Ransomware victims jump to 7,831 as AI crime tools speed up global attacks


Ransomware attacks grew sharply in 2025, with Fortinet reporting 7,831 confirmed victims worldwide in its 2026 Global Threat Landscape Report.

That is up from about 1,600 victims in the previous report, marking a 389% year-over-year increase. Fortinet linked the surge to a faster and more organized cybercrime ecosystem, including AI-enabled crime tools and ready-made attack services.

The report shows that attackers are no longer relying only on advanced technical skills. Crime service kits, stolen identity data, access brokers, botnet operators, and AI-assisted tools now help more groups launch attacks at scale.

Ransomware attacks are growing faster

Fortinet said ransomware victim counts rose across regions and sectors. Manufacturing was the most affected industry, with 1,284 confirmed victims, followed by business services with 824 and retail with 682.

The United States had the largest concentration of victims, with 3,381 confirmed cases. Canada followed with 374, while Germany recorded 291.

These numbers show where attackers see the most financial value. Large companies, critical suppliers, retailers, and service providers often hold sensitive data and depend on uptime, which can make them attractive ransomware targets.

At a glance

| Category | Details |
| --- | --- |
| Report | Fortinet 2026 Global Threat Landscape Report |
| Data period | 2025 threat activity |
| Confirmed ransomware victims | 7,831 |
| Previous report victim count | About 1,600 |
| Year-over-year increase | 389% |
| Top targeted sector | Manufacturing, with 1,284 victims |
| Top targeted country | United States, with 3,381 victims |
| Major drivers | AI-enabled tools, crime service kits, access brokers, stolen credentials, and faster exploitation |

AI crime tools lower the entry barrier

Fortinet named tools and services such as WormGPT, FraudGPT, HexStrike AI, and BruteForceAI as examples of offensive tooling advertised in criminal spaces.

These tools can help attackers write better lures, automate reconnaissance, analyze targets, generate attack paths, and run more efficient brute-force activity.

This does not mean every ransomware attack uses AI from start to finish. It means AI and automation now help criminals move faster at several stages of the attack chain.

Why time-to-exploit matters

Fortinet warned that the time between public vulnerability disclosure and active exploitation has become much shorter. For critical outbreaks, the window can shrink to 24 to 48 hours.

That creates a major problem for defenders. Many organizations still patch based on weekly or monthly cycles, while attackers can begin scanning and exploiting exposed systems within hours.

Fortinet also pointed to exploitation attempts that began within hours of the React2Shell vulnerability being publicly disclosed. The example shows how quickly attackers can turn public vulnerability information into real attacks.

How the ransomware ecosystem works

  • Access brokers sell entry points into company networks.
  • Infostealer operators collect browser data, passwords, cookies, and tokens.
  • Botnet operators provide infected machines and traffic infrastructure.
  • Ransomware groups use stolen access to deploy encryption and data theft tools.
  • AI-assisted tools help attackers sort data, write lures, and speed up reconnaissance.
  • Dark web markets connect these services into a larger criminal supply chain.

Stolen credentials are feeding more attacks

Fortinet said stolen identity data now plays a central role in modern intrusions. Many cloud incidents in 2025 involved stolen, exposed, or misused credentials rather than direct exploitation of cloud infrastructure.

Stealer logs dominated dark web database activity, accounting for 67.12% of advertised and shared datasets. Combolists made up 16.47%, while leaked credentials accounted for 5.96%.

This matters because stealer logs often include more than passwords. They can contain browser cookies, session data, tokens, autofill content, and other artifacts that help attackers impersonate a victim quickly.

Top stealer malware families

| Stealer malware | Reported infections | Share of stealer activity |
| --- | --- | --- |
| RedLine | 911,968 | 50.80% |
| Lumma | 499,784 | 27.84% |
| Vidar | 236,778 | 13.19% |

Why stealer logs are so dangerous

A leaked password may still fail if the user changed it or if multi-factor authentication blocks the login. A stealer log can give attackers more context and a faster path into an account.

If a stolen browser session remains valid, attackers may try to bypass normal login steps. This can make some intrusions harder to detect because the activity may appear to come from a real user session.

Fortinet said stealer log availability rose another 79% after a 500% increase reported in the previous year. That means defenders now face a larger pool of stolen data that attackers can search, sort, and reuse.

Ransomware is becoming a speed problem

The report’s main message is clear: cyber risk now depends heavily on speed. Attackers scan faster, exploit faster, and reuse stolen identity data faster.

Fortinet also reported 122 billion exploitation attempts in 2025, showing how much automated activity now surrounds exposed systems.

For defenders, slow patching and manual response create a growing gap. Organizations need faster asset discovery, faster patch prioritization, and faster detection of suspicious identity activity.

What organizations should do now

  • Patch critical vulnerabilities within 24 to 48 hours where possible.
  • Track internet-facing assets continuously.
  • Rotate credentials after suspected infostealer exposure.
  • Move privileged users to phishing-resistant multi-factor authentication.
  • Monitor for unusual session reuse, impossible travel, and abnormal login behavior.
  • Block known malicious infrastructure and crimeware indicators quickly.
  • Train employees to spot AI-written phishing messages and fake login pages.
  • Use endpoint detection to identify infostealer behavior before ransomware follows.
  • Back up critical systems and test recovery plans regularly.
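The session-reuse and impossible-travel monitoring item above can be expressed as two detection rules. The following is an added example, not taken from the Fortinet report: the event fields, the 900 km/h speed ceiling, and the sample events are assumptions, and the coordinates are assumed to come from IP geolocation enrichment.

```python
from dataclasses import dataclass
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

MAX_KMH = 900  # assumed ceiling: roughly airliner cruising speed

@dataclass
class Event:  # hypothetical auth-log record after geo-IP enrichment
    ts: datetime
    user: str
    session: str
    ip: str
    ua: str
    lat: float
    lon: float

def km(a, b):
    """Great-circle distance between two events (haversine)."""
    la1, lo1, la2, lo2 = map(radians, (a.lat, a.lon, b.lat, b.lon))
    h = sin((la2 - la1) / 2) ** 2 + cos(la1) * cos(la2) * sin((lo2 - lo1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def detect(events):
    """Return (rule, user, session) alerts for session reuse and impossible travel."""
    alerts, first_seen, last_by_user = [], {}, {}
    for e in sorted(events, key=lambda e: e.ts):
        origin = first_seen.setdefault(e.session, e)
        # Same session token presented by a different browser and address:
        # consistent with a cookie replayed from a stealer log.
        if e.ua != origin.ua and e.ip != origin.ip:
            alerts.append(("session_reuse", e.user, e.session))
        prev = last_by_user.get(e.user)
        if prev and prev.ip != e.ip:
            hours = max((e.ts - prev.ts).total_seconds() / 3600, 1 / 60)
            if km(prev, e) / hours > MAX_KMH:
                alerts.append(("impossible_travel", e.user, e.session))
        last_by_user[e.user] = e
    return alerts

# Constructed sample events (documentation IP ranges, not real data)
T = datetime.fromisoformat
SAMPLE = [
    Event(T("2025-06-01T09:00:00"), "alice", "s-1", "192.0.2.10", "Chrome/125 Windows", 40.71, -74.00),
    Event(T("2025-06-01T09:20:00"), "alice", "s-1", "192.0.2.10", "Chrome/125 Windows", 40.71, -74.00),
    Event(T("2025-06-01T09:45:00"), "alice", "s-1", "203.0.113.7", "Firefox/126 Linux", 52.52, 13.40),
    Event(T("2025-06-01T10:00:00"), "bob", "s-2", "198.51.100.4", "Safari/17 macOS", 43.65, -79.38),
    Event(T("2025-06-01T18:00:00"), "bob", "s-3", "198.51.100.9", "Safari/17 macOS", 45.50, -73.57),
]
print(detect(SAMPLE))
```

Requiring both the user agent and the IP to change keeps ordinary network switches (same browser, new address) from raising the session-reuse alert; a fresh login from a plausible distance, as in the second user's events, raises neither.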

What security teams should prioritize

| Priority | Reason |
| --- | --- |
| Credential protection | Stolen identities now drive many intrusions. |
| Fast patching | Critical vulnerabilities can face exploitation within 24 to 48 hours. |
| Infostealer detection | Stealer logs give attackers passwords, cookies, tokens, and session data. |
| Ransomware readiness | Confirmed victim counts have grown sharply year over year. |
| AI-aware defense | Attackers are using automation to reduce effort and increase speed. |

FAQ

How many ransomware victims did Fortinet report?

Fortinet reported 7,831 confirmed ransomware victims globally in its 2026 Global Threat Landscape Report.

How much did ransomware victim counts increase?

The count rose 389% year over year, from about 1,600 victims in the previous report.

Which industries were hit the most?

Manufacturing had the highest number of confirmed victims, followed by business services and retail.

How are AI tools helping cybercriminals?

AI-enabled tools can help attackers automate reconnaissance, improve phishing messages, analyze targets, generate attack paths, and make brute-force activity more efficient.

Why are stealer logs important in ransomware attacks?

Stealer logs can include passwords, cookies, tokens, browser data, and session information. Attackers can use this data to enter accounts faster and prepare ransomware attacks.
