
Ransomware Is Now a Franchise Business — And It's Growing Faster Than the Companies It Attacks

In one week in March 2026: Stryker had 200,000 devices remotely wiped across 79 countries. Foster City declared a state of emergency. The University of Mississippi closed all 35 of its clinics statewide. These weren't exceptional events. They were a typical week.


At approximately 5 a.m. on March 11, 2026, something began happening to computers inside Stryker Corporation.

Stryker is one of the largest medical device companies in the world — a $22 billion revenue business that makes surgical equipment, hospital beds, implants, and the instruments that operating rooms depend on. That morning, workstations started going dark. Across 79 countries, devices running in Stryker's Microsoft environment began receiving remote wipe commands. By the time anyone understood what was happening, over 200,000 corporate devices had been wiped. Order processing went down. Shipping went down. Production went down. The company's Global Administrator-level access to its own Microsoft environment had been taken over by an Iranian hacktivist group called Handala.

This was not a ransomware attack in the traditional sense. Nobody encrypted the files and demanded payment. Handala claimed the attack was retaliation for a US military strike on a girls' school in Minab, southern Iran. The goal was not money. The goal was maximum disruption — and by that measure, it worked.

One week later, on March 19, the city manager of Foster City, California declared a state of emergency. A ransomware attack had taken down the city's computer systems, suspending all public services except emergency operations. City officials warned residents that personal information may have been compromised. City services were offline for over a week.

Two weeks before that, in late February, a ransomware attack on the University of Mississippi Medical Center forced the closure of all 35 of its clinic locations statewide. Scheduled appointments were cancelled. Elective surgeries were postponed. UMMC's Epic electronic medical records system — the system clinicians use to see patient histories, medication lists and allergy records — went dark. Doctors and nurses reverted to pen and paper.

These three incidents happened within the same month. None of them was the lead story on most news sites for more than a day.

This is what normal looks like in 2026.

The Franchise Model

To understand why this keeps happening, you need to understand how ransomware is actually organised — because the image most people carry of a hacker in a dark room writing sophisticated malware is about fifteen years out of date.

Modern ransomware operates as Ransomware-as-a-Service. The developers who build and maintain the malware never touch a victim's network. They are software companies. They build the tools — the encryption engines, the exfiltration utilities, the negotiation portals where victims enter their payment details — and they offer them to affiliates on a subscription or revenue-share basis, typically around 20 to 30% of whatever ransom is collected.

The affiliates handle everything else. They identify targets, gain initial access, deploy the payload, manage negotiations, and in some cases handle customer service for victims who need help understanding how to buy cryptocurrency to pay the ransom. Neither the developer nor the affiliate needs to be exceptional at everything. They just need to be competent at their part.

This division of labour has done to cybercrime what franchising did to fast food. It standardised operations, lowered the barrier to entry, and allowed the industry to scale without requiring any individual operator to possess the full range of skills that running the operation previously required. The result is that attacking a hospital or a city government no longer requires nation-state level sophistication. It requires knowing how to use the affiliate portal.

Q1 2026 recorded 2,318 ransomware victims across 70 active groups — broadly flat from Q1 2025's 2,251 victims across 67 groups. The headline number sounds like stability. The detail is more unsettling: the number of active groups is increasing even as overall victim counts plateau, meaning the ecosystem is fragmenting into more numerous, smaller operators rather than consolidating around a few dominant players. Law enforcement takedowns of major groups create vacuums that are filled by the affiliates and mid-level operators who immediately spin up new operations.

Triple Extortion: The Baseline Shifted

Three years ago, the ransomware playbook was straightforward: encrypt the victim's files, demand payment for the decryption key. If the victim had recent backups, they could often recover without paying. This was the model's primary limitation.

Attackers noticed. Double extortion became standard: before encrypting, exfiltrate the most sensitive data you can find. Now the victim faces two problems. Even if they restore from backups, the data is still gone — and the attackers have it. Refuse to pay, and your employees' payroll data, your customers' personal information, your unreleased financial statements start appearing on dark web leak sites.

Then came triple extortion: while running the encryption and exfiltration, simultaneously launch a distributed denial-of-service attack against the victim's external infrastructure. This adds pressure. It disrupts customer-facing systems. It signals to the victim that the attackers have resources and patience and are not going away.

Some groups have extended this to a fourth vector: contacting the victim's clients, regulators, and business partners directly. "We have data about your customers from [Company]. They are refusing to cooperate. You should know." The psychological pressure this creates — not just on the victim company but on its relationships — is difficult to overstate.

Telus Digital experienced the new scale of this in 2026. ShinyHunters claimed to have extracted nearly one petabyte of data from the Canadian telecommunications firm over several months. Not gigabytes. One petabyte. The group alleged access to extensive customer data from Telus's business process outsourcing division, plus call records from the telecom operation itself. Telus stated it would not engage with the threat actors. The data still exists. The leverage doesn't disappear because the target refuses to negotiate.

The Shift Nobody Is Talking About

Something changed in 2026 that is not fully captured in the ransomware statistics, and the Stryker attack is the clearest example of it.

Handala didn't use ransomware. They used Microsoft Intune — a legitimate enterprise mobile device management tool that Stryker's own IT team used to manage corporate devices. After gaining Global Administrator access to Stryker's Microsoft environment — likely via compromised credentials, with researchers at Outpost24 identifying 278 exposed Stryker credentials in threat intelligence data from October 2025 through March 2026 — the attackers used the company's own administrative tools to issue remote wipe commands across the fleet.

This is a meaningful shift. Traditional ransomware is software that an attacker smuggles into your environment. What happened at Stryker was an attacker who obtained the keys to your environment and used your own tools against you. Stryker's statement — "this was not a ransomware attack, and there is no evidence of malware deployed to our systems" — is technically accurate and practically irrelevant. Whether the tool is ransomware or Microsoft Intune, 200,000 devices got wiped across 79 countries in three hours.

The implication for defenders is significant. Endpoint detection systems that look for known malware signatures would not have detected this attack. Perimeter firewalls would not have stopped it. The attack surface was the identity layer — a compromised privileged account with access to legitimate administrative tools. Defending against that requires monitoring for anomalous behaviour by privileged accounts, not monitoring for malicious software.
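The point above, that the signal was the behaviour of a privileged account rather than a malware sample, can be made concrete with detection logic over audit events. The block below is an added example and not code from the article, from Stryker or from Microsoft; the log schema, field names, account address, IP addresses, timestamps, the ten-minute window and the five-action threshold are all constructed for the example and do not reflect the real Intune or Entra audit export format. It flags two things a defender would want to see: a burst of wipe-class device actions from one account, and privileged actions arriving from a source address the tenant has never used before.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Actions that erase a device or remove it from management. A burst of these
# from one account is the behaviour worth alerting on, whatever tool issued them.
WIPE_ACTIONS = {"RemoteWipe", "Retire"}
PRIVILEGED_ROLES = {"Global Administrator", "Intune Administrator"}


def _line(ts, action, device, ip):
    """Build one constructed audit line (invented schema, sample data only)."""
    return json.dumps({"ts": ts, "actor": "admin@corp.example",
                       "role": "Global Administrator", "action": action,
                       "device": device, "src_ip": ip})


# Constructed sample log: a legitimate session retires two devices an hour
# apart, then the same account, now used from an unfamiliar address, issues
# eight wipes in under three minutes (20 seconds apart).
SAMPLE_LOG = "\n".join(
    [_line("2026-03-11T03:10:00Z", "DeviceSync", "WS-0001", "203.0.113.10"),
     _line("2026-03-11T03:20:00Z", "Retire", "WS-0002", "203.0.113.10"),
     _line("2026-03-11T04:15:00Z", "Retire", "WS-0003", "203.0.113.10")]
    + [_line(f"2026-03-11T05:0{i // 3}:{(i % 3) * 20:02d}Z", "RemoteWipe",
             f"WS-{100 + i:04d}", "198.51.100.7") for i in range(8)]
)


def parse_events(text):
    """Parse newline-delimited JSON audit lines; timestamps become aware datetimes."""
    events = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def _extend(alert, ev):
    """Fold one more event into an open alert."""
    alert["count"] += 1
    alert["last_ts"] = ev["ts"].isoformat()
    alert["src_ips"].add(ev["src_ip"])
    alert["devices"].append(ev["device"])


def detect_mass_wipe(events, window=timedelta(minutes=10), threshold=5):
    """Alert when one actor issues >= threshold wipe-class actions inside a sliding window.

    One alert is raised per burst and extended as the burst continues, so the
    analyst sees a single alert with the full device list rather than one per wipe.
    """
    recent = defaultdict(deque)   # actor -> wipe-class events still inside the window
    open_alerts = {}              # actor -> alert currently being extended
    alerts = []
    for ev in events:
        if ev["action"] not in WIPE_ACTIONS:
            continue
        actor = ev["actor"]
        q = recent[actor]
        q.append(ev)
        while ev["ts"] - q[0]["ts"] > window:   # drop events older than the window
            q.popleft()
        if len(q) < threshold:
            open_alerts.pop(actor, None)         # burst never formed, or has subsided
            continue
        alert = open_alerts.get(actor)
        if alert is None:
            alert = {"actor": actor, "first_ts": q[0]["ts"].isoformat(),
                     "last_ts": None, "count": 0, "src_ips": set(), "devices": []}
            for e in q:                           # include the events that crossed the threshold
                _extend(alert, e)
            open_alerts[actor] = alert
            alerts.append(alert)
        else:
            _extend(alert, ev)
    return alerts


def detect_unfamiliar_source(events, known_ips):
    """Return privileged-role actions whose source address is outside the known baseline."""
    return [ev for ev in events
            if ev["role"] in PRIVILEGED_ROLES and ev["src_ip"] not in known_ips]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for a in detect_mass_wipe(evs):
        print(f"MASS WIPE: {a['actor']} issued {a['count']} wipe-class actions "
              f"between {a['first_ts']} and {a['last_ts']} from {sorted(a['src_ips'])}")
    for ev in detect_unfamiliar_source(evs, known_ips={"203.0.113.10"}):
        print(f"UNFAMILIAR SOURCE: {ev['actor']} {ev['action']} {ev['device']} from {ev['src_ip']}")
```

The two checks are deliberately independent: the burst detector fires on volume alone, so it still works when the attacker's address happens to be familiar, while the source check fires on the first privileged action from a new address, before any wipe has been issued. Thresholds and the baseline address list are assumptions to tune against a tenant's own history of routine device retirements.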

Jonathan Trull, CISO of Qualys, which is headquartered in Foster City and helped respond to the city's attack, was direct about the broader challenge at the RSAC Conference in San Francisco the week after the Foster City incident: "Municipalities are underfunded. They are part of critical infrastructure, but they don't always have the talent and the money to defend against such sophisticated attacks."

That observation applies far beyond municipalities.

What the Costs Actually Look Like

Numbers help here. The average ransomware recovery cost in 2026 is $2.73 million per incident. Healthcare breaches average $7.42 million — partly because of the direct recovery costs, partly because of the regulatory exposure under HIPAA, and partly because every day a clinical system is offline carries costs that don't show up neatly in financial reports. When UMMC closed 35 clinics for several days in February, patients with chronic conditions couldn't get refills. Procedures got delayed. Some of those delays had real medical consequences.

Global cybercrime costs an estimated $10.5 trillion annually. That figure is now larger than the GDP of every country except the United States and China.

78% of companies were hit by ransomware in some form in the past year. Of those, the majority faced demands. A significant fraction paid. The average ransom paid — not the average demanded, which is typically higher — continues to rise as attackers demonstrate a willingness to follow through on data publication and operational disruption threats.

The highest single ransom paid in 2026 was $75 million, to a group called Devils Angels. The attack wasn't publicly attributed to a named victim. That is its own data point.


Why the Same Mistakes Keep Appearing

There is something striking about reading incident reports from 2026. The root causes are almost never exotic. They are the same failures, repeated with slight variation across very different organisations.

In January 2026, a database containing 149 million records — nearly 100 gigabytes of sensitive information — was discovered publicly exposed on the internet. The cause was a misconfigured cloud environment. Not a sophisticated zero-day exploit. Not a nation-state attack. A misconfigured environment.

The Stryker attack almost certainly began with compromised credentials — 278 of them identified by external researchers, accumulated over five months, apparently undetected by Stryker's own security monitoring until after the wipe commands had already been issued.

The Foster City attack exploited the same vulnerability that has appeared in nearly every municipal ransomware case of the past three years: underfunded IT infrastructure, aging systems, and insufficient backup architecture. The CISO of the company literally next door had spent years responding to exactly this type of incident and could describe, in real time during a press conference, the standard playbook for recovery. The playbook exists. The preparedness often doesn't.

"Many of the biggest cybersecurity breaches of 2026 weren't unstoppable attacks," noted ACI Learning's post-incident analysis. "They were preventable failures."

That verdict appears in incident reports so consistently that it has almost lost its capacity to shock. It shouldn't. Every incident with a root cause in misconfiguration, compromised credentials, or an untested incident response plan is an incident that did not need to happen.

The Part That Actually Matters

The franchise model of ransomware is not going to be dismantled by law enforcement action alone, though law enforcement action helps at the margin. The economics are too favourable. The barriers to entry are too low. The regulatory and judicial constraints on cross-border pursuit are too significant.

What changes the equation is not catching more ransomware gangs. It's making the attacks less successful. That requires organisations — and especially the underfunded municipalities, hospital systems, and mid-sized companies that make up the bulk of victims — to make the investments that turn ransomware from a reliable revenue stream into an unreliable one.

Reliable offline backups, tested regularly. Multi-factor authentication that can't be bypassed via credential theft alone. Monitoring for anomalous privileged account behaviour, not just for known malware signatures. Incident response plans that exist before the attack and are rehearsed against realistic scenarios.

None of this is complicated. None of it is new. The gap between what the security industry knows about how to defend against ransomware and what the average organisation actually does about it is the gap that attackers live in. It has been wide for years. The 2,318 victims in Q1 2026 represent the cost of leaving it open.