March 2026 Ransomware Trends Report

The March 2026 AhnLab report summarizes ransomware sample counts, victimized systems, DLS-based statistics, and major Korean and global ransomware incidents, noting a methodological change in December 2025 that limits direct monthly comparisons. March was marked by attacks on critical infrastructure—including manufacturing, healthcare, and finance—with continued activity from groups such as Qilin, The Gentlemen, and INC Ransom and increased use of DLS-based data exposure and blackmail #Qilin #INC_Ransom

Keypoints

Ransomware sample counts and victimized system statistics were aggregated by detection name assigned by AhnLab.
The aggregation methodology changed beginning December 2025, so comparisons to earlier months should be made with caution.
March 2026 attacks focused on critical infrastructure sectors, especially manufacturing, healthcare, and finance.
Major groups such as Qilin, The Gentlemen, and INC Ransom remained active, and new ransomware groups emerged.
Attack patterns combined traditional data encryption with victim exposure and blackmail through Dedicated Leak Sites (DLS).
The report publishes top-10 country and industry statistics and three-year trends for leading ransomware groups on the AhnLab TIP and ASEC blog.
The report warns of persistent global ransomware threats and emphasizes sustaining monitoring, detection, and analysis capabilities.

MITRE Techniques

[None ] No MITRE ATT&CK techniques were explicitly mentioned in the article.

Indicators of Compromise

[No specific IOCs ] The article did not disclose concrete IP addresses, file hashes, domains, or file names—no examples provided.