Fortinet’s 2026 Global Threat Landscape Report confirmed that ransomware victims doubled from 1,600 to 7,831 in just one year, an explosive jump of 389%. AI crime tools like WormGPT, FraudGPT and BruteForceAI have made cybercriminals so powerful that even a new hacker can now cause as much damage as an experienced attacker. Manufacturing, hospitals and retail are the most targeted
There’s one number that has shaken the entire cybersecurity world 7,831. This is not a random figure its the number of confirmed ransomware victims worldwide in 2025. A year ago this number was just 1,600. That means a jump of 389% in a single year and this is not a coincidence but the result of a calculated and AI-powered revolution underway in the world of cybercrime.
Fortinet’s FortiRecon adversary intelligence identified 7,831 confirmed ransomware victims globally, and this dramatic surge is directly aided by AI crime service kits like WormGPT, FraudGPT and BruteForceAI which give attackers both intelligence and speed.
The report was released on April 30, 2026 and from that day on the cybersecurity community felt a new and deep sense of helplessness because these numbers are not just statistics behind every breach is the story of the devastation of a real company, a real hospital and a real family.
The truly scary thing about this escalation is not just the magnitude of the numbers it is the speed with which it is occurring. FortiGuard Labs confirmed that the time-to-exploit window the time it takes an attacker to initiate exploitation of a publicly disclosed vulnerability was previously 4.76 days now just 24 to 48 hours.
A real-world case of the React2Shell vulnerability perfectly illustrates this trend active exploitation attempts began within hours of disclosure. Previously this gave security teams a realistic window to deploy a patch now that window is practically gone. Attackers monitor CVE databases in real time and generate exploitation paths with AI tools and by the time defenders prepare a patch hundreds of systems have already been compromised.
AI-enabled offensive tooling is sold like an open marketplace on the dark web enhanced versions of WormGPT and FraudGPT, HexStrike AI that performs automated reconnaissance and attack path generation, and BruteForceAI that integrates large language models to perform intelligent form analysis and execute sophisticated multi-threaded attacks all advertised as products like legitimate SaaS tools.
These tools also turn people who previously had no technical knowledge into attackers a junior cybercriminal who might previously have only performed simple phishing can now with the help of AI infiltrate an enterprise network and deploy ransomware. FortiGate IPS telemetry revealed an interesting stat—brute force attempts decreased by 22% but this isn’t great news.
This means that attackers no longer attack random targets but rather choose targets better selected by AI and the per-attempt success probability has increased dramatically. Globally this translates to 67.65 billion brute force events185 million attempts daily, 1.3 billion per week.
Top Targeted Sectors Manufacturing Healthcare & Retail
The manufacturing sector suffered the most losses in 2025 with 1284 confirmed ransomware victims business services came in second with 824 victims and retail came in third with 682 victims. In terms of geographic distribution, the United States was the most affected with 3,381 confirmed victims Canada followed closely behind with 374 and Germany with 291.
Why is manufacturing so heavily targeted? The answer lies in operational technology. Factory floors production lines and supply chains are highly vulnerable to ransomware because a single compromised system can shut down an entire production line a leverage point for attackers. The manufacturer cannot afford a week-long production loss, so paying ransom seems more practical.
2025 was also a concerning year for cloud security FortiCNAPP intelligence confirmed that the vast majority of confirmed cloud incidents stemmed not from infrastructure exploitation but from stolen exposed or misused credentials.
Large identity populations federated access models and complex cloud integrations make hospitals and retail establishments prime targets the sectors most dependent on the cloud and with the greatest credential management complexity.
The case for hospitals is particularly heartbreaking when a hospitals system is encrypted not just data is lost and patients lives are at risk. Emergency rooms are diverted surgeries are canceled and ICU systems are taken offline for ransomware attackers its all leverage and nothing more.
Fortinet CISO Cornelius Mare precisely described this landscape Organizations are now facing a step change in which threat activity has shifted from isolated attacks to highly coordinated operations. Adversaries are using automation and AI to move faster and scale their impact. This is no longer just a cybersecurity issue it has become a matter of business continuity national security and public safety.
In response to this scenario Fortinet launched the Cybercrime Bounty Program which empowers ethical hackers and individuals to provide leads about cybercriminal networks and the criminal infrastructure physically disrupted through collaboration with law enforcement in Operation Red Card 2.0.
The most important task for organizations now is patch management. Bringing security to AI speed simply with scheduled patches wonot work when an attacker can deploy an exploit within 24 hours. Multi-factor authentication zero-trust architecture and credential monitoring are no longer optional they are essential for survival. This story of 7831 victims could grow even bigger next year if defenders don’t learn to respond to the speed of AI.
