Ransomware attacks on critical infrastructure hit harder in 2026 not because attackers got smarter, but because defenders kept trusting third parties they never fully audited. Two incidents from March alone show exactly how that plays out.
The Intoxalock attack took down vehicle breathalyzer systems across the US, leaving court-mandated drivers physically unable to start their cars. The Crunchyroll breach, confirmed March 24, exposed 6.8 million unique email addresses after a threat actor compromised an Okta SSO account belonging to a support agent at Telus Digital, Crunchyroll’s outsourced customer support partner. One compromised vendor credential. Millions of users exposed.
Both incidents share the same root cause: your security perimeter ends at your own door, but your attack surface does not.
How outsourcing creates the gaps attackers exploit
The Crunchyroll attacker did not breach Crunchyroll directly. They got into Telus Digital’s environment, found an employee with privileged access to Crunchyroll’s Zendesk instance, and downloaded around eight million support ticket records before the access was revoked. Outsourced teams need broad access to do their job. That access is rarely scoped to least-privilege, rarely monitored with your internal SOC tools, and almost never covered in your incident response plan.
Healthcare saw this pattern repeatedly. 31% of all publicly disclosed ransomware incidents in February 2026 targeted healthcare providers, according to BlackFog. Most entry points traced back to third-party billing platforms, patient portal vendors, and outsourced IT helpdesks.
When ransomware stops being abstract
Intoxalock manufactures court-ordered ignition interlock breathalyzers. When its systems went down in March 2026, those devices could not complete verification checks. Drivers were stranded. Courts were disrupted. Parole conditions were affected.
This is the real shape of critical infrastructure risk. The target does not need to be a power grid. Any system where digital availability connects directly to physical outcomes qualifies. A zero trust architecture would have contained the blast radius, but most organisations running hardware-dependent compliance systems still operate on implicit trust network models.
A third-party risk framework that works
Checkbox vendor assessments do not protect you. Four controls that do:
- Continuous access monitoring. Every third-party account touching your systems should appear in your SIEM. If a vendor employee authenticates from a new country at 2am, you need to know before they pull millions of records. See our SIEM tools comparison for platforms that handle this well.
- Scoped credentials, not shared admin. Segment vendor permissions to exactly what the workflow requires, nothing more.
- Contractual notification windows. Standard contracts require vendor notification within 72 hours of discovering a breach, meaning 72 hours after they know, not after you do. Build sub-24-hour clauses into contracts for any vendor with access to customer PII or operational systems.
- Vendors named in your IR plan. Pre-agree escalation paths before an incident happens. A vendor breach should not be the first time you realise you have no direct line to their security team.
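The first control above, as an added example written for this article rather than taken from it or from any vendor's product: a small detection rule that learns which countries each third-party account normally authenticates from, then flags any vendor login from a new country or during off-hours. The JSON event format, the vendor domain, and the off-hours window are assumptions; the log lines are constructed.

```python
"""Flag vendor (third-party) SSO logins from a new country or at off-hours."""
import json
from datetime import datetime

# Domains of outsourced partners whose accounts touch production (assumed list).
VENDOR_DOMAINS = {"support-vendor.example"}
OFF_HOURS = range(0, 6)  # UTC hours treated as suspicious (assumption; tune per vendor)

# Constructed sample events, newline-delimited JSON as a SIEM export might look.
BASELINE_LOG = """\
{"ts":"2026-03-01T14:05:00Z","user":"agent1@support-vendor.example","country":"CA","app":"zendesk"}
{"ts":"2026-03-02T15:30:00Z","user":"agent1@support-vendor.example","country":"CA","app":"zendesk"}
{"ts":"2026-03-03T16:00:00Z","user":"agent2@support-vendor.example","country":"PH","app":"zendesk"}
"""
NEW_LOG = """\
{"ts":"2026-03-22T02:14:00Z","user":"agent1@support-vendor.example","country":"RO","app":"zendesk"}
{"ts":"2026-03-22T10:00:00Z","user":"agent2@support-vendor.example","country":"PH","app":"zendesk"}
{"ts":"2026-03-22T03:00:00Z","user":"staff@corp.example","country":"US","app":"zendesk"}
"""

def parse(log):
    return [json.loads(line) for line in log.splitlines() if line.strip()]

def is_vendor(user):
    return user.rsplit("@", 1)[-1].lower() in VENDOR_DOMAINS

def learn_baseline(events):
    """Countries each vendor account was seen from during the learning window."""
    seen = {}
    for e in events:
        if is_vendor(e["user"]):
            seen.setdefault(e["user"], set()).add(e["country"])
    return seen

def detect(events, baseline):
    """One alert per vendor login that breaks the country baseline or lands in off-hours.
    An account with no baseline at all is flagged too, which is the desired behaviour."""
    alerts = []
    for e in events:
        if not is_vendor(e["user"]):
            continue  # this rule is vendor-only; internal staff are covered elsewhere
        reasons = []
        if e["country"] not in baseline.get(e["user"], set()):
            reasons.append("new_country:" + e["country"])
        hour = datetime.fromisoformat(e["ts"].replace("Z", "+00:00")).hour
        if hour in OFF_HOURS:
            reasons.append(f"off_hours:{hour:02d}00Z")
        if reasons:
            alerts.append({"user": e["user"], "ts": e["ts"], "reasons": reasons})
    return alerts

if __name__ == "__main__":
    for alert in detect(parse(NEW_LOG), learn_baseline(parse(BASELINE_LOG))):
        print(alert)
```

In a real deployment the learning window would be rolling and the off-hours range expressed in the vendor team's working timezone, not fixed UTC.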
The Waterfall Security Threat Report 2026 flagged that attacks on operationally consequential systems are increasing as a share of total ransomware incidents. Attackers are shifting from data theft toward disruption because disruption forces faster decisions. Start your audit with your vendor access list: count how many third parties have standing access to production systems. For most organisations, that number is higher than the security team realises.
Frequently asked questions
- What makes critical infrastructure a high-value ransomware target?
- Downtime has immediate physical or public safety consequences. That pressure compresses the time organisations have to weigh options before paying, which is exactly what ransomware groups rely on.
- How did the Crunchyroll breach connect to a third-party vendor?
- The attacker compromised an Okta SSO account belonging to a support agent at Telus Digital, Crunchyroll’s outsourced support provider. That credential gave access to Crunchyroll’s Zendesk environment, from which approximately 6.8 million unique email addresses and support ticket records were extracted.
- What was the physical impact of the Intoxalock cyberattack?
- The March 2026 attack disrupted ignition interlock devices in vehicles of court-mandated DUI offenders across the US. Drivers were unable to start their cars because the devices could not complete verification checks.
- What is the fastest way to reduce third-party ransomware risk?
- Audit every vendor with standing access to production systems, apply least-privilege scoping to their credentials, and add their authentication activity to your SIEM monitoring. Most organisations have not done all three for every vendor.