Agentic AI’s impact on ransomware—it’s execution, its success and even who gets to play, is being widely felt. And we’re just getting started. 

The post Ransomware Victims up 389%, TTE in Less Than Two Days: How Can Defenders Stay Ahead? appeared first on Security Boulevard.

The IOCTA 2026 report released by Europol offers a detailed look at how cybercrime is evolving across Europe, with criminals increasingly using artificial intelligence, encryption, and cryptocurrencies to scale their operations. The latest edition of the Internet Organised Crime Threat Assessment outlines key trends shaping the threat landscape and calls for stronger coordination among law enforcement agencies. According to the IOCTA 2026 report, cybercrime is becoming more complex and interconnected, driven by rapid technological advancements. The findings highlight how criminals are adapting quickly, making it harder for authorities to detect, track, and disrupt their activities.

IOCTA 2026 Report Maps Evolving Cyber Threat Landscape

The IOCTA 2026 report serves as a roadmap for understanding emerging cyber threats, covering areas such as online fraud, ransomware attacks, and child exploitation networks. Edvardas Šileris, Head of the European Cybercrime Centre at Europol, emphasized that the report is intended to help law enforcement agencies respond effectively to these evolving risks. He noted that as cybercriminals continue to exploit new technologies, strengthening capabilities and improving collaboration will be essential to protect citizens and critical infrastructure.

Dark Web Fragmentation and Cryptocurrencies Fuel Crime

A key finding in the IOCTA 2026 report is the continued role of the dark web as a central hub for cybercriminal activity. Despite ongoing crackdowns, marketplaces and forums remain active, with criminals frequently shifting platforms to avoid detection. The report highlights how fragmentation and specialization across these platforms make investigations more difficult. Encrypted messaging services and anonymized networks are increasingly connecting surface and dark web environments, reducing the visibility of criminal operations. Cryptocurrencies also play a significant role, according to the IOCTA 2026 report. Privacy-focused coins and offshore exchanges are widely used to launder ransomware payments, making financial tracking more challenging. The report also points to a growing trend of younger individuals becoming involved in cryptocurrency-related activities, sometimes without understanding the legal risks.

AI-Driven Fraud Expands Across Europe

The IOCTA 2026 report identifies artificial intelligence as a major driver of online fraud. Cybercriminals are using generative AI tools to create highly targeted phishing campaigns and social engineering attacks. These tools allow attackers to:

• Personalize fraudulent messages at scale
• Mimic legitimate communication styles
• Automate large-scale scam operations

The report also highlights the use of caller ID spoofing and SIM farms, which enable attackers to send thousands of messages or calls simultaneously. This combination of AI and automation is increasing both the reach and success rate of fraud campaigns.

Ransomware and Data Extortion Remain Key Threats

Ransomware continues to be a dominant threat, as outlined in the IOCTA 2026 report. A large number of active ransomware groups were observed throughout 2025, with many adopting data extortion tactics. Instead of relying solely on encryption, attackers are increasingly threatening to release stolen data to pressure victims into paying. This shift has made cyberattacks more damaging, particularly for public institutions and large organizations. The report also notes growing links between state-sponsored actors and criminal groups, with some cybercriminals acting as proxies in broader geopolitical strategies. Emerging hacking coalitions are adding another layer of complexity to the threat landscape.

Rise in Online Child Exploitation and Criminal Networks

The IOCTA 2026 report highlights a concerning increase in online child sexual exploitation cases. The financial trade of child abuse material is growing, and the use of synthetic content is creating new challenges for investigators. Encrypted messaging platforms are widely used by offenders, making it harder for authorities to monitor and intervene. The report also points to the emergence of organized online communities that engage in multiple forms of criminal activity. These networks combine cybercrime with violent offenses, creating a complex and dangerous ecosystem that extends beyond digital spaces.

Need for Stronger Law Enforcement Collaboration

The findings of the IOCTA 2026 report reinforce the need for improved coordination between governments, law enforcement agencies, and industry stakeholders. As cyber threats become more advanced, isolated efforts are no longer sufficient. The report provides actionable insights and recommendations aimed at strengthening investigative capabilities and improving response strategies. It also stresses the importance of innovation in tackling new forms of cybercrime.

