Ransomware Attacks Surge Nearly 400% as AI Fuels Cybercrime

By: Jordan Vector, Cybersecurity Expert

Last updated: May 1, 2026

  • Ransomware victims increased 389 percent year over year, driven largely by AI-powered crime kits like WormGPT, FraudGPT, and BruteForceAI.

  • Time to exploit critical vulnerabilities has collapsed from 4.76 days to just 24-48 hours, with attackers launching exploitation attempts within hours of public vulnerability disclosures like React2Shell.

  • Manufacturing suffered the most ransomware attacks with 1,284 confirmed victims, followed by business services and retail. The United States accounted for 3,381 victims, the highest of any country.

In a new report, Fortinet’s FortiGuard Labs revealed that ransomware attacks have increased nearly 400% in the last year. The report attributed the rise to the increase in criminal supply chain services using AI tools, such as WormGPT, FraudGPT and BruteForceAI.

These AI tools have reduced the barriers to entry for any would-be hacker and have made it easier for criminals to access financial and personal data. Last year there were 7,831 confirmed ransomware victims worldwide, compared to only about 1,600 in the previous report.

Attackers Operate Smarter, Without Stress, Using AI Tools

The research reveals a notable shift in attacker behavior. Telemetry from Fortinet’s intrusion prevention system showed a 22 percent drop in brute-force attempts year over year. This decline does not signal less criminal activity. Instead, it shows that attackers now make fewer, more targeted attempts against carefully selected victims.

AI-powered offensive tools allow criminals to operate with much greater efficiency. Products like HexStrike AI offer automated reconnaissance and attack path generation. BruteForceAI integrates large language models for intelligent form analysis and can execute sophisticated multi-threaded attacks. These tools reduce the skill requirements for entry-level hackers while dramatically speeding up their workflows.

According to Derek Manky, Chief Security Strategist at Fortinet’s FortiGuard Labs, sophisticated cyberattacks are emerging that use agentic AI to automate the process of launching new attacks. Defenders need to move their cybersecurity operations to industrialized defenses and adopt AI-enabled tools that can act as quickly as modern threats.

Other key findings from the report include a significant change in how cybercriminals target and exploit cloud environments. The majority of cloud incidents in 2025 resulted from exposed, stolen, or misused credentials rather than from exploitation of the underlying infrastructure itself. These credential-based attacks predominantly targeted hospitals, medical clinics and retail stores.

This focus on credential theft has led to massive data exposures. An alleged stealer log leak reportedly contains data from Apple, Google, and dozens of other global firms, highlighting how infostealer malware is being used to harvest login credentials from employees across virtually every industry sector.

Time to Exploit Shrinks from Days to Hours

One of the most alarming findings in the report concerns the speed of modern attacks. The average time to exploit critical vulnerabilities has collapsed from 4.76 days to just 24 to 48 hours. In some real-world cases, attackers launched active exploitation attempts within hours of a vulnerability becoming public.

The React2Shell vulnerability provides a stark example of this new reality. Security researchers observed active exploitation attempts within hours of its public disclosure. Douglas Santos, director of advanced threat intelligence at FortiGuard, warned that with AI accelerating reconnaissance, weaponization, and execution, it is only a matter of time before hours or even minutes become the norm.

Manufacturing emerged as the most heavily targeted sector with 1,284 confirmed ransomware victims. Business services followed with 824 victims, and retail came in third with 682 victims. The United States recorded the highest number of victims with 3,381, followed by Canada with 374 and Germany with 291.

The report argues that cybercrime no longer functions as a series of isolated incidents. Instead, it operates as a connected economy where threat groups rely on specialist providers, such as botnet operators, access brokers, and developers of offensive kits sold as services.

Stolen Credentials and Infostealer Logs Drive Dark Web Economy

The research also uncovered a massive increase in stolen data available on dark web markets. In 2025, FortiRecon intelligence observed a 500 percent increase in logs available from systems that infostealer malware compromised. In 2026, the data shows an additional 79 percent increase and reveals a shift toward theft of more comprehensive data sets.

Within the dark web database environment, stealer logs now dominate the market. These logs account for 67.12 percent of advertised and distributed datasets, far exceeding combolists at 16.47 percent and leaked credentials at just 5.96 percent. Stealer logs bundle identity material with contextual artifacts, including browser-resident data, which enables immediate replay and faster exploitation.

The three most actively used credential-stealing malware families today are RedLine, Lumma, and Vidar. They have reportedly infected over 911,968 machines (RedLine), over 499,784 machines (Lumma), and over 236,778 machines (Vidar).

Attackers aggregate the credentials stolen from infected machines, drawn from browser-stored passwords, cookies, and autofill data, into a complete identity profile they can use, rather than collecting separate usernames and passwords for multiple sites.

Fortinet recommends AI-based security solutions to help organizations mitigate the evolving threat landscape. Traditional security methods cannot keep up with the speed at which attacks are now developed and executed at the machine level.

The report indicates that security operations teams need to scale to an industrialized level of defense so that response times match the near-real-time speed of current threat activity.

About the Author

Jordan Vector

Cybersecurity Expert

Jordan is a security researcher and advocate who focuses on making privacy practical. Whether he's explaining how to harden a browser or reporting on the latest surveillance disclosures, his goal is to equip readers with knowledge they can use immediately. Jordan believes that true security begins with understanding the digital landscape.
