
March 2026 saw a massive influx of cybersecurity news, with a significant wave of ransomware and other malware attacks carried out by threat actors tied to North Korea, Russia and the Islamic Republic of Iran, potentially in concert with the ongoing conflict between the latter and the U.S. While different law enforcement agencies have taken action to counter some of these, the fallout from the attacks is still ongoing, and your business should remain wary of the increased cyber risk going into April and the rest of 2026.
SWK Technologies has put together this month’s Cybersecurity News Recap to help your business keep track of the biggest threats and what they mean for your security posture:
Medusa Gang Attacks NJ Passaic County and Mississippi Hospital
The Medusa ransomware gang claimed credit for two high-profile attacks in March 2026, targeting the University of Mississippi Medical Center (UMMC) and Passaic County of New Jersey’s local government systems. The UMMC breach began February 19 and forced the closure of 35 clinics across the state, suspended elective surgeries and imaging appointments, and cut off access to the hospital’s Epic electronic health record system for nine days. Staff reportedly reverted to handwritten charts and some patients were diverted to other facilities.
Medusa added UMMC to its dark web leak site on March 12, claiming to have exfiltrated more than 1 TB of data including patient health information and employee records, and demanding $800,000 in ransom. Medusa also claimed a separate attack on Passaic County on March 17, demanding the same amount and disrupting phone lines and IT systems serving nearly 600,000 residents.
Operating a ransomware-as-a-service (RaaS) model, the group remains active and has a history of targeting critical infrastructure organizations from healthcare to the public sector. Medusa has already claimed various other victims in 2026, including Frauenshuh Commercial Real Estate, Acme Truck Line, Bell Ambulance, Grandview Family Medicine and many more. The gang seemingly became more active last year in the wake of international law enforcement actions that took down several of the leading ransomware groups.
Medtech Vendor Stryker Hit by Pro-Iran Hackers
The Iran-linked hacktivist group Handala claimed responsibility for a destructive cyber attack against medical technology manufacturer Stryker on March 11, framing the attack as retaliation for a U.S. airstrike on a school in Iran. The attackers, suspected to be linked to Iran’s Ministry of Intelligence and Security (MOIS), appear to have gained access to a Microsoft Intune device management console using compromised administrator credentials – potentially obtained through infostealer malware – then issued a remote wipe command that affected more than 200,000 devices across 79 countries.
Stryker said it had confirmed that the disruption was confined to its Microsoft environment, found no evidence of ransomware or malware deployed on its systems, and stated that Internet-connected medical products remained safe to use. As of March 15, 2026, the company was actively restoring impacted systems, with priority given to those supporting orders and shipping. The FBI and CISA actively engaged with Stryker during the investigation, and the former announced on March 19 that it had seized Handala’s data leak website, among several other domains tied to the group (more on this below).
Named after a cartoon character drawn by a Palestinian artist, the Handala group emerged in 2023, claiming to be a pro-Palestinian hacktivist collective retaliating against Israel for its operations in Gaza at the time. Though they have claimed credit for multiple attacks against targets within the Israeli government and private sectors, the March 11 incident appears to be their first major attack against an American target.
Qilin Hits Texas Construction Firm and Puerto Rico Food Processor
The Qilin ransomware gang claimed responsibility for multiple new attacks on March 18, 2026, including:
- L.H. Lacy, a large Texas-based contractor serving the construction industry
- Productos La Aguadillana, a food and beverage processor in Puerto Rico
- Jacob & Sons, a retailer based in Pennsylvania
- BTX Global Logistics, a logistics service provider headquartered in Connecticut
All of the victims were hit with double extortion – wherein data is first stolen and then threatened to be leaked if a ransom payment is not received – which is typical of Qilin’s M.O.
The group had already claimed more than 400 victims in 2026 at the time of this writing, continuing a surge that saw it list over 1,000 victims in 2025 and emerge as the most active ransomware gang of the year. Other high-profile attacks it has claimed include breaches against the LISI Group of France, Nissan, Tulsa International Airport, the Tennessee Valley Electric Cooperative and the Church of Scientology, all within a six-month period. First observed in 2022, Qilin operates a RaaS model, is suspected to be linked to Russia, and consistently targets industries where data sensitivity and operational disruption increase pressure on victims to pay.
U.S. DOJ Claims Seizure of 4 Domains Linked to Iranian Hackers
The Department of Justice announced on March 19 the court-authorized seizure of four Internet domains operated by Iran’s MOIS, including two tied to the Handala hacker persona that claimed responsibility for the Stryker attack. The seized domains – Handala-Hack[.]to, Handala-Redwanted[.]to, Justicehomeland[.]org and Karmabelow80[.]org – were used to claim cyber attacks, publish stolen data, dox targets and issue death threats against Iranian dissidents, journalists and Israeli-linked individuals, according to the DOJ’s press release.
Court documents also revealed that an associated email account was used to send death threats to victims in the U.S. and abroad, and to claim coordination between the Handala group and the Jalisco New Generation Cartel – formerly headed by the late “El Mencho” – with declarations that personal information had been passed to the cartel’s enforcers. The Trump administration has stated that what was uncovered ostensibly proves the hacktivist group is a front for Iran’s MOIS, and FBI Director Kash Patel said that his agency would “hunt down every actor” behind both the cyber attacks and the threats made to the victims. However, several experts told outlet Cybersecurity Dive that the seizures will only minimally disrupt Handala’s capabilities for the time being.
CISA Warns of Microsoft Intune and SharePoint Risks
In the wake of the 2026 Stryker breach, CISA issued an alert on March 18 urging all U.S. organizations to harden their Microsoft Intune environments, warning that cyber attackers are increasingly targeting endpoint management systems to gain privileged access and execute destructive actions without deploying traditional malware. Key recommendations made by both the agency and Microsoft itself for securing Intune include enforcing least-privilege access through role-based controls, requiring phishing-resistant multifactor authentication (MFA) for privileged accounts and enabling Multi-Admin Approval for high-impact actions such as device wipes.
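As an added example (not code from the article, CISA or Microsoft), the following Python sketches the kind of audit-log check that would surface a burst of remote wipes like the Stryker incident described above, and flags wipes issued without the Multi-Admin Approval step CISA recommends. The event fields and sample records are constructed; a real Intune audit export would have to be mapped onto them first.

```python
# Added example: detect remote-wipe bursts and unapproved wipes in a
# device-management audit log. Field names and sample events are constructed
# for illustration and do not reflect the real Intune audit schema.
from collections import deque
from datetime import datetime, timedelta


def _ev(ts, actor, device, approved=True, action="wipe"):
    """Build one constructed audit event."""
    return {"ts": ts, "actor": actor, "action": action,
            "device": device, "approved": approved}


# Constructed sample: a normal admin doing two spaced-out, approved wipes
# plus a sync, and a second account issuing seven unapproved wipes in minutes.
SAMPLE_EVENTS = [
    _ev("2026-03-11T01:00:00", "admin-a", "LAPTOP-001"),
    _ev("2026-03-11T02:30:00", "admin-a", "LAPTOP-002"),
    _ev("2026-03-11T02:31:00", "admin-a", "LAPTOP-003", action="sync"),
] + [
    _ev(f"2026-03-11T03:0{i}:00", "svc-intune-admin", f"DEVICE-{i:03d}",
        approved=False)
    for i in range(7)
]


def detect_wipe_bursts(events, max_wipes=5, window=timedelta(minutes=10)):
    """Return alerts as (kind, actor, detail) tuples.

    'unapproved_wipe' fires for every wipe lacking multi-admin approval.
    'wipe_burst' fires once when an actor exceeds max_wipes wipes inside
    a sliding time window (a mass-wipe signature).
    """
    alerts = []
    recent = {}  # actor -> deque of wipe timestamps inside the window
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["action"] != "wipe":
            continue
        ts = datetime.fromisoformat(ev["ts"])
        if not ev.get("approved", False):
            alerts.append(("unapproved_wipe", ev["actor"], ev["device"]))
        q = recent.setdefault(ev["actor"], deque())
        q.append(ts)
        while q and ts - q[0] > window:  # drop wipes older than the window
            q.popleft()
        if len(q) == max_wipes + 1:  # fire once as the threshold is crossed
            alerts.append(("wipe_burst", ev["actor"], len(q)))
    return alerts


if __name__ == "__main__":
    for alert in detect_wipe_bursts(SAMPLE_EVENTS):
        print(alert)
```

In practice the burst threshold should be tuned to the organization's normal device-retirement volume, and the alert should page an on-call responder rather than just log.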
On the same day, CISA added CVE-2026-20963 to its Known Exploited Vulnerabilities catalog – a critical remote code execution flaw in Microsoft SharePoint affecting versions 2016, 2019 and Subscription Edition, with a CVSS score of 9.8. Federal agencies were ordered to patch by March 21. CISA has not linked the flaw to any ransomware campaigns as of this writing, though the severity and low exploitation complexity make it a high-priority fix for any business running SharePoint on-premises.
Contact SWK to Learn More About the Latest Cyber Threats
March 2026 was a busy month for cybersecurity news, to say the least, but the incidents this month reflect a broader pattern of threat actors — state-linked and criminal alike — weaponizing the everyday tools businesses depend on to carry out attacks at scale. SWK Technologies will help you uncover and plug the gaps within your security posture that could put you at risk from emerging cyber threats, and work with your team to ensure your defenses are hardened inside and out against the most common types of attacks.
Contact SWK here to learn about our cybersecurity solutions and discover how we can help protect your network, systems and data from the latest threats.
