Handala’s Surge Signals a New Wave of Wartime Cyberattacks
This edition of the Bitdefender Threat Debrief covers several developments in the threat landscape, including Handala’s surge in activity, an update on Qilin’s tactics, a Chinese threat actor’s use of prominent ransomware, and more.
As ransomware continues to evolve, our goal with this monthly Bitdefender Threat Debrief is to help you stay ahead of the curve. To do this, we combine information from openly available sources (OSINT), such as news reports and research, with data we gather by analyzing Data Leak Sites (DLSs), the websites where ransomware groups post details about their victims. Keep in mind that we cannot independently verify every one of these claims, but we are confident in the trends they show over time.
For this month's report, we analyzed data from March 1 to March 31 and recorded a total of 855 claimed ransomware victims.

Featured Story: Handala’s Surge of Wartime Cyberattacks
Conflict Expands Beyond the Battlefield
Alongside aerial strikes and disruptions to trade and transportation, a parallel front in the war with Iran has intensified: cyber operations targeting organizations in Israel and the United States. One group, in particular, emerged at the center of this surge.
Handala, also known as Handala Hack, has sharply increased its activity, claiming 23 ransomware victims in March alone. That single month accounts for more than half of the group’s total claimed victims in 2026 so far (33), and represents a significant jump from 2025, when the group claimed 50 victims across the entire year. The geographic focus of these attacks is equally telling.
At least a third of Handala's victims in March are based in Israel. This is a notable escalation compared to previous months, when the country averaged fewer than four claimed victims per month. Among all groups that have claimed victims in Israel over the past two years, Handala leads with 45. The message is clear: cyber operations are becoming a more aggressive and deliberate extension of geopolitical conflict, and Handala is mobilizing with speed and intent. (chart, below)

Image: Top 10 ransomware groups targeting Israel.
A Resilient Threat Actor Strikes Under Pressure
This surge in activity comes despite direct disruption efforts. Acting on a U.S. Department of Justice seizure order, law enforcement took control of several domains associated with Handala. Yet the group has continued operations. Recent victims span multiple sectors, including healthcare, education, research, financial services, and utilities, industries that are both operationally critical and highly sensitive to disruption. Handala has also demonstrated a willingness to target high-profile individuals: the group has claimed responsibility for breaches affecting a U.S. intelligence leader's personal account, as well as accounts tied to former Israeli military leadership. In parallel, it has escalated its rhetoric, even offering a reported $50 million reward for information on the top leaders of the U.S. and Israel.
U.S. federal agencies have linked domains managed by Handala to Iran's Ministry of Intelligence and Security (MOIS). This explains how a group claiming fewer than 20 victims a month can still obtain the resources needed to sustain its operations: they come from the Iranian state. State backing also shields Handala from the barriers that constrain ordinary criminal operations, such as law enforcement investigations, and makes it far more likely that contingency plans for preserving infrastructure and evading prosecution are already in place.
Blurring Lines: Ransomware or Hacktivism?
At first glance, Handala’s tactics resemble those of a ransomware group.
The organization conducts data exfiltration, threatens to leak sensitive information, and positions itself to profit from stolen data. These are familiar hallmarks of financially motivated cybercrime.
But the underlying intent tells a different story. Handala’s operations appear to be less about financial gain and more about disruption, influence, and reputational damage at scale. Data leaks are weaponized not just for profit, but for maximum visibility and psychological impact. Many targets appear to be selected for their symbolic or strategic value. This places Handala in an interesting category of threat actors: hacktivist collectives operating with ransomware-like tactics.
While Handala’s claimed victim count may appear modest compared to large-scale ransomware operations, their ability to sustain activity, even under legal and operational pressure, suggests access to external resources. This changes the risk profile significantly. Handala is not simply a criminal organization reacting to opportunity; their operations are part of a broader strategic effort aligned with geopolitical objectives.
A Playbook for Modern Conflict
Since emerging in 2023, Handala has steadily expanded its capabilities and adopted a broader, more sophisticated playbook for attacks.
These include:
- Identity-focused compromises targeting individuals and privileged accounts
- Living off the land (LOTL) techniques to evade detection
- Data wiping and destructive attacks
- Doxxing and public exposure of sensitive information
- Threats of physical violence
- Website defacement and messaging campaigns
The Bigger Picture: Using Cyber Operations as a Force Multiplier
Handala’s recent surge is not an isolated development. It reflects a broader trend: cyber operations are becoming a significant tool for influence, disruption, and escalation during times of conflict. For organizations in affected regions, and even those outside them, the implications are significant. Attacks may no longer be driven solely by financial incentives and traditional assumptions about threat actors may no longer apply. The battlefield has expanded and cyberattacks will likely be a key part of future worldwide conflicts.
What Can Be Done to Improve Defenses and Combat These Tactics?
Timely, informed responses are key in strengthening defenses. Bitdefender recently released a trends report on ransomware attacks affecting organizations in the United States, which includes relevant recommendations, including mitigating living off the land techniques and the importance of implementing robust access controls and other hardening practices.
Other Notable Ransomware News
Now, let’s explore the notable news and findings since last month’s Threat Debrief.
- Qilin Surpasses 1,800 Ransomware Victims: In March, Qilin claimed another 151 victims and reached a new milestone: more than 1,800 claimed victims since its inception as a RaaS group in late 2022. The group has also recently added a defense-evasion tactic, loading the vulnerable drivers rwdrv.sys (ThrottleStop) and hlpdrv.sys in BYOVD (bring your own vulnerable driver) attacks. What separates this from past BYOVD activity is an upgraded evasion step that disables the kernel callback monitoring that security products depend on. This underscores the importance of modern MDR solutions that provide continuous, layered defenses, including kernel API monitoring.
- The SBU Seizes Kairos Infrastructure: The SBU (Security Service of Ukraine) took down the Kairos ransomware group's data leak site and announced that its members would be prosecuted once caught. If the operators are identified as foreign nationals and successfully extradited to the United States or Europe, they would likely face harsher sentencing than in other jurisdictions, such as Russia. By comparison, a LeakBase administrator was recently arrested in Russia and LeakBase infrastructure was seized by the Bureau of Special Technical Measures, a department of the Russian Ministry of Internal Affairs. However, there are doubts about whether the administrator's sentence will reflect the scope of their involvement in LeakBase's operations, which included maintaining a community accessible to more than 140,000 users.
- Chinese Threat Actor Deploys Medusa Ransomware: Storm-1175 executes Medusa ransomware after establishing initial access to systems such as servers and RMM consoles via known and zero-day exploits, which allows the threat actor to run campaigns in rapid succession. The Medusa ransomware group emerged in 2023, and Storm-1175's use of Medusa dates back to that year; Medusa's highest annual victim count to date is 324, recorded in 2024. Alongside conventional tactics such as living off the land techniques and PowerShell scripts, Storm-1175's observed behavior includes the use of PDQ Deploy for lateral movement, Impacket and Mimikatz for credential dumping, and Bandizip for packaging target data before exfiltration.
- APT73-Bashe Operations Continue to Receive Scrutiny After Hiatus: APT73 is back in action and has claimed victims in the financial services, government, and education and research industries over the past few months, following a significant break in activity from March 2025 onward. However, the group has a history of falsely claiming victims and has even mimicked LockBit's antics and DLS appearance, which leaves many researchers questioning the authenticity of any of its 2026 claims. ALP-001, another group with a similar record of illegitimate victim claims, has also gradually increased its online presence. The pattern of misrepresented victims from both APT73 and ALP-001 is reminiscent of 0APT's behavior earlier this year.
- LockBit Gains Traction with Repeated Top 10 Rank: LockBit has secured a spot in our Top 10 ransomware groups list for the second month this year. Whether it can maintain this momentum is uncertain: past challenges, such as growing its affiliate base and evading coordinated law enforcement detection and takedown efforts, have undermined its standing among threat actors and cast a shadow over its projected growth. LockBit has claimed 207 victims to date since releasing its 5.0 RaaS platform. The majority of its 2026 victims so far are organizations in manufacturing, healthcare, government, and construction.
Top 10 Ransomware Families

Bitdefender's Threat Debrief analyzes data from ransomware data leak sites, where groups publicize their claimed number of compromised organizations. This approach provides valuable insights into the overall activity of the RaaS market. However, there is a trade-off: while it reflects attackers' self-proclaimed success, the information comes directly from criminals and may be unreliable. Additionally, this method captures the number of victims claimed, not the actual financial impact of these attacks.
Top 10 Most Attacked Regions

Ransomware gangs prioritize targets where they can squeeze the most money from their victims. In many cases, this means focusing on developed countries with higher projected growth rates. Threat actors may also execute strategic attacks that unfold during geopolitical conflicts or periods of social unrest.
Israel (IL on chart, above) ranks in the Top 10 Regions for the first time in 2026: Given Handala's recent increase in activity, it is no surprise that Israel has entered the list in 10th position. Handala claimed the greatest number of Israel-based victims (7 of 11), followed by KillSec (2 of 11), INC Ransom (1 of 11), and Genesis (1 of 11).
Top 10 Most Attacked Industries

Ransomware gangs may target organizations in critical infrastructure sectors, select other organizations that offer services tailored to consumers, or attack organizations that fall into both categories. Understanding the trends and ramifications of specific industries, and how specialized services and clientele are affected, is crucial for assessing risk.
The Top 10 Industries trends we have captured have followed a similar pattern over the last few months, with manufacturing in the lead and industries such as technology and construction close behind. One item worth noting is the increase in attacks against public-sector infrastructure, which may carry significant security gaps due to legacy systems or outdated software. This month marked the return of government to the Top 10 Industries, in 10th place.
MDR Insights for March 2026
Bitdefender's MDR Insights consolidates key findings each month captured from real-world incidents. During March 2026, our MDR teams found that hallmarks of threat actor activity included:
- The abuse of valid credentials
- Web-based initial access and post-exploitation
- The use of remote access tools for persistence
- Fileless attacks and in-memory code execution
- The use of defense evasion tactics before ransomware deployment
Here's an insight from our MDR team:
“Attackers don’t start by executing ransomware—they start by stealing credentials. This is a pattern observed with ransomware groups, including Akira, PLAY, and LockBit. They access RDP or a VPN and perform credential dumping. That looks like extracting the contents of the SECURITY hive and LSA secrets. Then the threat actor can inject code into the memory of legitimate processes, and proceed with destroying and modifying systems.”
- Credential dumping before a domain-level compromise
- Web-based initial access and post-exploitation attempts
- Fileless execution and process injection
- Defense evasion prior to ransomware deployment
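The MDR insight above (RDP access with valid credentials, then dumping the SECURITY hive and LSA secrets) and the Qilin and Storm-1175 items earlier (BYOVD loads of rwdrv.sys and hlpdrv.sys; Impacket and Mimikatz for credential dumping) describe stages that are individually noisy but together form a recognizable chain. The following is an added example of stage-based triage over such telemetry; it is not Bitdefender's or any vendor's detection content. The events are constructed to resemble Windows 4624 logon, Sysmon process-creation and Sysmon driver-load records; the host names, command lines and the logon-type value used for RDP are assumptions, while the driver file names and the hive/LSA pattern come from the text above.

```python
"""Stage-based triage of constructed Windows telemetry (added example).

Stages detected: RDP logon (remote_access), SECURITY/SAM/SYSTEM hive or
LSA-secret dumping via reg.exe, Impacket or Mimikatz (credential_dumping),
and loads of the vulnerable drivers named in the Qilin item (byovd).
A host that hits two or more stages is escalated.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Driver file names reported as abused for BYOVD. Production rules should key
# on the driver's Authenticode hash (e.g. a LOLDrivers-style blocklist) rather
# than the file name, because the file is trivially renamed.
KNOWN_ABUSED_DRIVERS = {"rwdrv.sys", "hlpdrv.sys"}

# Command-line patterns for hive/LSA-secret dumping and the two tools named above.
CRED_DUMP_PATTERNS = [
    (re.compile(r"\breg(?:\.exe)?\s+save\s+(?:hklm|hkey_local_machine)\\(?:security|sam|system)\b", re.I),
     "registry hive save (SECURITY/SAM/SYSTEM)"),
    (re.compile(r"secretsdump", re.I), "Impacket secretsdump"),
    (re.compile(r"mimikatz|sekurlsa::|lsadump::", re.I), "Mimikatz"),
]

RDP_LOGON_TYPE = "10"  # Windows logon type 10 = RemoteInteractive (RDP)


@dataclass(frozen=True)
class Event:
    kind: str    # "logon" (4624-style), "process" (Sysmon 1-style) or "driver" (Sysmon 6-style)
    host: str
    user: str
    detail: str  # logon type, command line, or loaded driver path


@dataclass(frozen=True)
class Finding:
    host: str
    user: str
    stage: str   # "remote_access", "credential_dumping" or "byovd"
    why: str


def check_event(ev: Event) -> Optional[Finding]:
    """Map one event to a kill-chain stage, or None if nothing matches."""
    if ev.kind == "logon" and ev.detail == RDP_LOGON_TYPE:
        return Finding(ev.host, ev.user, "remote_access", "RDP logon (type 10)")
    if ev.kind == "process":
        for pattern, label in CRED_DUMP_PATTERNS:
            if pattern.search(ev.detail):
                return Finding(ev.host, ev.user, "credential_dumping", label)
    if ev.kind == "driver":
        name = ev.detail.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if name in KNOWN_ABUSED_DRIVERS:
            return Finding(ev.host, ev.user, "byovd", f"known-abused driver loaded: {name}")
    return None


def triage(events: List[Event]) -> Tuple[List[Finding], Dict[str, str]]:
    """Return per-event findings and a per-host verdict based on distinct stages seen."""
    findings = [f for f in map(check_event, events) if f is not None]
    stages: Dict[str, set] = defaultdict(set)
    for f in findings:
        stages[f.host].add(f.stage)
    # Two or more stages on one host is the chain the MDR note describes.
    verdicts = {host: ("escalate" if len(s) >= 2 else "review") for host, s in stages.items()}
    return findings, verdicts


# Constructed sample telemetry; not real incident data.
SAMPLE_EVENTS = [
    Event("logon", "FS01", "CORP\\jdoe", "10"),
    Event("process", "FS01", "CORP\\jdoe", r"reg.exe save hklm\security C:\Windows\Temp\sec.hiv"),
    Event("driver", "FS01", "NT AUTHORITY\\SYSTEM", r"C:\Windows\Temp\rwdrv.sys"),
    Event("process", "WS07", "CORP\\alice", r"reg.exe query hklm\software\Microsoft\Windows\CurrentVersion"),
    Event("driver", "WS07", "NT AUTHORITY\\SYSTEM", r"C:\Windows\System32\drivers\tcpip.sys"),
    Event("process", "WS07", "CORP\\alice", r'mimikatz.exe "sekurlsa::logonpasswords" exit'),
    Event("logon", "WS07", "CORP\\alice", "2"),
]

if __name__ == "__main__":
    found, verdicts = triage(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.host:5} {f.user:22} {f.stage:20} {f.why}")
    for host, verdict in verdicts.items():
        print(f"{host}: {verdict}")
```

Two caveats follow from the text itself. First, once a BYOVD driver has removed the kernel callbacks a sensor relies on, subsequent process and injection telemetry from that host may simply stop, so the driver-load record is often the last trustworthy signal and should be scored heavily on its own. Second, `reg.exe save hklm\security` also appears in legitimate backup tooling; the value of the rule comes from correlating it with the remote logon and the driver load on the same host, not from the single match.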
Explore Bitdefender MDR and read the updated Bitdefender Ransomware white paper for more information on how to protect against ransomware.
About Bitdefender Threat Debrief
The Bitdefender Threat Debrief (BDTD) is a monthly series analyzing threat news, trends, and research from the previous month. Don’t miss the next BDTD release, subscribe to the Business Insights blog, and follow us on Twitter. You can find all previous debriefs here.
We would like to thank Bitdefender's Stefan Hanu, Mihai Leonte, Gabriel Macovei, and Andrei Mogage for their help in putting this report together.
About Bitdefender
Bitdefender provides cybersecurity solutions and advanced threat protection to hundreds of millions of endpoints worldwide. More than 180 technology brands have licensed Bitdefender technology and added it to their product or service offerings. This vast OEM ecosystem complements telemetry data already collected from our business and consumer solutions. To give you some idea of the scale, Bitdefender Labs discovers 400+ new threats each minute and validates 30 billion threat queries daily. This gives us one of the industry’s most extensive real-time views of the evolving threat landscape.