

Recent Ransomware Attacks and Cyber-Extortion 2026: Key Lessons for CISOs
Explore recent ransomware attacks and cyber-extortion incidents involving Marcus & Millichap, Snowflake customer environments, and Itron. Learn how CISOs can maneuver in the growing threat landscape with RiskProfiler.
Ransomware attacks and extortion campaigns continue to pose serious threats to corporations in 2026. In today’s distributed network systems, securing corporate data and information from adversarial threats has become a crucial responsibility for organizations. Between March and April 2026, Marcus & Millichap, Snowflake customer environments, and Itron, Inc. were linked to incidents that further highlight the growing concern. In most of these cases, customer, employee, and other sensitive business data related to the organizations has made its way to dark web and threat channels as part of extortion campaigns.
To contain these incidents efficiently, CISOs need continuous visibility into external threats, identity exposure, SaaS integrations, vendor risk, dark web activity, and attacker-visible assets before exposure turns into data theft or operational disruption.
The Rising Trend of Ransomware Attacks and Cyber-Extortion in 2025–2026
Ransomware attacks remain the top concern for CISOs in 2026, while supply chain disruption ranks second. The World Economic Forum’s Global Cybersecurity Outlook 2026 frames the current cyber landscape as one defined by accelerating AI adoption, geopolitical volatility, widening cyber inequity, and increasingly complex supply chains. The report notes that cyber risk in 2026 is accelerating because of advances in AI, geopolitical fragmentation, and supply chain complexity. The same WEF survey also shows that CEOs have shifted their top concern toward cyber-enabled fraud and phishing, but CISOs continue to rank ransomware as their leading operational risk.
This difference in executive risk perception is important. CEOs are increasingly focused on business fraud, brand damage, and financial loss, while CISOs are still dealing with the operational consequences of ransomware, involving service disruption, credential compromise, data exfiltration, regulatory exposure, recovery cost, and customer trust erosion.
The World Economic Forum’s report also highlights that digital supply chains are deeply interconnected and often poorly mapped. A breach or disruption at one supplier can cascade across customers, production systems, operations, and downstream partners. This directly aligns with the pattern seen in recent incidents where attackers do not always need to compromise the crown-jewel system directly. They can gain leverage through SaaS records, third-party access, identity abuse, or connected infrastructure.
1. Marcus & Millichap Cyberattack: Phishing-Led Access and Alleged Salesforce Data Extortion
On April 12, 2026, Marcus & Millichap disclosed unauthorized access to one of its systems through a phishing attack targeting an employee’s credentials. The company said it activated incident response protocols with outside cybersecurity experts to contain the activity.
In this recent ransomware attack, the attacker's claim involved more than 30 million Salesforce records, allegedly including PII and internal corporate data. However, Marcus & Millichap’s public statement described the potentially accessed data more narrowly, indicating that the information appeared limited to internal materials such as forms, templates, marketing content, or general contact information, and that systems and operations were unaffected. Have I Been Pwned later listed approximately 1.8 million unique email addresses allegedly tied to the incident, with associated names, phone numbers, employers, job titles, and physical company addresses.
How It Happened
Based on the company’s public statement, the confirmed initial access vector was phishing against an employee's credentials. Public threat-intelligence reporting links the incident to alleged Salesforce data access, which fits a broader 2026 pattern of SaaS-centric extortion where attackers target CRM, collaboration, identity, and cloud platforms rather than only traditional file servers.
Progress and Response
Marcus & Millichap said it contained the activity with outside cybersecurity support and that its systems and operations continued to run normally. The company’s investigation was still described as ongoing in public reporting at the time of disclosure.
2. Snowflake Customer Data Theft: SaaS Integrator Breach and Token-Based Extortion
In April 2026, BleepingComputer reported that more than a dozen companies were affected by data-theft attacks after a SaaS integration provider was breached and authentication tokens were stolen. While multiple cloud storage and SaaS vendors were reportedly targeted, most observed activity focused on Snowflake customer accounts. Snowflake confirmed unusual activity affecting a small number of customer accounts linked to a specific third-party integration, but stated that the activity did not involve a vulnerability or compromise of Snowflake’s own systems. The incident was later traced to Anodot, a third‑party integration platform, with ShinyHunters allegedly claiming responsibility for exploiting stolen authentication tokens to access data from numerous companies.
How It Happened
The attack appears to have followed a SaaS integration compromise model rather than a direct platform exploit. According to BleepingComputer, authentication tokens were stolen after a third-party SaaS integration provider was breached. These tokens were then allegedly used to access connected customer environments, with Snowflake accounts becoming the primary target. This is significant because token abuse can bypass many traditional perimeter controls. Instead of exploiting a vulnerability in Snowflake itself, the attackers allegedly abused trusted integration access between SaaS platforms.
Progress and Response
Snowflake said it immediately launched an investigation, locked down potentially impacted customer accounts, notified potentially affected customers, and provided precautionary guidance. The company emphasized that the attacks were tied to a specific third-party integration and were not caused by a Snowflake system compromise.
BleepingComputer later reported that Snowflake confirmed Anodot as the third-party integration platform linked to the incident. Anodot’s status page also showed connector outages across regions, including Snowflake, S3, and Amazon Kinesis. Meanwhile, ShinyHunters reportedly began extorting multiple companies, demanding ransom payments to prevent the release of stolen data.
3. Itron, Inc. Cyber Incident: Internal System Intrusion Affecting a Critical Infrastructure Technology Provider
Itron, Inc. disclosed unauthorized third-party access to certain of its systems in an SEC 8-K filing on April 13, 2026. The company said it activated its cybersecurity response plan, engaged external advisors, notified law enforcement, removed the unauthorized activity, and had not observed further unauthorized activity within its corporate systems.
No ransomware or extortion group had publicly claimed responsibility at the time of publishing the article, and the initial access method was not confirmed. For that reason, this incident should be framed as a ransomware-relevant intrusion involving a critical infrastructure technology provider, not a confirmed ransomware attack.
Despite the unconfirmed status of its attack mechanism, this incident remains important because Itron provides technology for energy, water, gas, and smart-city operations. Even limited unauthorized access in this ecosystem can create concerns around customer trust, supplier dependency, regulatory scrutiny, and operational resilience.
How to Address Such Threats Before They Escalate
These incidents do not follow one identical attack pattern. However, they point to changing adversary tactics, with attackers expanding beyond traditional ransomware deployment.
For Marcus & Millichap, the confirmed initial access vector was phishing against an employee's credentials, while external reporting linked the incident to alleged Salesforce data exposure. This shows why identity controls, phishing resistance, SaaS visibility, and credential exposure monitoring must be treated as cyber threat-prevention priorities, not only as access-management tasks.
On the other hand, the Snowflake customer data-theft campaign highlights how exposures in trusted SaaS integrations can lead to larger attacks. In this case, attackers allegedly abused stolen authentication tokens from a third-party integration provider to access connected customer environments. In order to prevent such cascading attacks, security teams must govern third-party and extended vendor connectors, API tokens, OAuth permissions, service accounts, and supply chain data flows with the same rigor as privileged infrastructure access.
Itron adds another dimension with critical infrastructure and supplier ecosystem exposure. Although the incident was not publicly attributed to a ransomware group, unauthorized access involving a technology provider for energy, water, gas, and smart-city operations creates downstream concerns around customer trust, supplier dependency, and operational resilience.
To address these external threats, organizations need a unified approach that combines identity intelligence, SaaS exposure management, vendor monitoring, dark web intelligence, and continuous external threat exposure management. The goal is not only to detect ransomware after encryption begins, but to identify the access paths, leaked credentials, exposed integrations, and third-party weaknesses that attackers use to gain a foothold in your ecosystem.
How RiskProfiler Helps Reduce This Risk
RiskProfiler helps security teams move from reactive incident response to proactive exposure detection and remediation by connecting external threat intelligence across identities, SaaS platforms, vendors, cloud assets, dark web sources, and attacker-visible infrastructure.
For identity-led risks like the Marcus & Millichap incident, RiskProfiler’s Identity Intelligence and Dark Web Monitoring help detect exposed credentials, leaked employee information, phishing infrastructure, impersonation attempts, and compromised identity artifacts before they are used for initial access. This enables earlier action against credential-based compromise and social engineering campaigns.
For SaaS and token-driven risks like the Snowflake customer data-theft campaign, RiskProfiler’s External Threat Exposure Management helps security teams understand which cloud assets, SaaS-linked systems, exposed APIs, public storage instances, login portals, and internet-facing services could become part of an attacker’s external path. This is especially important when attackers do not exploit the SaaS platform directly, but abuse connected systems, misconfigured services, or trusted access routes around it.
RiskProfiler’s Vendor Risk Management helps security teams continuously monitor suppliers, SaaS vendors, integration providers, and third-party technology dependencies. In the Snowflake customer data-theft campaign, the risk did not originate from a direct Snowflake compromise, but from a third-party integration provider whose stolen authentication tokens were allegedly used to access connected customer environments. This is the exact type of supplier-linked exposure that requires continuous vendor visibility, not only annual assessments.
The RiskProfiler Cyber Threat Intelligence module helps CISOs and security teams monitor ransomware groups, leak sites, dark web activity, and access broker chatter for threat activities, trends, and attack mechanisms. For incidents like Itron, where unauthorized access was confirmed but attribution and technical details were limited, proactive threat intelligence helps teams track emerging indicators, understand adversary interest in their sector, and respond before an intrusion becomes an extortion or operational disruption event.
However, the core value of using a unified threat intelligence platform like RiskProfiler is correlated threat mapping. A leaked credential, exposed SaaS connector, risky vendor, dark web mention, or vulnerable external asset may look like a low-priority signal in isolation. RiskProfiler connects these signals into a unified risk view so CISOs, security analysts, and MSSPs can prioritize based on attacker relevance, business impact, and potential blast radius.
What CISOs Should Do Now
CISOs should treat these incidents as a warning that ransomware and cyber-extortion are no longer limited to endpoint compromise or encrypted infrastructure. The modern threat infrastructure includes identities, SaaS platforms, third-party connectors, cloud data stores, vendors, and critical infrastructure dependencies.
Strengthen identity and access management: Enforce phishing-resistant MFA, monitor abnormal SaaS logins, review privileged accounts, audit OAuth grants, rotate exposed credentials, and correlate leaked identities against employees, executives, contractors, and service accounts.
Govern SaaS integrations: Maintain a live inventory of SaaS connectors, API keys, authentication tokens, service accounts, OAuth scopes, and third-party data access. Remove unused integrations, restrict excessive permissions, and continuously review high-risk connectors for exposures and volatility.
Enable adaptive vendor risk management: Annual questionnaires are no longer enough to detect a compromised SaaS integrator, exposed supplier system, or emerging breach signals across a distributed digital environment. CISOs should adopt continuous vendor monitoring, breach intelligence, adaptive risk scoring, and integration-level risk reviews. With adaptive vendor risk questionnaires like RiskProfiler’s, security leaders can continuously monitor and detect posture changes and lapses in supply chain security in real time, helping them contain risks efficiently.
Ensure continuous external threat exposure visibility: Security teams should establish continuous visibility across domains, subdomains, cloud assets, public APIs, exposed storage, certificates, login portals, and externally reachable services. This helps identify external asset exposures and vulnerabilities before they become intrusion paths.
Operationalize dark web and ransomware intelligence: Monitor stealer logs, access broker listings, ransomware leak sites, exposed credentials, leaked customer records, Telegram discussions, and brand impersonation activity. This helps you stay aware of emerging threat infrastructure before adversaries target you.
Update incident response playbooks: Response plans should include token revocation, SaaS log review, vendor coordination, customer notification, compliance workflows, SEC disclosure readiness, law-enforcement engagement, and executive communications. Traditional ransomware playbooks that focused only on endpoint encryption are no longer sufficient to secure your digital environment against modern cyber threats.
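One way to run the connector review from "Govern SaaS integrations" and the breach-time token revocation from "Update incident response playbooks" over a grant inventory. This is an added example, not RiskProfiler code or any vendor's API; the inventory rows, vendor and account names, scope labels, and thresholds are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class Grant:
    """One row of the integration inventory (field names are hypothetical)."""
    vendor: str                     # third-party integration provider
    platform: str                   # SaaS or data platform the token can reach
    principal: str                  # service account or OAuth client holding it
    scopes: frozenset               # permissions actually granted
    needed: frozenset               # permissions the integration's job requires
    issued: datetime
    last_used: Optional[datetime]   # None means the grant was never used
    expires: Optional[datetime]     # None means a non-expiring token


# Scope labels treated as high impact when ordering revocations (assumed labels).
HIGH_IMPACT = frozenset({"admin", "write", "export"})


def audit(grant, now, max_idle=timedelta(days=90), max_age=timedelta(days=180)):
    """Return the governance findings for a single grant."""
    findings = []
    if grant.last_used is None or now - grant.last_used > max_idle:
        findings.append("unused")              # candidate for removal
    excess = grant.scopes - grant.needed
    if excess:
        findings.append("excess-scope:" + ",".join(sorted(excess)))
    if grant.expires is None:
        findings.append("non-expiring")        # a stolen copy never ages out
    if now - grant.issued > max_age:
        findings.append("rotation-overdue")
    return findings


def report(grants, now):
    """Map principal -> findings, listing only grants that need action."""
    results = {g.principal: audit(g, now) for g in grants}
    return {name: f for name, f in results.items() if f}


def revocation_plan(grants, breached_vendor):
    """Order a breached vendor's grants for revocation, widest reach first."""
    hit = [g for g in grants if g.vendor == breached_vendor]
    return sorted(
        hit,
        key=lambda g: (-len(g.scopes & HIGH_IMPACT), -len(g.scopes), g.principal),
    )


def utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed sample data: not taken from any real environment or incident.
NOW = utc(2026, 4, 20)
INVENTORY = [
    Grant("analytics-vendor", "warehouse", "svc_analytics_ro",
          frozenset({"read"}), frozenset({"read"}),
          utc(2026, 2, 1), utc(2026, 4, 19), utc(2026, 8, 1)),
    Grant("analytics-vendor", "warehouse", "svc_analytics_etl",
          frozenset({"read", "write", "export"}), frozenset({"read"}),
          utc(2025, 3, 10), utc(2026, 4, 18), None),
    Grant("analytics-vendor", "object-storage", "svc_analytics_s3",
          frozenset({"read", "export"}), frozenset({"read", "export"}),
          utc(2025, 12, 1), None, utc(2026, 12, 1)),
    Grant("crm-sync-vendor", "crm", "oauth_crm_sync",
          frozenset({"read", "write"}), frozenset({"read", "write"}),
          utc(2026, 3, 1), utc(2026, 4, 20), utc(2026, 6, 1)),
]

if __name__ == "__main__":
    print("Routine review:")
    for principal, findings in report(INVENTORY, NOW).items():
        print(f"  {principal}: {', '.join(findings)}")
    print("Revocation order if analytics-vendor reports a breach:")
    for g in revocation_plan(INVENTORY, "analytics-vendor"):
        print(f"  {g.principal} on {g.platform} ({', '.join(sorted(g.scopes))})")
```

The routine review surfaces the over-scoped, non-expiring ETL token before any incident; the revocation plan answers the first question after a vendor breach notice: which tokens to kill first.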
Conclusion
The Marcus & Millichap, Snowflake customer data theft, and Itron incidents show that ransomware and cyber-extortion risks are expanding beyond endpoint encryption. Attackers are now abusing credentials, SaaS platforms, authentication tokens, third-party integrations, and supplier ecosystems.
For CISOs and security teams, prevention now requires continuous visibility into identity exposure, external threats, SaaS integrations, vendor risk, dark web activity, and attacker-visible assets.
RiskProfiler helps security teams address this shift by bringing together External Threat Exposure Management, Vendor Risk Management, Cyber Threat Intelligence, Dark Web Monitoring, and Identity Intelligence into a unified risk view. In a threat landscape where attackers move through identities, SaaS connectors, exposed vendors, and cloud-linked systems, defenders need intelligence that connects these signals before they escalate into public breaches, extortion campaigns, or operational disruption.
Sources:
Marcus & Millichap Announcement: https://www.marcusmillichap.com/news-events/press/2026/04/marcus-millichap-releases-information-regarding-cybersecurity-incident
ITRON Inc. Announcement: https://www.sec.gov/Archives/edgar/data/780571/000119312526175249/d125229d8k.htm
Snowflake breach: https://www.bleepingcomputer.com/news/security/snowflake-customers-hit-in-data-theft-attacks-after-saas-integrator-breach/
Cybersecurity Outlook 2026, World Economic Forum: https://reports.weforum.org/docs/WEF_Global_Cybersecurity_Outlook_2026.pdf