Dive Brief:
- Cybercrime “began its shift toward an AI-driven future” in 2025, the security firm Malwarebytes said in a report published Tuesday that charted AI’s influence on the rapidly growing hacking ecosystem.
- AI is making cyberattacks faster and more effective through deepfakes, vulnerability discovery, autonomous ransomware attacks and growing connectivity between AI models and penetration testing tools, according to the report.
- Malwarebytes urged businesses to “shrink their attack surfaces, harden identity systems, close blind spots, accelerate remediation, and adopt continuous monitoring.”
Dive Insight:
Security experts have predicted for years that AI would make it easier for hackers to design, prepare and launch cyberattacks, and the past year has vindicated those predictions, with high-profile reports of AI automating key aspects of the cyberattack life cycle.
“Hands-on-keyboard intrusions still dominated” the landscape in 2025, Malwarebytes said in its report, “but the year delivered the first confirmed cases of AI-orchestrated attacks—alongside deepfake-enabled social engineering and AI agents that outperformed humans at discovering vulnerabilities.”
Malwarebytes predicted that in 2026, AI’s “emerging capabilities will mature into fully autonomous ransomware pipelines that allow individual operators and small crews to attack multiple targets simultaneously at a scale that exceeds anything seen in the ransomware ecosystem to date.”
The report cited several concerning findings, including an IBM report that 16% of breaches involved AI, with a third of those incidents involving deepfake media; the fact that the autonomous vulnerability-reporting agent XBOW topped HackerOne’s leaderboard, becoming the first AI model to do so; and Anthropic’s discovery of how cybercriminals were abusing its Claude tool for attacks.
Beyond those incidents, Malwarebytes said, defenders should focus on hackers’ use of the Model Context Protocol to connect agents to other tools, including security research software often used for criminal attacks. Malwarebytes cited a 2025 MIT study in which an AI model using MCP “achieved domain dominance on a corporate network in under an hour with no human intervention, evading endpoint detection and response (EDR) measures through on-the-fly tactic adaptation.”
Just as AI, MCP and penetration testing tools can help defenders red team their systems more efficiently, Malwarebytes said, they also create “a path for cyberattacks that are faster, more adaptive, and far more scalable than anything achievable through hands-on-keyboard intrusions.”
Malwarebytes predicted that “in 2026, MCP-based attack frameworks will become a defining capability of cybercriminals targeting businesses.”
The report also discussed the state of the ransomware ecosystem, which it said increasingly relied on an alarming technique. While the traditional ransomware model involves the delivery of a malicious payload to a target system, Malwarebytes found that 86% of attacks in 2025 constituted “remote encryption” operations, in which hackers locked up files across an entire network from a staging point on a single unprotected machine.
“In many cases, attackers launched encryption from unmanaged or shadow IT systems, leaving security teams with no malicious process to quarantine and limited visibility into the true source of the attack,” the report said.
Ransomware attacks increased 8% year over year in 2025, making it the worst year on record, according to Malwarebytes. The Akira malware strain accounted for the plurality of ransomware detections (37%), with Qilin accounting for 15% and Play and Makop each accounting for 6%.
The U.S. experienced 48% of all ransomware attacks that Malwarebytes detected in 2025, with Canada and Germany each accounting for 5% and the U.K. accounting for 4%. In total, ransomware attacks struck 135 countries.
“Companies from Russia, China, and much of the Global South were largely absent from leak sites,” Malwarebytes noted. “This pattern reflects long-standing geopolitical and economic dynamics in the ransomware ecosystem: Cybercriminals focus on wealthier economies with familiar technology stacks and languages, and where political or law-enforcement blowback is minimal.”
