Ransomware attacks surged dramatically in 2025, with global victims reaching 7,831. The sharp rise highlights how cybercrime has evolved into a highly organized, AI-driven ecosystem in which attackers operate at speed, with automation and scale.
This surge is largely fueled by the widespread availability of AI-powered cybercrime tools such as WormGPT, FraudGPT, and BruteForceAI, which lower the barrier to entry for attackers and accelerate operations.
One of the most critical shifts observed is the shrinking time-to-exploit (TTE). In 2025, attackers were able to weaponize vulnerabilities within 24 to 48 hours of disclosure, compared to an average of 4.76 days previously.
In some cases, exploitation attempts began within hours, as seen with the React2Shell vulnerability.
This rapid turnaround is driven by AI-assisted reconnaissance, automated vulnerability scanning, and pre-built exploit frameworks.
Data from FortiGuard Labs shows ransomware incidents increased nearly 389% year-over-year, jumping from around 1,600 cases in 2024.
Attackers no longer rely on manual processes; instead, they deploy intelligent systems that identify targets, generate attack paths, and execute campaigns almost instantly.
Cybercrime Becomes Industrialized
Fortinet describes modern cybercrime as an “industrialized” model. Threat actors now function like enterprises, supported by a network of service providers including access brokers, botnet operators, and developers of offensive AI tools.
Underground markets actively advertise tools such as:
- HexStrike AI, which automates reconnaissance and attack path generation.
- BruteForceAI, capable of intelligent credential attacks using large language models.
- Enhanced versions of WormGPT and FraudGPT for phishing and social engineering.
These tools allow even low-skilled actors to launch sophisticated attacks, while experienced groups scale operations globally.
The report identifies manufacturing, business services, and retail as the most targeted sectors. Manufacturing alone accounted for 1,284 ransomware victims, followed by business services (824) and retail (682).
Geographically, the United States recorded the highest number of victims at 3,381, followed by Canada (374) and Germany (291). The concentration reflects both economic value and digital exposure in these regions.
Identity Attacks Drive Cloud Breaches
Beyond ransomware, credential abuse remains a dominant threat vector. Most cloud security incidents in 2025 were linked to stolen or leaked credentials rather than infrastructure vulnerabilities.
Infostealer malware continues to play a major role. Variants such as RedLine, Lumma, and Vidar accounted for millions of infections, harvesting sensitive data including login credentials, browser data, and session tokens.
Notably, attackers are shifting from simple credential lists to “stealer logs,” which bundle credentials with contextual data, enabling faster and more effective account compromise.
Interestingly, brute-force attack attempts dropped by 22% year-over-year. However, this does not indicate reduced activity. Instead, attackers are becoming more precise, using AI to target high-probability accounts. This results in fewer attempts but higher success rates.
Despite this decline, global brute-force activity still reached massive levels, with billions of attempts recorded monthly.
To counter the growing threat, international collaboration is increasing. Operations such as INTERPOL’s “Operation Red Card 2.0,” supported by Fortinet, successfully dismantled cybercriminal infrastructure involved in scams and financial fraud.
Additionally, initiatives like the Cybercrime Atlas and new bounty programs aim to map cybercriminal networks and incentivize intelligence sharing.
As AI continues to reshape both attack and defense strategies, the report underscores a clear reality: cybersecurity must evolve at the same speed as modern threats, or risk falling behind in an increasingly automated threat landscape.
Follow us on Google News, LinkedIn, and X to Get Instant Updates and Set GBH as a Preferred Source in Google.
