Ransomware Victims up 389%, TTE in Less Than Two Days: How Can Defenders Stay Ahead?
<p><span data-contrast="none">If you think of cyberthreats as simply a series of one-offs or single-domain trends, then you’re missing the bigger point that adversaries, just like software engineers, take an end-to-end life-cycle approach to campaigns.</span></p><p><span data-contrast="none">That life cycle starts before any intrusion occurs, including exposure discovery, access brokerage and industrial preparation, then extends through the familiar steps of exploitation and persistence, finally wrapping with monetization and operational impact. Much like a business. That is according to the FortiGuard Labs 2026 Global Threat Landscape Report, which found that cybercrime is operating as a system.</span></p><p><span data-contrast="none">“Criminals have established a scalable business model, and we expect to see ransomware attack volume to continue growing,” says Trey Ford, chief strategy and trust officer at Bugcrowd. </span></p><p><span data-contrast="none">The numbers might even be greater than revealed. 
“We also need to keep in mind that there will be a gap in reported incidents versus total ransomware incidents,” he says, explaining that “larger targets, with larger payout potential, will have seen the most aggressive corporate investment (process and technology) mitigating exposure to this attack pattern — it is still an unsolved space.” </span></p><p><span data-contrast="none">Even more troubling, the attack life cycle is being shortened with the use of shadow agents.</span></p><p><span data-contrast="none">In fact, time-to-exploit (TTE) has been shortened significantly from nearly five days to 24-48 hours, the researchers found, hastened along by AI’s use in pretty much all phases of a campaign—from reconnaissance and weaponization to execution.</span></p><p><span data-contrast="none">Noting the dramatic shift in TTE, Douglas Santos, director, advanced threat intelligence with Fortinet’s FortiGuard Labs, points to a clear trajectory: “As AI accelerates reconnaissance, weaponization, and execution, it’s only a matter of time before hours or even minutes, not days, becomes the norm across the board. The reality is, we’re not approaching that point; we’re already seeing early signs of it.”</span></p><p><span data-contrast="none">And adversaries are plying their trade on a larger population. The number of ransomware victims has soared. FortiRecon intel shows 7,831 confirmed ransomware victims around the world, up from around 1,600 identified in last year’s report. Service kits were collectively responsible for the 389% boost in a year’s time. 
And among the most popular crime kits were WormGPT, FraudGPT and BruteForceAI. Not surprisingly, manufacturing, business services and retail were the top targets, with the bulk of the victims (3,381) found in the U.S.; Canada, with 374 victims, and Germany, with 291, came in second and third.</span></p><p><span data-contrast="none">Agentic AI is certainly making it easier for just about anyone to be a successful hacker—by using shadow agents, hackers no longer need to be part of some elite force to snare their victims. Shadow agents lower the skill requirements tremendously while also ramping up the speed with which attacks can be executed. Fortinet researchers said their dark web signals found AI-enabled offensive tooling being hawked as products and services—from the familiar, like WormGPT, to the new, like HexStrike AI. </span></p><p><span data-contrast="none">That doesn’t mean elite hackers are going away, says Santos, but rather “AI is lowering the barrier for less-skilled actors to operate with the speed and scale that we used to only have to worry about with elite hackers or nation-states with nearly limitless resources.”</span></p><p><span data-contrast="none">The modern hacker, he says, “increasingly looks less like a lone expert and more like part of an industrialized ecosystem.”</span></p><p><span data-contrast="none">AI has also made the hacker’s job easier and more efficient. Brute force attempts are dwindling, having dropped 22% from last year. Now they’re optimized so that adversaries can execute fewer brute force attempts against more attractive targets, upping the success rates. 
And they’ve taken their exploitation talents global—FortiGuard notes a 25.49% increase in attempts worldwide.</span></p><p><span data-contrast="none">“AI risks have rapidly moved from a watch list item to a front-line security concern, especially when it comes to data security and misuse,” says Diana Kelley, CISO at Noma Security. </span></p><p><span data-contrast="none">“We’re seeing AI rapidly evolve from simple automation to deeply personalized, context-aware assistance—and it’s heading toward an Agentic AI future where tasks are arranged across domains with minimal human input,” adds Randolph Barr, CISO at Cequence Security.</span></p><p><span data-contrast="none">Identity continues to be a thorn in the side of defenders, and threat actors are there to take advantage. 
