Cybercrime is rapidly evolving into a post-human era, with AI agents enabling attacks that operate at machine speed and scale, according to ThreatDown's 2026 State of Malware report. The research details a shift where AI compresses exploit timelines to minutes, remote encryption dominates, and attackers design stealthy, high-speed intrusions that bypass traditional defenses by blending into normal network activity.
AI is shifting cybercrime from human-driven to machine-scale operations.
Ransomware attacks increased by 8% in 2025, impacting 135 countries.
AI agents can autonomously run multiple intrusions and create exploits from patches in minutes.
Remote encryption attacks accounted for 86% of ransomware activity, launched from unmanaged systems.
Attackers prioritize stealth, using legitimate tools and striking during off-hours.
The U.S. was the top target, with attacks focused on wealthier, low-risk jurisdictions.
The report identifies 2026 as the year AI will dominate the attacker landscape. AI agents are removing traditional limits, enabling small crews to execute reconnaissance, lateral movement, and extortion at a speed and scale previously only possible for large, experienced teams. This automation compresses the patch-to-exploit window to minutes, drastically reducing the time organizations have to respond to emerging vulnerabilities.
A defining and highly disruptive trend of 2025 was the prevalence of remote encryption attacks, which made up 86% of ransomware activity. This technique allows adversaries to encrypt data across a network from a single, often unmanaged or shadow IT system. This approach leaves security teams with no local malicious process to quarantine and severely limited visibility into the attack's true origin, undermining traditional detection and recovery controls.
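Because a remote encryption attack leaves no malicious process on the affected machines, the file server's own audit trail is one place the activity still shows up. The sketch below is an added example, not code from the report or from ThreatDown: it scans time-ordered file-access records for a single source that modifies many distinct files within a short window and checks that source against a list of managed hosts. The record layout, IP addresses, inventory, and thresholds are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: file-server audit records (time, source IP, file path, operation).
# Field layout, addresses and thresholds are assumptions for illustration.
MANAGED_IPS = {"10.0.1.20", "10.0.1.21"}  # hosts with an endpoint agent (assumed inventory)

def make_events():
    t0 = datetime(2025, 12, 25, 2, 0, 0)
    events = []
    # Managed workstation: a handful of ordinary edits spread over ten minutes.
    for i in range(5):
        events.append((t0 + timedelta(minutes=2 * i), "10.0.1.20", f"/finance/q{i}.xlsx", "write"))
    # Unmanaged host: 40 files rewritten and renamed in under a minute.
    for i in range(40):
        ts = t0 + timedelta(seconds=i)
        events.append((ts, "10.0.9.77", f"/finance/doc{i}.docx", "write"))
        events.append((ts, "10.0.9.77", f"/finance/doc{i}.docx", "rename"))
    return sorted(events, key=lambda e: e[0])

def find_bulk_modifiers(events, managed_ips, window=timedelta(seconds=60), threshold=30):
    """Return {source_ip: {"peak_files": n, "managed": bool}} for sources that
    modified at least `threshold` distinct files inside any sliding `window`."""
    recent = defaultdict(deque)       # source -> (time, path) pairs still in the window
    peak = defaultdict(int)           # source -> most distinct files seen in one window
    for ts, src, path, op in events:  # events must be time-ordered
        if op not in ("write", "rename"):
            continue
        q = recent[src]
        q.append((ts, path))
        while q and ts - q[0][0] > window:
            q.popleft()
        peak[src] = max(peak[src], len({p for _, p in q}))
    return {
        src: {"peak_files": n, "managed": src in managed_ips}
        for src, n in peak.items() if n >= threshold
    }

if __name__ == "__main__":
    for src, info in find_bulk_modifiers(make_events(), MANAGED_IPS).items():
        tag = "managed" if info["managed"] else "UNMANAGED: no endpoint agent to alert locally"
        print(f"{src}: {info['peak_files']} files within 60s ({tag})")
```

A hit on an unmanaged source is the case the paragraph above describes: the only place to stop it is at the file server or the network, since there is no agent on the originating host to quarantine anything.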
Modern ransomware operators are prioritizing speed and invisibility. Intrusions are designed to be invisible until encryption begins, often executed at night or during holidays using legitimate IT administration tools. Attackers systematically disable security and backup solutions before launching encryption, meaning the first sign of an incident for many teams is the ransom note itself, leaving minimal time for defensive action.
The geographic focus of attacks reveals a strategic calculus by threat actors, heavily concentrating on English-speaking economies and Western Europe—particularly the United States—while largely avoiding regions with potential for significant law enforcement or geopolitical retaliation.
The report underscores a critical defensive shift. "Defenses today have to assume that intrusions won’t always look like malware," said Kendra Krause, General Manager of ThreatDown. Effective response now hinges on closing security blind spots, protecting recovery paths, and maintaining continuous expert monitoring, as the speed of AI-driven attacks makes every minute critical.