SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers

AI-driven phishing surge dominates 2025 cyberattacks

Wed, 18th Feb 2026

Acronis reported a rise in cyberattacks in the second half of 2025, with phishing dominating email-borne threats and attackers making greater operational use of artificial intelligence across their workflows.

Its Cyberthreats Report for H2 2025 found email-based attacks rose 16% per organisation and 20% per user year on year. Phishing made up 83% of all email threats and accounted for 52% of attacks targeting managed service providers.

The analysis is based on telemetry from Acronis' Threat Research Unit and its network of sensors. The report reviews activity across 2025, with a focus on the second half.

Email and chat

The findings show email remains a primary entry route for attackers, while targeting of collaboration platforms is increasing. Advanced attacks on those platforms rose to 31% in 2025 from 12% in 2024.

Security teams have increased their focus on collaboration tools as businesses extend identity and access across email, messaging, document sharing, and meetings. Attackers have adapted social engineering techniques to fit these environments. The report describes collaboration platforms as "secondary attack channels" with growing impact.

The report also highlights continued abuse of legitimate administration tools, naming PowerShell as the most abused globally. This activity was particularly prevalent in Germany, the US, and Brazil.

AI in workflows

The report describes a shift from experimenting with AI to using it operationally across multiple stages of attacks, including reconnaissance, social engineering, and ransomware negotiations. Acronis said this increased the speed and scale of campaigns and made detection and response more difficult.

It cited criminal groups incorporating AI into extortion processes. A group it identified as GLOBAL GROUP allegedly used AI-driven systems to manage ransomware negotiations across multiple victims, while GTG-2002 used AI-assisted reconnaissance and data exfiltration.

The report also points to AI-enabled scams designed to intensify psychological pressure, including virtual kidnapping schemes that used AI to generate convincing "proof of life" images.

"As cyber threats evolve at an accelerated pace, 2025 has shown that attackers are not only scaling traditional methods like phishing and ransomware, but are leveraging AI to act faster, more efficiently, and at greater scale," said Gerald Beuchelt, Chief Information Security Officer at Acronis.

"Attackers are increasingly integrating AI into their operations, so the cybersecurity landscape is entering a new era. This shift requires organisations to anticipate threats, automate defences, and build resilient systems capable of withstanding both traditional and AI-driven attacks," Beuchelt said.

Ransomware levels

Ransomware remained a central feature of the threat landscape. The report said nearly 150 MSP and telecom organisations were directly targeted, and counted more than 7,600 publicly disclosed victims globally.

It listed Qilin as the most active ransomware group with 962 victims, followed by Akira with 726 and Cl0p with 517. The US recorded 3,243 victims, the highest total by country in the dataset.

Manufacturing, technology, and healthcare were the top ransomware targets, which the report linked to pressure around uptime and the operational complexity of distributed environments.

The report also flagged the emergence of new ransomware groups in the second half of the year, naming Sinobi, TheGentlemen, and CoinbaseCartel.

MSP and supply chain

Supply chain and MSP-focused attacks remained prominent. The report said attackers exploited remote monitoring and management tools including AnyDesk and TeamViewer, affecting more than 1,200 third-party and supply chain victims.

The US accounted for 574 of those victims. The report named Akira and Cl0p as leading actors in supply chain and third-party incidents affecting MSPs and their clients.

It also pointed to the vulnerability exposure created by the central role MSP platforms play in customer environments. All MSP-platform CVEs disclosed in 2025 were rated High or Critical, despite low overall numbers.

Geographic patterns

The report highlights geographic differences by attack type. India, the US, and the Netherlands saw the highest rates of mass infection and lateral movement, while South Korea was the most malware-affected country, with 12% of users impacted.

Acronis framed these patterns as an indicator of where defenders could expect sustained pressure, reflecting differences in attacker focus and opportunity across regions.

The report describes a threat environment in which phishing remains widespread and attackers increasingly combine familiar techniques with more automated, scalable methods. It expects operational use of AI in cybercrime to continue as groups refine their tooling and processes.