News item

Ransomware victims up nearly fivefold due to criminal AI use

The manufacturing industry, business services, and retail are the hardest hit by ransomware. The time between the disclosure and exploitation of a new security vulnerability has dropped from nearly five days to between 24 and 48 hours. These are just two of the findings from the latest Global Threat Landscape Report by FortiGuard Labs.

13 May 2026 | 2 minutes read

According to FortiGuard's research data, the time-to-exploit (TTE) for critical vulnerabilities was 24 to 48 hours in 2025, a sharp drop from the average TTE of 4.76 days cited in previous reports. An analysis of security incidents shows that every minute counts: cybercriminals actively attempted to exploit newly disclosed vulnerabilities, for example within just a few hours of the disclosure of the React2Shell vulnerability.

Globally, 7,831 organizations fell victim to ransomware: a sharp increase compared to the approximately 1,600 victims reported last year. The availability of service kits for cybercriminals such as WormGPT, FraudGPT, and BruteForceAI contributed to this 389% increase compared to the previous year. The three hardest-hit sectors were manufacturing (1,284), business services (824), and retail (682). In terms of geographic concentration, most victims were in the United States (3,381), Canada (374), and Germany (291).

Identity sprawl makes cloud environments vulnerable: most cloud-related security incidents in 2025 were not due to infrastructure hacks, but to stolen, leaked, or misused login credentials. A sector analysis indicates that hospitals, clinics, and retail chains are among the primary targets. An excess of identities, single sign-on systems that grant access to multiple applications from one set of login credentials, and complex cloud integrations make these sectors a prime target for cybercriminals: one stolen credential can open many applications at once.

Cybercrime is no longer a series of isolated attack campaigns. Cybercriminals systematically go through a complete attack lifecycle and accelerate it by using shadow agents: autonomous AI agents that carry out actions unseen within their victims’ environments. The most capable cybercriminal groups operate like a business, relying on shadow agents, access brokers, and botnet operators who provide on-demand services.

Shadow agents require fewer technical skills and accelerate criminals' workflows. Dark-web marketplaces offer AI-powered attack tools such as enhanced versions of WormGPT and FraudGPT, as well as newer services like HexStrike AI (an AI tool that automatically conducts reconnaissance and generates attack paths) and BruteForceAI (a tool that uses built-in large language models to run penetration tests and identify targeted attack techniques across multiple levels).

With AI, criminals can work smarter rather than harder. The number of brute-force attack attempts in 2025 dropped by 22 percent compared to the previous year. Thanks to smarter brute-force techniques, criminals make fewer attempts and target their victims better, which significantly increases the success rate per password tried.

Stolen datasets are more popular than leaked login credentials. In the 2025 Global Threat Landscape Report, researchers noted a fivefold increase in the number of stealer logs (the log files that infostealer malware collects from infected systems) that ended up in cybercriminals' hands. By 2026, this number had risen by a further 79 percent. There was also a shift toward the theft of larger datasets using agentic AI.

Looking at the datasets offered and shared on the dark web, stealer logs dominated. They proved far more popular than combination (combo) lists (16%) and leaked login credentials (6%). Stealer logs make it easier for cybercriminals to combine identity data with contextual information, such as data stored in browsers. Attackers can use this login data directly, gaining access to networks faster than is possible with brute-force attacks or password spraying.
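The two patterns contrasted above, and the credential misuse behind the cloud incidents described earlier, leave different traces in authentication logs: password spraying produces a burst of failures across many accounts from one source, whereas a login replayed from a stealer log succeeds on the first try from a device and address the account has never used. The following Python is an added example written for this page, not FortiGuard's code or data; the key=value log format, the thresholds, and the log lines themselves are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumption: a simple key=value schema, not any
# vendor's real format). Lines before BASELINE_CUTOFF serve as the history of
# "known" logins per user; later lines are the period under investigation.
SAMPLE_LOG = """\
2026-04-20T08:01:00 user=alice src=198.51.100.5 result=SUCCESS ua=Firefox/126
2026-04-20T08:05:00 user=bob src=198.51.100.9 result=SUCCESS ua=Firefox/126
2026-04-21T09:10:00 user=alice src=198.51.100.5 result=FAIL ua=Firefox/126
2026-04-21T09:10:20 user=alice src=198.51.100.5 result=SUCCESS ua=Firefox/126
2026-05-01T08:00:00 user=alice src=203.0.113.10 result=FAIL ua=python-requests/2.31
2026-05-01T08:00:05 user=bob src=203.0.113.10 result=FAIL ua=python-requests/2.31
2026-05-01T08:00:10 user=carol src=203.0.113.10 result=FAIL ua=python-requests/2.31
2026-05-01T08:00:15 user=dave src=203.0.113.10 result=FAIL ua=python-requests/2.31
2026-05-01T08:00:20 user=erin src=203.0.113.10 result=SUCCESS ua=python-requests/2.31
2026-05-01T09:30:00 user=bob src=198.51.100.9 result=SUCCESS ua=Firefox/126
2026-05-01T11:45:00 user=alice src=203.0.113.77 result=SUCCESS ua=Chrome/125
"""
BASELINE_CUTOFF = datetime(2026, 5, 1)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+) ua=(?P<ua>.+)$"
)


def parse_log(text):
    """Parse the constructed format into dicts, sorted by timestamp; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.fromisoformat(d["ts"])
        events.append(d)
    return sorted(events, key=lambda e: e["ts"])


def detect_password_spray(events, window=timedelta(minutes=10), min_users=4, max_tries_per_user=2):
    """Flag source addresses that touch many distinct accounts, a few tries each, inside one window.
    Successes are counted too: a spray that lands one valid password still looks like a spray."""
    by_src = defaultdict(list)
    for e in events:  # events are already time-ordered
        by_src[e["src"]].append(e)
    flagged = {}
    for src, evs in by_src.items():
        for i, start in enumerate(evs):  # sliding window anchored at each event
            tries = defaultdict(int)
            for e in evs[i:]:
                if e["ts"] - start["ts"] > window:
                    break
                tries[e["user"]] += 1
            if len(tries) >= min_users and max(tries.values()) <= max_tries_per_user:
                flagged[src] = sorted(tries)
                break
    return flagged


def detect_stealer_logins(events, baseline_cutoff=BASELINE_CUTOFF, lookback=timedelta(hours=1)):
    """Flag successful logins where both the source address and the user agent are new for that
    user and the source made no failed attempt in the preceding lookback window: a valid password
    on the first try from a new device is what replaying a stealer log looks like, as opposed to
    the failure trail that guessing leaves. A spray that hits (erin above) is excluded because
    its source failed against other accounts moments earlier."""
    known_src, known_ua = set(), set()
    for e in events:
        if e["ts"] < baseline_cutoff and e["result"] == "SUCCESS":
            known_src.add((e["user"], e["src"]))
            known_ua.add((e["user"], e["ua"]))
    hits = []
    for e in events:
        if e["ts"] < baseline_cutoff or e["result"] != "SUCCESS":
            continue
        if (e["user"], e["src"]) in known_src or (e["user"], e["ua"]) in known_ua:
            continue
        recent_fail = any(
            f["result"] == "FAIL" and f["src"] == e["src"] and e["ts"] - lookback <= f["ts"] < e["ts"]
            for f in events
        )
        if not recent_fail:
            hits.append((e["user"], e["src"]))
    return hits


def analyze(text=SAMPLE_LOG):
    """Run both detections over a log text and return their findings."""
    events = parse_log(text)
    return {"spray": detect_password_spray(events), "stealer": detect_stealer_logins(events)}


if __name__ == "__main__":
    for kind, finding in analyze().items():
        print(kind, finding)
```

On the sample, the spray detector names 203.0.113.10 with its five target accounts, and the stealer-login detector names only alice's login from 203.0.113.77; erin's successful login inside the spray is attributed to the spray, and bob's login from his usual address and browser is not flagged. The thresholds are starting points, not tuned values: a real deployment would baseline per-user device history over weeks and would treat "new user agent" with care, since browser updates change it routinely.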

The use of credential-stealing malware remains a lucrative activity for cybercriminals and one of the primary techniques for breaching organizational security. According to the telemetry data, the most prevalent families were RedLine with 911,968 infections (50%), Lumma with 499,784 infections (28%), and Vidar with 236,778 infections (13%).

The 2026 edition of the annual research report is based entirely on telemetry data from FortiGuard Labs. It also includes analyses of all attack tactics that are part of the MITRE ATT&CK framework.