AI‑Powered Ransomware To Explode In 2026 After Brief 2025 Slowdown, Say Security Experts
Security experts from Check Point and GuidePoint warn that AI‑driven ransomware is accelerating in ways that midmarket IT teams—already stretched thin—must urgently prepare for.
Two security companies drew similar conclusions about ransomware attacks: They ramped up in December 2025 with no signs of abating in 2026.
Early last year, several security researchers noticed that ransomware attack levels had somewhat normalized from the first quarter through the third quarter of 2025.
The number of those victimized by ransomware decreased during that period, according to an October 2025 report from GuidePoint Security.
While “global attack volumes rose more modestly,” there was a regional spike in ransomware activity at the end of December 2025, most notably in Latin America, Check Point Software Technologies researchers posted on the company’s site Tuesday. The researchers attributed the worldwide surge in ransomware attacks to enterprise adoption of GenAI.
GuidePoint’s Research and Intelligence Team Thursday released its new findings on ransomware for 2026.
The researchers found that although 2025 began as a “somewhat average” year for ransomware growth, by the end of December ransomware attacks “shattered” all records and there was a 58 percent year-over-year increase in the number of observed ransomware victims.
Check Point researchers noted a 60 percent increase in ransomware attacks from December 2024 to December 2025—“a sharp rise [that] underscores the continued dominance of ransomware as a primary threat vector,” the researchers concluded in the report.
So who is behind these attacks, where are they occurring, and which industries are the biggest targets this year? Both reports had similar findings.
Most Prolific Threat Groups
Check Point and GuidePoint found that Qilin, a notorious ransomware-as-a-service group that recruits via the dark web, and Akira had become the most active threat groups, overtaking the LockBit and Alphv groups.
“Qilin, which first appeared in 2024, rose to much greater prominence in 2025 by publicly claiming the most victims,” GuidePoint’s report stated.
“Among ransomware operators, Qilin emerged as the most active group in December, responsible for 18% of published attacks. Qilin, a long-established ransomware-as-a-service (RaaS) operation that has been active since 2022, has significantly expanded its affiliate recruitment and victim disclosures since early 2025,” Check Point’s report revealed.
Check Point also noted that Akira is largely focused on attacking Windows, Linux and ESXi environments.
Rise Of AI Causes Rise In Ransomware
Both companies’ researchers pointed to the accelerated adoption of AI as a cause for ransomware spikes.
Threat actors are increasingly using AI/LLMs to carry out their nefarious activities.
“While the earliest instances of AI/LLM usage by ransomware threat actors (TA) skewed towards social engineering and translation, we’ve increasingly observed their use to overcome roadblocks and rudimentary scripting efforts,” GuidePoint’s report stated.
“More widespread adoption of AI/LLM in TA workflows will likely further reduce technical barrier to entry for less experienced operators,” the report also concluded.
Check Point’s report revealed GenAI to be a significant entry point for threat actors, with its use opening up companies to sensitive data exposure risks. From Check Point’s report:
- One in every 27 GenAI prompts submitted from enterprise networks posed a high risk of sensitive data leakage.
- Ninety-one percent of organizations using GenAI tools were affected by high-risk prompt activity.
- An additional 25 percent of prompts contained potentially sensitive information.
- Organizations used an average of 11 different GenAI tools during the month.
- The average enterprise user generated 56 GenAI prompts per month, underscoring the growing operational reliance on GenAI platforms.
The Industries Most Targeted For Cyberattacks
GuidePoint noted that the manufacturing industry had the most ransomware victims followed by the technology, retail/wholesale and health-care industries. Moreover, these sectors are more likely to suffer financial or operational losses after a ransomware attack.
Check Point’s findings differed. Check Point researchers cited the most targeted sectors as education, governments and nonprofits; however, the report put them under the umbrella of all cyberattacks, not exclusive to ransomware.
Regions Hardest Hit By Cyberattacks
Check Point’s report found a surge in ransomware attacks across Latin America.
According to Check Point: “Latin America experienced the sharpest rise in cyber attacks globally, with organizations in the region facing an average of 3,065 attacks per week, a 26% year-over-year increase that outpaced all other regions.”
The U.S. remains the most targeted country for ransomware attacks according to GuidePoint, followed by Canada, Germany and the U.K.
Why This Matters For The Midmarket
Many of the midmarket leaders MES Computing has spoken with are fully aware of and prepared for ransomware attacks. They use MSSPs for 24x7 monitoring and defense. They also have cybersecurity insurance in case critical data is hijacked.
Yet midmarket leaders say warding off ransomware attacks is a constant battle.
In a recent episode of MES’s podcast, Ready.Set.Midmarket!, Christopher J. Walsh, vice president and CISO for Security Mutual Life Insurance Company of New York, touched on the challenges of dealing with ransomware.
“If you think about the way it’s evolved the last 20 years especially, actually the last 10 even, and we get information about a new ransomware actor or we get another threat, and you buy tools. That’s what we did. We bought tools to put out those fires or to protect you against those threats, but as you said, they keep evolving.
“I’ve personally seen and just noticed just through the course of the last buying of the tools you can't keep up with it. That's just Whac-A-Mole,” he said.
Cyber resilience and cyber threat intel are critical to shoring up an organization’s defenses.
Jawahar Sivasankaran, president of cybersecurity firm Cyware, advised IT leaders to “take a more threat-centric approach” to cybersecurity.
“Rather than going after all the data that’s coming in, let me look at high-fidelity threat events that are actually happening. Where am I exposed? Who are the adversaries that are coming at me? Do I see my peers in my same sector or my industry facing the same challenge? What opportunities exist for me to collaborate with that threat intelligence? And then how do I take action based on that threat intelligence that I'm seeing?” Sivasankaran said on a recent episode of Ready.Set.Midmarket!
Leveraging AI to combat AI-fueled ransomware is another sound strategy, and an investment midmarket IT leaders say they plan to make in 2026. Among the senior midmarket leaders polled at the end of 2025 for MES’ IT Leaders Spending Intent survey, 36.5 percent said 11 percent to 20 percent of their IT budget was spent on cybersecurity.
Security was the biggest reason for increased IT budgets.
Moreover, a majority said that their focus this year is on using AI to help with cybersecurity and incident response.