that ransomware can't reach, your recovery options are limited to paying or starting over.
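An added detection example, not code from the threat report or from any vendor: it scans constructed process-creation events (the shape of Sysmon Event ID 1 or Windows Security 4688 records) for the shadow-copy deletion and antivirus tampering described above, and flags hosts where both appear together. Hostnames, user names and command lines are all constructed, and the rule set also covers backup-catalog deletion, which the paragraph does not mention.

```python
import re

# Process-creation events in the shape a parsed Sysmon Event ID 1 or Windows
# Security 4688 record would give. All four records are constructed for this example.
SAMPLE_EVENTS = [
    {"host": "WS-ACCT-07", "user": "CORP\\jsmith", "parent": "explorer.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"host": "WS-ACCT-07", "user": "CORP\\jsmith", "parent": "cmd.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"host": "SRV-FILE-01", "user": "NT AUTHORITY\\SYSTEM", "parent": "services.exe",
     "cmdline": "vssadmin list shadows"},
    {"host": "WS-ACCT-07", "user": "CORP\\jsmith", "parent": "cmd.exe",
     "cmdline": "powershell -c Set-MpPreference -DisableRealtimeMonitoring $true"},
]

# Each rule: (name, compiled pattern). Patterns are matched case-insensitively
# against the full command line, the same field a SIEM rule would inspect.
RULES = [
    ("shadow-copy-deletion", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("shadow-copy-deletion", re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("backup-catalog-deletion", re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b", re.I)),
    ("av-tampering", re.compile(r"Set-MpPreference\b.*-Disable\w*", re.I)),
]

def scan_events(events):
    """Return one alert per (event, rule) match. Benign administration such as
    'vssadmin list shadows' matches no rule and produces nothing."""
    alerts = []
    for ev in events:
        for name, pattern in RULES:
            if pattern.search(ev["cmdline"]):
                alerts.append({"rule": name, "host": ev["host"], "user": ev["user"],
                               "parent": ev["parent"], "cmdline": ev["cmdline"]})
    return alerts

def hosts_with_both(alerts):
    """Hosts where backup destruction and AV tampering both occurred: the
    combination described for Vect, worth treating as an active intrusion."""
    by_host = {}
    for a in alerts:
        by_host.setdefault(a["host"], set()).add(a["rule"])
    return sorted(h for h, rules in by_host.items()
                  if "av-tampering" in rules
                  and rules & {"shadow-copy-deletion", "backup-catalog-deletion"})

if __name__ == "__main__":
    found = scan_events(SAMPLE_EVENTS)
    print(found)
    print("hosts needing incident response:", hosts_with_both(found))
```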

Real Breaches That Happened in March

Five significant incidents made the threat intelligence summary this month. All five have lessons that apply to businesses of any size.

European Commission — AWS Cloud Breach (Severity: High)

The threat group ShinyHunters claimed to have stolen over 350GB of data from the Commission's cloud environment, including mail server data, databases, and confidential documents. The attack targeted cloud accounts, not on-premises infrastructure. Cloud environments are not automatically secure — they require the same discipline as any other system.

Nordstrom — Okta SSO & Salesforce Breach (Severity: High)

Attackers compromised Nordstrom's Okta single sign-on system, which gave them access to Salesforce Marketing Cloud. They used that access to send crypto scam emails to customers from Nordstrom's own legitimate email address. The attack wasn't sophisticated — it exploited a compromised identity layer. This is exactly what identity monitoring and MFA enforcement are designed to catch.

Starbucks — Partner Portal Credential Theft (Severity: High)

Attackers used fake sites impersonating Starbucks's internal Partner Central portal to steal employee login credentials. 889 employees were affected, with social security numbers, dates of birth, and financial information exposed. This is a phishing attack that bypassed the network entirely — it targeted human behavior, not technical vulnerabilities.

Stryker — 200,000 Devices Remotely Wiped (Severity: Critical)

This one deserves a closer look. The Handala hacktivist group compromised a Stryker administrator account, created a new Global Administrator account, and used Microsoft Intune to remotely wipe tens of thousands of devices. No ransomware. No malware. Just legitimate enterprise tools being used by someone who shouldn't have had access to them. The lesson: identity security and admin account monitoring matter as much as endpoint security.
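An added example of the admin account monitoring the paragraph calls for, not code from the report or from Microsoft: it walks simplified Entra ID audit-log entries and alerts on privileged role grants, raising severity when the same actor created the target account minutes earlier (the create-then-elevate sequence described for the Stryker incident). The log entries, account names and the simplified field names are constructed for this example.

```python
from datetime import datetime, timedelta

# Simplified Entra ID (Azure AD) audit-log entries, constructed for this example;
# the field names approximate the real log shape but are not its full schema.
AUDIT_LOG = [
    {"time": "2026-03-10T02:14:05Z", "actor": "it-admin@corp.example",
     "activity": "Add user", "target": "svc-mdm@corp.example"},
    {"time": "2026-03-10T02:15:40Z", "actor": "it-admin@corp.example",
     "activity": "Add member to role", "target": "svc-mdm@corp.example",
     "role": "Global Administrator"},
    {"time": "2026-03-10T11:00:00Z", "actor": "sec-admin@corp.example",
     "activity": "Add member to role", "target": "ops@corp.example",
     "role": "Intune Administrator"},
    {"time": "2026-03-10T09:30:00Z", "actor": "hr-admin@corp.example",
     "activity": "Add member to role", "target": "newhire@corp.example",
     "role": "Helpdesk Administrator"},
]

# Roles that can reach every device or every other admin; Intune Administrator
# is included because Intune was the wipe mechanism in the Stryker incident.
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator",
                    "Intune Administrator"}
WINDOW = timedelta(minutes=30)

def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def find_privileged_grants(log):
    """Alert on every grant of a role in PRIVILEGED_ROLES. Severity becomes
    'critical' when the granting actor also created the target account within
    WINDOW beforehand, i.e. a freshly minted account made an administrator."""
    created = {}   # target account -> (creating actor, creation time)
    alerts = []
    for e in sorted(log, key=lambda e: e["time"]):
        t = parse_time(e["time"])
        if e["activity"] == "Add user":
            created[e["target"]] = (e["actor"], t)
        elif e["activity"] == "Add member to role" and e.get("role") in PRIVILEGED_ROLES:
            severity = "high"
            who, when = created.get(e["target"], (None, None))
            if who == e["actor"] and t - when <= WINDOW:
                severity = "critical"
            alerts.append({"severity": severity, "actor": e["actor"], "target": e["target"],
                           "role": e["role"], "time": e["time"]})
    return alerts

if __name__ == "__main__":
    for alert in find_privileged_grants(AUDIT_LOG):
        print(alert)
```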

Vulnerabilities You Should Know About

The March vulnerability report covered ten high-severity CVEs. These are the ones most relevant to business environments:

| Vulnerability | What's Affected | Score |
|---|---|---|
| CVE-2026-20131 (Cisco Firewall RCE) | Cisco Secure Firewall Management Center — multiple versions. An unauthenticated remote attacker can execute code as root. | 10.0 |
| CVE-2026-3055 (Citrix NetScaler) | NetScaler appliances configured as identity providers. Actively exploited in the wild within days of disclosure. | 9.3 |
| CVE-2026-30903 (Zoom Workplace) | Zoom for Windows before version 6.6.0. Allows privilege escalation via network access without authentication. | 9.6 |
| CVE-2026-3564 (ScreenConnect) | Remote access tool versions before 26.1. Could allow unauthorized access including elevated privileges. | 9.0 |
| CVE-2026-3909 (Google Chrome) | Chrome before version 146.0.7680.75. Out-of-bounds memory write via crafted web page. | 8.8 |

What this list tells you: Three of the five vulnerabilities above affect tools that are common in business environments — Zoom, Chrome, and remote access software. If your devices aren't being patched automatically and consistently, you're carrying risk you probably don't know about. Automated patching is one of the most cost-effective security controls a business can have.

The Phishing Campaign That Almost Looked Real

The March report also detailed a phishing campaign targeting businesses in the medical sector. The attack arrived as an email that looked like a routine business inquiry — a company in Qatar requesting a quote, with a file attached called a "Bill of Quantities."

The attached file wasn't a document. It was a disguised executable that, when opened, silently installed credential-stealing software on the victim's computer. The malware — a variant called Phantom Stealer — then harvested saved passwords, cookies, and credit card data from over 80 different browsers including Chrome, Edge, Firefox, and Opera, and sent everything to an attacker-controlled server via Telegram.

The tell: The email came from a real address — but the domain wasn't affiliated with the company claimed in the email. This is the kind of thing phishing training catches. The technical controls would have caught the malware execution. Both layers matter.

What This Means for Your Business

Reading a threat intelligence report as a business owner can feel like watching weather data without a forecast. Here's the forecast:

Patch management matters more than ever. Three of the five critical vulnerabilities from March affect software that runs on everyday business computers — Zoom, Chrome, and remote access tools. If your devices aren't being patched automatically and monitored for compliance, you're carrying avoidable risk every day.

Backups only matter if ransomware can't reach them. Vect and other ransomware groups specifically look for and delete Windows Volume Shadow Copies — the built-in backup mechanism most businesses rely on. Immutable, off-site backups that are physically or cryptographically isolated from your network are the only reliable recovery path.

Identity is the new perimeter. The Stryker attack used no malware. The Nordstrom attack used legitimate email infrastructure. The Starbucks attack used fake login pages. All three exploited the identity layer — usernames, passwords, access tokens. MFA, credential monitoring, and anomaly detection on user accounts are no longer optional.

Phishing training has a direct ROI. The Phantom Stealer campaign would have been stopped at the human layer by a trained employee who recognized that the sender's domain didn't match the claimed company. Security awareness training is measurable, affordable, and effective.

Want to Know Where Your Gaps Are?

We can walk through your current setup and tell you honestly which of these threat vectors you're covered on — and which ones you're not. No pressure, no sales pitch. Just a straight conversation.