This edition of the Bitdefender Threat Debrief covers several developments in the threat landscape, including Handala’s surge in activity, an update on Qilin’s tactics, a Chinese threat actor’s use of prominent ransomware, and more.
As ransomware continues to evolve, our goal with this monthly Bitdefender Threat Debrief is to help you stay ahead of the curve. To do this, we combine information from openly available sources (OSINT), such as news reports and research, with data we gather by analyzing Data Leak Sites (DLSs), websites where ransomware groups post details about their victims. It is important to remember that we can't independently verify all of these claims, but we are confident in the trends we see over time.
For this month's report, we analyzed data from March 1 to March 31 and recorded a total of 855 claimed ransomware victims.
Alongside aerial strikes and disruptions to trade and transportation, a parallel front in the war with Iran has intensified: cyber operations targeting organizations in Israel and the United States. One group, in particular, emerged at the center of this surge.
Handala, also known as Handala Hack, has sharply increased its activity, claiming 23 ransomware victims in March alone. That single month accounts for more than half of the group’s total claimed victims in 2026 so far (33), and represents a significant jump from 2025, when the group claimed 50 victims across the entire year. The geographic focus of these attacks is equally telling.
At least a third of Handala’s victims in March are based in Israel. This is a notable escalation compared to previous months, when the region averaged fewer than four victims. Among the groups that have claimed victims in Israel over the past two years, Handala remains in the lead with 45 victims. The message is clear: cyber operations are becoming a more aggressive and deliberate extension of geopolitical conflict, and Handala is mobilizing with great speed and intention. (chart, below)
Image: Top 10 ransomware groups targeting Israel.
This surge in activity comes despite direct disruption efforts. Following an order from the U.S. Department of Justice, law enforcement seized several domains associated with Handala. Yet the group has continued operations. Recent victims span multiple sectors, including healthcare, education, research, financial services, and utilities; these are industries that are both operationally critical and highly sensitive to disruption. Handala has also demonstrated a willingness to target high-profile individuals. The group has claimed responsibility for breaches affecting a U.S. intelligence leader’s personal account, as well as accounts tied to former Israeli military leadership. In parallel, it has escalated rhetoric, even offering a reported $50 million reward for information related to the top leaders of the U.S. and Israel.
US federal agencies have connected domains managed by Handala to Iran’s Ministry of Intelligence and Security (MOIS). As a result, Handala, despite claiming fewer than 20 victims a month, can acquire the resources it needs to sustain its operations through the Iranian state. This state backing also grants Handala a greater level of protection when facing barriers to operations such as law enforcement investigations. It is far more likely that contingency planning is already in place to preserve infrastructure and evade prosecution.
At first glance, Handala’s tactics resemble those of a ransomware group.
The organization conducts data exfiltration, threatens to leak sensitive information, and positions itself to profit from stolen data. These are familiar hallmarks of financially motivated cybercrime.
But the underlying intent tells a different story. Handala’s operations appear to be less about financial gain and more about disruption, influence, and reputational damage at scale. Data leaks are weaponized not just for profit, but for maximum visibility and psychological impact. Many targets appear to be selected for their symbolic or strategic value. This places Handala in an interesting category of threat actors: hacktivist collectives operating with ransomware-like tactics.
While Handala’s claimed victim count may appear modest compared to large-scale ransomware operations, their ability to sustain activity, even under legal and operational pressure, suggests access to external resources. This changes the risk profile significantly. Handala is not simply a criminal organization reacting to opportunity; their operations are part of a broader strategic effort aligned with geopolitical objectives.
Since emerging in 2023, Handala has steadily expanded its capabilities and adopted a broader, more sophisticated playbook for attacks.
These include:
Handala’s recent surge is not an isolated development. It reflects a broader trend: cyber operations are becoming a significant tool for influence, disruption, and escalation during times of conflict. For organizations in affected regions, and even those outside them, the implications are significant. Attacks may no longer be driven solely by financial incentives, and traditional assumptions about threat actors may no longer apply. The battlefield has expanded, and cyberattacks will likely be a key part of future worldwide conflicts.
Timely, informed responses are key to strengthening defenses. Bitdefender recently released a trends report on ransomware attacks affecting organizations in the United States, which includes relevant recommendations, including mitigating living-off-the-land techniques and the importance of implementing robust access controls and other hardening practices.
Now, let’s explore the notable news and findings since last month’s Threat Debrief.
Bitdefender's Threat Debrief analyzes data from ransomware data leak sites, where groups publicize their claimed number of compromised organizations. This approach provides valuable insights into the overall activity of the RaaS market. However, there is a trade-off: while it reflects attackers' self-proclaimed success, the information comes directly from criminals and may be unreliable. Additionally, this method captures the number of victims claimed, not the actual financial impact of these attacks.
Ransomware gangs prioritize targets where they can squeeze the most money from their victims. In many cases, this means focusing on developed countries with higher projected growth rates. Threat actors may also execute strategic attacks that unfold during geopolitical conflicts or periods of social unrest.
Israel (IL on chart, above) ranks in the Top 10 Regions for the first time in 2026: It’s no surprise that with Handala’s recent increase in activity, Israel has finally ranked in the 10th position. Handala claimed the greatest number of victims based in Israel (7 of 11), followed by KillSec (2 of 11 victims), INC Ransom (1 of 11 victims), and Genesis (1 of 11 victims).
Ransomware gangs may target organizations in critical infrastructure sectors, select other organizations that offer services tailored to consumers, or attack organizations that fall into both categories. Understanding the trends and ramifications of specific industries, and how specialized services and clientele are affected, is crucial for assessing risk.
The Top 10 Industries trends we’ve captured have followed a similar pattern over the last few months, with manufacturing taking the lead and industries like technology and construction ranking in close succession. One item worth mentioning is the increase in attacks against infrastructure in the public sector, which may have significant gaps in security due to the use of older systems or outdated software. This month marked the return of government to the Top 10 Industries, placing 10th.
Bitdefender's MDR Insights consolidates key findings each month captured from real-world incidents. During March 2026, our MDR teams found that hallmarks of threat actor activity included:
Here's an insight from our MDR team:
“Attackers don’t start by executing ransomware—they start by stealing credentials. This is a pattern observed with ransomware groups, including Akira, PLAY, and LockBit. They access RDP or a VPN and perform credential dumping. That looks like extracting the contents of the SECURITY hive and LSA secrets. Then the threat actor can inject code into the memory of legitimate processes, and proceed with destroying and modifying systems.”
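As an added defender-side example (not part of Bitdefender's report or its MDR tooling), the following Python correlates the stages described in the MDR insight above over constructed log records: a remote interactive logon (RDP, logon type 10), followed on the same host by a registry save/export of the SECURITY, SAM or SYSTEM hive or by a handle opened to lsass.exe. Field names, hostnames, paths and the one-hour window are assumptions.

```python
import re

# Constructed sample events (not real telemetry), loosely modelled on Windows
# Security 4624 logons and Sysmon process-creation / process-access records.
SAMPLE_EVENTS = [
    {"ts": 100, "host": "srv01", "event": "logon", "logon_type": 10, "user": "admin"},
    {"ts": 160, "host": "srv01", "event": "process",
     "image": "C:\\Windows\\System32\\reg.exe",
     "cmdline": "reg.exe save HKLM\\SECURITY C:\\Users\\Public\\sec.hiv"},
    {"ts": 190, "host": "srv01", "event": "process_access",
     "source": "C:\\Temp\\tool.exe", "target": "C:\\Windows\\System32\\lsass.exe"},
    {"ts": 200, "host": "ws07", "event": "process",
     "image": "C:\\Windows\\System32\\reg.exe",
     "cmdline": "reg.exe query HKLM\\SOFTWARE\\Microsoft"},  # benign, no alert
]

# reg.exe save/export of a credential-bearing hive (SECURITY holds LSA secrets).
HIVE_DUMP = re.compile(
    r"\breg(\.exe)?\s+(save|export)\s+HKLM\\(SECURITY|SAM|SYSTEM)\b", re.IGNORECASE)
WINDOW = 3600  # seconds after a remote logon within which we correlate (assumed)


def classify(event):
    """Map one event to a stage from the MDR insight, or None if uninteresting."""
    if event["event"] == "logon" and event.get("logon_type") == 10:
        return "remote_logon"          # RDP interactive logon
    if event["event"] == "process" and HIVE_DUMP.search(event.get("cmdline", "")):
        return "hive_dump"             # SECURITY/SAM/SYSTEM hive written to disk
    if (event["event"] == "process_access"
            and event.get("target", "").lower().endswith("lsass.exe")):
        return "lsass_access"          # handle to LSASS from another process
    return None


def correlate(events):
    """Return one alert per dumping event, flagged if a remote logon preceded it."""
    last_logon = {}   # host -> timestamp of most recent remote logon
    alerts = []
    for e in sorted(events, key=lambda x: x["ts"]):
        stage = classify(e)
        if stage == "remote_logon":
            last_logon[e["host"]] = e["ts"]
        elif stage in ("hive_dump", "lsass_access"):
            since = e["ts"] - last_logon.get(e["host"], float("-inf"))
            alerts.append({"host": e["host"], "stage": stage,
                           "after_remote_logon": 0 <= since <= WINDOW})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

In a real deployment the same two-stage correlation would run over Security event 4624 (LogonType 10) and Sysmon event IDs 1 and 10 rather than the constructed dictionaries shown here.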
Explore Bitdefender MDR and read the updated Bitdefender Ransomware white paper for more information on how to protect against ransomware.
The Bitdefender Threat Debrief (BDTD) is a monthly series analyzing threat news, trends, and research from the previous month. Don’t miss the next BDTD release: subscribe to the Business Insights blog and follow us on Twitter. You can find all previous debriefs here.
We would like to thank Bitdefender’s Stefan Hanu, Mihai Leonte, Gabriel Macovei, and Andrei Mogage for their help with putting this report together.
Bitdefender provides cybersecurity solutions and advanced threat protection to hundreds of millions of endpoints worldwide. More than 180 technology brands have licensed Bitdefender technology and added it to their product or service offerings. This vast OEM ecosystem complements telemetry data already collected from our business and consumer solutions. To give you some idea of the scale, Bitdefender Labs discovers 400+ new threats each minute and validates 30 billion threat queries daily. This gives us one of the industry’s most extensive real-time views of the evolving threat landscape.