Ransomware Activity Peaks in March 2026

Author

Taylor Hawes
April 03, 2026

⚡ Weekend Threat Brief

Ransomware Activity Peaks in March 2026

Ransomware attacks surged in March 2026, reaching 780 incidents, a 13 percent rise from February’s 692 cases. This marks the highest monthly total of the year and the second-highest since February 2025. The spike points to sustained attacker momentum rather than isolated campaigns.

The utility sector recorded the sharpest increase, with attacks jumping from 3 in February to 22 in March, a rise of over 630 percent. These attacks targeted critical infrastructure across 16 countries, with the United States reporting the highest number of incidents. Manufacturers and government organizations also saw notable increases, rising by 36 percent and 30 percent respectively.

Takeaway: 

  • March recorded 780 ransomware attacks, the highest this year

  • Utility sector attacks rose by over 630 percent month-over-month

  • Critical infrastructure is a growing target for attackers

  • Manufacturing and government sectors also saw sharp increases

  • Attack patterns show a focus on disruption, not just financial gain

🎯 Tactical Playbook

What the U.S. Router Ban Means for Security Teams

The U.S. has moved to restrict the sale of new consumer routers made outside the country, citing cybersecurity and supply chain risks. The policy does not affect routers already in use or currently approved for sale. The concern centers on vulnerabilities in firmware and the risk of foreign control over critical infrastructure devices. Several past cyber incidents have exploited router weaknesses, which raised national security concerns.

Most networking hardware is produced overseas, so the rule could disrupt supply chains and limit access to newer models. It may also push vendors to shift manufacturing or seek special approvals. For organizations, this highlights the growing importance of hardware trust and supply chain visibility.

Key Takeaway:

  • The ban applies only to new routers, not existing devices

  • Security concerns focus on firmware and supply chain risks

  • Most router vendors rely on overseas manufacturing

  • Organizations must assess hardware trust as part of security strategy

  • Regulatory actions are starting to shape cybersecurity decisions.

🛡️ Research Watch

U.S. Energy Sector Strategy Focuses on Cyber Resilience

The U.S. Department of Energy has released a five-year strategy through its Office of Cybersecurity, Energy Security, and Emergency Response. The plan focuses on securing energy infrastructure against rising cyber and physical threats. It outlines three main priorities: developing advanced security technologies, strengthening infrastructure defenses, and improving response and recovery capabilities.

The strategy also calls for closer coordination between government and private sector operators. Energy systems are now seen as high-value targets, requiring stronger protection and faster incident response. The plan signals a shift toward measurable security outcomes rather than compliance-driven approaches.

🧩 Tool Tip of the Week

Using Invicti Security Scanner to Reduce False Positives

Invicti Security Scanner is a web application security testing tool that focuses on accuracy and automation. It uses dynamic application security testing (DAST) to scan websites, APIs, and modern applications for vulnerabilities such as SQL injection and cross-site scripting. One of its defining features is proof-based scanning, which automatically verifies whether a vulnerability is real. This reduces the time teams spend validating false positives and speeds up remediation.

Key Features:

  • Proof-based scanning confirms real vulnerabilities and cuts false positives

  • Works well for web apps, APIs, and modern single-page applications

  • Authenticated scans provide deeper visibility into application risk

  • Automation supports continuous testing across development cycles

  • Scales easily across large application environments without delays

🗣️ Community Signal

You paid the premium. You got the coverage. You checked the box. And you called it a cybersecurity strategy. It isn't. Insurance responds after the breach. After the encryption. After the chaos. After the customers start calling. What if the very policy you're counting on is giving you a false sense of security? - Melanie Padron

🗳️ Your Take - The Results

Advertise with Comparitech
Does your business offer services or products in cybersecurity? Get your product seen by IT leaders and professionals.

Advertise with us →

Until Monday’s edition - Let’s keep that zero-day count at zero!

*Terms & Conditions apply. Not available if with Metro in the last 180 days. If using >35GB/mo. May notice reduced speeds.