
AI sharpens the cybercrime machine

Cybercriminal groups are using artificial intelligence to compress attack timelines, expand ransomware campaigns and turn stolen identity data into a faster route into corporate networks, with Fortinet’s 2026 Global Threat Landscape Report warning that the threat economy has become more coordinated, automated and industrialised.

Telemetry from 2025 shows attackers moving beyond isolated campaigns towards an ecosystem in which access brokers, botnet operators, ransomware affiliates and AI-enabled tools work across the intrusion chain. FortiGuard Labs found that time-to-exploit for critical outbreaks has narrowed to 24 to 48 hours, compared with 4.76 days in earlier reporting, leaving security teams with shrinking windows to patch exposed systems or contain active compromise.

The report, based on FortiGuard Labs telemetry and FortiRecon adversary intelligence, identified 7,831 confirmed ransomware victims worldwide in 2025, up from about 1,600 in the previous annual report. That 389 per cent rise underscores how ransomware has become less dependent on elite technical skill and more reliant on repeatable tooling, stolen credentials and service-based criminal infrastructure.

Manufacturing remained the most targeted sector, with 1,284 confirmed victims, followed by business services with 824 and retail with 682. The geographic concentration of victims also remained pronounced, led by the United States with 3,381 cases, followed by Canada with 374 and Germany with 291. The numbers reflect not only high levels of exposure but also the attractiveness of large digital supply chains, data-rich operating environments and business disruption as a pressure point.

AI-enabled offensive services are lowering the barrier for less sophisticated actors. FortiRecon observed tools and services advertised in underground markets, including enhanced versions of WormGPT and FraudGPT, as well as HexStrike AI and BruteForceAI. Such tools can support reconnaissance, attack-path generation, intelligent form analysis and multi-threaded credential attacks, allowing operators to scale activity without building every capability themselves.

Derek Manky, chief security strategist and global vice-president of threat intelligence at Fortinet FortiGuard Labs, said cybercrime had become “one of the world’s most pervasive and costly threats” and warned that malicious actors were beginning to use agentic AI to execute more sophisticated attacks. The challenge for defenders, he said, is to move cybersecurity operations towards industrialised defence and adopt AI-enabled tools that can respond at the same velocity as modern threats.

Credential theft remains central to the threat landscape. FortiCNAPP intelligence found that most confirmed cloud incidents in 2025 began with stolen, exposed or misused credentials rather than direct exploitation of cloud infrastructure. Hospitals, physician clinics and retail establishments ranked among the leading targets, reflecting the value of large identity populations, federated access models and complex cloud integrations.

FortiGate intrusion prevention telemetry recorded about 67.65 billion brute-force events globally in 2025, equal to roughly 185 million attempts per day. At the same time, brute-force attempts fell 22 per cent year on year, suggesting attackers are becoming more selective and efficient. Global exploitation attempts rose 25.49 per cent, indicating a shift towards better-targeted activity rather than indiscriminate volume alone.

Stolen data is also changing in character. The previous annual report recorded a 500 per cent increase in logs from systems compromised by infostealer malware, and FortiRecon found a further 79 per cent rise in the 2026 report. Stealer logs accounted for 67.12 per cent of advertised and shared dark-web datasets, well ahead of combolists at 16.47 per cent and leaked credentials at 5.96 per cent. These logs often contain browser data, session material and contextual identity artefacts that allow attackers to bypass basic login defences, such as a password check or a one-time code at sign-in, and accelerate account takeover.
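The two patterns above, a brute-force burst that is followed by a successful login and a stolen session cookie that is replayed without any login at all, are the kind of thing an authentication log can show if someone looks for them. The following is an added example, written for this page and not code from Fortinet or the report: it runs two simple detections over a constructed JSON-lines authentication log (sample records, host names and session identifiers are all made up here). The session check binds each session id to the client it was issued to at login and flags later use from a different source address or user agent, which is what a replayed stealer-log cookie looks like; the brute-force check uses a sliding window per source and account so that a slow, spread-out attempt of the "more selective" kind the telemetry suggests is deliberately not flagged, which also shows the limit of a per-source threshold.

```python
"""Triage of constructed authentication logs for brute-force bursts and
session-cookie replay. Example code written for this page; the log format,
field names and thresholds are assumptions, not Fortinet's telemetry schema."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import json

# Constructed sample log (not from the report): one JSON record per line.
SAMPLE_LOGS = "\n".join(
    [
        # alice logs in normally, then her session id turns up from another client
        '{"ts":"2025-06-01T09:00:00Z","event":"login_success","user":"alice","src":"203.0.113.10","ua":"Firefox/128","sid":"s-1"}',
        '{"ts":"2025-06-01T09:05:00Z","event":"request","user":"alice","src":"203.0.113.10","ua":"Firefox/128","sid":"s-1"}',
        '{"ts":"2025-06-01T09:20:00Z","event":"request","user":"alice","src":"198.51.100.77","ua":"python-requests/2.32","sid":"s-1"}',
        # dave's session id is used although the log holds no login for it at all
        '{"ts":"2025-06-01T09:30:00Z","event":"request","user":"dave","src":"198.51.100.77","ua":"python-requests/2.32","sid":"s-9"}',
    ]
    # bob: six failures in 25 seconds, then a success from the same client
    + [f'{{"ts":"2025-06-01T10:00:{5 * i:02d}Z","event":"login_failure","user":"bob","src":"192.0.2.5","ua":"curl/8.0"}}'
       for i in range(6)]
    + ['{"ts":"2025-06-01T10:00:40Z","event":"login_success","user":"bob","src":"192.0.2.5","ua":"curl/8.0","sid":"s-2"}']
    # carol: five failures spread over 28 minutes, never five inside one window
    + [f'{{"ts":"2025-06-01T11:{7 * i:02d}:00Z","event":"login_failure","user":"carol","src":"192.0.2.9","ua":"curl/8.0"}}'
       for i in range(5)]
)


def parse_logs(text):
    """Parse JSON lines into dicts with a timezone-aware datetime, sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(rec)
    events.sort(key=lambda r: r["ts"])
    return events


def detect_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Flag (src, user) pairs with >= threshold login failures inside a sliding
    window; a later login_success for a flagged pair is escalated, because a
    burst that ends in success is the case that matters most."""
    recent = defaultdict(deque)   # (src, user) -> timestamps inside the window
    total = defaultdict(int)      # (src, user) -> all failures seen
    flagged = set()
    findings = []
    for e in events:
        key = (e["src"], e["user"])
        if e["event"] == "login_failure":
            total[key] += 1
            q = recent[key]
            q.append(e["ts"])
            while q and e["ts"] - q[0] > window:
                q.popleft()       # drop failures that fell out of the window
            if len(q) >= threshold and key not in flagged:
                flagged.add(key)
                findings.append({"type": "brute_force", "src": key[0],
                                 "user": key[1], "failures": len(q)})
        elif e["event"] == "login_success" and key in flagged:
            findings.append({"type": "burst_then_success", "src": key[0],
                             "user": key[1], "failures": total[key]})
    return findings


def detect_session_replay(events):
    """Bind each session id to the (src, ua) seen at login_success. Any later
    request carrying that id from a different client, or an id that was never
    issued by a login in the log, is reported as a replay candidate."""
    binding = {}
    findings = []
    for e in events:
        sid = e.get("sid")
        if sid is None:
            continue
        client = (e["src"], e["ua"])
        if e["event"] == "login_success":
            binding[sid] = client
        elif e["event"] == "request":
            bound = binding.get(sid)
            if bound is None:
                findings.append({"type": "session_without_login", "sid": sid,
                                 "user": e["user"], "seen_from": client})
            elif bound != client:
                findings.append({"type": "session_replay", "sid": sid,
                                 "user": e["user"], "bound_to": bound,
                                 "seen_from": client})
    return findings


def triage(text):
    """Run both detections over a log and return all findings in one list."""
    events = parse_logs(text)
    return detect_brute_force(events) + detect_session_replay(events)


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOGS):
        print(finding)
```

On the constructed log this reports a brute-force burst against bob that ends in a successful login, a replay of alice's session id from a scripted client, and a session id for dave that was never issued by any login in the log; carol's five slow failures are not reported, which is the kind of low-rate activity a per-source window misses and why a per-account or per-password view is usually added alongside it. Binding sessions to source address and user agent will also produce false positives for users on mobile networks or behind changing NAT, so in practice the replay finding is a trigger for re-authentication or a step-up check rather than an automatic block.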

Among credential-stealer families, RedLine dominated FortiRecon telemetry with 911,968 infections, or 50.80 per cent of observed activity. Lumma accounted for 499,784 infections, while Vidar represented 236,778. The figures show how infostealers remain a feeder system for ransomware, fraud and cloud intrusion, even when individual malware operations face takedowns or disruption.

The Fortinet findings align with a wider shift across the cybersecurity sector. Public-facing applications, software supply chains, identity systems and cloud services are now more exposed as attackers use automation to identify weak authentication controls, unpatched vulnerabilities and misconfigured systems. Generative and agentic AI have not replaced traditional methods such as phishing, credential theft and vulnerability exploitation; they have made those methods faster, cheaper and easier to repeat.