Fortinet has published its annual threat landscape report and the numbers are striking. 7,831 confirmed ransomware victims in 2025. A 389% increase over the previous year. Manufacturing hit hardest, for the third consecutive year. Dwell time before encryption compressed to 18 hours. AI-enabled crime tooling now available to non-technical actors for $200 a month.
The security industry will spend the next few days engaging with this report seriously. Articles will be written. Briefings will be prepared for boards. Then a zero-day will be disclosed or a breach will be announced and the conversation will move on to something that feels more urgent.
The ransomware crisis is not a knowledge problem. We have known for years what sectors get hit, how attackers get in, and what defences work. The problem is a conversion rate problem: the proportion of organisations that translate threat intelligence into changed security architecture is too low, too slow, and too concentrated in sectors that were never the primary targets.
The Manufacturing Problem Has Not Been Solved
Manufacturing has led victim counts in ransomware reports every year since the modern RaaS ecosystem emerged in 2021. Not occasionally – consistently, persistently, year after year.
The explanations are well understood: legacy OT infrastructure, flat networks where an initial access in an IT environment can pivot to production lines, underfunded security programmes relative to revenue, and a cultural reluctance to accept operational downtime for security-related reasons. The solutions are also well understood: network segmentation, OT-specific endpoint protection, air-gapped or immutable backup systems, tested incident response plans.
What is not happening is the conversion of that understanding into action at the pace the threat demands. A security team that presents a board with the Fortinet report today should be able to point to specific architectural changes proposed last year that were approved, funded, and implemented. If those changes were deferred, the report provides the external validation to make the case again. If they were never proposed, the report should prompt the question: what would it take to change our network architecture enough to survive a ransomware event?
The answer is unlikely to be "not much."
The 18-Hour Problem
The compression of dwell time to 18 hours before encryption is the finding that should restructure detection and response priorities. Security programmes built for multi-day dwell times – with detection workflows designed to triage alerts during business hours, escalate through change management processes, and respond within SLAs measured in days – are structurally mismatched with an attacker who can move from initial access to encrypted domain controllers in less than a working day.
18 hours means that if an attacker gains access at 5pm on a Friday, encryption begins before 11am Monday. It means that alert triage queues that take 24 hours to process are not threat detection – they are forensic documentation after the fact.
The detection posture required to have any chance of interrupting an 18-hour kill chain looks different from what most organisations have built. It requires 24/7 alert investigation capacity, automated containment actions that execute without human approval for the highest-confidence indicators, and pre-authorised response playbooks that security teams can execute without waiting for change management approval.
Most organisations do not have any of these things at the required fidelity. The 7,831 victim figure is a direct measure of that gap.
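The following is an added example, not taken from the Fortinet report or from this article, that models the 18-hour argument: it compares pre-authorised automated containment with analyst triage under business-hours and 24/7 cover for an intrusion that starts at 5pm on a Friday. The playbook names, confidence thresholds, the one-hour triage delay and the 09:00-17:00 shift are assumptions chosen for illustration.

```python
from datetime import datetime, timedelta

DWELL = timedelta(hours=18)  # dwell time before encryption quoted in the article

# Hypothetical pre-authorised playbooks: indicator -> (min confidence, action).
PLAYBOOKS = {
    "dc_credential_dump": (0.90, "isolate_host"),
    "mass_shadow_copy_delete": (0.95, "isolate_host"),
}

def next_analyst_slot(t):
    """Earliest time an analyst is on shift under assumed Mon-Fri 09:00-17:00 cover."""
    while not (t.weekday() < 5 and 9 <= t.hour < 17):
        if t.weekday() < 5 and t.hour < 9:
            t = t.replace(hour=9, minute=0, second=0, microsecond=0)
        else:  # evening or weekend: roll to 09:00 the next day and re-check
            t = (t + timedelta(days=1)).replace(hour=9, minute=0, second=0, microsecond=0)
    return t

def respond(alert, coverage_24x7, triage_delay=timedelta(hours=1)):
    """Return (response time, action) for one alert."""
    rule = PLAYBOOKS.get(alert["indicator"])
    if rule and alert["confidence"] >= rule[0]:
        return alert["raised"], rule[1]  # executes without waiting for approval
    start = alert["raised"] if coverage_24x7 else next_analyst_slot(alert["raised"])
    return start + triage_delay, "analyst_triage"

def outcome(initial_access, alert, coverage_24x7):
    """Did the response land before the 18-hour encryption deadline?"""
    responded, action = respond(alert, coverage_24x7)
    return {"action": action, "responded": responded,
            "before_encryption": responded < initial_access + DWELL}

# Constructed scenario: access at 17:00 on Friday 6 June 2025, alerts four hours later.
ACCESS = datetime(2025, 6, 6, 17, 0)
HIGH = {"indicator": "dc_credential_dump", "confidence": 0.97,
        "raised": ACCESS + timedelta(hours=4)}
LOW = {"indicator": "anomalous_logon", "confidence": 0.60,
       "raised": ACCESS + timedelta(hours=4)}

if __name__ == "__main__":
    for name, alert, cover in [("high/9-5", HIGH, False),
                               ("low/9-5", LOW, False),
                               ("low/24x7", LOW, True)]:
        print(name, outcome(ACCESS, alert, cover))
```

Under business-hours cover the low-confidence alert is first looked at on Monday morning, after the encryption deadline has passed; the same alert under 24/7 cover, or a high-confidence alert matched to a playbook, is handled on Friday night.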
The AI Crime Transition
The report's documentation of AI-enabled cybercrime tooling being used at scale is significant, but the significance is different from how it is usually framed. The story is not that AI makes individual attacks dramatically more capable. It is that AI removes the bottleneck that previously constrained the scale of fraud operations.
Writing 10,000 convincing phishing emails in 10 languages used to require a team of human operators with linguistic skills. It now requires a subscription. This is not a marginal improvement in attacker capability – it is the removal of a constraint that capped the scale at which certain attack types could be operated. The victim count increase in BEC, romance fraud, and investment fraud is a direct consequence of that constraint being removed.
The defensive implication is that user training programmes designed for the pre-AI threat environment – teaching employees to look for grammatical errors, unusual sender addresses, and implausible scenarios – are less effective than they were. The training needs to evolve to focus on process controls that survive socially engineered employees: mandatory secondary verification for financial transfers, hardware-bound MFA that cannot be proxied, and approval workflows that require out-of-band confirmation.
The Predictable Response
The industry's predictable response to the Fortinet report – and to every equivalent report from Verizon, CrowdStrike, IBM, and others – is to treat it as an input to strategic planning cycles. Boards will be briefed. Risk registers will be updated. Budget requests will be submitted for the next fiscal year.
The problem is that the threat is not waiting for the planning cycle. The 389% increase in victim counts did not happen because the threat landscape suddenly changed in 2025. It happened because the cumulative gap between threat capability and defensive investment, measured across thousands of organisations, widened past the point where the underlying attack volume produced more confirmed victims than defensive investment prevented.
Closing that gap requires changing the speed at which threat intelligence translates into architectural change – not just the quantity of intelligence consumed. Seven thousand victims is not a knowledge problem. It is an implementation speed problem.