
Fortinet Sees 389% Rise in Ransomware Victims as Exploit Windows Shrink to Two Days

Fortinet’s 2026 threat report shows a 389% increase in confirmed ransomware victims in 2025, with attackers exploiting vulnerabilities within 24‑48 hours. Includes mitigation steps.

Peter Olaleru, Cybersecurity Editor (3 min read, US)

Source: SecurityInfoWatch

Fortinet recorded a 389% increase in confirmed ransomware victims in 2025, totaling 7,831 cases. Attackers now move from vulnerability disclosure to exploitation within a 24‑ to 48‑hour window.

Context

Fortinet’s Global Threat Landscape Report, based on telemetry from millions of sensors, tracks ransomware activity and exploit trends for the most recent 12‑month period. The report notes a shift from broad scanning to focused, automated attacks that reuse exploit code and stolen credentials.

Key Facts

- The firm counted 7,831 confirmed ransomware victims in 2025, up from roughly 1,600 the prior year.
- Manufacturing suffered the highest impact with 1,284 victims, followed by business services (824) and retail (682).
- Of 635 vulnerabilities observed under active exploitation, 53.9% had public proof‑of‑concept code and 31.2% featured fully working exploit code.
- Specific flaws such as Fortra GoAnywhere, Oracle E‑Business Suite and Apache Tomcat were exploited the same day; Cisco ASA/FTD and React2Shell were exploited within one day.
- Identity exposure remains a precursor, with 4.62 billion stealer logs traded on darknet markets, a 79% rise from 2024.

What It Means

The compressed exploit window forces defenders to prioritize rapid patching and credential hygiene. Organizations should:

- Apply patches for CVEs listed in CISA’s Known Exploited Vulnerabilities catalog within the agency‑prescribed timelines (two weeks for newer CVEs, six months for pre‑2021).
- Enforce multi‑factor authentication on all privileged and service accounts, and rotate long‑lived access keys.
- Monitor for anomalous API calls and identity‑related alerts using detection rules tied to MITRE ATT&CK techniques T1078 (Valid Accounts) and T1190 (Exploit Public‑Facing Application).
- Conduct regular credential‑revocation drills and limit inbound traffic to only required ports and protocols.

Looking ahead, the convergence of automated exploit kits and credential markets will likely keep response windows tight, making continuous threat‑intelligence feeds and automated remediation essential.
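The patching recommendation above is concrete enough to automate. The following script is an added example, not code from the article, Fortinet or CISA: it reads a catalog in the shape of the CISA KEV JSON feed (the field names `cveID`, `product`, `dateAdded` and `knownRansomwareCampaignUse` are the real catalog's; the CVE IDs, products and dates in the embedded sample are constructed placeholders), matches entries against an asset inventory, derives a remediation deadline from the two‑week/six‑month rule quoted in the article (six months is approximated as 182 days, an assumption), and ranks what to patch first. The extra `in_exploit_window` flag applies the report's 24‑ to 48‑hour observation: anything added to the catalog in the last two days is treated as under attack now, whatever its formal deadline.

```python
import json
import re
from datetime import date, timedelta

# Constructed sample in the CISA KEV JSON shape. Field names follow the real
# catalog; the CVE IDs (5-digit, zero-padded, so not valid canonical IDs),
# vendors, products and dates are placeholders, not real catalog entries.
SAMPLE_KEV_JSON = """
{
  "vulnerabilities": [
    {"cveID": "CVE-2025-00001", "vendorProject": "ExampleVendor",
     "product": "FileTransferApp", "vulnerabilityName": "placeholder deserialization flaw",
     "dateAdded": "2025-09-18", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2019-00002", "vendorProject": "ExampleVendor",
     "product": "LegacyVPN", "vulnerabilityName": "placeholder path traversal",
     "dateAdded": "2025-09-18", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2025-00003", "vendorProject": "OtherVendor",
     "product": "WebPortal", "vulnerabilityName": "placeholder auth bypass",
     "dateAdded": "2025-10-01", "knownRansomwareCampaignUse": "Unknown"}
  ]
}
"""

# Constructed asset inventory: product name -> True if it is internet-facing.
INVENTORY = {"FileTransferApp": True, "LegacyVPN": True}

CVE_YEAR = re.compile(r"^CVE-(\d{4})-\d+$")


def sla_deadline(cve_id, date_added):
    """Deadline per the timelines the article cites: six months (assumed here
    to be 182 days) for CVEs assigned before 2021, two weeks for anything newer."""
    year = int(CVE_YEAR.match(cve_id).group(1))
    added = date.fromisoformat(date_added)
    return added + (timedelta(days=182) if year < 2021 else timedelta(days=14))


def triage(kev_json, inventory, today_iso):
    """Return the KEV entries that match the inventory, most urgent first."""
    today = date.fromisoformat(today_iso)
    rows = []
    for v in json.loads(kev_json)["vulnerabilities"]:
        if v["product"] not in inventory:
            continue  # not deployed here; nothing to patch
        deadline = sla_deadline(v["cveID"], v["dateAdded"])
        added = date.fromisoformat(v["dateAdded"])
        rows.append({
            "cve": v["cveID"],
            "product": v["product"],
            "ransomware": v.get("knownRansomwareCampaignUse") == "Known",
            "internet_facing": inventory[v["product"]],
            "deadline": deadline.isoformat(),
            "overdue": today > deadline,
            # Report's observation: exploitation follows disclosure within 24-48h,
            # so a fresh catalog entry is treated as actively attacked right away.
            "in_exploit_window": (today - added).days <= 2,
        })
    # Overdue first, then ransomware-linked, then internet-facing, then by deadline.
    rows.sort(key=lambda r: (not r["overdue"], not r["ransomware"],
                             not r["internet_facing"], r["deadline"]))
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_KEV_JSON, INVENTORY, "2025-10-05"):
        flags = [k for k in ("overdue", "ransomware", "internet_facing", "in_exploit_window") if row[k]]
        print(f"{row['cve']:<16} {row['product']:<16} due {row['deadline']}  {' '.join(flags)}")
```

In practice `SAMPLE_KEV_JSON` would be replaced by the downloaded catalog and `INVENTORY` by the CMDB or scanner output; the sort key is the part worth adapting, for example by weighting a public proof‑of‑concept once that enrichment is available from a threat‑intelligence feed.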
