AI-Powered Cybercrime Fuels 389% Surge in Global Ransomware Victims: Fortinet Report
Manufacturing, Business Services and Retail Among Most Targeted Sectors; Attack Timelines Shrink to 24 Hours

Bengaluru: Fortinet has warned that artificial intelligence-enabled cybercrime is rapidly transforming the global threat landscape, with ransomware victims surging by 389 percent year-on-year as cybercriminal groups increasingly deploy AI-driven offensive tools and automated attack systems.
In its newly released 2026 Global Threat Landscape Report, Fortinet’s FortiGuard Labs said cybercrime has evolved into a highly organised ecosystem where malicious actors operate through interconnected digital supply chains supported by AI-powered “shadow agents,” access brokers, and cybercrime-as-a-service platforms.
The report, based exclusively on FortiGuard Labs telemetry and analysis mapped to the MITRE ATT&CK framework, revealed that confirmed ransomware victims worldwide increased to 7,831 in 2025 compared to around 1,600 victims identified in the company’s previous annual report.
According to the report, sectors most targeted by ransomware attacks included manufacturing with 1,284 victims, followed by business services with 824 and retail with 682. The United States recorded the highest concentration of ransomware victims at 3,381, followed by Canada and Germany.
Derek Manky, Chief Security Strategist and Global Vice President of Threat Intelligence at Fortinet, said cybercriminals are increasingly leveraging agentic AI technologies to execute attacks with unprecedented sophistication and speed.
“As cybercriminals increasingly use AI to bolster their tactics, cyber defenders must evolve cybersecurity operations into an industrialized defense and adopt AI-enabled tools that respond at the same velocity as modern threats,” Manky said.
One of the report’s key findings highlighted the shrinking “time-to-exploit” window for newly disclosed vulnerabilities. Fortinet said advanced threat actors are now capable of launching exploitation attempts within 24 to 48 hours of vulnerability disclosure, compared to an average of 4.76 days reported earlier.
The company cited real-world incidents where exploitation attempts targeting critical vulnerabilities began within hours of public disclosure.
The report also identified growing adoption of AI-powered cybercrime tools such as WormGPT, FraudGPT, HexStrike AI, and BruteForceAI, which are being marketed on dark web forums to automate reconnaissance, credential theft, and multi-threaded attack operations.
Fortinet said AI is enabling cybercriminals to work more efficiently rather than merely increasing attack volumes. While brute-force login attempts declined by 22 percent year-on-year, global exploitation attempts rose by over 25 percent, indicating more targeted and intelligent attack strategies.
The report estimated that cybercriminals still generated nearly 67.65 billion brute-force events globally during the year, averaging approximately 185 million attempts daily.
Fortinet’s intelligence also revealed that cybercriminals are increasingly shifting from leaked credentials to stolen “stealer logs” — bundled datasets containing browser data, authentication tokens, session information, and identity material that enable immediate account compromise.
According to the report, stealer logs accounted for more than 67 percent of dark web database activity, far exceeding traditional leaked credentials and combolists.
Credential-stealer malware remained one of the most lucrative cybercrime industries globally. Fortinet identified RedLine malware as the dominant infostealer family, followed by Lumma and Vidar.
The report further warned that identity-based attacks now represent one of the biggest cloud security threats, with most cloud incidents during 2025 linked to stolen, exposed, or misused credentials rather than infrastructure vulnerabilities.
Hospitals, physician clinics, and retail establishments were identified among the most vulnerable sectors because of complex cloud integrations and extensive identity ecosystems.
Fortinet also highlighted its ongoing collaboration with global law enforcement and international organisations to combat cybercrime networks.
The company said operations such as “Operation Red Card 2.0,” conducted in collaboration with INTERPOL and the World Economic Forum Cybercrime Atlas initiative, had resulted in the disruption of cybercriminal infrastructure involved in online scams, mobile money fraud, and fraudulent loan applications in Africa.
Fortinet additionally announced efforts such as the Cybercrime Bounty programme launched with Crime Stoppers International to encourage anonymous reporting of cyberthreat intelligence.
The company urged enterprises to adopt AI-enabled security operations, advanced threat intelligence systems, and faster incident response capabilities to cope with increasingly industrialised cyber threats.