Confirmed victims of AI-powered ransomware attacks have increased 389% globally, and the average time-to-exploit for critical vulnerabilities has shrunk from nearly five days to just 24-48 hours, effectively industrializing cybercrime operations. This rapid acceleration is a direct consequence of widely available AI tools that let threat actors scale and automate attack processes to an unprecedented degree.

What Happened

A new report from Fortinet's FortiGuard Labs, the 2026 Global Threat Landscape Report, based on 2025 telemetry, details a dramatic rise in AI-driven ransomware. The report indicates 7,831 confirmed ransomware victims in 2025, a significant leap from approximately 1,600 the previous year. This surge is directly linked to the proliferation of AI-powered cybercrime tools such as WormGPT, FraudGPT, and BruteForceAI, which lower the barrier to entry and enable less skilled actors to launch sophisticated campaigns. Crucially, the 'time-to-exploit' (TTE) for critical vulnerabilities has plummeted from an average of nearly five days to a mere 24 to 48 hours, with some vulnerabilities, like React2Shell, seeing exploitation attempts within hours of public disclosure. This shift marks a full industrialization of cybercrime, where specialized "service providers" offer tools like HexStrike AI for automated reconnaissance and BruteForceAI for intelligent credential attacks, as detailed by SecurityWeek and other sources.

Why It Matters

The implications of this AI ransomware surge are profound for defenders. The manufacturing sector bore the brunt, with 1,284 ransomware victims, followed by business services (824) and retail (682), according to Fortinet's report via SecurityBrief.com.au. Geographically, the United States accounted for the highest number of victims at 3,381, followed by Canada (374) and Germany (291). This concentration underscores the economic impact and digital exposure in these regions. The drastic reduction in TTE means that traditional patch management cycles are increasingly obsolete; defenders now have a shrinking window to respond to newly disclosed vulnerabilities before they're actively exploited. This isn't just about more attacks; it's about fundamentally faster, more efficient attacks at scale.

Technical Breakdown

The core mechanism driving this rapid exploitation involves AI-assisted reconnaissance, automated vulnerability scanning, and sophisticated credential theft. Threat actors leverage AI tools for initial access, identifying weak points and misconfigurations with unprecedented speed. For instance, an AI-powered reconnaissance tool can automatically crawl an organization's public-facing assets, identify services, versions, and potential vulnerabilities much faster than a human operator.

Consider a fishing net: traditional attackers might cast a wide, generic net, hoping to catch some fish. AI-powered attackers, however, use advanced sonar and predictive analytics to pinpoint where the fish are schooled, what bait they prefer, and even the optimal time to cast, making their efforts far more efficient and successful. Similarly, AI fine-tunes phishing campaigns and brute-force attacks by analyzing target profiles.

Once a vulnerability is identified, AI-driven exploit frameworks can rapidly generate and deploy proof-of-concept code or modify existing exploits. This often aligns with T1190 Exploit Public-Facing Application from MITRE ATT&CK. For credential theft, tools like BruteForceAI employ large language models (LLMs) to craft highly effective credential attacks, often using T1110 Brute Force or its sub-technique T1110.001 Password Guessing against services exposed via T1133 External Remote Services. The report also points to a preference for stolen datasets over leaked credentials, evidenced by a 79% surge in logs from systems compromised by infostealer malware in 2026 after a 500% increase in 2025. These stolen credentials often facilitate T1078 Valid Accounts for lateral movement. To combat this, robust authentication solutions like YubiKey for hardware-based MFA are becoming indispensable. Identity-related weaknesses remain central, necessitating strong adherence to NIST SP 800-53 control IA-2 Identification and Authentication (Organizational Users), ensuring proper user verification for all system access.

Historical Context

This acceleration isn't entirely new, but its scale is unprecedented. We saw glimpses of rapid exploitation during the WannaCry ransomware outbreak in May 2017, which leveraged the EternalBlue exploit (based on CVE-2017-0144) against unpatched Microsoft Windows systems. WannaCry spread globally within hours, infecting hundreds of thousands of machines. The similarity lies in the speed of propagation and the exploitation of known, albeit unpatched, vulnerabilities. However, the difference now is fundamental: WannaCry relied on a single, powerful exploit being available in the wild. Today's AI ransomware surge is driven by automated discovery and exploitation of multiple vulnerabilities, even newly disclosed ones. AI tools are creating the "EternalBlue" equivalent for new CVEs at scale, on demand, shrinking the window for remediation from days to hours, as highlighted by Security Boulevard.

Data at a Glance

Metric | Value | Source
Ransomware Victim Increase | 389% Year-over-Year (2025) | Fortinet
Total Victims (2025) | 7,831 | Fortinet
Old Time-to-Exploit | Nearly 5 days | Fortinet
New Time-to-Exploit | 24-48 hours | Fortinet
Manufacturing Sector Victims | 1,284 | Fortinet
US Ransomware Victims | 3,381 | Fortinet
Infostealer Log Surge (2025) | 500% | Fortinet

Our Take

We're beyond the point where incident response teams can rely solely on reactive patching. The current velocity of AI-powered exploitation demands a proactive, predictive defense posture. This means moving from traditional perimeter defense to a zero-trust model with solutions like Cloudflare Zero Trust, continuously validating every access request and connection. Furthermore, security teams must embed AI-enabled tools like SentinelOne or CrowdStrike Falcon into their stacks to match the speed and sophistication of these new threats. Simply put, if attackers are using AI to find and exploit, we must use AI to detect and prevent.

The CVEDaily Take

The industrialization of cybercrime isn't just about volume; it's about the erosion of the defenders' window of opportunity. The plummeting time-to-exploit means security teams need to prioritize automated vulnerability management and patching, coupled with continuous monitoring and rapid response capabilities. Have you assessed your average patch deployment time against a 24-hour TTE?
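
One way to answer that question, as an added example (not from the Fortinet report or any vendor tool): the script below measures disclosure-to-patch latency per asset against the 24- and 48-hour windows and totals the hours spent exposed beyond each. The records, CVE placeholders, host names and the `patch_latency_report` function are constructed for illustration.

```python
from datetime import datetime
from statistics import median

# Constructed sample records (not real data): CVE placeholder, asset,
# public disclosure time, patch deployment time (None = still unpatched).
RECORDS = [
    ("CVE-PLACEHOLDER-1", "web-01", "2025-03-01T09:00", "2025-03-01T21:00"),
    ("CVE-PLACEHOLDER-1", "web-02", "2025-03-01T09:00", "2025-03-03T15:00"),
    ("CVE-PLACEHOLDER-2", "vpn-01", "2025-03-10T12:00", "2025-03-11T18:00"),
    ("CVE-PLACEHOLDER-3", "erp-01", "2025-03-12T08:00", "2025-03-19T08:00"),
    ("CVE-PLACEHOLDER-4", "mes-01", "2025-03-20T00:00", None),
]
AS_OF = datetime(2025, 3, 22, 0, 0)  # measurement time for open items


def patch_latency_report(records, as_of, windows_h=(24, 48)):
    """Compare disclosure-to-patch latency with each time-to-exploit window."""
    latencies = []   # hours from disclosure to patch (or to as_of if open)
    open_items = []  # unpatched assets and how long they have been exposed
    for cve, asset, disclosed, patched in records:
        start = datetime.fromisoformat(disclosed)
        end = datetime.fromisoformat(patched) if patched else as_of
        hours = (end - start).total_seconds() / 3600
        latencies.append(hours)
        if patched is None:
            open_items.append((cve, asset, hours))

    report = {"median_h": median(latencies), "open": open_items}
    for window in windows_h:
        # An asset "misses" the window if it was still unpatched after it.
        missed = [h for h in latencies if h > window]
        report[f"missed_{window}h"] = len(missed)
        # Hours spent exploitable after the window closed, summed over assets.
        report[f"exposed_hours_{window}h"] = sum(h - window for h in missed)
    return report


if __name__ == "__main__":
    for key, value in patch_latency_report(RECORDS, AS_OF).items():
        print(f"{key}: {value}")
```

Open items are counted up to the measurement time, so an unpatched asset keeps adding exposure hours on every run until it is remediated.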

FAQ

Q: What specific AI tools are threat actors using for ransomware attacks?
A: Threat actors are employing tools like WormGPT for text generation, FraudGPT for various fraudulent activities including crafting spearphishing emails, and BruteForceAI for intelligent credential attacks. Tools like HexStrike AI automate reconnaissance and attack path generation.

Q: How does AI specifically reduce the time it takes to exploit vulnerabilities?
A: AI reduces TTE by automating and accelerating several key phases: reconnaissance (identifying targets and weaknesses), automated vulnerability scanning (quickly finding new CVEs in target systems), and rapid generation or modification of exploit code, as observed with vulnerabilities like React2Shell.

Q: Which sectors are most affected by this surge in AI-powered ransomware?
A: According to Fortinet's 2026 Global Threat Landscape Report, the manufacturing sector was the most targeted with 1,284 victims, followed by business services with 824 victims and retail with 682 victims. The United States also saw the highest number of overall victims.