The 2026 threat landscape continued to intensify in March, with ransomware attacks, expanding data breach activity, and a growing underground market for compromised access shaping the global cybersecurity environment. According to analysis from CRIL (Cyble Research & Intelligence Labs), organizations worldwide faced a highly active and coordinated threat ecosystem throughout the month.  CRIL’s findings point to a cybercriminal landscape driven by financial extortion, credential theft, and operational disruption. Attackers consistently targeted industries that rely heavily on uptime or store large volumes of sensitive data, reinforcing the urgency for stronger defensive strategies. 

Ransomware Attacks Dominate the 2026 Threat Landscape 

One of the most defining aspects of the March 2026 threat landscape was the scale of ransomware attacks. CRIL recorded 702 ransomware incidents globally, underscoring the continued dominance of ransomware as a primary attack vector.  Among the most active threat groups were Qilin, Akira, The Gentlemen, Dragonforce, and INC Ransom. Collectively, these actors were responsible for over 56% of all observed ransomware activity, reflecting their operational maturity and extensive affiliate networks.  Industries most affected by ransomware attacks included: 

• Construction  
• Professional Services  
• Manufacturing  
• Healthcare  
• Energy & Utilities  

Attackers frequently employed double-extortion tactics, combining data theft with system disruption to increase pressure on victims. Geographically, the United States remained the primary target, influenced in part by ongoing geopolitical tensions, including those involving Iran. 

Rise of Access Brokers in the CRIL Threat Analysis 

Another notable trend in the 2026 threat landscape, as identified by CRIL, was the continued growth of the compromised access market. During March, 20 separate incidents involving the sale of unauthorized network access were tracked across cybercrime forums.  The most targeted sectors for access sales were: 

• Professional Services (25%)  
• Retail (20%)  
• IT & ITES  
• Manufacturing  

A small group of threat actors, vexin, holyduxy, and algoyim, dominated this space, accounting for more than 55% of observed listings. These access brokers play a critical upstream role, enabling ransomware attacks, espionage campaigns, and financial fraud operations. 

Data Breaches and Leak Markets Stay Active 

CRIL also documented 54 significant data breach and leak incidents in March, further highlighting the scale of data exposure risks in the current 2026 threat landscape.  The most targeted sectors for data breaches included: 

• Government & Law Enforcement  
• Retail  
• Technology  

Several incidents stood out: 

• A threat actor known as “nightly” claimed to have stolen over 5TB of data from Hospitality Holdings, including biometric data, CCTV footage, and financial records. 
• Another actor, XP95, advertised 3.8TB of allegedly stolen South African government data for sale.  
• A separate breach exposed more than 95,000 travel-related records, including passport and payment information.  

Exploitation of Critical Vulnerabilities Accelerates 

The 2026 threat landscape also saw increased exploitation of critical vulnerabilities, particularly those listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog.  Key vulnerabilities targeted included: 

• CVE-2026-20131 (Cisco Secure Firewall Management Center)  
• CVE-2025-53521 (F5 BIG-IP APM)  
• CVE-2026-20963 (Microsoft SharePoint Server)  
• CVE-2026-33017 (Langflow AI)  
• CVE-2021-22681 (Rockwell Automation ICS)  

CRIL observed attackers exploiting both newly disclosed zero-day vulnerabilities and older, unpatched flaws. This trend reflects persistent gaps in patch management and exposure mitigation across organizations. 

Emerging Threat Developments in March 2026 

Beyond ransomware attacks and data breaches, CRIL identified several strategic developments shaping the 2026 threat landscape: 

• AI-Driven Attacks: Threat actors reportedly leveraged an open-source framework called CyberStrikeAI to target Fortinet FortiGate devices across 55 countries, compromising more than 600 systems. 
• Supply Chain Risks: North Korean-linked actors were associated with 26 malicious npm packages distributing remote access trojans (RATs) via infrastructure hosted on Pastebin and Vercel. 
• Geopolitical Cyber Activity: Iran-linked cyber operations are expected to increase, with potential ransomware attacks and hacktivist campaigns targeting organizations in the Middle East. 

