
ThreatDown Study Highlights AI-Driven Ransomware Surge

A new ThreatDown report warns AI is pushing ransomware to machine scale, enabling faster intrusions, remote encryption, and stealthier attacks.

Feb 3, 2026

Cybercriminals are rapidly shifting from human-led intrusions to AI-orchestrated operations that move at machine speed, according to ThreatDown’s newly released 2026 State of Malware report. 

The research warns that artificial intelligence is now removing many of the constraints that once limited cybercrime, allowing small attacker groups—or even single operators—to execute large-scale, multi-stage intrusions in minutes rather than days.

AI-driven tactics redefine cybercrime operations

ThreatDown, the corporate business unit of Malwarebytes, says 2025 marked a turning point, with AI gaining a foothold across cybercrime operations. 

In 2026, the company expects those capabilities to dominate, compressing patch-to-exploit timelines to near real-time and overwhelming traditional security defenses.

“We’re seeing cybercrime evolve from manual, one-off intrusions into operations that move faster, scale further, and cause more disruption,” said Kendra Krause, general manager of ThreatDown. “AI is removing many of the natural limits that attackers once faced.”


Ransomware reaches record levels

The report characterizes 2025 as the worst year for ransomware on record. 

Ransomware attacks increased eight percent year over year and affected organizations in 135 countries, with attackers increasingly relying on stolen credentials and legitimate IT tools to blend into normal enterprise activity.

Rather than deploying custom malware, threat actors are staging attacks from unmanaged systems and network blind spots, a tactic that undermines endpoint security controls and complicates incident response. 

According to ThreatDown, this shift has made many ransomware incidents harder to detect until damage is already underway.

Attackers also prioritized speed and timing, frequently launching intrusions overnight, on weekends, or during holidays. In many cases, security teams did not realize they were under attack until encryption had already begun.


Remote encryption dominates ransomware tactics

One of the most significant shifts highlighted in the report is the rise of remote encryption as a primary ransomware technique. 

ThreatDown found that 86% of ransomware activity in 2025 involved remote encryption attacks, which allow adversaries to encrypt data across protected environments without deploying malware locally.

These attacks are often launched from unmanaged endpoints or shadow IT systems, leaving defenders with no malicious process to isolate and limited visibility into the true source of the breach. 

As a result, traditional detection methods that rely on identifying malware behavior are increasingly ineffective.

“The most disruptive incidents didn’t look like classic ransomware,” the report notes, emphasizing how attackers are exploiting gaps in visibility rather than weaknesses in endpoint protection alone.
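Because remote encryption leaves no malicious process on the file server, the signal a defender can still act on is the server's own share-access audit trail: one remote host touching an unusual number of distinct files, or renaming files to an extension that nothing has ever written, in a short window, often outside business hours. The following is an added example written for this page, not code from ThreatDown, Malwarebytes or the report; the event schema, the thresholds, the business-hours window and the sample events are constructed assumptions for illustration.

```python
"""Flag remote-encryption patterns in file-server share audit events.

Added example, not code from ThreatDown, Malwarebytes or the report. The
event schema, thresholds, business-hours window and sample data are
constructed assumptions chosen to illustrate the detection idea.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple


class AuditEvent(NamedTuple):
    ts: datetime
    src_host: str  # address of the client touching the share
    user: str
    op: str        # "WRITE" or "RENAME"
    path: str      # path after the operation


def _ext(path: str) -> str:
    """Lower-case extension of the final path component ('' if none)."""
    name = path.rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def _off_hours(ts: datetime) -> bool:
    # Weekend, or outside 07:00-19:00; an assumed business-hours window.
    return ts.weekday() >= 5 or not 7 <= ts.hour < 19


def detect_remote_encryption(
    events: List[AuditEvent],
    window: timedelta = timedelta(minutes=5),
    min_files: int = 25,
    min_new_ext_renames: int = 10,
) -> List[Dict]:
    """Return one alert per source host that, within any sliding window,
    touched at least `min_files` distinct paths or renamed at least
    `min_new_ext_renames` files to an extension never seen in a WRITE.
    Thresholds are illustrative and must be tuned per environment."""
    baseline_exts = {_ext(e.path) for e in events if e.op == "WRITE"}
    by_host: Dict[str, List[AuditEvent]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_host[e.src_host].append(e)

    alerts: List[Dict] = []
    for host, evs in by_host.items():
        start = 0
        for end, cur in enumerate(evs):
            while cur.ts - evs[start].ts > window:  # slide window forward
                start += 1
            win = evs[start:end + 1]
            distinct = {e.path for e in win}
            new_ext = sum(
                1 for e in win
                if e.op == "RENAME" and _ext(e.path) not in baseline_exts
            )
            if len(distinct) >= min_files or new_ext >= min_new_ext_renames:
                alerts.append({
                    "src_host": host,
                    "users": sorted({e.user for e in win}),
                    "window_start": evs[start].ts,
                    "window_end": cur.ts,
                    "distinct_files": len(distinct),
                    "new_ext_renames": new_ext,
                    "off_hours": _off_hours(cur.ts),
                    "sample_path": cur.path,
                })
                break  # one alert per host is enough to trigger response
    return alerts


def _sample_events() -> List[AuditEvent]:
    """Constructed sample: light weekday-style activity from two managed
    workstations, plus a burst from an unmanaged host (10.0.9.77) that
    rewrites files and renames them to a never-before-seen extension."""
    base = datetime(2025, 11, 15, 2, 10)  # a Saturday, overnight
    events = [
        AuditEvent(base, "10.0.1.20", "alice", "WRITE", r"\\fs01\finance\q4.xlsx"),
        AuditEvent(base + timedelta(minutes=3), "10.0.1.31", "bob", "WRITE", r"\\fs01\hr\policy.docx"),
        AuditEvent(base + timedelta(minutes=9), "10.0.1.20", "alice", "RENAME", r"\\fs01\finance\q4-final.xlsx"),
    ]
    for i in range(40):
        t = base + timedelta(seconds=15 * i)
        events.append(AuditEvent(t, "10.0.9.77", "svc_backup", "WRITE", rf"\\fs01\finance\doc{i}.pdf"))
        events.append(AuditEvent(t, "10.0.9.77", "svc_backup", "RENAME", rf"\\fs01\finance\doc{i}.pdf.locked"))
    return sorted(events, key=lambda e: e.ts)


if __name__ == "__main__":
    for alert in detect_remote_encryption(_sample_events()):
        print(alert)
```

The detector deliberately keys on the source host rather than on a process name, because in the scenario the report describes the process lives on an endpoint the security team may not manage at all; the alert's `src_host` is then the lead for isolating that machine at the network or share level. The "new extension" heuristic is the cheaper of the two signals to tune, since legitimate bulk jobs usually preserve extensions.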


AI accelerates discovery and exploitation

ThreatDown’s research also points to AI-driven vulnerability discovery as a major force reshaping the threat landscape. 

AI agents can now generate working exploits from software patches within minutes and run multiple intrusions simultaneously without human oversight.

In some cases, the report claims AI-powered systems are outperforming elite human researchers in bug bounty programs, accelerating the pace at which new vulnerabilities are discovered and weaponized. 

This shift allows attackers to conduct reconnaissance, lateral movement, and extortion at a scale previously reserved for well-resourced intrusion teams.

“When discovery, movement, and extortion can happen in minutes instead of days, businesses have far less time to respond,” Krause said.

Additionally, deepfake technology is rewriting the rules of “trust,” as people begin to fall for attacks built on manipulated video and audio content.

According to the report, AI played a role in 16% of breaches, with deepfake voice or video manipulation accounting for 35% of those incidents.


Attacks concentrate in familiar jurisdictions

Geographically, ransomware activity remains heavily concentrated in wealthier, low-risk regions. 

The United States accounted for nearly half of all known ransomware incidents in 2025 (48% of incidents worldwide), with additional clustering in other English-speaking economies and Western Europe.

By contrast, organizations in Russia, China, and much of the Global South were largely absent from ransomware leak sites. ThreatDown attributes this pattern to attackers’ preference for familiar technology stacks and environments where law enforcement and geopolitical retaliation are less likely.

Defenses must adapt to speed and stealth: what channel partners should know

ThreatDown warns that security teams can no longer assume attacks will arrive with obvious warning signs or recognizable malware. Instead, the report urges organizations to close gaps created by unmanaged endpoints, harden backup and recovery paths, and maintain continuous monitoring.

For channel partners tasked with managing their clients’ security postures, this report is yet another sign of how the changing threat landscape affects that work.

Vendors like ThreatDown continue to build programs and launch solutions that enable MSPs and others to operate more efficiently and bring security offerings to market at scale.

“We heard from partners that they loved our technology but wanted more support from us, so we came to the table to determine how we could provide more incentives, specific protections, margins, and the resources they need to be competitive,” Krause told us in November when we spoke to her about ThreatDown’s new partner program.

As AI continues to reshape the attack surface and MSPs and customers struggle to keep up, tech companies see opportunities to solve business challenges and enable their channel ecosystems in 2026 and beyond.

Victoria Durgin

Victoria Durgin is a communications professional with several years of experience crafting corporate messaging and brand storytelling in IT channels and cloud marketplaces. She has also driven insightful thought leadership content on industry trends. Now, she oversees the editorial strategy for Channel Insider, focusing on bringing the channel audience the news and analysis they need to run their businesses worldwide.
