AI-driven phishing campaigns are dominating global cyberattacks

We’re watching a new phase in cybersecurity unfold, one powered by artificial intelligence. Phishing, once simple and predictable, has become highly adaptive and data-driven. In 2025, Acronis reported a 16% increase in email-based attacks per organization and a 20% rise per individual user. Phishing alone represented 83% of all email threats and over half of the attacks hitting managed service providers. The campaigns behind those numbers are smarter, faster, and far more scalable.

Email remains the easiest way for attackers to reach people. But now, AI makes those attacks harder to spot and easier to spread. Algorithms analyze writing patterns, behavioral cues, and company structures to generate convincing messages. Attackers no longer need deep technical expertise; they can automate persuasion using machine learning tools. This efficiency has also spilled over into new targets. Collaboration platforms (tools for meetings, document sharing, and chat) are becoming the next major attack vector. As companies expand digital communication, every shared file or chat link is a potential entry point.

Executives need to view this not just as an IT issue but as an operational risk. AI gives attackers scale, and that scale will only increase. Traditional filters are becoming less reliable because AI-driven phishing adapts too quickly. The right response now is intelligent defense. That means automation, real-time monitoring, and constant employee awareness. Defensive AI will be as necessary as offensive AI is effective.

Gerald Beuchelt, Chief Information Security Officer at Acronis, put it clearly: attackers are “scaling traditional methods like phishing and ransomware” through AI. It’s no longer about keeping pace; it’s about staying ahead. For organizations to thrive in this new environment, cybersecurity must evolve as fast as the threats themselves.

Operational adoption of AI is transforming the entire cybercrime lifecycle

We’ve moved past the experimental stage of AI in cybercrime. It’s now operational, fully embedded into every major stage of an attack, from reconnaissance to execution. Acronis observed several criminal groups using AI to automate their workflows. GLOBAL GROUP ran AI-driven ransomware negotiations with multiple victims at once. GTG-2002 used AI tools for careful reconnaissance and data theft. These systems think, adapt, and act faster than any human team could.

Criminals are also applying AI to psychological manipulation. Some schemes now include virtual kidnapping scams using AI-generated “proof of life” imagery, showing how fast synthetic media can be exploited to drive extortion. These tactics, once rare and experimental, are now part of structured criminal operations. When automation and intelligence combine at this level, detecting patterns early becomes incredibly challenging.

For decision-makers, this marks a clear turning point. Traditional cybersecurity methods rely too heavily on human response time. AI-powered threats move at machine speed, and human oversight will always be slower. Companies must focus on predictive detection systems and automated defense infrastructure. That includes intelligent analytics capable of identifying anomalies, adaptive threat models, and ongoing training for security teams.

The takeaway is straightforward: automation is no longer optional. If attackers are using AI to scale crime, businesses must use AI to defend themselves. Waiting to react is a losing strategy; proactive innovation is what will keep companies secure and sustainable in this new era of digital conflict.

Ransomware remains a core cyber threat even as attack methods diversify

Ransomware continues to dominate the cyber threat landscape, proving it’s not going away anytime soon. Attackers are doubling down on industries that cannot afford downtime: manufacturing, technology, and healthcare. These sectors face operational complexity and high dependency on continuous uptime, making them ideal ransomware targets. Acronis’ report recorded nearly 150 managed service provider (MSP) and telecom organizations directly attacked in 2025, and over 7,600 publicly disclosed victims worldwide. The leading groups, Qilin, Akira, and Cl0p, collectively accounted for over 2,200 victims. The United States topped the list with 3,243 affected organizations.

Established ransomware operators are no longer acting alone. They’ve built extensive affiliate networks to accelerate distribution and impact. Meanwhile, new players such as Sinobi, TheGentlemen, and CoinbaseCartel are emerging, each refining their methods and seeking attention through data leaks and public extortion portals. This expanding ecosystem of threat actors is reshaping how digital extortion functions: it is more automated, more organized, and increasingly segmented by industry focus.

For leaders, ransomware should now be viewed not just as a security event but as a business continuity issue. A single compromise can disrupt core operations, damage brand reputation, and lead to prolonged downtime. Relying solely on perimeter defense is no longer practical. Executives must ensure that enterprises maintain immutable data backups, tested recovery procedures, and layered threat detection systems that can identify early signs of compromise. Cyber resilience, the ability to recover quickly after an incident, is the determining factor in minimizing impact.

The economics behind ransomware also highlight a larger strategic concern. Extortion has evolved into a competitive business for attackers, with pricing models, brand recognition, and victim management processes. For the corporate world, addressing this requires an equally organized response: investments in AI-driven threat intelligence, regular risk assessments, and leadership engagement in cybersecurity strategy. Executives cannot distance themselves from the issue; their direct involvement signals priority and shapes organizational readiness.

