March Threat Intelligence Spotlight Report

Each month, our Cyber Threat Intelligence team compiles data from our engagements to determine key industry trends. We look at the initial access methods threat actors are using to gain entry into a network, types of incidents most commonly impacting organizations, which sectors are being more heavily targeted, and which threat groups are most prevalent.

Our Methodology

Kroll CTI monthly spotlights are based on intelligence from Kroll’s cyber incident response engagements where we are engaged to respond, manage, or mitigate a cybersecurity incident.
Kroll’s incident response work is informed by intelligence gained from the thousands of engagements handled per year by the Kroll Cyber Risk team.
Data is collected and processed by the Kroll Cyber Threat Intelligence team during the initial scoping intake as well as during the lifecycle of a Kroll engagement.

Download the March Report

I would like to receive invitations, insights and thought leadership content from Kroll.

We will use this information to respond to your inquiry and process your data in accordance with our privacy policy.

Key Takeaways for March 2026

Initial Access Methods

Phishing: Link (43%)
Misconfiguration (14%)
Phishing: Voice (11%)

Most Impacted Industries

Professional, Scientific, and Technical Services (18%)
Finance and Insurance (14%)
Health Care and Social Assistance (12%)

Top Ransomware Variants

AKIRA
FULCRUMSEC
LYNX

Top Threat Incident Types

Email Compromise (42%)
Ransomware (24%)
Unauthorized Access (16%)

Industry Analysis

Professional, Scientific, and Technical Services was the most impacted industry in March 2026

Email Compromise was the top threat incident type impacting the Professional, Scientific, and Technical Services industry.
In March, threats against the Professional, Scientific, and Technical Services industry most often involved Phishing: Link as the initial access method.

Finance and Insurance was the 2nd most impacted industry in March 2026.

Unauthorized Access was the top reported threat incident type impacting the Finance and Insurance industry.
In March, threats against the Finance and Insurance industry most often involved Valid Accounts as the initial access method.

Ransomware Analysis

AKIRA was the most common ransomware variant observed by Kroll in March 2026.
In March, Professional, Scientific, and Technical Services and Manufacturing were the top industries targeted by ransomware actors across Kroll engagements.
Ransomware actors primarily gained initial access through Drive-by Compromise.
Manufacturing was the top industry for victims posted to ransomware actor-controlled shaming sites and blogs.
North America was the top region for victims posted to ransomware actor-controlled shaming sites and blogs.

Connect with Us

Anjori Radia

Associate Managing DirectorCyber and Data ResilienceLondon

Anjori.Radia@kroll.com +44 207 147 8752

Eric Strom

Global Head of Threat IntelligenceCyber and Data ResilienceWashington DC

Eric Strom eric.strom@kroll.com +15716788814

Stay Ahead with Kroll

24x7 Incident Response

Kroll is the largest global IR provider with experienced responders who can handle the entire security incident lifecycle.

Learn more

Cyber Risk Retainer

Kroll delivers more than a typical incident response retainer—secure a true cyber risk retainer with elite digital forensics and incident response capabilities and maximum flexibility for proactive and notification services.

Learn more

Computer Forensics

Kroll's computer forensics experts ensure that no digital evidence is overlooked and assist at any stage of an investigation or litigation, regardless of the number or location of data sources.

Learn more

Mobile Device Forensics

With a global mobile device forensics team and a proven track record in investigation and litigation support, Kroll enables key digital insights to be accessed quickly and securely.

Learn more