The global threat of ransomware has escalated dramatically, reaching alarming new heights. As outlined in the 2026 Global Threat Landscape Report by Fortinet, incidents have surged to 7,831 reported victims in 2025, a stark increase from the approximately 1,600 cases documented in the prior year. This represents a staggering 389% year-over-year rise, underscoring how AI-enhanced criminal tools have revolutionized cyberattacks.
AI Tools Amplify Cybercriminal Capabilities
The surge in ransomware cases is not coincidental. The proliferation of user-friendly crime tools such as WormGPT, FraudGPT, and BruteForceAI has significantly lowered the barrier for cybercriminals, allowing them to conduct sophisticated attacks with minimal technical expertise. These tools are readily available on dark web platforms, equipping even novice attackers with capabilities once reserved for elite hacker groups.
This accessibility has led to more frequent and targeted ransomware campaigns, complicating efforts to thwart them. Fortinet’s FortiGuard Labs has meticulously tracked these trends using extensive telemetry data from 2025, revealing that cybercrime has evolved into a structured, end-to-end criminal operation. Networks of access brokers, botnet operators, and shadow agents collaborate to expedite the process from initial access to full system compromise.
Rapid Exploitation and Vulnerability Targeting
The report highlights a dramatic reduction in the time-to-exploit (TTE) window. Previous data indicated an average TTE of 4.76 days, but recent findings show windows as short as 24 to 48 hours for critical vulnerabilities. In a specific case, exploitation attempts were launched within hours of the disclosure of the React2Shell vulnerability, illustrating the speed at which attackers can operate when aided by AI-driven reconnaissance and weaponization techniques.
Industries such as manufacturing, with 1,284 confirmed victims, bore the brunt of these attacks, followed by business services at 824 and retail at 682. Geographically, the United States led with 3,381 victims, with Canada and Germany following at 374 and 291, respectively. These figures highlight the sectors and regions with substantial volumes of sensitive data, making them prime targets for financially motivated cybercriminals.
Credential Theft and Dark Web Dynamics
A critical factor fueling the ransomware epidemic is the rapid growth of credential-stealing malware and the dark web infrastructure supporting it. According to FortiRecon intelligence, stealer logs dominate dark web activities, comprising 67.12% of all database activity, far surpassing combolists and leaked credentials. This trend signifies a shift towards comprehensive, immediately usable data packages over simple password leaks.
Malware such as RedLine, Lumma, and Vidar surreptitiously infiltrates systems to harvest not only usernames and passwords but also browser sessions, cookies, autofill data, and stored tokens. FortiRecon data confirmed that RedLine alone was responsible for 911,968 infections, accounting for over half of all stealer activity. The automation facilitated by agentic AI has further accelerated the sorting and exploitation of these datasets, increasing their availability by 79% since last year.
Organizations are urged to regularly audit credentials, enforce robust multi-factor authentication, and monitor for signs of infostealer activity. Security teams should treat stealer log exposure as a critical incident and employ behavioral detection tools to identify unusual session activity. Timely software patching within 24 to 48 hours of vulnerability disclosures is now essential, given the rapid onset of exploitation attempts.
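One way to look for the unusual session activity described above is to compare each request on a session against the client that first used it. The sketch below is an added example, not taken from the Fortinet report; the log format, the sample lines, the /24 grouping and the severity labels are all assumptions made for illustration.

```python
import ipaddress

# Constructed sample log (hypothetical format): timestamp user session_id client_ip user_agent
SAMPLE_LOG = """\
2025-11-03T09:00:12Z alice s-7f3a 198.51.100.24 Mozilla/5.0 (Windows NT 10.0) Chrome/130
2025-11-03T09:05:40Z alice s-7f3a 198.51.100.77 Mozilla/5.0 (Windows NT 10.0) Chrome/130
2025-11-03T09:06:02Z bob s-91cc 203.0.113.5 Mozilla/5.0 (Macintosh) Safari/17
2025-11-03T09:20:31Z alice s-7f3a 192.0.2.200 Mozilla/5.0 (X11; Linux) Firefox/128
2025-11-03T09:21:00Z alice s-7f3a 198.51.100.24 Mozilla/5.0 (Windows NT 10.0) Chrome/130
2025-11-03T10:00:00Z bob s-91cc 192.0.2.14 Mozilla/5.0 (Macintosh) Safari/17
"""


def parse_event(line):
    """Split one log line; the user agent is the free-text remainder."""
    ts, user, sid, ip, ua = line.split(" ", 4)
    # Assumption: IPv4 clients, grouped by /24 so DHCP churn is not treated as a move.
    net = ipaddress.ip_network(f"{ip}/24", strict=False)
    return {"ts": ts, "user": user, "sid": sid, "ip": ip, "net": net, "ua": ua}


def find_session_anomalies(log_text):
    """Flag requests whose client differs from the one that first used the session."""
    baseline = {}  # session id -> (network, user agent) at first sighting
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        first_net, first_ua = baseline.setdefault(ev["sid"], (ev["net"], ev["ua"]))
        net_changed = ev["net"] != first_net
        ua_changed = ev["ua"] != first_ua
        if not (net_changed or ua_changed):
            continue
        # A new network alone is common (VPN, mobile); a new network together with
        # a new browser on a live session is the pattern a replayed cookie produces.
        severity = "high" if net_changed and ua_changed else "low"
        alerts.append({"severity": severity, "ts": ev["ts"], "user": ev["user"],
                       "sid": ev["sid"], "ip": ev["ip"]})
    return alerts


if __name__ == "__main__":
    for alert in find_session_anomalies(SAMPLE_LOG):
        print(alert)
```

A high-severity hit on a session that was established behind multi-factor authentication is a reason to revoke that session and reset the account's credentials, since a harvested cookie carries the authenticated state with it.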