The global surge in energy sector ransomware attacks intensified throughout 2025, exposing deep vulnerabilities in critical infrastructure. As organizations prepare for what’s coming next, the lessons are becoming harder to ignore. The systems that power homes, fuel industries, and sustain modern life are under siege, not by isolated hackers, but by highly organized ransomware groups operating at scale.  In 2025 alone, the energy and utilities sector recorded 187 confirmed ransomware attacks. These were not mere attempts, but successful breaches involving system encryption, data theft, and ransom demands.  

When Energy Sector Ransomware Disrupts Real Life 

Unlike typical cyber incidents, energy sector ransomware attacks have immediate and widespread consequences. According to the Cyble Energy & Utilities Threat Landscape Report 2025, Halliburton suffered a ransomware attack in August 2025; the company reported losses totaling $35 million. In another case, attackers deploying FrostyGoop malware targeted a municipal energy provider in Ukraine, cutting off heating in Lviv during freezing temperatures.  Several ransomware groups dominated the threat landscape in 2025. RansomHub led with 24 attacks (12.8%), followed by Akira with 20 incidents (10.7%) and Play with 18 attacks (9.6%). Alongside Qilin and Hunters/Lynx, these groups accounted for nearly half of all recorded ransomware activity in the sector.  

Why the Energy Sector Remains Vulnerable 

The continued rise of energy sector ransomware attacks can be traced to structural weaknesses unique to the industry. 

• Legacy Infrastructure: Many facilities still rely on decades-old operational technology (OT), including industrial control systems using outdated protocols like Modbus and DNP3. These systems were designed for reliability, not cybersecurity, leaving them exposed to modern threats. 
• IT-OT Convergence: As companies digitize operations, previously isolated OT environments are now connected to corporate IT networks. This convergence allows attackers to move laterally, from a phishing email on an employee device to critical systems like SCADA controls. 
• Distributed Systems: Energy infrastructure is geographically dispersed, spanning solar farms, substations, pipelines, and wind installations. Each site represents a potential entry point, making comprehensive security management extremely difficult. 

A Multi-Layered Threat Landscape 

Between July 2024 and June 2025, the energy sector faced a broad spectrum of cyber threats: 

• 37 instances of compromised network access being sold on underground forums
• 57 data breaches exposing sensitive operational information
• 187 ransomware attacks involving encryption and data exfiltration
• Over 39,000 hacktivist posts targeting energy infrastructure

Regionally, North America accounted for more than one-third of ransomware incidents, with Asia and Europe also heavily targeted. This distribution confirms that ransomware groups are not geographically selective; they exploit vulnerabilities wherever they find them. 

The Rise of Access Brokers 

A key driver behind the increase in energy sector ransomware attacks is the growing role of initial access brokers. These actors specialize in obtaining and selling network credentials.  During the reporting period, groups like Zerosevengroup, mommy, and Miyako were responsible for approximately 27% of observed access sales targeting the energy sector. The remaining activity was spread across numerous smaller sellers, indicating a low barrier to entry for cybercriminals.  In March 2025, Zerosevengroup reportedly offered admin-level access to a UAE-based power and water company, claiming control over 5,000 network hosts. Other listings included access to an Indonesian power plant subsidiary and a French wastewater treatment system.  

Hacktivism Meets Operational Technology

Beyond financially motivated ransomware groups, hacktivist activity also intensified. Some groups went beyond website defacement and data leaks, claiming direct access to operational systems.  For example, a pro-Russian group known as Sector 16 reportedly demonstrated access to U.S. oil and gas control systems, including shutdown interfaces and valve controls. Similarly, the Golden Falcon Team claimed access to a French wastewater platform, including controls over pH levels and water distribution. 

Persistent Vulnerabilities and Delayed Patching 

Throughout 2025, attackers exploited known vulnerabilities in widely used systems, including: 

• ABB ASPECT systems  
• Siemens SENTRON PAC3200 meters  
• Solar inverter platforms  
• Schneider Electric Jira systems  
• VMware, Ivanti, and Fortinet products  

Despite available patches, the average remediation time exceeded 21 days, while attackers often weaponized vulnerabilities within 72 hours. This gap creates a critical exposure window that ransomware groups repeatedly exploit. 

