Sentinel Brief

Malware Attacks Surge Past 6 Billion: The Threat Breakdown


Photo by Dollar Gill on Unsplash

Key Takeaways
  • As of July 1, 2026, global malware attacks totaled 6.06 billion in 2025 — the highest volume since 2019 and an 11% year-over-year climb — with 560,000 new distinct threats identified every single day (SonicWall; AV-TEST).
  • Average attacker breakout time (the window between gaining initial access and moving laterally across a network) dropped to 29 minutes in 2026, down 65% from the prior year; the fastest recorded eCrime breakout clocked at just 27 seconds (CrowdStrike 2026 Global Threat Report).
  • 82% of detections in 2025 involved malware-free techniques — credential theft and living-off-the-land tactics — meaning traditional antivirus tools are structurally mismatched against the dominant attack method.
  • Paying ransom is now effectively a donation: 93% of payers in 2025 still had data stolen despite paying, and 83% faced follow-up attacks within the same year.

The Threat: One Hour, No Human Required

In May 2026, security firm Sysdig documented the first fully autonomous AI-driven intrusion on record: an LLM (large language model) agent executed a four-pivot attack chain — from initial access all the way to database exfiltration — in under one hour, with zero human direction at any stage. Google News highlighted this event as a marker within a broader acceleration that has been building throughout 2025 and into mid-2026, drawing on data from CrowdStrike, IBM X-Force, SonicWall, and Kaspersky that collectively document a threat environment unlike anything from the prior decade.

As of July 1, 2026, according to SonicWall, global malware attacks reached 6.06 billion in 2025 — an 11% year-over-year increase and the highest total since 2019. AV-TEST’s database now catalogues 1.56 billion cumulative known malware samples, with 560,000 new and distinct threats identified daily. But raw volume is almost a distraction from the more important structural shift: CrowdStrike’s 2026 Global Threat Report found that 82% of all detections in 2025 involved malware-free techniques, up from 79% in 2024, meaning threat actors are increasingly bypassing the files and executables that endpoint protection tools are designed to catch.

What they are using instead are credentials. Credential stealer infections grew 220% year-over-year. IBM X-Force documented over 16 million devices infected by infostealer malware in its 2026 research, with the resulting stolen credentials selling for approximately $10 on dark web marketplaces. X-Force Incident Response Leader Ryan Anschutz captured the logic plainly: “Attackers simply do not need zero-days (previously unknown software vulnerabilities with no available patch), they just need valid credentials and a little bit of patience.” That patience is now measured in minutes: average breakout time collapsed to 29 minutes in 2026, down 65% year-over-year, with the fastest recorded eCrime breakout at just 27 seconds. Cheap credentials, autonomous tooling, and a sub-30-minute operational window are what make the current threat environment a different class of problem.

Three forces are compounding the pressure simultaneously. First, the professionalization of cybercrime: 55 new ransomware-as-a-service (RaaS) families emerged in 2024 alone — a 67% year-over-year increase — and 95 active ransomware gangs are now tracked as of 2026 (IBM X-Force). Barrier to entry is near zero. Second, the AI multiplier: AI-powered phishing effectiveness increased 400%, with 87% of security professionals reporting that AI-generated messages are indistinguishable from legitimate communications. Malware-laden emails increased 131% year-over-year in 2026. The LLM-using malware families PROMPTFLUX and PROMPTSTEAL, which actively query language models mid-execution to adapt their behavior, emerged in 2025–2026 and represent the early edge of a durable trend. ChatGPT credentials are among the most-traded commodities on underground forums — over 300,000 were discovered for sale in 2025, and ChatGPT is referenced in criminal forums 550% more than any other AI model. Third, an exploded IoT attack surface: IoT malware attacks surged 124% in 2026 (SonicWall), as smart manufacturing sensors, building management systems, and medical devices became entry points that most security teams have not instrumented for detection.

Blast Radius: The Sectors Absorbing the Most Damage

The credential-theft model changes who gets hit hardest and how. IBM X-Force’s Nick Bradley framed the dynamic precisely: “Attackers have figured out that they don’t need to break through your carefully guarded front door when they can walk right in through your supplier’s back door with valid credentials.” Supply chain attacks quadrupled over the past five years, with 15,000+ malicious packages deployed through open-source registries (IBM X-Force 2026). Every software dependency is a potential vector, not just every endpoint.

Manufacturing sits at ground zero. The sector accounted for 27.7% of all cybersecurity incidents and experienced a 61% year-over-year surge in ransomware attacks. Healthcare is close behind: as of July 1, 2026, 67% of healthcare organizations were struck by ransomware annually, with 120 confirmed attacks in Q1 2026 alone, and the average cost of a healthcare breach stands at $7.42 million per incident. Across all sectors, ransomware victims exceeded 7,000 organizations in 2025 — a 58% increase from 4,750 in 2024 — with Q1 2026 data projecting an annualized pace of 8,660 victims, an 18.5% further increase.

The ransom-payment calculus has also collapsed. Kaspersky’s 2026 ransomware evolution research documents that attackers are “leaving out the ‘ware’ in ‘ransomware’ by focusing on data theft and disclosure threats rather than encryption, shifting victim risk from backup-preventable disruption to irreversible data exposure.” With 93% of payers still having data stolen and 83% facing follow-up attacks, a recovery plan that rests on backups alone is no longer sufficient. Quantum-resistant ransomware families using ML-KEM (the standardized Kyber1024 key-encapsulation algorithm, at a security level comparable to AES-256) also emerged in 2025–2026, adding a further layer of durable encryption to an already complex recovery picture.


Photo by Glen Carrie on Unsplash

Why Signature-Based Defense Is Losing the Arms Race

The convergence of fileless execution, polymorphic code, and AI-generated lures dismantles the assumptions behind most legacy security stacks. Fileless attacks — malware that executes entirely in memory, leaving no file on disk for scanners to inspect — account for 70% of all serious malware incidents in 2026. Polymorphic malware (code that rewrites its own detection signature to evade pattern-matching tools) comprises 90% of all detected malware. A defense stack built on signature databases and file-system scanning is architecturally outmatched against these techniques. The volume numbers from SonicWall and AV-TEST matter, but this structural mismatch is the deeper problem.

X-Force Cyber Threat Analyst Christopher Caridi identified the required pivot: “CISOs must treat vulnerability patching and identity hardening as parallel priorities.” That means moving endpoint detection toward behavioral analysis (flagging what a process does rather than what it looks like), layering in identity threat detection and response (ITDR) to catch credential misuse in real time, and implementing continuous supply chain monitoring for software dependencies — the same gap that AI Shield Daily’s coverage of AI agent security identified as critically underaddressed in agentic deployments.

Attack Vector Year-Over-Year Increases (as of July 2026)
  • IoT malware: +124%
  • Malware-laden email: +131%
  • Credential stealers: +220%
  • AI phishing: +400%

Chart: Year-over-year percentage increases across four key attack vectors as of July 1, 2026. Scale is proportional to the maximum value (400%). Sources: SonicWall, CrowdStrike, IBM X-Force.

The defensive posture that actually matches the threat has three layers:
  • Technology: behavioral EDR (endpoint detection and response, which flags suspicious process behavior rather than file signatures) over legacy antivirus; ITDR to detect credential misuse before the 29-minute breakout clock expires; network microsegmentation to limit blast radius when a credential is inevitably compromised.
  • Process: phishing-resistant MFA on every externally facing service; software bill of materials (SBOM) audits for supply chain visibility; incident response tabletop exercises designed around a 29-minute attacker dwell time, not 24 hours.
  • People: security awareness training rebuilt around AI-generated lures specifically — the old “check for typos” heuristic is obsolete when 87% of AI-generated messages pass as legitimate.
Three layers, not thirty controls.

Ship This Control Today

One control. Not a checklist.

Deploy phishing-resistant MFA — specifically FIDO2 hardware security keys or device-bound passkeys — on every account that authenticates to email, VPN, or cloud consoles. Standard TOTP (the six-digit rotating code from an authenticator app) is better than nothing but is susceptible to real-time phishing relay attacks, where an adversary intercepts the code mid-session before it expires. Phishing-resistant MFA is not. With credential stealers infecting devices at 220% higher rates year-over-year and stolen credentials available for $10 on dark web markets, the cost of leaving SMS or TOTP as your top authentication layer is asymmetric: the attacker’s cost to bypass it is approximately zero, and your cost to upgrade is a few hours of deployment time.
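The difference between TOTP and phishing-resistant MFA comes down to what the verifier can check. The following is an added illustration, not code from this article or from any FIDO/WebAuthn library: a standard-library RFC 6238 TOTP verifier beside a deliberately simplified WebAuthn-style relying-party check. The assertion model keeps only the parts that matter here (clientDataJSON carrying the origin the browser actually connected to, an rpIdHash, and a signature over both); HMAC-SHA256 with a per-credential key stands in for the authenticator's ECDSA signature because the standard library has no ECDSA. All secrets, origins, challenges and timestamps are constructed sample values.

```python
"""TOTP vs. an origin-bound (WebAuthn-style) assertion under real-time phishing relay.

Added illustration; not code from the article or from any FIDO/WebAuthn library.
TOTP follows RFC 6238. The assertion side is a simplified model of WebAuthn in
which HMAC-SHA256 with a per-credential key stands in for the authenticator's
ECDSA signature; the origin-binding check is what is being demonstrated.
Keys, challenges, origins and timestamps below are constructed sample values.
"""
import hashlib
import hmac
import json
import struct

TOTP_STEP = 30  # seconds, RFC 6238 default


def totp(secret: bytes, at_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the 30-second counter, then dynamic truncation."""
    counter = struct.pack(">Q", at_time // TOTP_STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp_verify(secret: bytes, code: str, at_time: int, window: int = 1) -> bool:
    """Accept the code for the current step and +/- `window` adjacent steps.
    Nothing here can tell whether the code was typed into the real site or into
    a lookalike page and forwarded within the validity window: the verifier only
    sees a secret, a clock and six digits."""
    return any(
        hmac.compare_digest(totp(secret, at_time + k * TOTP_STEP), code)
        for k in range(-window, window + 1)
    )


def sign_assertion(cred_key: bytes, rp_id: str, challenge: str, browser_origin: str) -> dict:
    """Authenticator side (simplified). clientDataJSON carries the origin the browser
    saw; the signature covers authenticatorData || SHA-256(clientDataJSON), so the
    origin cannot be rewritten after signing. A real browser would additionally
    refuse an rpId that is not a registrable suffix of the page's origin."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": browser_origin},
        sort_keys=True,
    ).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest()  # rpIdHash only; flags/counter omitted
    signed = auth_data + hashlib.sha256(client_data).digest()
    signature = hmac.new(cred_key, signed, hashlib.sha256).digest()  # stand-in for ECDSA
    return {"client_data": client_data, "auth_data": auth_data, "signature": signature}


def verify_assertion(cred_key: bytes, rp_id: str, expected_challenge: str,
                     expected_origin: str, assertion: dict) -> bool:
    """Relying-party side: the checks a WebAuthn RP performs before trusting a login."""
    try:
        cd = json.loads(assertion["client_data"])
    except (KeyError, ValueError):
        return False
    if cd.get("type") != "webauthn.get":
        return False
    if not hmac.compare_digest(str(cd.get("challenge", "")), expected_challenge):
        return False  # stale or replayed assertion
    if cd.get("origin") != expected_origin:
        return False  # the phishing-resistance check: wrong origin, no login
    if assertion.get("auth_data") != hashlib.sha256(rp_id.encode()).digest():
        return False  # credential scoped to a different relying party
    signed = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
    expected_sig = hmac.new(cred_key, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected_sig, assertion.get("signature", b""))


def demo() -> dict:
    """Outcomes a defender should expect from each factor; all inputs are constructed."""
    totp_secret = b"constructed-totp-seed-0123456789"
    now = 1_782_000_000  # fixed timestamp so the result is reproducible
    code_entered_on_lookalike_page = totp(totp_secret, now)
    # Forwarded to the real site 10 s later, inside the same step: accepted.
    totp_result = totp_verify(totp_secret, code_entered_on_lookalike_page, now + 10)

    cred_key = b"constructed-per-credential-key"
    rp_id, real_origin = "login.example", "https://login.example"
    challenge = "constructed-challenge-7f3a"
    genuine = sign_assertion(cred_key, rp_id, challenge, real_origin)
    # Same user, same credential, but the browser was on a lookalike origin.
    relayed = sign_assertion(cred_key, rp_id, challenge, "https://login-example.evil")
    # Rewriting the origin field after the fact breaks the signature.
    rewritten = dict(relayed)
    rewritten["client_data"] = relayed["client_data"].replace(b"login-example.evil", b"login.example")
    return {
        "totp_relayed_code_accepted": totp_result,
        "genuine_assertion_accepted": verify_assertion(cred_key, rp_id, challenge, real_origin, genuine),
        "lookalike_origin_assertion_accepted": verify_assertion(cred_key, rp_id, challenge, real_origin, relayed),
        "rewritten_origin_assertion_accepted": verify_assertion(cred_key, rp_id, challenge, real_origin, rewritten),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {accepted}")
```

Running `demo()` shows the asymmetry the paragraph describes: the TOTP verifier accepts a code regardless of where the user typed it, while the origin-bound assertion is rejected both when it was produced on a lookalike origin and when the origin field is edited afterwards. In a real deployment the signature is ECDSA over a hardware-held key and the browser enforces the rpId/origin relationship before the authenticator is ever asked to sign, so the real protection is stronger than this model, not weaker.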

Once phishing-resistant MFA is live on critical accounts, the next highest-return action is enabling alerts on impossible-travel and new-device login events inside your identity provider. If a stolen credential is used from a location geographically inconsistent with the user’s prior session, that detection fires before the 29-minute breakout window closes. In my read of the combined CrowdStrike, IBM X-Force, and SonicWall data, this pairing — phishing-resistant MFA plus continuous identity monitoring — directly closes the gap that 82% of current attacks are architected to exploit. Everything else on the security roadmap is valuable. It’s just downstream of this.
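The impossible-travel and new-device rules described above, as an added example that is not part of the original article or of any identity provider's product: the detector consumes one JSON object per sign-in event (an assumed export shape with user, UTC timestamp, IP-resolved geolocation, device identifier and result), keeps each user's last successful sign-in and known-device set, and raises an alert when the implied speed between two successful sign-ins exceeds what an airliner could manage or when a device is seen for the first time. The log lines, device baseline and thresholds are constructed.

```python
"""Impossible-travel and new-device alerts over identity-provider sign-in events.

Added illustration, not code from the article or from any identity provider.
Assumes the IdP exports one JSON object per line with the user, a UTC
timestamp, the geolocation resolved from the source IP, a device identifier
and the sign-in result. The log lines and the device baseline are constructed.
"""
import json
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 900.0  # roughly airliner ground speed; faster than this is "impossible"
MIN_DISTANCE_KM = 50.0     # ignore small moves (IP geolocation jitter inside one metro area)

# Constructed sample log: alice signs in from London, then "from" New York 21 minutes
# later on a device never seen before; bob travels Paris -> Berlin over 8.5 hours.
SAMPLE_LOG = """\
{"user":"alice","ts":"2026-07-01T08:00:00Z","geo":[51.5074,-0.1278],"device_id":"dev-a1","city":"London","result":"success"}
{"user":"alice","ts":"2026-07-01T08:21:00Z","geo":[40.7128,-74.0060],"device_id":"dev-zz9","city":"New York","result":"success"}
{"user":"bob","ts":"2026-07-01T09:00:00Z","geo":[48.8566,2.3522],"device_id":"dev-b1","city":"Paris","result":"success"}
{"user":"bob","ts":"2026-07-01T17:30:00Z","geo":[52.5200,13.4050],"device_id":"dev-b1","city":"Berlin","result":"success"}
{"user":"carol","ts":"2026-07-01T10:00:00Z","geo":[35.6762,139.6503],"device_id":"dev-c1","city":"Tokyo","result":"failure"}
"""

# Constructed baseline: devices each user has previously signed in from.
KNOWN_DEVICES = {"alice": {"dev-a1"}, "bob": {"dev-b1"}}


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in kilometres."""
    earth_radius_km = 6371.0
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def parse_events(log_text: str) -> list:
    """Parse JSON-lines sign-in records and return them ordered by timestamp."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def detect(log_text: str, known_devices: dict, max_kmh: float = MAX_PLAUSIBLE_KMH) -> list:
    """Return alert dicts for impossible travel and first-seen devices.

    Only successful sign-ins move a user's location baseline or register a
    device; failed attempts are skipped. The baseline passed in is not mutated.
    """
    alerts = []
    last_ok = {}  # user -> previous successful sign-in record
    known = {user: set(devs) for user, devs in known_devices.items()}
    for ev in parse_events(log_text):
        if ev["result"] != "success":
            continue
        user = ev["user"]
        prev = last_ok.get(user)
        if prev is not None:
            km = haversine_km(*prev["geo"], *ev["geo"])
            hours = (ev["ts"] - prev["ts"]).total_seconds() / 3600.0
            speed = km / hours if hours > 0 else float("inf")  # same-second sign-ins far apart
            if km >= MIN_DISTANCE_KM and speed > max_kmh:
                alerts.append({
                    "user": user, "rule": "impossible_travel", "ts": ev["ts"].isoformat(),
                    "detail": f"{prev['city']} -> {ev['city']}: {km:.0f} km in "
                              f"{hours * 60:.0f} min ({speed:.0f} km/h)",
                })
        devices = known.setdefault(user, set())
        if ev["device_id"] not in devices:
            alerts.append({
                "user": user, "rule": "new_device", "ts": ev["ts"].isoformat(),
                "detail": f"first sign-in from device {ev['device_id']} ({ev['city']})",
            })
            devices.add(ev["device_id"])  # alert once per device, not on every later sign-in
        last_ok[user] = ev
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG, KNOWN_DEVICES):
        print(f"[{alert['rule']}] {alert['user']} @ {alert['ts']}: {alert['detail']}")
```

On the sample data this produces two alerts, both for alice and both on the second event: the London-to-New York hop implies a speed far above the 900 km/h ceiling, and dev-zz9 is not in her device baseline. The two rules fire on the same sign-in event, which is the point of pairing them: either one alone is noisy (travellers trip the first, new laptops trip the second), but both together on one login is the pattern of a stolen credential being used from somewhere else. Bob's Paris-to-Berlin move over 8.5 hours is well under the ceiling and on a known device, so it is silent, and carol's failed attempt is ignored by both rules.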

Frequently Asked Questions

Why are malware attacks increasing so dramatically right now?

Three compounding forces explain the surge: the professionalization of cybercrime through ransomware-as-a-service platforms that lower attacker barrier to entry (55 new RaaS families launched in 2024 alone, a 67% year-over-year increase), the weaponization of AI to generate polymorphic malware and highly convincing phishing campaigns (AI phishing effectiveness up 400%), and a dramatically expanded IoT attack surface with IoT malware up 124% as of July 1, 2026 (SonicWall). The result: 6.06 billion attacks in 2025, with 560,000 new distinct threats identified every single day.

How much do ransomware attacks cost businesses in 2026, and is paying the ransom worth it?

Healthcare organizations face an average breach cost of $7.42 million per incident as of July 1, 2026. Ransomware victims across all sectors exceeded 7,000 organizations in 2025, a 58% increase year-over-year. As for payment: 93% of ransomware payers in 2025 still had data stolen despite paying, and 83% faced follow-up attacks. Kaspersky’s 2026 research documents that attackers now focus on data theft and disclosure threats rather than encryption, meaning backup recovery does not resolve the underlying exposure. Payment does not close the incident — it funds the next one.

What industries are most targeted by malware and ransomware attacks?

Manufacturing leads all sectors, accounting for 27.7% of all cybersecurity incidents and experiencing a 61% year-over-year surge in ransomware attacks. Healthcare is close behind, with 67% of organizations struck annually and 120 confirmed ransomware attacks in Q1 2026 alone. Both sectors combine high-value operational data, OT/IoT systems that are difficult to patch rapidly, and supply chains with broad third-party credential access — all characteristics that make them structurally attractive targets for the 95 active ransomware gangs currently tracked by IBM X-Force.

Disclaimer: This article is editorial commentary for informational purposes only and does not constitute professional security consulting advice. Always consult with a qualified cybersecurity professional for your specific organizational needs. Research based on publicly available sources current as of July 1, 2026.