CRITICAL 13 min read 18 Mar 2026


Key findings

01 Iran Cyber Threat: Formally Downgraded to Monitored — But the Detection Gap Is Real (HIGH)

02 FortiClient EMS CVE-2026-21643 (CVSS 9.1): Full Technical Disclosure, Patch Now (CRITICAL)

03 MuddyWater Dindoor: The Clearest Iranian Pre-Positioning Signal in the Current Conflict Window (HIGH)

04 Sinobi Ransomware: From New Actor to Energy Sector Threat in One Week (HIGH)

05 GlassWorm Phase 3: The Developer Pipeline Is the Attack Surface (HIGH)

06 The Ransomware Payment Rate Has Collapsed — and Defenders Haven't Caught Up (HIGH)

07 Iranian Botnet Infrastructure: A Rare Technical Glimpse Inside (HIGH)

08 Stryker Day 13: Contained, Not Recovered (HIGH)

09 AI Offensive Capability: The Exploit-at-Scale Threshold (HIGH)

Ransomware Shifts, MuddyWater's Silent Grip, and the Structural Collapse of Encryption-Based Detection

18 March 2026 — A13E Intelligence Operations

Three converging storylines demand attention from cloud security teams today: a multi-source structural confirmation that encryption-based ransomware detection is now a rearguard strategy; Tier-1 corroboration that Iranian threat group MuddyWater has pre-positioned destructive backdoors across US banking, aviation, and software-supply-chain networks; and a critical-severity SQL injection in FortiClient EMS with full public technical disclosure — weaponised exploits are likely days away.

Beneath those: a nascent ransomware group named Sinobi has reached the energy sector, a three-phase supply chain attack called GlassWorm has compromised 400-plus code repositories, and AI-enabled attacker tooling has crossed a threshold where more than half of published CVEs can be converted into working exploits by chained AI models.

Each finding below covers what happened, why it matters, and what to do.

Iran Cyber Threat: Formally Downgraded to Monitored — But the Detection Gap Is Real

The Downgrade

CISA Acting Director Nick Andersen, speaking at the McCrary Institute on 17 March, described the current Iran threat environment as "a steady state" — the first official indication in more than 20 days that the elevated alert posture was being revised downward. His exact words: "We still are seeing a steady state. [Industry groups] have not seen an increase in the rise of threat actor activity, which is fantastic."

That is the most direct public signal from US federal government in weeks, and it carries weight. It is not, however, a clearance.

Why a Full Stand-Down Would Be Premature

Three structural constraints prevent treating this as a resolution:

MuddyWater Dindoor pre-positioning remains confirmed and unretracted. Axios, citing Symantec and Broadcom's Carbon Black team, reported on 17 March that Iranian threat group MuddyWater — also tracked as Seedworm — has installed Dindoor backdoors in US company networks since at least late February 2026. CybersecurityDive independently corroborated active Seedworm presence in US networks on the same day. Six independent sources now confirm this finding. The affected sectors include banking, aviation, non-profit organisations, and software supply chain companies. Activation does not require new initial access. It requires only a command decision.

CISA and FBI institutional capacity is structurally degraded. A Lawfare analysis published 18 March — "Iran Will Retaliate in the U.S. We May Not See It in Time" — argues directly that the coordination pipeline required to detect Iranian pre-positioned operations has been weakened through personnel departures, budget reductions, and institutional disruption. This argument was reinforced by separate reporting from BankInfoSecurity and GovInfoSecurity (16–17 March) on a Congressional watchdog probe into CISA's former acting director and two failed polygraph tests. The core Lawfare argument is that "steady state" may reflect a collection gap rather than true operational quiet.

Insurance markets are formalising around this risk, not receding from it. NetDiligence — whose claims data feeds underwriting models at Lloyd's, Chubb, and Beazley — published Vol. 290 on 18 March with a featured section titled "Threat Brief: March 2026 Escalation of Cyber Risk Related to Iran." This is the first time a primary insurance-sector source has categorised the Iran conflict as a formally tracked breach risk category. War exclusion clause litigation for Q2 claims is now being formally anticipated in the market, and renewals from April through June will include Iran-specific coverage review questions.

What to Do

Do not reduce IR team readiness. MuddyWater Dindoor backdoors remain pre-positioned in US networks regardless of the posture downgrade.

Conduct IOC checks against network telemetry using the Hunt.io Iran botnet indicators (published at hunt.io/blog/iran-botnet); see the Iranian Botnet Infrastructure finding below for technical detail on what that infrastructure looks like.

Review MDM/Intune mass-wipe detection rules. The Stryker compromise — discussed below — demonstrates that compromised admin accounts, not novel malware, are the entry vector of choice.

Begin preparing for Q2 insurance renewal conversations that will include Iran-specific coverage questions.

FortiClient EMS CVE-2026-21643 (CVSS 9.1): Full Technical Disclosure, Patch Now

What Happened

Bishop Fox published a full technical deep-dive for CVE-2026-21643 on 17–18 March, covering FortiClient EMS version 7.4.4. The vulnerability is an unauthenticated pre-authentication SQL injection in the HTTP header — a parameter used for tenant routing. That header value is passed directly to PostgreSQL without sanitisation before any authentication check is performed.

The consequence is severe: a single crafted HTTP request yields unauthenticated SQL execution. From there, an attacker can extract administrator credentials, obtain a complete inventory of all managed endpoints, disable security policies, and access certificates for every endpoint under management. No credentials are required. No user interaction is required.

A critical detection gap amplifies the risk: time-based blind injection — the exploitation technique disclosed — bypasses standard FortiClient EMS error log monitoring. Organisations relying on FortiClient EMS logs to detect attacks against the management server will not see this exploitation.
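The two points above, an unauthenticated header concatenated into SQL and a time-based technique that leaves the error log silent, are easier to reason about side by side. The following is an added example written for this brief; it is not Bishop Fox's or Fortinet's code and does not reproduce the disclosed request. The header name, the endpoint path and the log lines are all constructed placeholders (the brief does not name the real header), and SQLite stands in for PostgreSQL so the code runs offline. It shows the concatenation anti-pattern beside an allow-list plus bind-parameter fix, and a latency-based check over access logs that catches what the EMS error log cannot.

```python
import re
import sqlite3
from collections import defaultdict

# Assumption: the brief does not name the tenant-routing header, so a placeholder is used here.
TENANT_HEADER = "X-Tenant-Slug"
# Tenant identifiers are opaque slugs; anything outside this allow-list never reaches the database.
TENANT_SLUG_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def make_db():
    """Constructed in-memory tenant table. SQLite stands in for PostgreSQL so the example runs
    offline; the concatenation defect is the same on either engine."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tenants (slug TEXT PRIMARY KEY, db_name TEXT)")
    conn.executemany("INSERT INTO tenants VALUES (?, ?)",
                     [("acme", "ems_acme"), ("globex", "ems_globex")])
    return conn


def vulnerable_lookup(conn, headers):
    """The anti-pattern described in the brief: an unauthenticated header value is concatenated
    straight into SQL. A quote character in the header changes the statement the engine runs."""
    slug = headers.get(TENANT_HEADER, "")
    sql = f"SELECT db_name FROM tenants WHERE slug = '{slug}'"
    return [row[0] for row in conn.execute(sql)]


def hardened_lookup(conn, headers):
    """Validate against the allow-list first, then bind the value as a query parameter."""
    slug = headers.get(TENANT_HEADER, "")
    if not TENANT_SLUG_RE.fullmatch(slug):
        raise ValueError("tenant header rejected by allow-list")
    rows = conn.execute("SELECT db_name FROM tenants WHERE slug = ?", (slug,))
    return [row[0] for row in rows]


# Constructed reverse-proxy access log: timestamp, client IP, method, path, status, server time (s).
SAMPLE_ACCESS_LOG = """\
2026-03-18T03:10:01Z 198.51.100.20 POST /api/v1/tenant/resolve 200 0.04
2026-03-18T03:10:07Z 203.0.113.7 POST /api/v1/tenant/resolve 200 5.01
2026-03-18T03:10:13Z 203.0.113.7 POST /api/v1/tenant/resolve 200 0.05
2026-03-18T03:10:19Z 203.0.113.7 POST /api/v1/tenant/resolve 200 5.02
2026-03-18T03:10:25Z 203.0.113.7 POST /api/v1/tenant/resolve 200 5.00
2026-03-18T03:10:31Z 198.51.100.21 POST /api/v1/tenant/resolve 200 0.03
"""
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) ([\d.]+)$")


def flag_time_based_probing(log_text, pre_auth_paths, slow_seconds=4.0, min_hits=3):
    """Time-based blind injection produces no database error, so the EMS error log stays quiet.
    What it cannot hide is latency: one client repeatedly pulling multi-second responses from a
    pre-auth endpoint that normally answers in milliseconds. Returns {client_ip: slow_hits}
    for clients at or above min_hits."""
    slow_hits = defaultdict(int)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        _ts, client, _method, path, _status, seconds = m.groups()
        if path in pre_auth_paths and float(seconds) >= slow_seconds:
            slow_hits[client] += 1
    return {ip: n for ip, n in slow_hits.items() if n >= min_hits}


if __name__ == "__main__":
    db = make_db()
    print(hardened_lookup(db, {TENANT_HEADER: "acme"}))  # ['ems_acme']
    print(flag_time_based_probing(SAMPLE_ACCESS_LOG, {"/api/v1/tenant/resolve"}))  # {'203.0.113.7': 3}
```

The latency rule is the part worth carrying into production: put the reverse proxy's or load balancer's per-request server time in front of the EMS host and alert on repeated slow responses from a single client to pre-authentication paths, because that telemetry exists whether or not the application logs anything. The allow-list regex is intentionally strict; loosen it only to what tenant identifiers actually contain.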

Why It Matters

Full public technical disclosure means a working exploit is a matter of days away, not weeks. Any FortiClient EMS deployment still running version 7.4.4 should be treated as fully compromised from the point of weaponised exploit availability. Given that EMS is a management plane that holds endpoint certificates and security policy for an entire organisation's managed fleet, compromise of a single management server grants an attacker comprehensive visibility into and control over the entire endpoint estate.

What to Do

Patch FortiClient EMS to version 7.4.5 immediately. This is not a patch that can wait for the next scheduled maintenance window. Any organisation on 7.4.4 should treat this as an emergency change.

MuddyWater Dindoor: The Clearest Iranian Pre-Positioning Signal in the Current Conflict Window

What Six Sources Now Confirm

The Dindoor backdoor finding has graduated from a single-source advisory to a six-source Tier-1 confirmation in 24 hours. Axios (17 March), citing Symantec and Broadcom's Carbon Black research, provided the most detailed public account: MuddyWater operators have installed Dindoor backdoors in US company networks since late February 2026, across banking, aviation, non-profit, and software supply chain sectors. CybersecurityDive independently corroborated active Seedworm presence the same day. SecurityWeek, SecurityAffairs, and Nextgov round out the source set.

This is the most strongly confirmed Iranian-direct US network persistence finding in the current conflict window.

What Pre-Positioning Means in Practice

Pre-positioned backdoors are operationally distinct from opportunistic intrusions. The attacker has already solved initial access. A destructive phase can begin without new infrastructure, new phishing, or new vulnerabilities. Detection before that phase requires the visibility and analytic capacity to distinguish legitimate administrative activity from pre-positioned dwell — and as the Lawfare analysis notes, that national-level detection capacity is currently under structural strain.

What to Do

Run MuddyWater Dindoor IOC checks against your network telemetry and endpoint telemetry. Indicators have been published by Symantec/Broadcom.

Audit privileged account activity in the affected sectors (banking, aviation, non-profit, software supply chain) for lateral movement patterns consistent with dwell.

Review CISA's Iran-specific CVE catalogue (CVIE, 136 CVEs) and verify coverage status in your vulnerability management programme.

Do not reduce incident response staffing or on-call coverage based solely on the CISA "steady state" statement.

Sinobi Ransomware: From New Actor to Energy Sector Threat in One Week

The Escalation

Sinobi has moved from a newly-tracked ransomware actor to an active, expanding group with confirmed energy sector targeting in under seven days. Four confirmed victims as of 18 March:

McAfee Tool and Die — US manufacturing (17 March)

Eco Sound Builders — US construction (17 March)

Summa Energy — US energy, 250 GB of data claimed (18 March), corroborated across ransomware.live, hookphish.com, ransomlook.io, and BlackFog

Teco HVAC LLC — US energy/HVAC (17 March), corroborated by RedPacketSecurity and Lumu Tradecraft

FalconFeeds additionally reported a 17 March dark web burst referencing three further victims and 643 GB of data associated with the group, though whether this figure overlaps with the Summa Energy figure or represents additional unreported victims is not yet clear. BlackFog's State of Ransomware 2026 is now formally tracking this group.

Why Sinobi Is Worth Watching

The progression from manufacturing to construction to energy across a single week follows a pattern consistent with a group either expanding its initial access broker relationships or operating from a larger victim backlog than has been publicly disclosed. The Babuk-derived cross-platform payload — confirmed as targeting both Windows environments and ESXi hypervisors — indicates technical competency beyond a first-generation operation. Entry vector and full TTP profile remain unknown, which limits defensive countermeasures to general posture hardening.

What to Do

Energy sector operators should review internet-facing infrastructure and VPN concentrators for signs of prior compromise; the absence of a confirmed entry vector makes broad exposure review the appropriate first step.

Check your organisation and supply chain partners against the confirmed victim list.

Ensure ESXi management interfaces are not directly internet-accessible; Babuk-derived payloads targeting hypervisors can encrypt entire virtual infrastructure with single operations.

GlassWorm Phase 3: The Developer Pipeline Is the Attack Surface

A Three-Phase Campaign in Sixteen Days

GlassWorm has executed a methodical, three-platform supply chain attack campaign that began on 3 March and reached its most recent phase on 16 March:

Phase 1 (3–14 March): Malicious VS Code and OpenVSX marketplace extensions accumulated over nine million installs while harvesting GitHub authentication tokens from developer machines.

Phase 2 (15–16 March): Using tokens stolen in Phase 1, the group deployed ForceMemo, a Python-based payload that force-pushed history rewrites to GitHub repositories — poisoning source code that other developers would subsequently clone, pull, or depend upon.

Phase 3 (16 March): Pivot to the React Native npm ecosystem. Two packages were backdoored under the publisher identity: and . Both included malicious preinstall scripts designed to steal credentials and cryptocurrency wallet data from any developer running .

BleepingComputer confirmed 400-plus code repositories now affected across the three platforms.

Why the Sequencing Matters

This is not an opportunistic campaign. The progression — from IDE extensions to source code repository poisoning to package distribution — follows the natural trust propagation path of the modern software development workflow. Tokens stolen from VS Code extensions granted write access to GitHub repositories. Poisoned GitHub repositories feed into package ecosystems. Package ecosystems feed into production builds and mobile applications. Each phase leveraged the access and trust established by the previous one.

What to Do

Audit all React Native npm dependencies for the two identified backdoored packages and any others published by the publisher identity.

Audit Python files for packages sourced from repositories that may have been subjected to force-push history rewrites during 15–16 March.

Review VS Code extensions installed by developers on your team; revoke and rotate any GitHub tokens that were accessible on machines running extensions installed between 3 March and 14 March.

Enable npm package provenance verification and consider locking package versions to verified-hash pinning for production build pipelines.
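The npm-side audit steps above (find packages that run install scripts, pin versions, verify integrity) can be scripted against a lockfile and the installed manifests. The following is an added example for this brief, not GlassWorm tooling and not code from npm or any affected project. The lockfile and manifest are constructed in the lockfileVersion 3 layout with placeholder package names, because the brief does not name the backdoored packages or the publisher identity; `hasInstallScript` is the field npm itself writes for packages with install-time hooks.

```python
import re

# npm lifecycle hooks that execute code on the developer's machine at install time.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# An exact semver (no ^, ~, ranges or dist-tags); pre-release and build suffixes allowed.
EXACT_VERSION_RE = re.compile(r"^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$")

# Constructed package-lock.json (lockfileVersion 3 layout). Package names are placeholders;
# the brief does not name the backdoored packages or the publisher identity.
SAMPLE_LOCK = {
    "name": "mobile-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"left-pad-ish": "^1.2.0", "rn-example-widget": "2.0.1"}},
        "node_modules/left-pad-ish": {
            "version": "1.2.3",
            "resolved": "https://registry.npmjs.org/left-pad-ish/-/left-pad-ish-1.2.3.tgz",
            "integrity": "sha512-PLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDER==",
        },
        "node_modules/rn-example-widget": {
            "version": "2.0.1",
            "resolved": "https://registry.npmjs.org/rn-example-widget/-/rn-example-widget-2.0.1.tgz",
            "hasInstallScript": True,
        },
    },
}

# Constructed manifest of one installed package, as found at node_modules/<name>/package.json.
SAMPLE_MANIFEST = {
    "name": "rn-example-widget",
    "version": "2.0.1",
    "scripts": {"preinstall": "node ./scripts/setup.js", "test": "jest"},
}


def install_hooks(manifest):
    """Return the lifecycle scripts in a package.json that run at install time."""
    scripts = manifest.get("scripts", {})
    return {hook: scripts[hook] for hook in INSTALL_HOOKS if hook in scripts}


def audit_lockfile(lock):
    """Flag three things a supply-chain audit cares about after a campaign like GlassWorm:
    packages that run install scripts, resolved packages with no integrity hash, and root
    dependency specs that are ranges rather than exact versions. Returns (path_or_name, issue)."""
    findings = []
    packages = lock.get("packages", {})
    root_deps = packages.get("", {}).get("dependencies", {})
    for name, spec in root_deps.items():
        if not EXACT_VERSION_RE.match(spec):
            findings.append((name, "non-exact-version-spec"))
    for path, entry in packages.items():
        if path == "":
            continue
        if entry.get("hasInstallScript"):
            findings.append((path, "install-script"))
        if entry.get("resolved") and not entry.get("integrity"):
            findings.append((path, "missing-integrity"))
    return findings


if __name__ == "__main__":
    for finding in audit_lockfile(SAMPLE_LOCK):
        print(finding)
    print(install_hooks(SAMPLE_MANIFEST))  # {'preinstall': 'node ./scripts/setup.js'}
```

Run it over the real `package-lock.json` with `json.load` and over each `node_modules/*/package.json`. An install-script finding is not proof of compromise, many legitimate native packages have one, but every hit on a package added or updated on or after 16 March deserves a read of the script. For build pipelines, `npm ci --ignore-scripts` (or `ignore-scripts=true` in `.npmrc`) stops preinstall hooks from running at all, and `npm audit signatures` checks registry signatures and provenance attestations for the packages in the lockfile.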

The Ransomware Payment Rate Has Collapsed — and Defenders Haven't Caught Up

Five Independent Sources, One Structural Conclusion

In the 48 hours ending 18 March, five independent sources across four source classes reached the same conclusion about 2026 ransomware economics:

Dark Reading (17 March): "Less Lucrative Ransomware Market Makes Attackers Alter Methods" — reporting on the structural shift away from encryption-based monetisation.

Google GTIG (16 March): 77% of ransomware intrusions in 2026 now include data theft as a primary component; the encryption phase is declining as the central monetisation mechanism.

BlackFog State of Ransomware 2026 (15 March): Attackers are pivoting to exfil-first models to ensure monetisation as encryption-event detection improves.

Picus Red Report (prior sweep): 38% decline in encryption-stage deployment across tracked ransomware operations.

FBI (Agent Bilnoski): "Identity is the new perimeter — we're no longer seeing malware drop."

The Operational Consequence

Any detection model that relies on encryption events, ransom notes, volume shadow copy deletion, or ransomware-family signature alerts is now structurally blind to the dominant 2026 extortion model. Attackers have adapted precisely because defenders built good encryption-phase detection. The new model stages data in legitimate cloud storage (OneDrive, Google Drive, S3), exfiltrates over legitimate protocols, and never drops a payload. The breach is complete before any traditional ransomware indicator appears.

Organisations whose security posture is anchored to "we would see a ransomware alert if we were breached" are operating on a false assurance model. The World Leaks group — previously characterised as exfil-only — was confirmed by Darktrace to have deployed full encryption on 17 March, demonstrating that even groups known for extortion-only models retain and use encryption capability selectively.

What to Do

Audit your detection coverage for data staging, large outbound transfers over legitimate protocols, and credential access without lateral movement indicators. These are now the primary signals.

Brief your executive team: the absence of a ransomware alert does not mean the absence of a breach.

Review SIEM and EDR alert coverage against the exfil-only TTP profile, not just the encryption-payload profile.

Consider whether your existing security tooling has been tested for sensitivity to exfil-without-encryption scenarios.
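A concrete version of the first action, detection that keys on volume to legitimate cloud storage rather than on an encryption event, is shown here as an added example for this brief; it is not code from any of the cited sources. The egress log format and the host names are constructed, and the list of storage domains is an assumption that should be replaced with the services your organisation actually sanctions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Legitimate cloud storage services the brief names as staging grounds, by DNS suffix.
# Assumption: extend this to the services your environment actually uses.
CLOUD_STORAGE_SUFFIXES = (
    "sharepoint.com",         # OneDrive for Business / SharePoint
    "onedrive.live.com",
    "drive.google.com",
    "storage.googleapis.com",
    "s3.amazonaws.com",
)

# Constructed egress/proxy log: timestamp, source host, destination domain, bytes sent.
SAMPLE_EGRESS_LOG = """\
2026-03-17T22:01:10Z ws-fin-041 contoso-my.sharepoint.com 4120000
2026-03-17T22:05:33Z ws-eng-117 stg-bkt-7f2.s3.amazonaws.com 900000000
2026-03-17T22:11:02Z ws-eng-117 stg-bkt-7f2.s3.amazonaws.com 850000000
2026-03-17T22:19:48Z ws-eng-117 stg-bkt-7f2.s3.amazonaws.com 700000000
2026-03-17T22:22:00Z ws-hr-009 drive.google.com 600000000
2026-03-18T03:40:00Z ws-hr-009 drive.google.com 600000000
2026-03-18T03:45:00Z ws-fin-041 cdn.example.net 50000000000
"""


def is_cloud_storage(domain):
    return any(domain == s or domain.endswith("." + s) for s in CLOUD_STORAGE_SUFFIXES)


def flag_bulk_uploads(log_text, threshold_bytes=2_000_000_000, window=timedelta(hours=1)):
    """Sum bytes each host sends to cloud storage inside a sliding window and flag hosts whose
    peak window total reaches the threshold. No payload, ransom note or shadow-copy deletion is
    involved; the signal is volume over a legitimate protocol to a legitimate service.
    Returns {host: peak_bytes_in_window}."""
    per_host = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, host, domain, nbytes = parts
        if not is_cloud_storage(domain):
            continue
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        per_host[host].append((when, int(nbytes)))

    flagged = {}
    for host, events in per_host.items():
        events.sort()
        win, total, peak = deque(), 0, 0
        for when, nbytes in events:
            win.append((when, nbytes))
            total += nbytes
            while when - win[0][0] > window:   # drop events that fell out of the window
                total -= win.popleft()[1]
            peak = max(peak, total)
        if peak >= threshold_bytes:
            flagged[host] = peak
    return flagged


if __name__ == "__main__":
    print(flag_bulk_uploads(SAMPLE_EGRESS_LOG))  # {'ws-eng-117': 2450000000}
```

In the sample, ws-eng-117 pushes 2.45 GB to a bucket in fifteen minutes and is flagged; ws-hr-009 sends the same 1.2 GB total but spread across five hours and is not, which is the trade-off a window-based rule makes. Note also the 50 GB to cdn.example.net that the destination filter ignores: a second rule on raw outbound volume per host, with no destination filter, is the complement, because the next group will stage somewhere not on your list. A fixed threshold is a starting point; per-host baselines from a few weeks of normal traffic will cut the noise.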

Iranian Botnet Infrastructure: A Rare Technical Glimpse Inside

What Hunt.io Found

Hunt.io's AttackCapture capability detected a misconfigured open directory on Iranian-operated DDoS botnet infrastructure, originally discovered 24 February and amplified across the security research community on 17–18 March. The exposed contents are technically significant:

449 files including compiled C2 binaries and source code

Farsi-commented command-and-control scripts

An SSH brute-force propagation toolkit for autonomous botnet expansion

On-device compilation capability (the botnet can build its own tools)

A 15-node relay network architecture

Why the Architecture Matters

This is not a curiosity. The 15-node relay architecture technically documents something that was previously inferred: only 14% of malicious traffic attributable to Iranian operations traces directly to Iranian IP addresses (Akamai, 17 March). The remaining 86% traverses relay infrastructure, which is now confirmed from primary technical evidence rather than traffic analysis. Attribution based on source IP for Iranian-attributed attacks is highly unreliable at the traffic monitoring layer. Detection must look deeper.

IOC extraction is available at hunt.io/blog/iran-botnet.

Stryker Day 13: Contained, Not Recovered

The Stryker cyber incident entered its 13th day on 18 March, with Reuters (17 March) reporting the first formal use of "containment" language. Electronic ordering and shipping systems remain offline. CISA and FBI are formally engaged — CISA Acting Director Andersen confirmed direct agency involvement.

A forensic update from TechCrunch on 17 March corrects a material detail from earlier reporting: the attacker used a compromised existing Intune administrator account rather than a newly created Global Admin account as previously characterised. This distinction matters for threat modelling — the attack succeeded through credential compromise of a legitimate account with elevated MDM authority, not through creation of unauthorised admin accounts that might have tripped new-account monitoring controls.

Censys scan data (referenced in X/Twitter security research community posts) identified approximately 2,000 Stryker internet-facing hosts, including over 150 login portals — documenting the exposed attack surface available to the threat actor.

Stryker is being characterised in some press and advisory contexts as potentially the most significant wartime cyberattack against a US company. That characterisation remains contested. What is not: a large medical device manufacturer has been operationally degraded for nearly two weeks with no confirmed recovery timeline.
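The TechCrunch correction has a direct consequence for the MDM mass-wipe rules recommended earlier in this brief: a rule that watches for newly created administrator accounts would not have fired on a compromised existing account. The following is an added example for this brief, not Stryker's or Microsoft's code, of a rule that keys on the rate of destructive device actions per actor instead. The audit events are constructed, and the `activityType` strings and field names are assumptions modelled on Intune audit-event naming; map them to the fields your tenant actually emits before use.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Operations that destroy or detach a managed device. The activityType strings below are
# assumptions modelled on Intune audit-event naming, not values quoted in the brief.
DESTRUCTIVE_KEYWORDS = ("wipe", "retire")

# Constructed Intune-style audit events: who did what to which device, and when.
SAMPLE_AUDIT_EVENTS = [
    {"activityDateTime": "2026-03-05T14:02:11Z", "activityType": "wipe ManagedDevice",
     "actor": "helpdesk1@example.com", "resource": "LAPTOP-0193"},
    {"activityDateTime": "2026-03-05T14:30:00Z", "activityType": "wipe ManagedDevice",
     "actor": "intune-admin@example.com", "resource": "LAPTOP-0201"},
    {"activityDateTime": "2026-03-05T14:30:40Z", "activityType": "wipe ManagedDevice",
     "actor": "intune-admin@example.com", "resource": "LAPTOP-0202"},
    {"activityDateTime": "2026-03-05T14:31:00Z", "activityType": "remoteLock ManagedDevice",
     "actor": "intune-admin@example.com", "resource": "LAPTOP-0300"},
    {"activityDateTime": "2026-03-05T14:31:10Z", "activityType": "wipe ManagedDevice",
     "actor": "intune-admin@example.com", "resource": "LAPTOP-0203"},
    {"activityDateTime": "2026-03-05T14:31:55Z", "activityType": "wipe ManagedDevice",
     "actor": "intune-admin@example.com", "resource": "LAPTOP-0204"},
    {"activityDateTime": "2026-03-05T14:32:30Z", "activityType": "wipe ManagedDevice",
     "actor": "intune-admin@example.com", "resource": "LAPTOP-0205"},
    {"activityDateTime": "2026-03-05T14:33:50Z", "activityType": "wipe ManagedDevice",
     "actor": "intune-admin@example.com", "resource": "LAPTOP-0206"},
    {"activityDateTime": "2026-03-05T15:20:45Z", "activityType": "retire ManagedDevice",
     "actor": "helpdesk1@example.com", "resource": "LAPTOP-0144"},
]


def is_destructive(event):
    activity = event.get("activityType", "").lower()
    return any(keyword in activity for keyword in DESTRUCTIVE_KEYWORDS)


def flag_mass_wipe(events, max_actions=5, window=timedelta(minutes=10)):
    """Count destructive device actions per actor inside a sliding window. The threshold is on
    the rate of actions by any account, so it fires whether the account was newly created or,
    as in the Stryker correction, an existing administrator whose credentials were compromised.
    Returns {actor: peak_actions_in_window} for actors at or above max_actions."""
    per_actor = defaultdict(list)
    for event in events:
        if not is_destructive(event):
            continue
        when = datetime.fromisoformat(event["activityDateTime"].replace("Z", "+00:00"))
        per_actor[event["actor"]].append(when)

    flagged = {}
    for actor, times in per_actor.items():
        times.sort()
        win, peak = deque(), 0
        for when in times:
            win.append(when)
            while when - win[0] > window:   # drop actions older than the window
                win.popleft()
            peak = max(peak, len(win))
        if peak >= max_actions:
            flagged[actor] = peak
    return flagged


if __name__ == "__main__":
    print(flag_mass_wipe(SAMPLE_AUDIT_EVENTS))  # {'intune-admin@example.com': 6}
```

The sample shows six wipes from one administrator in under four minutes, which is flagged, against two routine help-desk actions an hour apart, which are not. In a tenant the events come from the Intune audit log (exposed through Microsoft Graph under `deviceManagement/auditEvents`) or from the tenant's SIEM export; set `max_actions` from your own help-desk's normal daily peak, and pair the rule with a hard control such as requiring a second approver or a privileged-access workstation for bulk wipe operations.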

AI Offensive Capability: The Exploit-at-Scale Threshold

Four Reports, One Directional Conclusion

Four independent reports from four separate source organisations in the 48 hours ending 18 March document a consistent AI-enabled attacker capability trajectory:

Booz Allen / CVE-GENIE project (January 2026 data): 51% of published CVEs are reproducible as working exploits using chained AI models. This is not a future projection — it is a measured capability assessment from January of this year.

CrowdStrike 2026 Global Threat Report: 89% increase in AI-enabled cyberattacks year-on-year; eCrime breakout time — from initial compromise to lateral movement — now averages 29 minutes, with the fastest recorded time at 27 seconds.

Armis 2026 Cyberwarfare Report: Autonomous AI agents are predicted to discover and weaponise 15% of zero-day vulnerabilities before human researchers identify them.

Google GTIG (16 March): Attackers are outpacing defenders in AI tool adoption — the third independent AI-attack-acceleration report from a Tier-1 source in 48 hours.

What This Means for Vulnerability Management

Patch prioritisation frameworks that rely exclusively on CVSS scores and CISA's Known Exploited Vulnerabilities catalogue were designed for a world where exploit development required significant human attacker effort and time. The Booz Allen finding — 51% CVE-to-exploit reproducibility via AI tooling — structurally changes that calculus. A CVE that was previously "low exploitation likelihood" because it required complex reverse engineering effort may now be weaponisable by any threat actor with access to current-generation AI tooling within hours of NVD publication.

The 27-second breakout time from CrowdStrike is the operational corollary: even if a defender's detection fires immediately on initial compromise, the attacker's subsequent lateral movement may complete before a human analyst has finished reading the alert.

Six Actions With the Highest Signal-to-Noise Ratio

Across all findings in this brief, the following six actions represent the highest return on response effort for security teams operating today.

Patch FortiClient EMS to 7.4.5 without delay.

CVE-2026-21643 (CVSS 9.1) has received full public technical disclosure from Bishop Fox. Unauthenticated SQL injection in the management plane means a weaponised exploit is days away. Any deployment on version 7.4.4 should be treated as an emergency change. This is the highest-urgency patch action in this brief.

Audit npm, Python, and VS Code dependencies for GlassWorm artefacts.

The npm publisher, force-pushed Python repositories (15–16 March), and VS Code extensions installed between 3–14 March are the three surfaces to check. Rotate all GitHub tokens on potentially affected developer machines. Four hundred compromised repositories means the blast radius of this campaign is wide enough to catch teams that were not directly targeted.

Run MuddyWater Dindoor IOC sweeps across your network and endpoint telemetry.

Six independent sources confirm Iranian pre-positioning in US banking, aviation, non-profit, and software supply chain networks. If your organisation or any of your critical suppliers operates in those sectors, a targeted IOC sweep is warranted. Use the Symantec/Broadcom-published Dindoor indicators and the Hunt.io Iran botnet IOCs (hunt.io/blog/iran-botnet) as your baseline.

Test your detection coverage against exfil-without-encryption scenarios.

Five converging sources confirm that encryption-based extortion is no longer the dominant 2026 model. If your detection capability has not been tested against data staging in temp directories, large outbound transfers over legitimate cloud storage protocols, and credential access without malware drops, you have an unquantified detection gap. Close it.

Lock down ESXi management interfaces and review hypervisor exposure.

Sinobi's Babuk-derived payload targets both Windows and ESXi. Any ESXi management interface accessible from the internet or from a compromised network segment without additional authentication controls is an elevated risk in the current threat environment. Network-level segmentation of hypervisor management is the minimum adequate control.

Maintain Iran-level IR readiness despite the CISA posture downgrade.

The MuddyWater Dindoor backdoors are pre-positioned. The CISA/FBI detection pipeline is under structural strain. The NetDiligence insurance market is formally tracking Iran as a breach risk, not receding from it. CISA's "steady state" characterisation is a meaningful data point, not a clearance. Do not reduce incident response staffing, on-call coverage, or monitoring sensitivity in response to it.

All findings grounded in A13E intelligence sweeps through 04:30 UTC 18 March 2026.
