The numbers are stark. Confirmed ransomware victims globally jumped from approximately 1,600 in 2024 to 7,831 in 2025 — a 389% increase in a single year. Fortinet's 2026 Global Threat Landscape Report, released this week, documents how AI has fundamentally changed the economics and velocity of cybercrime.

The report, derived from FortiGuard Labs telemetry, identifies a clear cause: AI-enabled attack tooling has lowered the skill floor for cybercriminals while dramatically increasing their operational speed. WormGPT, FraudGPT, and a new entrant called HexStrike AI are being sold as services on dark web marketplaces, giving even low-skilled attackers access to automated reconnaissance, exploit generation, and phishing campaigns.

Speed Is the New Threat Vector

The time-to-exploit (TTE) — the window between a vulnerability being disclosed and attackers actively exploiting it — has collapsed to 24–48 hours for critical outbreaks. That's down from 4.76 days in the previous report. The React2Shell vulnerability saw active exploitation attempts within hours of public disclosure.

Dark web marketplaces now openly advertise AI-powered attack tools including WormGPT and FraudGPT, with trust scores, customer reviews, and escrow-protected transactions.
Dark web marketplaces now openly advertise AI-powered attack tools including WormGPT and FraudGPT, with trust scores, customer reviews, and escrow-protected transactions.

"Cybercrime no longer functions as a series of isolated campaigns — it operates as a system," said Derek Manky, Chief Security Strategist at FortiGuard Labs. "Malicious hackers are operating across an end-to-end life cycle and compressing the attack life cycle with shadow agents."

Smarter, Not Harder

One counterintuitive finding: brute force attempts actually decreased 22% year-on-year. The reason is efficiency. With AI-optimised targeting, attackers are making fewer attempts against better-selected targets — increasing the success rate per credential tested. The global total still amounts to approximately 67.65 billion brute force events, but the signal-to-noise ratio has improved dramatically for the attackers.

Meanwhile, exploitation attempts increased 25.49% globally. Attackers are shifting from volume-based credential stuffing to precision exploitation of known vulnerabilities.

"With AI, criminals work smarter, not harder. Fewer attempts, better-selected targets, higher success probability per credential tested."

— Fortinet 2026 Global Threat Landscape Report

The Stealer Log Economy

Credential theft has evolved. Stealer logs — comprehensive data bundles that include browser-resident data, saved passwords, session cookies, and contextual artifacts — now dominate dark web activity at 67.12% of advertised datasets. They've overtaken traditional combolists (16.47%) and leaked credentials (5.96%). The top three credential stealers in 2025 were RedLine (50.80% of infections), Lumma (27.84%), and Vidar (13.19%).

The shift matters because stealer logs enable immediate account takeover without the need for additional cracking. An attacker with a fresh stealer log can replay a victim's authenticated session within minutes.

What Defenders Must Do

The report's prescription is blunt: defenders must adopt AI-enabled tools that respond at the same velocity as modern threats. The asymmetry is currently working against defenders — attackers can iterate in hours, while enterprise security teams often operate on patch cycles measured in weeks.

The manufacturing sector was the hardest hit, with 1,284 confirmed ransomware victims. Business services (824) and retail (682) followed. Geographically, the US accounted for 3,381 victims — more than four times the next-highest country, Canada (374).