CyberSecStats #47 - Ransomware speed records, LATAM threat landscape, more AI security woes and OT incidents
CyberSecStats #47: 3-hour Akira ransomware, APIs top KEV at 43%, over-privileged AI hits 76% incident rate, 72-minute breach-to-exfil, LATAM attacks doubled.
This Week’s Cybersecurity Eye-Openers
Three takeaways from this week’s data.
1. Ransomware speed record set
The fastest-ever observed ransomware case, involving Akira, took just three hours from the initial breach to full encryption.
2. APIs become the most exploited attack surface
43% of CISA KEV additions in 2025 were API-related, making APIs the single largest exploited surface in that dataset.
3. Over-privileged AI systems drive 76% incident rate
Organizations with over-privileged AI systems experience a 76% incident rate, compared with just 17% for organizations that enforce least-privilege controls on AI.
Big Picture Reports
2026 Global Incident Response Report (Palo Alto Unit 42)
Cyber attacks are now unfolding four times faster than a year ago. The gaps letting attackers in are more basic than most organizations expect.
The speed and identity crisis:
- In the fastest cases, attackers moved from initial access to data exfiltration in 72 minutes, four times faster than the previous year.
- Identity weaknesses play a material role in nearly 90% of investigated incidents.
- Misconfigurations or gaps in security coverage enable attacks in over 90% of incidents.
2026 Global Threat Analysis Report (Radware)
DDoS attacks surged to record levels in 2025, with almost twice the traffic seen in 2024.
The DDoS explosion:
- Network-layer DDoS attacks (OSI layers 3 to 4) increased 168.2% year over year.
- Peak network-layer DDoS attack volumes reached almost 30 Tbps.
- Web DDoS attacks (OSI layer 7) increased by 101.4% compared with 2024.
Ransomware
The Managed XDR Global Threat Report (Barracuda)
For most ransomware victims, the attack comes in through firewalls, CVEs, and compromised accounts.
The firewall vulnerability:
- 90% of ransomware incidents exploit firewalls through a CVE or a vulnerable account.
- The fastest ransomware case observed, involving Akira, took just three hours from breach to encryption.
- 66% of incidents involve the supply chain or a third party, up from 45% in 2024.
Ransomware Index Report 2025 (Securin)
Encryption is going out of style. Data theft is in.
The ransomware hierarchy:
- Qilin claimed the most victims in 2025 (835), followed by Akira (650), Cl0p (517), Play (363), and INC (334).
- 2025 ransomware market share by group: Qilin (23%), Akira (18%), Cl0p (14%), Play (10%), INC (9%).
- Ransomware victims by industry: commercial facilities (997), manufacturing (846), IT (818), healthcare (473), and financial services (340).
API Security
API ThreatStats Report 2026 (Wallarm)
APIs emerge as the single most exploited attack surface.
The API threat picture:
- In 2025, 43% of CISA KEV additions were API-related.
- 98% of API vulnerabilities are easy or trivial to exploit.
- 99% of API vulnerabilities are remotely exploitable.
Application Security
The Great AppSec Reality Check 2026 (Rein Security)
9 out of 10 CISOs are open to buying AI-native application protection.
The visibility crisis:
- Over 75% of security professionals lack the real-time production insight needed to validate risk and understand how their code behaves in real-world environments.
- 73% of SCA users lack visibility into whether flagged vulnerabilities are exploitable in production.
- 93% of CISOs and AppSec executives are ready to replace or purchase new AI-native application protection.
Mobile Security
72% of Mobile Apps Experienced a Security Incident Last Year (Guardsquare)
Mobile apps are being uninstalled because end users know they are vulnerable.
The mobile app picture:
- 72% of organizations experienced at least one mobile app security incident in the past year.
- 81% of developers say AI-generated code has introduced new vulnerabilities.
- 65% reported customer churn or app uninstalls as a direct result of security issues.
OT and Industrial Security
2026 OT Cybersecurity Year in Review (Dragos)
The threat of cyber shutdowns is becoming very real for manufacturing and industrial organizations as attackers switch tactics.
The industrial target:
- Manufacturing accounts for more than two-thirds of all ransomware victims.
- Ransomware attacks against industrial organizations increased by 64% year over year.
- The average dwell time for ransomware in OT environments is 42 days.
OT/IoT Cybersecurity Trends and Insights 2025 H2 Review (Nozomi Networks)
Most ransomware targets English-speaking countries.
Targeting and exposure:
- 70% of global ransomware activity targets English-speaking countries.
- In the second half of 2025, 40% of all ransomware attacks targeted US-based companies.
- 68% of observed wireless networks in industrial and critical infrastructure environments operate without Management Frame Protection despite using modern encryption.
AI Security and Governance
AI Security and Exposure Benchmark 2026 (Pentera)
AI is everywhere, but very few CISOs are securing it.
The AI security gap:
- Only 11% of enterprise CISOs have security tools specifically designed to protect AI systems.
- Organizations with over-privileged AI systems have a 76% incident rate, compared with 17% for organizations that limit AI to only the privileges needed for the task.
- 78% of enterprises fund AI security through existing security budgets.
The 2026 Infrastructure Identity Survey, State of AI Adoption (Teleport)
More AI means more incidents.
The AI privilege problem:
- 70% of security leaders say AI systems have more access than a human in the same role.
- Enterprises deploying AI systems with excessive permissions experience 4.5x as many security incidents as those that enforce least-privilege controls.
- 67% of organizations rely on static credentials for AI systems.
Internal Audit and AI-Enabled Fraud (Internal Audit Foundation and AuditBoard)
Internal audit leaders see AI-powered fraud as a rapidly growing threat. Most admit their teams are not yet equipped to catch it.
The audit preparedness gap:
- Fewer than 40% of internal audit leaders believe their function is adequately prepared to detect AI-enabled fraud.
- 88% identify AI-powered phishing attacks as a top risk.
- 57% identify a lack of appropriate technology or tools as a primary barrier to improving AI-enabled fraud preparedness.
Open Source Security
2026 Open Source Landscape Report (TuxCare)
Open-source software in production is a risk people know about but are rarely able or willing to fix.
The patching problem:
- 47.8% of surveyed enterprise open source users said their organization experienced a cybersecurity incident in the past 12 months.
- Among those reporting incidents, 61.4% said the incident occurred when a patch was available but had not been applied.
- 92.6% of open-source users reported that their organization was aware it was vulnerable before the cybersecurity incident occurred.
Industry-Specific
2026 Global Automotive and Smart Mobility Cybersecurity Report (Upstream)
Many ransomware incidents in the automotive sector did not make headlines.
The automotive threat:
- 44% of attacks in the Automotive and Smart Mobility ecosystem are ransomware-related, more than double the volume in 2024.
- 67% of incidents involve telematics and cloud systems as attack vectors.
- 92% of automotive cyberattacks are conducted remotely, of which 86% require no physical proximity to vehicles or systems.
Regional Spotlight
Region Report: Latin America (Intel471)
Latin America is more digitally connected than many outside the region realize. Cyberattacks there are growing extremely fast.
The LATAM escalation:
- Cyberattacks in LATAM increased from over 250 in 2024 to over 450 in 2025.
- The number of ransomware variants in LATAM rose from 48 to 79, with the most impactful gangs being Qilin, The Gentlemen, SafePay, Akira, and INC.
- Brazil accounted for about 30% of ransomware victims in LATAM in 2025, followed by Mexico at about 14% and Argentina at about 13%.

