SecurityBrief US - Technology news for CISOs & cybersecurity decision-makers
Fortinet warns ransomware victims rise 389% amid AI


Thu, 30th Apr 2026
Joseph Gabriel Lagonsin, News Editor

Fortinet has published its 2026 Global Threat Landscape Report, which found ransomware victims rose 389 per cent year on year.

Based on telemetry from FortiGuard Labs, the report points to a cybercrime market using artificial intelligence tools to sharpen reconnaissance, credential theft and exploitation, while reducing the time between a vulnerability becoming public and attackers attempting to use it.

Confirmed ransomware victims reached 7,831 globally, up from about 1,600 identified in the previous annual report. Manufacturing was the most targeted sector with 1,284 victims, followed by business services with 824 and retail with 682.

The United States accounted for 3,381 confirmed ransomware victims, followed by Canada with 374 and Germany with 291.

Attack speed

One of the sharpest shifts in the data is the shrinking time to exploit critical vulnerabilities. That window now stands at 24 to 48 hours, compared with 4.76 days in earlier reporting.

Active exploitation attempts were observed within hours of public disclosure of the React2Shell vulnerability, underlining how quickly attackers can move once technical details enter the public domain.

Derek Manky, chief security strategist and global VP of threat intelligence at Fortinet FortiGuard Labs, said: "Cybercrime is one of the world's most pervasive and costly threats, and Fortinet's latest Global Threat Landscape Report reveals how malicious actors are beginning to leverage agentic AI to execute more sophisticated attacks. As cybercriminals increasingly use AI to bolster their tactics, cyber defenders must evolve cybersecurity operations into an industrialised defence and adopt AI-enabled tools that respond at the same velocity as modern threats."

The report argues that cybercrime now operates less like a series of isolated incidents and more like a connected economy. It describes threat groups as relying on specialist providers, including access brokers, botnet operators and developers of offensive tools sold as services.

The tools cited include WormGPT, FraudGPT, HexStrike AI and BruteForceAI. These offerings lower the technical threshold for attackers while increasing the speed of their workflows.

Identity focus

Identity-related weaknesses remained central to cloud attacks through 2025. Most confirmed cloud incidents stemmed from stolen, exposed or misused credentials rather than direct exploitation of infrastructure.

Hospitals, physician clinics and retail establishments were identified as the top targets in this area. The report links that exposure to large identity populations, federated access models and complex cloud integrations.

Cornelius Mare, chief information security officer, Australia, at Fortinet, said: "Organisations across Australia and New Zealand are facing a step change in how cyber threats operate. Threat activity has shifted from isolated attacks to highly coordinated operations, where adversaries use automation and AI to move faster and scale their impact."

Mare added: "Identity has become a primary attack vector, particularly across cloud environments. For local organisations, this highlights the need to focus on fundamentals such as visibility, identity security, and rapid response, alongside adopting AI-enabled defence strategies that operate at the same speed as the threats. The challenge is no longer just stopping individual attacks but disrupting the broader cybercrime ecosystem. This requires a more integrated approach to cybersecurity, where threat intelligence, automation, and collaboration work together to help organisations reduce risk and respond more effectively."

Credential theft

Fortinet's data suggests attackers are becoming more selective rather than simply noisier. Brute force attempts fell 22 per cent year on year, but still totalled about 67.65 billion globally, or roughly 185 million attempts a day.

At the same time, global exploitation attempts rose 25.49 per cent year on year. Together, these trends point to a shift towards better-targeted attacks and broader use of stolen data sets that can shorten the path from intrusion to compromise.

Stealer logs accounted for 67.12 per cent of advertised and shared data sets in dark web database activity, ahead of combolists at 16.47 per cent and leaked credentials at 5.96 per cent. These logs can include browser-resident data and other context that makes stolen identities easier to use immediately.

Credential-stealing malware remained a major source of exposure. RedLine led observed infections with 911,968 cases, or 50.80 per cent of the total, followed by Lumma with 499,784 and Vidar with 236,778.

Disruption efforts

Beyond threat tracking, Fortinet pointed to its participation in broader cybercrime disruption efforts. A collaborative initiative led by INTERPOL and supported through the World Economic Forum Cybercrime Atlas contributed to Operation Red Card 2.0, which targeted infrastructure and operators behind online scams, mobile money fraud and fraudulent loan applications in Africa.

Fortinet also launched a Cybercrime Bounty programme with Crime Stoppers International to provide an anonymous reporting channel for citizens and ethical hackers with information on cyber threats.

The report's central message is that defenders are dealing with faster, more connected and increasingly automated adversaries. The challenge is no longer only detecting single attacks, but responding to an ecosystem in which stolen credentials, rented tools and AI-assisted workflows are combined at scale.