The Common Vulnerability Exploit CVV-2023-0669 was the main culprit for the skyrocketing number of attacks. This exploit used a common business file transfer service called GoAnywhere MFT. Ransomware-as-a-Service (RaaS) provider Clop discovered the exploit and, over the next ten days, stole from 130 companies.
NCC Group, which measures the number of attacks from different threat actor groups, has placed Clop on top. They also note that North America "was the target of almost half of March's activity, with 221 victims."
Who was targeted the most in March? The Industrial sector.