
Remote encryption attacks have accounted for 86 percent of ransomware activity in 2025 according to a new report, and have allowed adversaries to encrypt data across protected environments without running malware locally.
The study from ThreatDown, the corporate business unit of Malwarebytes, finds that in many cases, attackers launched encryption from unmanaged or shadow IT systems, leaving security teams with no malicious process to quarantine and limited visibility into the true source of the attack.
Overall, 2025 was the worst year for ransomware on record, with attacks increasing eight percent year-on-year and impacting organizations in 135 countries. The research shows attackers moving faster, using legitimate tools and stolen credentials to blend in with normal activity.
“We’re seeing cybercrime evolve from manual, one-off intrusions into operations that move faster, scale further, and cause more disruption,” says Kendra Krause, general manager of ThreatDown. “AI is removing many of the natural limits that attackers once faced. When discovery, movement, and extortion can happen in minutes instead of days, businesses have far less time to respond, and the stakes get much higher.”
Unsurprisingly, AI is a factor, with AI-driven operations pushing cybercrime toward machine scale. AI agents are now able to run multiple simultaneous intrusions autonomously, create exploits from patches in minutes, and outperform elite human researchers in bug bounty programs, accelerating vulnerability discovery and compressing patch-to-exploit timelines. As attackers adopt these capabilities, small crews or single operators will execute reconnaissance, lateral movement, and extortion at a scale and speed previously reserved for large and experienced intrusion teams.
There’s also evidence of intrusions increasingly being designed to be invisible until it’s too late. In 2025, ransomware operators have prioritized speed, stealth, and timing over persistence by moving at night or during holidays, using legitimate IT tools, launching attacks from blind spots, and disabling security and backups before encryption begins. The result is intrusions that often occur before security teams realize an incident is underway.
“Defenses today have to assume that intrusions won’t always look like malware, and they won’t arrive with obvious warning signs,” adds Krause. “Teams that perform best are the ones that close unmanaged endpoints, protect recovery paths, and have experts watching and responding around the clock, because when attacks move this fast, minutes matter.”
You can read more and get the full report on the ThreatDown blog.