According to the report, most cloud incidents stemmed not from infrastructure exploitation but from credentials that had been stolen, misused or otherwise exposed.</span></p><p><span data-contrast="none">“Identity is no longer about perimeter-based defense,” says Mark McClain, CEO at SailPoint, who explains that “the rise in AI-based agents, and the tremendously accelerating threat landscape, has rendered that approach insufficient, and prompted a shift towards identity as the vital element to enterprise security.”</span></p><p><span data-contrast="none">The report also revealed a preference for stolen datasets rather than leaked credentials, with logs available from systems that had been compromised by infostealer malware surging 500% in the 2025 report and increasing another 79% in 2026. That’s due in part to agentic AI making it easier for bad actors to steal more complete datasets. </span></p><p><span data-contrast="none">“Modern identity tools need to be able to discern between regular user activity and abnormal activity, and grant—or deny—access accordingly. Every access decision is driven by who or what the identity is, the context of the data they touch, and the security signals surrounding them. By unifying identity, security, and data contexts, businesses can make real-time decisions to mitigate risk without disrupting operations,” McClain says. 
</span></p><p><span data-contrast="none">To combat this new era of threats, driven by the force multiplier of AI, he says, “we need to embrace a new approach of adaptive identity.”</span></p><p><span data-contrast="none">The shortened TTE makes it difficult for defenders to pull ahead. But not impossible. To do so they must break from traditional, reactive security models. “Defenders need to shift from waiting for alerts to continuously managing exposure, prioritizing vulnerabilities based on exploitability and active abuse, hardening identity controls, and using automation and AI-enabled operations to detect, contain, and revoke access at the same speed attackers are moving,” says Santos. </span></p><p><span data-contrast="none">“The goal is to reduce the time to detect, contain, and remediate before automated exploitation turns exposure into compromise,” he says.</span></p><p><span data-contrast="none">To manage the emerging AI-infused “threat landscape, security teams need a mature, continuous security approach, which includes blue team programs, starting with a full inventory of all AI systems, including agentic components as a baseline for governance and risk management,” says Kelley.</span></p><p><span data-contrast="none">“For practitioners, securing AI is not just about protecting models,” she says, but rather “requires addressing stack sprawl and moving 
toward a platform-driven approach that delivers defense in depth through unified, AI-aware identity, configuration, and data visibility.”</span></p><p><span data-contrast="none">Organizations that simplify their cloud and AI security stack, and enable effective automation, she says, “will be far better positioned to safely scale AI as threats continue to evolve.”</span></p><p><span data-contrast="none">Organizations can’t go it alone. “Collaboration is essential because cybercrime operates across borders, infrastructure, and jurisdictions. No single company or country can disrupt that alone,” says Santos. </span></p><p><span data-contrast="none">“The strongest results come when private-sector threat intelligence is combined with law enforcement authority and international coordination,” he says, pointing to “efforts like the World Economic Forum Cybercrime Atlas, INTERPOL-led operations such as Red Card 2.0 and Serengeti 2.0, the Cyber Threat Alliance, and Fortinet’s Cybercrime Bounty program.” Those initiatives “show collaboration is active and effective when it is operationalized around shared intelligence and disruption,” he says.</span></p><p><span data-contrast="none">And James Maude, field CTO at BeyondTrust, 
urges investments in shifting left and thinking “more about securing identities and access to reduce our attack surface and blast radius in the event of compromise, rather than just thinking post breach.” </span></p><p><span data-contrast="none">He contends that “ransomware and other threats are only as effective as the privileges and access they manage to acquire so if we can implement better hygiene and focus on least privilege, then the threat actors are far less likely to ransom us in the first place.”</span></p>