Cybercrime Enters a Post-Human Future as AI Drives the Shift to Machine-Scale Attacks, According to ThreatDown’s 2026 State of Malware Report

ThreatDown, the corporate business unit of Malwarebytes, today released its 2026 State of Malware report, which finds that cyberattacks are shifting from human-driven intrusions to AI-orchestrated attacks operating at machine scale. In 2025, AI gained a foothold in cybercrime; in 2026 it will dominate as attackers use AI agents to compress patch-to-exploit timelines to minutes and scale multi-stage intrusions beyond what human vulnerability researchers can sustain.

According to the report, 2025 was the worst year for ransomware on record, with attacks increasing 8% year-over-year and impacting organizations in 135 countries. The research shows attackers moving faster, using legitimate tools and stolen credentials to blend in with normal activity. Attackers are also increasingly staging ransomware from unmanaged systems and network blind spots, undermining traditional security and recovery controls.

“We’re seeing cybercrime evolve from manual, one-off intrusions into operations that move faster, scale further, and cause more disruption,” said Kendra Krause, General Manager of ThreatDown. “AI is removing many of the natural limits that attackers once faced. When discovery, movement, and extortion can happen in minutes instead of days, businesses have far less time to respond, and the stakes get much higher.”

Key findings include:

  • AI-driven operations push cybercrime toward machine scale: AI agents can now run multiple simultaneous intrusions autonomously, create exploits from patches in minutes, and outperform elite human researchers in bug bounty programs, accelerating vulnerability discovery and compressing patch-to-exploit timelines. As attackers adopt these capabilities, small crews or single operators will execute reconnaissance, lateral movement, and extortion at a scale and speed previously reserved for large and experienced intrusion teams.
  • Remote encryption becomes a defining ransomware tactic: The most disruptive incidents involved remote encryption attacks, which accounted for 86% of ransomware activity in 2025 and allowed adversaries to encrypt data across protected environments without running malware locally. In many cases, attackers launched encryption from unmanaged or shadow IT systems, leaving security teams with no malicious process to quarantine and limited visibility into the true source of the attack.
  • Attackers are designing intrusions to be invisible until it’s too late: In 2025, ransomware operators prioritized speed, stealth, and timing over persistence by moving at night or during holidays, using legitimate IT tools, launching attacks from blind spots, and disabling security and backups before encryption begins. The result is intrusions that often occur before security teams realize an incident is underway.
  • Ransomware targets wealthier, low-risk jurisdictions: The United States accounted for nearly half of all known ransomware incidents in 2025, with attacks heavily concentrated in other English-speaking economies and Western Europe. Companies in Russia, China, and much of the Global South were largely absent from leak sites, reflecting attackers’ focus on familiar technology stacks and minimal law-enforcement or geopolitical blowback.

“Defenses today have to assume that intrusions won’t always look like malware, and they won’t arrive with obvious warning signs,” said Krause. “Teams that perform best are the ones that close unmanaged endpoints, protect recovery paths, and have experts watching and responding around the clock, because when attacks move this fast, minutes matter.”

To read the full report, visit: https://www.threatdown.com/dl-state-of-malware-2026/. To learn more about the latest threats and cybersecurity strategies for businesses and the channel, visit threatdown.com or follow ThreatDown on LinkedIn and X.

About ThreatDown

ThreatDown, the corporate business unit of Malwarebytes, is a leader in endpoint security simplicity. Fueled by world-class threat research, proprietary AI engines, and a legacy of eliminating threats others miss, ThreatDown is recognized by MRG Effitas, AVLab Cybersecurity Foundation, and G2 as a leader in threat detection and response. Our powerful, efficient, and easy-to-use solutions protect people, devices, and data – within minutes. The company is headquartered in California with offices in Europe and Asia.

Contact

ThreatDown Media Contact:
press@threatdown.com