From exploits to malicious AI, the Acronis Cyberthreats Report H2 2025 paints a stark picture of how cybercrime has scaled, professionalized, and weaponized trust. Here’s what business and technology leaders need to know.
A Threat Landscape That’s Getting Louder—and Smarter
The Acronis Cyberthreats Report H2 2025 tracks attacks observed across more than one million endpoints worldwide in 2025. The message is clear: cybercrime is not just growing—it is becoming more organized, more automated, and more embedded in everyday business tools. Email attacks per organization rose sharply, and attacks per user climbed as well, showing that attackers are increasing pressure rather than simply widening the net.
Ransomware Is Still King—But the Rules Have Changed
Ransomware activity remained persistently high throughout 2025, with thousands of organizations publicly named as victims. Manufacturing and technology firms were among the most targeted sectors, reflecting how operational pressure and complex supply chains create leverage for attackers.
What’s new is the shift from encryption-first to extortion-first. Many groups now steal data first and use the threat of exposure as the primary pressure tactic. This model scales better, spreads faster, and often causes damage even when backups are in place. The ecosystem is fragmented, with dozens of active brands, making takedowns of single groups less effective.
MSPs and Supply Chains: The Force Multipliers
Managed service providers (MSPs), telecoms, and software vendors are high-value targets because they act as access hubs. A single breach can ripple across many customers. The report documents multiple cases where attackers abused remote monitoring and management (RMM) tools to move laterally and deploy ransomware across downstream environments.
This highlights a hard truth for enterprises: your security is only as strong as your weakest provider. Supply-chain compromise is no longer an edge case—it’s a repeatable attack model.
Living Off the Land: When Legitimate Tools Turn Rogue
Attackers increasingly hide in plain sight by abusing built-in tools like PowerShell and the Windows command prompt. This “living off the land” approach blends malicious activity into normal system behavior, making detection harder.
Because these tools are essential for IT operations, blocking them outright isn’t practical. The report underscores the need for behavior-based detection—monitoring how tools are used, not just whether they exist.
Email and Collaboration Apps: The Two-Stage Attack Model
Email remains the primary entry point for cyberattacks by sheer volume. Phishing dominates, as attackers focus on deception and identity theft rather than technical exploits.
Collaboration platforms—like enterprise chat and file-sharing tools—tell a different story. While they see fewer attacks overall, a much higher share are advanced, targeted intrusions, including account takeovers and session hijacking. The pattern is now two-stage: attackers use email to gain initial access, then pivot to collaboration tools to move laterally and escalate privileges within trusted environments.
AI Enters the Attack Chain
One of the most unsettling findings is the shift by cybercriminals from experimentation to operational use of AI. The report documents early examples of AI-assisted extortion, automated negotiation, and scams using AI-generated voices and content.
This doesn’t mean AI attacks are everywhere yet—but it signals a direction of travel. As AI lowers the cost of personalization and automation, expect phishing, impersonation, and fraud to become more convincing and more scalable.
Geography of Risk: No One Is Immune
The data shows a concentration of ransomware detections in large, digitally mature economies—reflecting where attackers expect higher payouts. But the spread is global. Mass-infection and lateral-movement incidents affected multiple regions, underlining that cyber risk scales with digital dependence, not geography alone.
What This Means for Leaders
The report’s strategic takeaway is sobering: defensive investments must now assume both scale and sophistication. High-volume attacks demand automation and resilience; low-frequency, high-impact attacks demand deep visibility and response readiness.
Key priorities emerge clearly:
- Harden identity and access controls, especially for admins and service accounts.
- Treat MSPs and SaaS providers as part of your attack surface.
- Move beyond signature-based security to behavior and process monitoring.
- Prepare for AI-enabled deception with stronger verification and user awareness.
The Bottom Line
The Acronis Cyberthreats Report H2 2025 shows cybercrime evolving into a disciplined, business-like operation—one that exploits trust, shared platforms, and now AI. For enterprises, the challenge is no longer just preventing breaches, but limiting blast radius, recovering fast, and governing risk across an extended digital ecosystem.
