Fortinet 2026 Threat Report: 389% Ransomware Surge, 1.7B Stolen Credentials, and What It Means for Saudi Finance

Fortinet's FortiGuard Labs confirms 7,831 ransomware victims in 2025 — a 389% spike — fueled by AI-assisted tools and 1.7 billion stolen credentials on the dark web. Saudi financial institutions face unique exposure.

FyntraLink Team

FortiGuard Labs has released the Fortinet 2026 Global Threat Landscape Report, and the numbers demand attention: 7,831 confirmed ransomware victims in 2025 — a 389% year-over-year increase — driven by AI-assisted attack tooling, compressed exploitation windows, and a dark web economy trading 1.7 billion stolen credential records. For CISOs managing SAMA-regulated financial institutions, every data point in this report maps directly to compliance gaps that adversaries are already exploiting.

Ransomware Industrializes: From Campaigns to Supply Chains

The report's central finding is structural, not statistical. Ransomware operations no longer resemble isolated campaigns launched by single groups. They function as integrated supply chains. Access brokers harvest credentials and sell footholds. Shadow agents — semi-autonomous operators using AI-assisted platforms such as WormGPT, FraudGPT, and BruteForceAI — automate reconnaissance, lateral movement, and payload delivery. Botnet operators provide infrastructure on demand. The result is a cybercrime ecosystem that operates at industrial scale, where each actor specializes in a single phase of the attack lifecycle.

Manufacturing bore the heaviest impact with 1,284 confirmed victims, followed by business services (824) and retail (682). Financial services, while not the top sector globally, remain a high-value target due to the sensitivity of the data involved and the regulatory penalties that follow a breach. The geographic distribution — 3,381 victims in the United States, 374 in Canada, 291 in Germany — confirms that no region with significant economic infrastructure is exempt.

1.7 Billion Stolen Credentials: The Dark Web's Currency

FortiRecon's adversary intelligence tracked a 500% increase in stolen credential records shared across underground forums, reaching 1.7 billion records. Stealer logs dominated dark web database activity at 67.12%, surpassing combolists (16.47%) and leaked credential dumps (5.96%). This signals a fundamental shift: identity exposure is now the upstream fuel that powers industrialized intrusion. Attackers no longer need zero-days when they can purchase valid VPN credentials, RDP sessions, or cloud console tokens from an access broker for a few hundred dollars.

For Saudi financial institutions, the implications are direct. Employee credentials harvested by infostealers like Raccoon, Vidar, or RedLine often include credentials for banking portals, internal ERP systems, and email accounts. A single compromised credential set, combined with weak MFA enforcement, gives an attacker the initial foothold that SAMA CSCC Domain 3 (Identity and Access Management) is specifically designed to prevent.
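The stealer-log triage described here, and the credential exposure monitoring the recommendations section calls for, reduces to a small pipeline: parse records from a feed, keep only those that name institutional assets, drop the secret immediately, deduplicate, and prioritize rotation by the account's MFA strength. The following Python is an added example, not code from the Fortinet report or from FyntraLink; the `URL:username:password` record shape, the `examplebank.sa` domain, the account inventory, the rotation windows and the feed lines are constructed assumptions.

```python
"""Triage stealer-log style credential records against an institution's own
domains and MFA posture. Added example, not code from the Fortinet report or
FyntraLink; the record format, domains, accounts, policy values and feed lines
below are constructed assumptions."""
from __future__ import annotations

import datetime as dt
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed: domains the institution owns; subdomains match too.
INSTITUTION_DOMAINS = {"examplebank.sa"}

# Constructed identity inventory: account -> MFA method currently enforced.
ACCOUNT_MFA = {
    "a.alharbi@examplebank.sa": "sms",
    "f.alqahtani@examplebank.sa": "fido2",
    "svc-reports@examplebank.sa": "none",
}
# Only phishing-resistant methods count as strong, as the text argues.
STRONG_MFA = {"fido2", "cert"}

# Constructed rotation policy: hours allowed per priority class.
ROTATE_WITHIN_HOURS = {"P1-rotate-now": 4, "P2-rotate-and-review": 24}

# Constructed feed lines in the "URL:username:password" shape stealer logs are
# commonly traded in. The secret field is already redacted by the feed.
FEED_LINES = [
    "https://portal.examplebank.sa/login:a.alharbi@examplebank.sa:<redacted>",
    "https://erp.examplebank.sa/:svc-reports@examplebank.sa:<redacted>",
    "https://shop.example.com/account:someone@example.net:<redacted>",
    "https://mail.examplebank.sa/owa:F.Alqahtani@examplebank.sa:<redacted>",
    "garbage line without separators",
    "https://portal.examplebank.sa/login:a.alharbi@examplebank.sa:<redacted>",
]

# Constructed timestamp for when the feed was pulled.
DETECTED_AT = dt.datetime(2026, 5, 1, 9, 0, tzinfo=dt.timezone.utc)


@dataclass(frozen=True)
class Exposure:
    host: str
    account: str
    mfa: str
    priority: str
    rotate_by: dt.datetime


def parse_record(line: str) -> tuple[str, str] | None:
    """Split one feed line into (host, account). The secret field is
    discarded at once so it never lands in a ticket or a SIEM event."""
    parts = line.strip().rsplit(":", 2)
    if len(parts) != 3 or "://" not in parts[0]:
        return None
    url, account, _secret = parts
    host = urlsplit(url).hostname
    if not host or not account:
        return None
    return host.lower(), account.lower()


def is_institutional(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in INSTITUTION_DOMAINS)


def triage(lines: list[str], detected_at: dt.datetime) -> list[Exposure]:
    """Return deduplicated institutional exposures, highest priority first.
    Accounts without phishing-resistant MFA are P1: the stolen password alone
    is enough for a foothold, so rotation cannot wait for a ticket queue."""
    seen: set[tuple[str, str]] = set()
    exposures: list[Exposure] = []
    for line in lines:
        rec = parse_record(line)
        if rec is None or rec in seen or not is_institutional(rec[0]):
            continue
        seen.add(rec)
        host, account = rec
        mfa = ACCOUNT_MFA.get(account, "unknown")
        priority = "P2-rotate-and-review" if mfa in STRONG_MFA else "P1-rotate-now"
        rotate_by = detected_at + dt.timedelta(hours=ROTATE_WITHIN_HOURS[priority])
        exposures.append(Exposure(host, account, mfa, priority, rotate_by))
    exposures.sort(key=lambda e: (e.priority, e.account))
    return exposures


if __name__ == "__main__":
    for e in triage(FEED_LINES, DETECTED_AT):
        print(f"{e.priority:22} {e.account:30} mfa={e.mfa:7} "
              f"rotate by {e.rotate_by:%Y-%m-%d %H:%M}Z")
```

On the constructed feed, the non-institutional record and the malformed line are skipped, the duplicate is collapsed, the two accounts on SMS or no MFA come out as P1 with a four-hour rotation deadline, and the FIDO2-protected account is P2 because the password is burned but the factor still blocks a plain replay.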

Exploitation Windows Collapse to 24–48 Hours

The report documents a dramatic compression in time-to-exploit (TTE). For critical vulnerabilities, adversaries now weaponize public disclosures within 24 to 48 hours — down from an average of 4.76 days reported in the previous edition. In some cases involving high-profile targets like Fortra GoAnywhere MFT and Apache Tomcat, exploitation activity appeared on the same day as the CVE disclosure.

This acceleration directly challenges the traditional patch management cycle. Monthly patching windows — still common across many Saudi enterprises — leave a gap measured in weeks while adversaries operate in hours. SAMA CSCC Domain 5 (Technology Operations and Resilience) mandates timely patching, but "timely" now means same-day triage and 48-hour deployment for critical, internet-facing assets. Institutions relying on quarterly vulnerability scans are effectively blind to the current threat velocity.

AI-Enabled Cybercrime Matures Beyond Experimentation

FortiGuard Labs confirms that AI is no longer experimental in the attacker's toolkit — it is operational. Shadow agents reduce the skill requirements for operators while increasing workflow speed across the kill chain. AI-assisted reconnaissance tools automate target profiling, identifying exposed services, weak configurations, and harvested credentials at machine speed. AI-powered social engineering kits generate contextually accurate phishing emails in Arabic and English, bypassing traditional keyword-based email filters.

Google's Threat Intelligence Group separately confirmed in May 2026 that an unknown threat actor used AI to discover a zero-day vulnerability and build a working exploit — the first documented case of AI-assisted zero-day development in the wild. Combined with the Fortinet data, the trend line is clear: defenders who have not integrated AI into their detection and response capabilities are falling behind adversaries who already have.

What This Means for SAMA-Regulated Financial Institutions

The Fortinet 2026 report is not theoretical — it describes the operational reality that Saudi banks, insurance companies, and fintech firms face today. SAMA's Cyber Security Compliance Checklist (CSCC) was designed to address exactly these threat categories, but the report exposes specific areas where compliance effort must intensify:

SAMA CSCC Domain 3 (Identity and Access Management) requires robust credential lifecycle management. With 1.7 billion stolen credentials circulating, phishing-resistant MFA — FIDO2 hardware keys or certificate-based authentication — is no longer optional. Password-only or SMS-based MFA configurations are demonstrably insufficient against stealer log attacks.

NCA ECC Subdomain 2-6 (Vulnerability Management) and SAMA CSCC Domain 5 both mandate vulnerability remediation within defined SLAs. The collapse of exploitation windows to 24–48 hours means these SLAs must be revisited. Continuous vulnerability monitoring and automated patching for critical internet-facing systems should replace scheduled scan-and-patch cycles.

PDPL Article 19 (Data Breach Notification) requires organizations to report breaches involving personal data. With ransomware groups routinely exfiltrating data before encryption, a ransomware incident is almost always a data breach under PDPL — triggering notification obligations that many incident response plans still fail to account for.

Actionable Recommendations

  1. Deploy dark web monitoring for institutional credential exposure. Use threat intelligence feeds to detect when employee or customer credentials appear in stealer log marketplaces. FortiRecon, Recorded Future, and Flare are purpose-built for this use case. Rotate compromised credentials within hours, not days.
  2. Enforce phishing-resistant MFA across all externally accessible systems. Eliminate SMS OTP and app-based push notifications for privileged accounts. Deploy FIDO2 or PKI-based authentication aligned with SAMA CSCC Domain 3 requirements.
  3. Compress patch deployment SLAs to 48 hours for critical CVEs on internet-facing assets. Implement automated patch orchestration for endpoints and edge devices. Maintain a tested emergency patching procedure that can execute outside standard change windows.
  4. Integrate AI-driven detection into SOC operations. Deploy behavioral analytics (UEBA) and AI-powered NDR to detect credential abuse, lateral movement, and data staging that signature-based tools miss. Review detection logic quarterly against the MITRE ATT&CK framework coverage mapped in the Fortinet report.
  5. Test ransomware resilience with tabletop exercises mapped to PDPL notification timelines. Simulate a dual extortion scenario where data exfiltration triggers PDPL Article 19 obligations. Validate that your IR plan includes legal counsel, regulator communication, and evidence preservation procedures.
  6. Review access broker exposure by auditing VPN, RDP, and cloud management console configurations. Disable legacy VPN concentrators that lack MFA. Implement conditional access policies that restrict management plane access to hardened jump hosts.
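The 24 to 48 hour exploitation window discussed above and recommendation 3 both come down to one measurable question: for each finding, did the patch land before a severity and exposure dependent deadline counted from public disclosure? The Python below is an added example, not code from the Fortinet report or from FyntraLink; the SLA table (only the 48 hour window for critical, internet-facing CVEs comes from the text), the asset names, the `CVE-PLACEHOLDER-n` identifiers and all timestamps are constructed assumptions.

```python
"""Check a vulnerability inventory against compressed patch SLAs. Added
example, not code from the Fortinet report or FyntraLink; the SLA table,
asset names, placeholder CVE ids and timestamps are constructed assumptions."""
from __future__ import annotations

import datetime as dt
from dataclasses import dataclass

UTC = dt.timezone.utc

# Constructed SLA policy: hours from public disclosure to deployed patch.
# 48h for critical CVEs on internet-facing assets follows the text; the other
# windows are assumptions for illustration only.
SLA_HOURS = {
    ("critical", True): 48,
    ("critical", False): 7 * 24,
    ("high", True): 7 * 24,
    ("high", False): 30 * 24,
}
DEFAULT_SLA_HOURS = 90 * 24  # medium/low, any exposure


@dataclass(frozen=True)
class Finding:
    cve: str                      # placeholder ids below, not real CVE numbers
    asset: str
    severity: str                 # "critical", "high", "medium" or "low"
    internet_facing: bool
    disclosed: dt.datetime        # public disclosure time
    patched: dt.datetime | None   # None means still unpatched


# Constructed inventory.
FINDINGS = [
    Finding("CVE-PLACEHOLDER-1", "vpn-gw-01", "critical", True,
            dt.datetime(2026, 5, 1, 10, tzinfo=UTC), dt.datetime(2026, 5, 2, 20, tzinfo=UTC)),
    Finding("CVE-PLACEHOLDER-2", "mft-edge-02", "critical", True,
            dt.datetime(2026, 5, 1, 10, tzinfo=UTC), None),
    Finding("CVE-PLACEHOLDER-3", "erp-app-03", "high", False,
            dt.datetime(2026, 4, 10, 9, tzinfo=UTC), dt.datetime(2026, 4, 20, 9, tzinfo=UTC)),
    Finding("CVE-PLACEHOLDER-4", "web-proxy-04", "critical", True,
            dt.datetime(2026, 5, 3, 12, tzinfo=UTC), None),
]
NOW = dt.datetime(2026, 5, 4, 10, tzinfo=UTC)  # constructed evaluation time


def sla_deadline(f: Finding) -> dt.datetime:
    """Deadline is counted from public disclosure, not from when the scanner
    first saw the asset, because that is the clock the adversary runs on."""
    hours = SLA_HOURS.get((f.severity, f.internet_facing), DEFAULT_SLA_HOURS)
    return f.disclosed + dt.timedelta(hours=hours)


def evaluate(findings: list[Finding], now: dt.datetime) -> list[dict]:
    """Classify each finding as met (patched inside SLA), breached (patched
    late, or still open past the deadline) or open (unpatched, inside SLA)."""
    rows = []
    for f in findings:
        deadline = sla_deadline(f)
        closed_at = f.patched if f.patched is not None else now
        late = closed_at > deadline
        if f.patched is not None and not late:
            status = "met"
        elif late:
            status = "breached"
        else:
            status = "open"
        rows.append({
            "cve": f.cve,
            "asset": f.asset,
            "deadline": deadline,
            "status": status,
            "hours_over": max(0.0, (closed_at - deadline).total_seconds() / 3600),
        })
    return rows


def summarize(rows: list[dict]) -> dict[str, int]:
    counts = {"met": 0, "breached": 0, "open": 0}
    for r in rows:
        counts[r["status"]] += 1
    return counts


if __name__ == "__main__":
    report = evaluate(FINDINGS, NOW)
    for r in report:
        print(f'{r["cve"]:18} {r["asset"]:12} {r["status"]:8} '
              f'deadline {r["deadline"]:%Y-%m-%d %H:%M}Z over by {r["hours_over"]:.0f}h')
    print(summarize(report))
```

Run against the constructed inventory, the first critical edge finding is patched 34 hours after disclosure and meets the 48 hour window, the second is still open 24 hours past its deadline and is reported as breached, the internal high finding sits comfortably inside its longer window, and the newest critical finding is open but not yet late. Feeding the same function a monthly patch date instead of the real one shows at a glance how many critical edge findings a monthly window would push into breach.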

Conclusion

The Fortinet 2026 Global Threat Landscape Report confirms what frontline defenders have observed throughout the past year: cybercrime now operates as a mature, AI-accelerated industry with its own supply chain, labor market, and quality assurance mechanisms. The 389% ransomware surge and 1.7 billion stolen credentials are not projections — they are the measured output of this system. Saudi financial institutions that treat cybersecurity as a compliance checkbox rather than an operational discipline will find themselves on the wrong side of these statistics.

Is your organization prepared? Contact Fyntralink for a complimentary SAMA Cyber Maturity Assessment to evaluate your credential exposure, patch velocity, and ransomware resilience against the threats documented in this report.