Fortinet 2026 Global Threat Landscape: Ransomware Victims Up 389% Year-over-Year, AI Crime Industrialising

Fortinet's 2026 Global Threat Landscape Report documents 7,831 confirmed ransomware victims in 2025 — a 389% increase over 2024's approximately 1,600 — alongside the first systematic evidence of AI-enabled cybercrime tooling (WormGPT, FraudGPT, BruteForceAI) being used at scale. Manufacturing, business services, and retail are the hardest-hit sectors. The report reframes the threat environment as fundamentally changed, not merely intensified.

Fortinet has published its 2026 Global Threat Landscape Report, drawing on telemetry from 3.4 million sensors across 180 countries during 2025. The headline figure — 7,831 confirmed ransomware victims disclosed on extortion sites during 2025, compared with approximately 1,600 in 2024 — represents the largest annual increase in ransomware victim disclosure volume since the modern ransomware-as-a-service ecosystem emerged. The report attributes the surge to three concurrent shifts: improved RaaS industrialisation, AI-enabled attacker capability, and sustained exploitation of perimeter device vulnerabilities as initial access vectors.

The Ransomware Acceleration

The 389% year-over-year increase in confirmed victims is notable but requires contextualisation. Victim counts on extortion sites are not a direct measure of total ransomware incidents — they represent organisations that did not pay the ransom (or paid and were still published), and victim site visibility has improved as threat intelligence tooling has matured. Even accounting for improved visibility, Fortinet’s analysis concludes that the underlying attack volume has increased materially, not merely our ability to observe it.

Sector distribution: Manufacturing accounted for 22% of confirmed victims — a figure consistent with multiple other annual reports and reflecting the sector’s combination of high-value production data, legacy OT systems, and lower security maturity than financial services. Business services (consulting, legal, accounting) was second at 17%, reflecting the value of client data and the sector’s function as a supply chain entry point to primary targets. Retail and e-commerce was third at 12%, driven by seasonal targeting around peak trading periods.

Geographic distribution: The United States accounted for 38% of confirmed victims, followed by Canada (8%), Germany (7%), the United Kingdom (6%), and France (5%). The US figure has been consistent across multiple years and reflects both the concentration of high-value targets and the English-language coverage that makes US victim disclosures more visible to Western intelligence collection.

Dwell time: The median dwell time before ransomware deployment fell to 18 hours in 2025, down from 28 hours in 2024. This compression reflects increased RaaS automation and pre-packaged playbooks that reduce the time between initial access and encryption to a sub-day window — leaving organisations with progressively less time to detect and respond before damage occurs.

AI-Enabled Cybercrime Tooling

The report provides the first large-scale empirical evidence that AI-enabled offensive tooling has moved from research-stage curiosity to operational deployment at scale:

WormGPT and successors: Fortinet’s dark web monitoring identified 38 distinct AI-powered phishing kit offerings in 2025, up from 3 in 2023. These tools generate localised, contextually appropriate phishing content without the grammatical errors that characterised earlier mass phishing — significantly increasing the challenge of user-based detection.

BruteForceAI: A tool identified in multiple underground forums that uses machine learning to prioritise credential stuffing attempts based on breach data analysis — improving first-attempt hit rates on credential stuffing attacks by an estimated 4.3×.

FraudGPT and variants: Enables non-technical actors to generate convincing business email compromise lures, invoice fraud templates, and vishing scripts in multiple languages. The tool’s subscription model mirrors legitimate SaaS pricing: the barrier to entry for fraud at scale is now approximately $200/month.

Edge Device Exploitation Dominates Initial Access

The report identifies internet-facing edge devices — VPN gateways, firewalls, and network access controllers — as the dominant initial access vector for 2025, accounting for 43% of observed intrusions. This continues a multi-year trend in which the collapse of the perimeter model has made the devices formerly protecting the perimeter into the primary attack surface.

Exploited devices identified in the dataset include PAN-OS GlobalProtect (the most frequently exploited network device category), Citrix ADC/Gateway, and multiple VPN concentrator platforms. The report notes that the average time from CVE publication to weaponised exploit availability has dropped to 4.1 days, meaning organisations now have less than one week to patch perimeter devices before exploits are widely available.

Implications for Security Programme Design

The report’s findings have several direct implications for enterprise security investment priorities:

The compression of dwell time to sub-24-hour windows means that detection-focused security programmes designed around multi-day breach discovery windows are structurally misaligned with the current threat environment. The combination of AI-enabled social engineering at the entry point and compressed dwell time at the exploitation phase leaves organisations with fewer opportunities to interrupt an attack at any stage.

The manufacturing sector’s continued top position in ransomware victim counts — despite years of sector-specific advisories — suggests that the standard security investment model for industrial companies is not keeping pace with threat development. OT security, segmentation, and backup integrity remain the most cited deficiencies in post-incident reviews of manufacturing sector ransomware events.