Supply chain and MSP attacks are intensifying via exploitation of remote access tools

The attack focus is expanding from individual organizations to interconnected ecosystems. Cyber adversaries now exploit managed service providers and their partners to multiply the effect of a single breach. These attackers are leveraging widely used remote monitoring and management (RMM) applications, including AnyDesk and TeamViewer, to establish persistence within client networks. Acronis reported over 1,200 third-party and supply chain victims in 2025, including 574 based in the United States. Akira and Cl0p were consistently involved in these campaigns, operating across multiple client networks serviced by affected MSPs.

This high dependency on MSPs introduces systemic risk. Because MSPs control remote access, configurations, and monitoring tools for several clients, a single compromised credential can open hundreds of interconnected systems to attack. Acronis noted that every MSP-related vulnerability disclosed in 2025 was rated High or Critical. Even with fewer reported vulnerabilities, each represented significant potential for chain-wide disruption.

For decision-makers, this reality demands attention at the governance level. Cybersecurity cannot stop at internal controls; it must extend through every vendor and partner that connects to operational infrastructure. Executives should ensure that third-party providers comply with continuous vulnerability scanning and multi-factor authentication across all management tools. Enforcing strict security baselines within contracts and conducting periodic security audits are crucial steps to reduce exposure.

The growing scale of supply chain targeting also reinforces the importance of visibility. Enterprises must be able to trace the impact of a compromised vendor through their digital ecosystem in real time. This requires integrated monitoring systems, clear incident response frameworks, and aligned communication protocols between internal and external teams. For global operations, transparency and collaboration across partners can significantly reduce the blast radius of these attacks. The focus is shifting from prevention alone to systemic resilience, ensuring that even if part of the chain is compromised, the organization remains operational and secure.

Geographic disparities and platform-specific trends reveal shifting attacker priorities

Cybercriminals are becoming more selective in how and where they operate. The latest data from Acronis shows that attack intensity and methodology vary significantly by geography. India, the United States, and the Netherlands are experiencing the highest rates of mass infection and lateral movement, while South Korea has seen the highest malware infection levels, affecting 12% of users. These regional patterns highlight how attackers tailor their efforts to exploit local conditions, from digital infrastructure maturity to industry concentration and regulatory enforcement.

At the same time, collaboration platforms are becoming high-value targets. Acronis reported a sharp rise in advanced attacks on these tools, from 12% in 2024 to 31% in 2025. Attackers are now using social engineering tactics that fit seamlessly into the workflows of chat, document-sharing, and meeting applications. As more enterprises integrate these tools into daily operations, the security perimeter continues to extend, increasing exposure to manipulation, credential theft, and data leakage. The result is a broader and more dynamic threat environment.

For executives, these findings provide actionable insight. Cybersecurity planning must factor in regional exposure levels, regulatory differences, and sector-specific vulnerabilities. Multinational organizations should invest in security operations centers capable of regional threat tracking. This allows detection and response teams to monitor local trends and adjust defenses based on the threat activity unique to each geography. Leadership should also ensure compliance frameworks align with these regional variations to reduce both security and legal risks.

The surge in attacks through collaboration platforms signals a deeper structural change. Digital communication is no longer an auxiliary tool; it is core to business continuity. Security protocols must evolve accordingly, with stronger identity verification, segmented permissions, and adaptive monitoring systems across every platform employees use to collaborate. For C-suite leaders, this means treating digital collaboration environments as part of the organization’s primary infrastructure. Building centralized oversight and security governance into every connected platform will be key to resisting the next generation of AI-enabled, cross-platform attacks.

Key takeaways for decision-makers

  • AI-driven phishing escalation: Phishing now leads global cyberattacks, with AI making campaigns faster, more adaptive, and harder to detect. Leaders should invest in automated threat detection and continuous staff awareness to counter evolving social engineering tactics.
  • AI operationalization in cybercrime: Criminals are embedding AI across reconnaissance, negotiation, and data theft, enabling precision and scale. Executives should accelerate adoption of AI-driven defense and predictive analytics to match this pace of automation.
  • Ransomware persistence and diversification: Ransomware remains a critical threat, increasingly targeting uptime-dependent industries. Decision-makers must strengthen data recovery systems, ensure resilient backups, and implement response plans that minimize downtime and financial impact.
  • Supply chain and MSP vulnerabilities: Cybercriminals are exploiting remote management tools to compromise entire supply chains through a single breach. Leaders should enforce strict third-party security protocols, continuous vulnerability assessments, and stronger governance across partner networks.
  • Shifting global attack patterns: Regional variations and rising attacks on collaboration tools signal changing attacker priorities. Executives should align cybersecurity investments to local threat trends, enhance identity protections, and treat digital collaboration systems as core business infrastructure.

Alexander Procter

March 4, 2026
