AI-Powered Ransomware Attacks Surge, Victims Reach 7,831 Globally
Key Takeaways Global ransomware incidents surged by 389% in 2025, reaching 7,831 confirmed victims, largely driven by AI-powered criminal tools. The manufacturing sector, business services, and...
Key Takeaways
- Global ransomware incidents surged by 389% in 2025, reaching 7,831 confirmed victims, largely driven by AI-powered criminal tools.
- The manufacturing sector, business services, and retail were the hardest hit industries, with the United States experiencing the most attacks.
- AI-enabled tools like WormGPT and FraudGPT have democratized sophisticated cyberattacks, making them accessible to less skilled threat actors.
- The time-to-exploit (TTE) for critical vulnerabilities has dramatically shortened to 24-48 hours, with stealer malware fueling rapid credential compromise.
- Organizations must implement robust credential management, phishing-resistant MFA, and rapid patching to counter these evolving threats.
The global cybersecurity landscape witnessed an alarming spike in ransomware attacks in 2025, with confirmed victims soaring to 7,831 worldwide. This represents a staggering 389% increase from approximately 1,600 reported victims in the preceding year, according to Fortinet’s recently released 2026 Global Threat Landscape Report. This dramatic escalation underscores the transformative impact of AI-powered criminal tools on the effectiveness and scale of cyberattacks.
Table Of Content
This significant growth is not coincidental. The proliferation of readily available AI-driven cybercrime tools, such as WormGPT, FraudGPT, and BruteForceAI, has drastically lowered the barrier to entry for cybercriminals. These platforms enable even novice threat actors to execute sophisticated attacks that previously required advanced technical expertise. Available on dark web marketplaces, these tools have democratized capabilities once exclusive to elite hacker groups, leading to more frequent, targeted, and resilient ransomware campaigns.
Analysts and researchers at Fortinet’s FortiGuard Labs meticulously tracked these accelerating trends throughout 2025, leveraging extensive telemetry data to map attacker behaviors across the entire MITRE ATT&CK framework. Their findings highlight a shift in cybercrime operations from isolated incidents to highly structured, end-to-end criminal enterprises. These operations are bolstered by networks of access brokers, botnet operators, and shadow agents who offer specialized services, significantly compressing the time required from initial access to full system compromise.
The report also revealed a stark reduction in the time-to-exploit (TTE) window for vulnerabilities. While previous data indicated an average TTE of 4.76 days, FortiGuard Labs now observes critical vulnerabilities being exploited within 24 to 48 hours of public disclosure. A notable example cited was the React2Shell vulnerability, which saw active exploitation attempts mere hours after its public release, demonstrating the speed at which AI-driven reconnaissance and weaponization enable attackers to act.
Sector-wise, the manufacturing industry bore the brunt of these attacks, recording 1,284 confirmed ransomware victims. Business services followed with 824 victims, and retail accounted for 682. Geographically, the United States was the most targeted nation, with 3,381 victims, followed by Canada (374) and Germany (291). These figures underscore how threat actors prioritize industries and regions with large volumes of sensitive data and critical operations, making them financially attractive targets.
How AI-Powered Stealer Malware Fuels the Attack Chain
A primary catalyst behind the ransomware surge is the explosive proliferation of credential-stealer malware and the robust dark web ecosystem it supports. FortiRecon intelligence indicates that stealer logs now dominate dark web database activity, comprising 67.12% of all advertised and shared datasets. This significantly outpaces combolists (16.47%) and simple leaked credentials (5.96%), signaling a strategic shift by attackers towards richer, more immediately actionable data packages.
Stealer malware variants such as RedLine, Lumma, and Vidar covertly infect systems to harvest not only usernames and passwords but also comprehensive browser sessions, saved cookies, autofill data, and stored tokens. FortiRecon telemetry confirmed RedLine was responsible for 911,968 infections, representing 50.80% of all stealer activity. Lumma accounted for 499,784 infections (27.84%), and Vidar contributed 236,778 infections (13.19%). This bundled data provides attackers with everything needed to impersonate victims online instantly, bypassing the need to crack passwords.
The integration of agentic AI has further accelerated this process, enabling attackers to automate the large-scale sorting and exploitation of stolen datasets. The 2026 report highlights an additional 79% increase in stealer log availability compared to 2025, building upon a 500% spike recorded the previous year. Practically, this means organizations face credential-based intrusions that are faster, more elusive, and increasingly capable of circumventing traditional multi-factor authentication defenses.
What You Should Do
- Regularly audit and rotate all organizational credentials.
- Implement and enforce phishing-resistant multi-factor authentication (MFA) across all systems.
- Deploy advanced behavioral detection tools to monitor for infostealer activity and abnormal session behavior across all endpoints.
- Treat any stealer log exposure as an immediate, high-priority security incident, not a minor alert.
- Ensure all software and systems are patched for critical vulnerabilities within 24 to 48 hours of disclosure, given the accelerated time-to-exploit window.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.