Ransomware Victims Jump to 7,831 as AI Crime Tools Scale Global

Jennifer Sherman
May 1, 2026

Confirmed ransomware victims globally surged to 7,831 in 2025, a dramatic increase from the approximately 1,600 reported the previous year. This alarming escalation comes from Fortinet’s newly released 2026 Global Threat Landscape Report.

That is a 389% increase year-over-year, a rise that reflects how deeply AI-powered criminal tools have changed the game for attackers.

This sharp growth did not happen by accident. The availability of ready-to-use crime tools such as WormGPT, FraudGPT, and BruteForceAI has made it easier than ever for cybercriminals to launch sophisticated attacks without requiring deep technical skill.

These tools are sold openly in dark web marketplaces, giving even low-level threat actors access to capabilities that were previously limited to advanced hacker groups.

As a result, ransomware campaigns have grown more frequent, more targeted, and harder to stop.

Analysts and researchers at Fortinet’s FortiGuard Labs identified these accelerating trends through extensive telemetry data gathered throughout 2025, mapping attacker behavior across all phases of the MITRE ATT&CK framework.

Their findings confirm that cybercrime now operates less like a series of random attacks and more like a structured, end-to-end criminal operation.

Threat actors are supported by networks of access brokers, botnet operators, and shadow agents who sell services on demand, compressing the time it takes to move from initial access to full compromise.

The report also found that the time-to-exploit (TTE) window has shrunk dramatically. Where earlier data pointed to an average TTE of 4.76 days, FortiGuard Labs now records TTE windows as short as 24 to 48 hours for critical vulnerabilities.

In one real-world case, active exploitation attempts began within hours of the React2Shell vulnerability being publicly disclosed, highlighting how fast attackers can act when AI accelerates their reconnaissance and weaponization steps.

The manufacturing sector bore the heaviest burden, with 1,284 confirmed ransomware victims, followed by business services at 824 and retail at 682.

Geographically, the United States recorded the highest concentration with 3,381 victims, followed by Canada with 374 and Germany with 291.

These numbers reflect where large volumes of sensitive data and critical operations make organizations the most attractive and financially rewarding targets.

How AI-Powered Stealer Malware Fuels the Attack Chain

One of the most significant drivers behind the ransomware surge is the explosive growth of credential-stealer malware and the dark web ecosystem built around it.

FortiRecon intelligence revealed that stealer logs now dominate dark web database activity, accounting for 67.12% of all advertised and shared datasets, far ahead of combolists at 16.47% and leaked credentials at just 5.96%.

This shift signals that attackers have moved away from simple password leaks and toward richer, more immediately usable data packages.

Stealer malware like RedLine, Lumma, and Vidar quietly infect systems, then harvest not just usernames and passwords but full browser sessions, saved cookies, autofill data, and stored tokens.

FortiRecon telemetry confirmed that RedLine was responsible for 911,968 infections, representing 50.80% of all stealer activity, while Lumma accounted for 499,784 infections at 27.84%, and Vidar added another 236,778 infections at 13.19%.

This bundled data gives attackers everything they need to immediately impersonate a victim online without ever needing to crack a single password.

Agentic AI has further accelerated this process by enabling attackers to automate the sorting and exploitation of stolen datasets at scale.

The 2026 report notes an additional 79% increase in stealer log availability compared to 2025, building on the 500% spike already recorded the previous year.

The practical result is that organizations face credential-based intrusions that are faster, harder to detect, and more likely to bypass traditional multi-factor authentication defenses, because a replayed session cookie or token presents a session that has already been authenticated.

Organizations are strongly advised to audit and rotate credentials regularly, enforce phishing-resistant multi-factor authentication, and monitor for signs of infostealer activity across all endpoints.

Security teams should treat stealer log exposure as an active incident, not a low-priority alert, and should deploy behavioral detection tools capable of identifying abnormal session activity.
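One way to express the "abnormal session activity" check recommended above, as an added example that is not from the Fortinet report or this article: it binds each session ID to the network (ASN) and client family seen at the MFA login, then flags later use of that session from a different context. The log schema, field names, and sample events are constructed assumptions.

```python
import json

# Constructed sample events, one JSON object per line (not real telemetry).
# Field names are assumptions; map them to your IdP or proxy log schema.
SAMPLE_LOG = """
{"ts":"2026-05-01T09:00:00Z","user":"alice","sid":"s-1001","event":"login_mfa","ip":"198.51.100.10","asn":64500,"ua":"Firefox/140 (Windows)"}
{"ts":"2026-05-01T09:05:00Z","user":"alice","sid":"s-1001","event":"request","ip":"198.51.100.77","asn":64500,"ua":"Firefox/140 (Windows)"}
{"ts":"2026-05-01T11:30:00Z","user":"alice","sid":"s-1001","event":"request","ip":"203.0.113.45","asn":64511,"ua":"python-requests/2.32"}
{"ts":"2026-05-01T10:00:00Z","user":"bob","sid":"s-2002","event":"login_mfa","ip":"192.0.2.20","asn":64501,"ua":"Chrome/136 (macOS)"}
{"ts":"2026-05-01T10:20:00Z","user":"bob","sid":"s-2002","event":"request","ip":"192.0.2.20","asn":64501,"ua":"Chrome/137 (macOS)"}
{"ts":"2026-05-01T12:00:00Z","user":"carol","sid":"s-3003","event":"request","ip":"203.0.113.9","asn":64511,"ua":"Chrome/136 (Linux)"}
"""

def ua_key(ua):
    """Reduce a user agent to (client family, platform), ignoring the version
    so that a routine browser update does not look like a new client."""
    product, _, rest = ua.partition("/")
    return product, rest.partition(" ")[2]

def find_session_anomalies(log_text):
    """Return (sid, user, severity, reasons) for session use that does not
    match the context recorded when the session passed MFA."""
    events = sorted((json.loads(line) for line in log_text.splitlines() if line.strip()),
                    key=lambda e: e["ts"])  # same-format ISO 8601 sorts as text
    bound = {}     # sid -> (asn, ua_key) observed at the MFA login
    findings = []
    for e in events:
        ctx = (e["asn"], ua_key(e["ua"]))
        if e["event"] == "login_mfa":
            bound[e["sid"]] = ctx
            continue
        if e["sid"] not in bound:
            # Session in use with no login in the window: may predate the
            # log window, or may be a cookie imported from elsewhere.
            findings.append((e["sid"], e["user"], "review", ["no_mfa_login_in_window"]))
            continue
        base = bound[e["sid"]]
        reasons = []
        if ctx[0] != base[0]:
            reasons.append("asn_changed")     # IP changes inside one ASN are tolerated
        if ctx[1] != base[1]:
            reasons.append("client_changed")
        if reasons:
            severity = "high" if len(reasons) == 2 else "review"
            findings.append((e["sid"], e["user"], severity, reasons))
    return findings

if __name__ == "__main__":
    for finding in find_session_anomalies(SAMPLE_LOG):
        print(finding)
```

A "high" finding is the case to handle as an active incident: revoke the session, rotate the user's credentials, and check the original endpoint for an infostealer.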

Keeping software and systems patched within 24 to 48 hours of a critical vulnerability disclosure is now a baseline expectation, given how quickly exploitation attempts begin.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.
