Fortinet’s FortiGuard Labs has released its 2026 Global Threat Landscape Report, revealing that ransomware victims globally skyrocketed to 7,831 confirmed cases, a staggering 389% year-over-year increase, as AI-powered tools, shadow agents, and dark web service kits transform cybercrime from scattered campaigns into a fully systematized, end-to-end industrial operation.
Fortinet® (NASDAQ: FTNT), a global leader in the convergence of networking and security, published the 2026 Global Threat Landscape Report from FortiGuard Labs on April 30, 2026.
Derived exclusively from FortiGuard Labs telemetry, the report provides a comprehensive analysis of active threat trends from 2025, mapped across every tactic in the MITRE ATT&CK framework.
The core finding is unambiguous: cybercrime has abandoned its episodic nature and now operates as a synchronized, AI-accelerated ecosystem in which threat actors compress the entire attack life cycle through automated “shadow agents” that handle reconnaissance, weaponization, and execution.
Derek Manky, Chief Security Strategist and Global VP of Threat Intelligence at FortiGuard Labs, stated that malicious actors are now leveraging agentic AI to execute increasingly sophisticated attacks and that cyber defenders must evolve into an industrialized defense posture, adopting AI-enabled tools that respond at the same velocity as modern threats.
Ransomware Victims Spike 389% Globally
One of the most alarming metrics in the 2026 report is the dramatic compression of time-to-exploit (TTE). FortiGuard intelligence now registers TTE at 24 to 48 hours for critical vulnerability outbreaks, a sharp acceleration from the 4.76 days recorded in previous FortiGuard reports.
AI is directly responsible for this speed increase, as it automates reconnaissance, weaponization, and initial exploitation phases with minimal human intervention.
Real-world evidence reinforces the data: active exploitation attempts were recorded within hours of the public disclosure of the React2Shell vulnerability, demonstrating that defenders have virtually no window between the patch release and active exploitation in the wild.
This trend aligns with WEF’s Global Cybersecurity Outlook 2026, which similarly noted that AI is transforming the threat landscape on both offensive and defensive fronts, making response velocity a critical strategic priority.
FortiRecon adversary intelligence identified 7,831 confirmed ransomware victims globally in 2025, up from approximately 1,600 victims documented in Fortinet’s prior annual report, representing a 389% year-over-year increase.
The availability of AI-augmented cybercrime-as-a-service kits, including WormGPT, FraudGPT, and BruteForceAI, directly fueled this explosion by lowering the skill floor for threat actors.
Sector targeting was highly concentrated. The top three industries hit by ransomware were manufacturing (1,284 victims), business services (824), and retail (682).
FortiCNAPP intelligence confirms that throughout 2025, most confirmed cloud incidents originated from stolen, exposed, or misused credentials, not from infrastructure-level exploits.
Cloud identity sprawl, federated access models, and complex integrations create enormous attack surfaces. The report identified hospitals, physician clinics, and retail establishments as the top sectors targeted by cloud-based credential attacks.
This finding aligns with Rapid7’s 2026 Global Threat Landscape Report, which independently confirmed that identity-driven incidents accounted for 43.9% of all investigated cases in 2025, with exploitation attempts rising 105%.
The convergence of both reports underscores that identity is the new perimeter, and credential hygiene has become a frontline defensive imperative.
AI-Powered Offensive Tools Flood
FortiRecon dark web monitoring captured an expanding marketplace of AI-enabled offensive tools advertised as commercial services. These include:
- HexStrike AI – An offensive AI tool offering automated reconnaissance and attack path generation
- BruteForceAI – A penetration testing framework integrating LLMs for intelligent form analysis and multi-threaded credential attacks
- Enhanced WormGPT and FraudGPT variants – Upgraded versions of already-known malware-generation services
FortiGate IPS telemetry recorded a 22% year-over-year decrease in brute-force attempts, which counterintuitively signals greater efficiency: attackers are making fewer, smarter attempts against better-profiled targets.
Globally, this still translates to approximately 67.65 billion brute-force events, with 185 million daily attempts. Simultaneously, global exploitation attempts increased 25.49% year-over-year, confirming that AI optimization is shifting attacker energy from volume to precision.
FortiRecon telemetry revealed a further 79% increase in available infostealer logs in 2026, building on a 500% spike documented in the prior year’s report. Within dark web database activity, stealer logs accounted for 67.12% of all advertised datasets, far exceeding combolists (16.47%) and leaked credentials (5.96%).
The top three credential-stealer malware families driving infections were RedLine (911,968 infections / 50.80%), Lumma (499,784 / 27.84%), and Vidar (236,778 / 13.19%).
Modern threat actors prefer stealer logs because they bundle identity data with contextual browser artifacts, enabling immediate account-replay attacks without the need for additional brute-force or password spraying.
Fortinet is actively countering this industrialization of cybercrime through public-private collaboration. The recent INTERPOL-led Operation Red Card 2.0, supported by Fortinet via the WEF Cybercrime Atlas, dismantled infrastructure behind online scams, mobile money fraud, and fraudulent loan operations across Africa.
Fortinet also co-launched the Cybercrime Bounty program with Crime Stoppers International, offering a secure, anonymous channel for citizens and ethical hackers to report cyberthreat intelligence.
These efforts signal a shift from purely reactive defense to proactive ecosystem disruption, matching the industrialized scale of modern adversaries.
FAQ
Q1: What is the biggest finding in Fortinet’s 2026 Global Threat Landscape Report?
Ransomware victims surged 389% YoY to 7,831 confirmed cases, driven by AI-powered crime-as-a-service tools like WormGPT and BruteForceAI.
Q2: How fast are attackers exploiting newly disclosed vulnerabilities in 2026?
Time-to-exploit (TTE) has collapsed to just 24–48 hours for critical vulnerabilities, down from 4.76 days in prior reports.
Q3: Which sectors were most targeted by ransomware and cloud-based attacks in 2025?
Manufacturing, business services, and retail lead ransomware targeting, while hospitals and retail top cloud credential-theft incidents.
Q4: What credential-stealer malware families are most active according to FortiGuard Labs?
RedLine leads with 50.80% of infections, followed by Lumma at 27.84% and Vidar at 13.19% of all tracked infostealer activity.