AI-driven phishing and ransomware are the fastest-growing threat in cybersecurity, according to the Acronis Cyberthreats Report H2 2025. The report, based on global telemetry from the Acronis Threat Research Unit (TRU) and the company’s worldwide sensor network, shows that cyberthreats escalated sharply during 2025, with particular intensity in the second half of the year.
The analysis highlights a clear shift: attackers are no longer only refining well-known techniques such as phishing and ransomware, but increasingly using AI as an operational tool across the entire attack chain. The result is faster, more scalable and more sophisticated attacks that strain traditional defense strategies.
Sharp rise in email-based attacks and new attack vectors
The report shows email-based attacks increased by 16 percent per organization and 20 percent per user compared with the previous year. Phishing remains the most common entry point, accounting for 52 percent of all attacks targeting managed service providers (MSPs).
At the same time, advanced attacks against collaboration platforms rose dramatically, from 12 percent in 2024 to 31 percent in 2025. This development indicates a clear shift toward secondary attack vectors with high impact, where attackers abuse established business tools for lateral movement and data breaches.
Key findings from the report
• PowerShell is the most abused legitimate tool globally, with particularly high prevalence in Germany, the USA and Brazil
• Phishing accounted for 83 percent of all email threats during H2 2025
• All identified vulnerabilities in MSP platforms during 2025 were classified as high or critical risk
• AI is used operationally for reconnaissance, ransomware negotiations and social engineering
• India, the USA and the Netherlands had the highest frequency of mass infections and lateral spread
• South Korea was the country most affected by malware, with 12 percent of users impacted
• Manufacturing, technology and healthcare were the most targeted sectors
AI is changing the rules of cybercrime
During 2025 there was a dramatic increase in AI-assisted cybercrime. Attackers used AI to automate reconnaissance, scale attacks and optimize extortion strategies. A clear example is how GLOBAL GROUP used AI-driven systems to manage ransomware negotiations with multiple victims simultaneously, while GTG 2002 applied AI-assisted reconnaissance and data exfiltration to maximize impact.
Social engineering attacks also evolved rapidly. Virtual kidnapping scams, for example, use AI to generate convincing “proof of life” images and messages, increasing psychological pressure on victims and making these scams harder to detect.
“As cyberthreats accelerate, 2025 has shown that attackers are not only scaling traditional methods such as phishing and ransomware, but are also leveraging AI to act faster, more effectively and at greater scale,” says Gerald Beuchelt. “Organizations must therefore anticipate threats, automate defenses and build resilient systems capable of withstanding both traditional and AI-driven attacks.”
Ransomware remains the dominant threat
Ransomware continued to dominate the threat landscape during H2 2025. Nearly 150 MSP and telecom organizations were attacked directly, and over 7,600 victims were publicly disclosed worldwide. The most active ransomware groups were Qilin with 962 victims, Akira with 726 and Cl0p with 517.
The USA recorded the highest number of incidents with 3,243 reported cases. Several new ransomware groups emerged during the period, including Sinobi, TheGentlemen and CoinbaseCartel, further increasing pressure on organizations globally.
Supply chains and MSPs remain high-risk targets
Attacks against supply chains and MSP environments continue to pose a serious threat. Attackers abuse remote management and support tools such as AnyDesk and TeamViewer, impacting more than 1,200 third-party companies worldwide. The USA was the most exposed, with 574 affected organizations.
Akira and Cl0p were dominant actors in these incidents as well, underscoring the structural risk faced by MSPs and their customers in an increasingly interconnected IT landscape.
Further reading and report download
Read more about the report on the Acronis blog
Download the full Acronis Cyberthreats Report H2 2025