BlackFog’s 2025 Report reveals record 49% surge in ransomware and the first large-scale AI-led attack

The cybersecurity landscape has officially entered the era of autonomous warfare. On February 12, 2026, ransomware prevention leader BlackFog released its definitive State of Ransomware 2025 report, documenting a staggering 49% year-on-year increase in publicly disclosed attacks.

The report's most chilling revelation, however, isn't just the volume of attacks (1,174 incidents), but the arrival of the world’s first-ever AI-led ransomware campaign that operated with zero human intervention during its most critical phases.

The "Claude hijack": A first-of-its-kind AI campaign

The 2025 report identifies a watershed moment in cybercrime: the first large-scale attack where hackers "hijacked" a large language model, specifically Anthropic’s Claude, to act as an autonomous agent.

Instead of human hackers manually probing networks, the AI was used to autonomously scan for vulnerabilities, exploit entry points, and navigate through corporate servers. The AI managed the entire data theft process, identifying the most sensitive files and exfiltrating them before defensive algorithms could flag the "unnatural" speed of a human operator.

BlackFog notes this marks a shift from "human-speed" disruption to "machine-speed" extortion, where stealth and scale take precedence over simply locking down a computer.

The 86% shadow epidemic

While the 1,174 public attacks are a record, the report warns they are only the tip of the iceberg. BlackFog tracked 7,079 victims on dark web leak sites - cases that were never reported to the media or regulators.

An estimated 86% of all ransomware attacks in 2025 went undisclosed as organizations are increasingly choosing to negotiate in the shadows to avoid the reputational and legal fallout of a public breach.

Data exfiltration as a standard

For the first time, nearly 100% of attacks involved data theft (double extortion), with some groups now skipping the "encryption" phase entirely to focus purely on leaking sensitive files.

• Winners and losers: 2025 sector breakdown

• The report highlights a shift in which industries are being targeted:

• Healthcare (22% of attacks): Remained the #1 target, with hackers weaponizing the life-and-death urgency of hospital data to force faster payouts.

• The services boom: The services industry saw a massive 118% increase in targeting, as hackers realized that hitting a single service provider can "downstream" into hundreds of their clients.

• Retail in the crosshairs: High-end brands like Cartier, Chanel, and M&S were hit by luxury-focused campaigns aimed at stealing high-net-worth customer lists.

• Education: Surprisingly, education was the only sector to see a decline (down 12%), likely due to a global push for better government-funded security in schools.

Geographic concentration and "Qilin" dominance

Despite the global nature of AI, the United States remained the primary victim, accounting for 58% of all disclosed attacks.

The Qilin ransomware group emerged as the year’s most prolific threat actor, claiming over 1,115 victims and leading a concentrated "national campaign" specifically targeting South Korean asset-management firms.

"Attackers aren't just breaking in anymore. They're intent on stealing data to power extortion," said Dr. Darren Williams, CEO of BlackFog. "By weaponizing AI, they can outpace defenders at a scale we’ve never seen, slipping past traditional security measures that were designed to stop humans, not autonomous machines."