Business | SaaS | Technology
May 14, 2026

The 900-Incident Month

AUTHOR

James A. Wondrasek

In March 2026, Rapid7 tracked more than 900 publicly reported ransomware incidents in a single calendar month — the highest monthly total on record. That number alone is jarring. But the detail that should get your attention is this: SMBs account for roughly two-thirds of those incidents. They are the primary target, not a bystander.

The same month produced two structural mutations. The Kyber group deployed post-quantum encryption in a confirmed production attack for the first time. And VECT ransomware turned out to contain a fatal encryption flaw that permanently destroys files rather than locking them. Both are symptoms of ransomware’s quantum-AI mutation: a threat landscape growing faster and mutating in ways existing defences weren’t designed to handle.

Here’s what the 900-incident record means for risk planning, defence investment, and the board conversations that can’t be avoided any longer.


How Did March 2026 Become a Record Month for Ransomware?

Rapid7’s 900+ figure reflects publicly reported incidents: confirmed attacks where victims appear on leak sites or in disclosed breaches. Infosecurity Magazine counted 672 in the same month using different criteria. Both are record-level volume. The gap is methodology, not contradiction.

The surge is structural, not a spike. Ransomware attacks grew 50% year-on-year through 2025. By Q3 2025, a record 85 groups were operating simultaneously. The primary driver is Ransomware-as-a-Service: developers build the toolkits and run the infrastructure; affiliates hand over a percentage of each ransom and get a professional-grade attack operation in return. No technical expertise required. Qilin offers affiliates an 85% revenue share, which tells you how competitive this market has become.

Three groups, Akira, Qilin and DragonForce, accounted for roughly 40% of March incidents. Lone-wolf operators running open distribution models matched Inc Ransom at 13% market share each. VECT took this further: every registered BreachForums member received a personal affiliate key. See the companion article, VECT: AI-coded ransomware that became a wiper.


Who Gets Hit: The SMB Targeting Pattern in Q1 2026 Data

Coveware’s Q1 2026 data is unambiguous. Companies with 11–100 employees and companies with 101–1,000 employees are the two highest-volume attack tiers. Together they account for approximately two-thirds of all tracked incidents. Only 5% of victims have more than 100,000 employees.

It’s not that attackers can’t hit large enterprises. It’s that RaaS affiliate economics make SMBs the highest-ROI target. Affiliates optimise for attacks that are cheap to run, pay out modestly, and pay out reliably. Smaller businesses are more likely to lack dedicated IR teams and immutable backups, and more likely to pay, because business interruption at SMB scale is existential.

The initial access economics reinforce this. Compromised VPN credentials accounted for 48% of ransomware attacks, the leading entry vector. The cost of purchasing victim access from an initial access broker fell from $1,400 in 2023 to $439 in 2026. Against a $300k median ransom, the price of getting into an SMB is a rounding error.

A companion article takes a deeper look at why credential-based initial access now dominates.


The Economics: What Ransomware Payments Actually Look Like in 2026

Coveware’s Q1 2026 managed-case data puts the average ransom payment at roughly $680,000 and the median at $300,750, with data exfiltrated before encryption in 73% of cases.

The divergence matters. The $680k average is skewed by a handful of large enterprise targets where ransoms run into the millions. The $300k median is your financial exposure benchmark — three to six months of payroll for many companies in the 50–200 employee range.

Payment is also a partial resolution at best. In 73% of Q1 2026 cases, data was exfiltrated before encryption: double extortion is now standard practice. Paying closes the encryption incident; it doesn’t close the data exposure. Re-extortion and data-default (the attacker reneging on the promise to delete or withhold stolen data) can take months or even a year to materialise. VECT ransomware is the starkest illustration: its encryption flaw permanently destroys any file over 128 KB, which covers most business-critical files. You can pay the ransom and receive a decryptor that doesn’t work.


Which Sectors Are Most at Risk — and Why Healthcare Leads

Healthcare accounted for 17.6% of Q1 2026 incidents; consumer services accounted for 15.3%. Together, nearly a third of all attacks in the quarter.

Healthcare leads because operational disruption is patient-safety critical, which gives attackers maximum payment pressure, and because the sector combines high-value data with historically under-invested IT security.

For tech companies: the sector label matters less than what your data is worth to an attacker. SaaS with regulated customer data, HealthTech with protected health information, and FinTech with payment data face the same extortion leverage as healthcare. The Canvas/Instructure breach — connected to ShinyHunters — showed that education platforms aren’t exempt either.


Why Law Enforcement Hasn’t Slowed the Volume

After years of Operation Endgame, Operation Cronos and other takedowns, and after RansomHub’s disappearance, March 2026 still set a new record. The answer is structural.

Dismantling a RaaS group triggers affiliate migration, not capability loss. When RansomHub shut down in April 2025, affiliates moved to Qilin. Open-affiliate models like VECT’s BreachForums distribution leave no central infrastructure to seize. An attack that starts with a purchased VPN credential contains no novel malware and no unique infrastructure — nothing for law enforcement to reverse-engineer.

Organisational resilience is the operative strategy. Waiting for enforcement to reduce the threat is not.


The Two Structural Mutations Hidden in the Numbers

Kyber was identified during a March 2026 Rapid7 IR engagement at a US defence contractor. The Windows variant implements Kyber1024 (ML-KEM) for key encapsulation and AES-256-CTR for file encryption, the first confirmed production ransomware deployment of post-quantum cryptography. With conventional RSA-wrapped keys, a victim could at least hold on to encrypted data in the hope that a future large-scale quantum computer would recover the wrapped key (“harvest now, decrypt later”); a post-quantum KEM closes that avenue. In practical terms the recovery posture is unchanged: without the attacker’s private key the data is gone either way. (The ESXi variant claims Kyber1024 in its ransom note but actually uses ChaCha8 with RSA-4096; Rapid7 assesses the operator copy-pasted the note.) Full analysis in the companion article, Kyber: the first quantum-safe ransomware.

VECT expanded through a BreachForums open-affiliate program and reached further via TeamPCP’s supply-chain attacks (see the companion article on the TeamPCP supply-chain pattern). Check Point Research confirmed in April 2026 that VECT’s encryption discards the nonces required to decrypt any file above 128 KB. Without the nonce the keystream cannot be regenerated, even by someone holding the key. The result is permanent destruction, not encryption. Full breakdown in the companion article, VECT: AI-coded ransomware that became a wiper.

One mutation makes the key unrecoverable. The other makes the data unrecoverable.
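As an added illustration of the VECT mechanism (this is not VECT’s code and not from the original article), the following toy models counter-mode encryption with a per-chunk nonce and shows what happens when the encryptor stops persisting nonces above a size threshold. The cipher is an HMAC-SHA256 counter-mode keystream standing in for the AES-CTR or ChaCha keystreams real ransomware uses; the 64 KB chunk size, the 128 KB threshold as the point where nonces are dropped, and the blob layout are assumptions made for the example.

```python
"""Why a discarded nonce is data destruction, not encryption.

Added example, not VECT's code. Counter-mode stream encryption is
ciphertext = plaintext XOR keystream(key, nonce, counter), so whoever
decrypts needs the nonce as well as the key. The PRF here is
HMAC-SHA256 standing in for AES-CTR / ChaCha; chunk size, threshold and
layout are constructed for the demonstration."""
import hashlib
import hmac
import os
import struct

CHUNK = 64 * 1024        # plaintext bytes covered by one nonce (assumption)
NONCE_LEN = 12           # 96-bit nonce, as in ChaCha20 / GCM-style layouts
THRESHOLD = 128 * 1024   # files above this lose their nonces in the buggy writer (assumption)


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """CTR keystream: block i = HMAC-SHA256(key, nonce || i), truncated to length."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    return (int.from_bytes(a, "big") ^ int.from_bytes(b, "big")).to_bytes(len(a), "big")


def encrypt_correct(key: bytes, plaintext: bytes) -> bytes:
    """Per chunk: [12-byte nonce][ciphertext]. Everything needed to decrypt is stored."""
    blob = bytearray()
    for i in range(0, len(plaintext), CHUNK):
        chunk = plaintext[i:i + CHUNK]
        nonce = os.urandom(NONCE_LEN)
        blob += nonce + xor(chunk, keystream(key, nonce, len(chunk)))
    return bytes(blob)


def encrypt_buggy(key: bytes, plaintext: bytes) -> bytes:
    """Models the described defect class: nonces are persisted only for small files.
    For large files the nonce exists briefly in memory and is never written anywhere."""
    if len(plaintext) <= THRESHOLD:
        return encrypt_correct(key, plaintext)
    blob = bytearray()
    for i in range(0, len(plaintext), CHUNK):
        chunk = plaintext[i:i + CHUNK]
        nonce = os.urandom(NONCE_LEN)                          # generated...
        blob += xor(chunk, keystream(key, nonce, len(chunk)))  # ...and dropped
    return bytes(blob)


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Decryptor for the correct layout. Fed a nonce-less blob it can only
    misread ciphertext bytes as nonces and produce garbage."""
    out = bytearray()
    pos = 0
    while pos < len(blob):
        nonce = blob[pos:pos + NONCE_LEN]
        pos += NONCE_LEN
        body = blob[pos:pos + CHUNK]
        pos += CHUNK
        out += xor(body, keystream(key, nonce, len(body)))
    return bytes(out)


def restore_test(key: bytes, blob: bytes, expected_sha256: str) -> bool:
    """The check a responder wants before trusting any decryptor (or paying for
    one): decrypt a file whose hash is known and compare."""
    return hashlib.sha256(decrypt(key, blob)).hexdigest() == expected_sha256


def demo() -> dict:
    """Restore-test all four combinations of writer and file size."""
    key = os.urandom(32)
    small = os.urandom(100 * 1024)   # 100 KB: below the threshold
    large = os.urandom(300 * 1024)   # 300 KB: above it

    def sha(b: bytes) -> str:
        return hashlib.sha256(b).hexdigest()

    return {
        "correct_small": restore_test(key, encrypt_correct(key, small), sha(small)),
        "correct_large": restore_test(key, encrypt_correct(key, large), sha(large)),
        "buggy_small": restore_test(key, encrypt_buggy(key, small), sha(small)),
        "buggy_large": restore_test(key, encrypt_buggy(key, large), sha(large)),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:<14} recoverable={ok}")
```

restore_test is the step to run before trusting any decryptor: even with the correct key, buggy_large comes back False because the keystream cannot be regenerated without the nonce, and a 96-bit nonce per 64 KB chunk is not something anyone brute-forces. That is the sense in which the page calls VECT a wiper.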


What the 900-Incident Month Means for Defence Investment

For an organisation in the 11–1,000 employee range, the question is no longer whether attack attempts will occur — it’s whether your defences are in place when they do.

Identity controls come first. If 48% of attacks begin with a compromised VPN credential, malware detection alone is solving the wrong problem. MFA on all remote access (VPN, RDP, management interfaces), combined with credential monitoring and zero trust principles, is the highest-return investment available. A companion article covers why credential-based initial access now dominates.
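To make the identity paragraph concrete, here is an added example of the triage a small team could run over remote-access authentication logs: it flags successful logins that bypassed MFA, logins by accounts whose passwords are known to be exposed, and logins from a source country the account has never used before. This is not code from the article or from any VPN vendor; the JSON-lines log format, the field names, the exposed-account list and the per-user baseline are all constructed for the example.

```python
"""Triage of remote-access authentication events for the three signals the
identity section points at: successful logins that bypassed MFA, logins by
accounts with exposed credentials, and logins from an unfamiliar source.

Added example. The log format, field names and every value below are
constructed; they do not come from a real VPN product or incident."""
from __future__ import annotations

import json
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample of VPN / RDP-gateway authentication events (JSON lines).
SAMPLE_EVENTS = """\
{"ts":"2026-03-02T08:01:10Z","user":"a.lee","result":"success","mfa":true,"src_country":"AU","service":"vpn"}
{"ts":"2026-03-02T08:03:44Z","user":"b.ng","result":"success","mfa":true,"src_country":"AU","service":"vpn"}
{"ts":"2026-03-02T22:17:03Z","user":"a.lee","result":"success","mfa":false,"src_country":"NL","service":"vpn"}
{"ts":"2026-03-03T01:40:55Z","user":"svc-backup","result":"success","mfa":false,"src_country":"AU","service":"rdp-gateway"}
{"ts":"2026-03-03T02:05:12Z","user":"c.ortiz","result":"failure","mfa":false,"src_country":"BR","service":"vpn"}
{"ts":"2026-03-03T02:05:40Z","user":"c.ortiz","result":"success","mfa":true,"src_country":"BR","service":"vpn"}
"""

# Constructed stand-in for a credential-monitoring feed: accounts whose
# passwords have shown up in a breach dump or an access-broker listing.
EXPOSED_ACCOUNTS = {"a.lee", "svc-backup"}

# Constructed baseline of the countries each account normally connects from.
BASELINE_COUNTRIES = {"a.lee": {"AU"}, "b.ng": {"AU"}, "svc-backup": {"AU"}}


@dataclass(frozen=True)
class Finding:
    ts: str
    user: str
    kind: str    # "no_mfa" | "exposed_credential" | "new_country"
    detail: str


def parse_events(text: str) -> list[dict]:
    """Parse JSON-lines authentication events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def triage(events: list[dict], exposed: set[str],
           baseline: dict[str, set[str]]) -> list[Finding]:
    """Return one Finding per (event, signal) worth an analyst's time.

    Only successful logins are considered: a failed login with a stolen
    password is noise, a successful one is the start of an incident.
    """
    findings: list[Finding] = []
    for ev in events:
        if ev["result"] != "success":
            continue
        user, ts = ev["user"], ev["ts"]
        if not ev["mfa"]:
            findings.append(Finding(ts, user, "no_mfa",
                                    f"successful login without MFA on {ev['service']}"))
        if user in exposed:
            findings.append(Finding(ts, user, "exposed_credential",
                                    "password appears in credential-monitoring feed"))
        known = baseline.get(user)
        if known is not None and ev["src_country"] not in known:
            findings.append(Finding(ts, user, "new_country",
                                    f"first login seen from {ev['src_country']}"))
    return findings


def accounts_to_lock(findings: list[Finding]) -> set[str]:
    """Accounts that combine an exposed password with a successful login that
    bypassed MFA: the pattern behind the 48% statistic, and the ones to
    disable, reset and re-enrol before anything else."""
    kinds: dict[str, set[str]] = defaultdict(set)
    for f in findings:
        kinds[f.user].add(f.kind)
    return {u for u, k in kinds.items() if {"no_mfa", "exposed_credential"} <= k}


if __name__ == "__main__":
    found = triage(parse_events(SAMPLE_EVENTS), EXPOSED_ACCOUNTS, BASELINE_COUNTRIES)
    for f in found:
        print(f"{f.ts} {f.user:<11} {f.kind:<19} {f.detail}")
    print("lock and reset first:", sorted(accounts_to_lock(found)))
```

Two things the sample shows that the paragraph cannot: a.lee’s earlier MFA-protected login from a known location is the control doing its job after the password had already leaked, and svc-backup, a service account on the RDP gateway with no MFA and an exposed password, is exactly the kind of account a purchased credential lands on.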

Immutable backups are non-negotiable. Kyber’s Windows variant explicitly terminates Veeam, SQL, and backup services before encrypting. VECT’s nonce flaw means even a cooperative operator can’t provide a working decryptor. In both scenarios, immutable off-host backups are the primary, and sometimes the only, recovery path. Immutable here means copies that credentials from the compromised environment cannot alter or delete: object-lock or WORM storage, an offline copy, or a backup tier under a separate identity, with restores tested rather than assumed.

Patch management is now a race condition. Coveware notes the “agentic AI era” is compressing the window between vulnerability disclosure and exploitation. Exploited vulnerabilities drove 32% of confirmed manufacturing attacks.

For the board-level cyber insurance conversation: the $300k median is your financial exposure benchmark, but re-extortion and data-default tail risks extend well beyond the initial event. Coverage limits need to account for that tail, not just the headline ransom. The playbook changes needed to update incident response for PQC and wiper scenarios are specific and actionable, and are set out in a companion article.

The 900-incident month is not an anomaly to file and forget. It’s a baseline. The companion article on how ransomware is mutating in 2026 gives the full picture.


Frequently Asked Questions

What does “900 ransomware incidents in March 2026” actually mean?

Rapid7 tracks publicly reported incidents — confirmed attacks on leak sites, disclosed breaches, or confirmed IR engagements. Infosecurity Magazine counted 672 using different methodology. Both are record-level volume. The gap is tracking criteria, not a factual conflict.

Is my SMB actually at risk, or is this mostly about large enterprises?

Companies with 11–100 and 101–1,000 employees together account for approximately two-thirds of all tracked Q1 2026 incidents. Only 5% of victims have over 100,000 employees. RaaS affiliate economics explicitly favour SMBs: lower cost, lower payout, but higher probability of payment. If you’re in that range, this is your story.

Why is the average ransom ($680k) so much higher than the median ($300k)?

A small number of very large enterprise ransoms push the average up. The $300,750 median is the accurate benchmark for your organisation — it reflects the middle of the distribution, not the tail. That’s the number to take to your board.

Does paying the ransom guarantee data recovery?

No. Re-extortion and data-default can materialise months after payment. Double extortion occurred in 73% of Q1 2026 cases, so payment still leaves stolen data at risk. VECT presents the extreme case: its encryption flaw permanently destroys files over 128 KB — paying yields a non-functional decryptor.

Why are healthcare organisations hit the hardest?

Healthcare accounts for 17.6% of Q1 2026 incidents — operational disruption is patient-safety critical, the data is valuable for double extortion, and IT security has historically been underfunded. EdTech, FinTech, and HealthTech face the same targeting logic.

What is the Kyber ransomware group, and should I be worried about post-quantum encryption?

Kyber is the first confirmed production ransomware to use post-quantum cryptography (ML-KEM / Kyber1024) for key exchange. It doesn’t change recovery outcomes — files are still unrecoverable without the attacker’s private key. Immutable backups remain the primary recovery path, unchanged by the PQC implementation.

What is VECT ransomware and why is it called a wiper?

VECT 2.0 permanently destroys any file larger than 128 KB by discarding the nonces required for decryption — confirmed by Check Point Research in April 2026. The outcome matches purpose-built wipers like NotPetya. Paying yields a non-functional decryptor.

Why hasn’t law enforcement stopped the ransomware surge?

Group-level takedowns create affiliate migration, not capability reduction. When RansomHub shut down, affiliates moved to Qilin. Open-affiliate models like VECT’s BreachForums distribution leave no central infrastructure to seize. Credential-based initial access leaves no malware signature to track.

What is a RaaS open-affiliate model and why does it matter?

Traditional RaaS vets affiliates and manages negotiations privately. VECT’s BreachForums model distributed ransomware keys to every registered forum member — no vetting, mass scale. This expands the pool of attackers and makes attribution harder.

What is the 48% VPN credential figure and why does it matter for defence?

48% of ransomware attacks now use compromised VPN credentials for initial access. Nearly half of attacks start with a stolen password, not a phishing link. MFA on VPN and zero trust network access directly address this. Without MFA on remote access, you’re the easiest target on the block.

What should we do if we don’t have a dedicated security team?

Three controls address the most common attack vectors: MFA on all remote access (the 48% credential stat), immutable backups (covers both ransomware and wiper scenarios), and patch management (the 32% exploit-driven entry figure). Pre-agree a relationship with an external IR firm before an incident occurs.

How does ransomware volume affect cyber insurance premiums?

Average ransomware claims reached $1.18 million in 2025, up 17% year-on-year, with around 40% of claims denied in 2024 for failure to maintain security standards. Re-extortion and data-default tail risks need to be in the coverage discussion, not treated as afterthoughts.
