
Cybercriminals are spending less time using AI to develop new kinds of cyberattacks. Unfortunately, that’s not good news. According to the Acronis Cyberthreats Report H2 2025, cybercriminals are focusing on using AI to scale and refine the attacks they’ve already developed. As a result, they’re working more efficiently.
The Acronis Cyberthreats Report H2 2025 delves into many more cybersecurity trends and goes into much deeper detail on the evolving impact of AI on cyberthreats.

Cybercriminals are getting a productivity boost from AI
According to the report, 80% of ransomware‑as‑a‑service (RaaS) vendors advertise AI or automation features. Attackers are operationalizing AI for scaling existing attacks as opposed to spending time creating new ones. They’re using AI-based capabilities to amplify proven techniques and tactics, including data extortion reconnaissance, fraud and ransomware negotiations.
And, like many office workers, cyberattackers are using AI to save time by taking advantage of autonomous and semi‑autonomous task execution. With AI, attackers can reduce workloads and carry out more attacks in less time. They benefit from the same advantages of AI as managed service providers (MSPs) and other businesses do.
Examples of AI usage in cyberattacks and scams in 2025:
- The GLOBAL GROUP ransomware organization introduced an AI‑driven chatbot to negotiate with victims and extract as large a ransom as possible.
- Ransomware gang GTG‑2002 used AI tools to generate scripts, harvest credentials and analyze stolen data.
- A Chinese state‑aligned intrusion demonstrated agentic AI behavior by connecting reconnaissance and credential use with minimal human input.
- Virtual kidnapping scams increased success rates by using AI‑altered photos and videos as fake “proof of life.”
Cybersecurity statistics: Where the numbers spiked
The second half of 2025 delivered clear cyberattack surges across email, collaboration platforms and ransomware. Email remained the dominant attack vector, while collaboration apps remained the favored place for precision social engineering and privilege abuse.
Email threats:
- Email-based attacks per organization increased 16% year over year, and attacks per user increased 20%.
- Email attacks surged 36% in H2 2025 vs H1 2025, confirming email as the primary initial access point.
- Phishing dominated email threats in H2, accounting for 83% of all email threats, while advanced attacks made up only 1%.
Attacks on collaboration applications:
- Advanced attacks in collaboration applications rose sharply from 12% of all attacks in 2024 to 31% in 2025, a rate more than 30x higher than in email.
- Malware represented 54% of attacks and phishing 15%.
Manufacturing in the crosshairs:
- Manufacturing and technology were the most attacked sectors, reflecting operational pressure in complex IT/OT environments.
- Supply chain and third‑party compromise affected at least 1,200 victims between January and November 2025.
More ransomware expansion:
- Acronis detected nearly 100 active RaaS providers, with 34 new groups observed in H2 2025 alone.
- Ransomware attacks rose 50% year over year through October, driven by ransomware groups Qilin, Sinobi and Akira.
Statistics MSPs need to know
For service providers, vulnerabilities remained a significant issue, and some providers failed to patch systems effectively. The report notes that almost 150 MSPs and telcos fell victim to ransomware in 2025, including 69 MSPs.
Initial access vectors for MSP compromises:
- Phishing: At 52%, still the top vector.
- Unpatched vulnerabilities: Dominant in MSP and supply chain incidents, this type of attack was the initial access vector in 27% of attacks on MSPs.
- Credential abuse: 13%.
- Trusted relationships: 5%.
- Remote Desktop Protocol: 3%.
Nearly 3,000 critical vulnerabilities were disclosed in 2025, highlighting the importance and urgency of patch management. Additionally, 100% of vulnerabilities disclosed in MSP platforms, such as RMMs and PSAs, were High or Critical, underscoring severe operational risk.
What MSPs can do to protect themselves
AI has altered the threat landscape. To keep pace with cybercriminals who are armed with AI, service providers should continue to follow foundational practices and key controls while adopting new technologies and defensive tactics:
- Strengthen backup and recovery through immutable backups integrated with detection telemetry to prevent tampering and enable rapid restoration.
- Fight AI with AI by deploying AI-powered extended detection and response (XDR) to deflect threats before they can do damage and to correlate behavior across endpoints, identities, email and cloud services.
- Enforce strong identity controls by adopting a zero trust policy, enforcing multifactor authentication (MFA) universally and monitoring access anomalies across both human and nonhuman accounts.
- Accelerate patch management by deploying AI-enabled, automated risk‑based patching.
- Extend controls to Teams and other collaboration apps and train users on real‑time impersonation and approval scams to defend against collaboration platform abuse.
- Manage AI risks by implementing AI governance, restricting sensitive data in prompts, and logging and auditing AI‑initiated changes.
What to expect in 2026
As 2026 unfolds, a few trends are likely to emerge:
- AI will become a target and risk surface, with attackers using prompt injection and agent workflow manipulation; MSPs need to audit and put guardrails on their own AI tools.
- Ransomware will evolve to extortion‑first, with data theft and regulatory pressure outweighing encryption as the primary method of monetization.
- Supply chain and shared components will remain frequent targets, with attackers targeting MSP‑adjacent ecosystems and trusted integrations like OAuth grants and SaaS connectors.
- Scams and phishing will become multi‑channel and AI‑scaled due to industrialized impersonation across SMS, chat apps and collaboration platforms.
Read the Acronis Cyberthreats Report H2 2025
For comprehensive and in-depth statistics, observations and tips on cybersecurity in the second half of 2025 as well as what’s to come, read the Acronis Cyberthreats Report H2 2025.