Strengthening Defenses Against Ransomware Groups 

To counter the growing threat of energy sector ransomware, organizations are adopting several defensive strategies: 

• Network Segmentation: Separating IT and OT environments reduces the risk of attackers moving between systems. Where connections are necessary, strict access controls and monitoring are essential. 
• Monitoring Criminal Markets: Tracking underground forums can help organizations detect whether their credentials are being sold, enabling faster responses before an attack occurs. 
• Faster Patch Management: Reducing patching timelines is critical. While updating OT systems is complex, delays significantly increase risk. 
• Incident Preparedness: Organizations must prepare for worst-case scenarios. This includes maintaining offline backups, isolating compromised systems, and ensuring the ability to operate manually if necessary. 

In this week’s cybersecurity roundup, The Cyber Express covers key global security developments, including a major supply chain disruption affecting a global manufacturer, rising concerns over security and legal risks linked to rapid AI adoption, and the continued escalation of cyber activity driven by geopolitical tensions.

Across industries, organizations are facing a mix of disruptive attacks and long-term espionage campaigns targeting both operational systems and critical infrastructure. Intelligence reports also continue to highlight sustained nation-state activity shaping the global threat landscape.

These developments reflect a cybersecurity environment where operational resilience, secure technology adoption, and coordinated defense strategies are increasingly essential to managing interconnected and fast-evolving risks.

The Cyber Express Weekly Roundup 

Stryker Cyberattack Disrupts Supply Chain, Recovery Timeline Unclear 

A cyberattack on Stryker Corporation has disrupted manufacturing, shipping, and order processing operations, with no clear recovery timeline announced. While internal systems were impacted, customer products have not been affected. The incident has been linked to the Handala group, and authorities, including the Cybersecurity and Infrastructure Security Agency (CISA), are currently investigating the attack. Read more… 

AI Legal Risks Rise as Businesses Rush Adoption, Expert Warns 

Cybersecurity expert Lisa Fitzgerald has warned that rapid adoption of AI tools without proper governance can expose organizations to data breaches, regulatory violations, and loss of control over sensitive information. In an interview with The Cyber Express, she emphasized the importance of structured risk assessments, employee training, and clear governance frameworks to manage AI-related risks effectively. Read more… 

Bonnie Butlin Highlights Role of Collaboration in Modern Security 

Bonnie Butlin has stressed the importance of global collaboration in addressing complex cyber, physical, and geopolitical threats. She highlighted the need to break down industry silos, strengthen cross-sector cooperation, and build more inclusive leadership models to improve resilience against evolving risks. Read more… 

US Intel Warns China Is Top Cyber Threat Ahead of Other Nation-States 

A new U.S. intelligence assessment identifies China as the most persistent cyber threat actor, with ongoing operations reportedly embedded within critical infrastructure systems. The report also highlights cyber activities from Russia, North Korea, and Iran, each employing different tactics ranging from espionage and sabotage to cybercrime and disinformation campaigns. Read more… 

Middle East Cyber Warfare Intensifies Amid Rising Geopolitical Conflict 

According to Cyble Research and Intelligence Labs, cyberattacks in the Middle East are increasing in parallel with ongoing geopolitical tensions. Critical sectors such as energy, finance, and communications have been identified as primary targets in this escalating cyber conflict landscape. Read more… 

Also Read: Top 50 Women Leaders in Cybersecurity to Watch in 2026

Weekly Takeaway 

This week’s The Cyber Express weekly roundup highlights the growing complexity of the global cybersecurity environment, from supply chain disruptions and AI governance risks to escalating nation-state cyber operations and regional cyber warfare.  Organizations, governments, and individuals must remain vigilant, prioritize strong governance frameworks, and adopt proactive security measures, including timely patching and continuous monitoring, to effectively respond to the evolving threat landscape. 

Discover how the integration of large language models is transforming software security, lowering barriers for attackers, and necessitating autonomous defense platforms to keep pace with emerging threats.

The post The New Security Reality: When AI Accelerates Both Attack and Defense  appeared first on Security Boulevard.