CFOtech Australia - Technology news for CFOs & financial decision-makers

Cyber extortion tops 2025 attacks as AI risks escalate

Tue, 3rd Mar 2026

CyberCX reports a shift in the cyber incidents it handled in 2025, with cyber extortion now the most common incident type it responded to. Financial services also overtook healthcare as the most impacted sector.

The findings are detailed in the 2026 Threat Report, which draws on more than 100 serious cases handled by its Digital Forensics and Incident Response team. The report also points to wider use of artificial intelligence by threat actors and growing concern about employees entering sensitive information into public AI tools.

Cyber extortion moved ahead of business email compromise as the leading incident category in the cases analysed. The report defines cyber extortion as incidents where attackers lock systems or steal data and demand payment. Stolen credentials remained a key driver.

Sector shift

Financial and Insurance Services accounted for almost one in five incidents CyberCX responded to in 2025, making it the most impacted sector in the sample. Healthcare fell to second place after leading in prior reporting periods.

The data points to ongoing pressure on organisations that hold high-value personal and financial information and underscores the financial motivation driving cybercrime. Almost six in 10 incidents were attributed to financially motivated criminals, a proportion consistent with previous years.

The report also highlights longer detection times for financially motivated attacks. The time for an organisation to detect such attacks more than doubled to 68 days in 2025, from 24 days in 2024. CyberCX attributed the longer dwell time to threat actors spending more time inside environments after gaining initial access.

AI and data spills

Generative AI featured in incident response work in a new way during 2025, with CyberCX observing threat actors using it to create bespoke commands and malware. This reduced the time between initial access and achieving malicious objectives.

The report also flags internal use of public AI services as a near-term risk for some organisations. CyberCX began responding to "data spill" incidents linked to staff uploading sensitive material into public-facing AI tools, reinforcing the importance of AI governance and workplace policies.

Changing extortion playbooks

The report notes changes in how ransomware groups apply pressure during double extortion attacks, where data theft accompanies encryption or other disruption. In more than a third of double extortion attacks by known ransomware groups, the threat actor did not advertise the stolen data on its dedicated leak site, compared with less than 10% in the prior year's findings.

Even when victims were listed on a leak site, publication did not always follow. CyberCX found about half of victims that did not pay after being advertised did not subsequently have their data published, up from 24% the year before. The report describes this as a potential sign of "data breach fatigue".

MFA bypass

CyberCX highlighted an increase in adversary-in-the-middle session hijacking, a method of bypassing multi-factor authentication by stealing a user's session. It linked the rise to broader access to low-cost phishing-as-a-service kits, which can lower the skill threshold for running phishing campaigns at scale.

The report concludes that multi-factor authentication alone no longer prevents criminal access in many cases. It also found that valid accounts and external remote services were the most common initial access techniques in cyber extortion incidents, with attackers using compromised credentials obtained via information stealers and social engineering.

Hamish Krebs, Executive Director of Digital Forensics and Incident Response at CyberCX, described the findings as a deterioration in risk.

"If there is a cyber security professional or policymaker who feels more optimistic about the global cyber threat landscape now than they did 12 months ago, I haven't met them," Krebs said.

He also described the dual aspect of AI risk that organisations now face.

"We have seen malicious use of automation and AI lowering barriers to entry and unlocking new capabilities of speed and scale. AI is now part of the real cyber threat that organisations in our region and around the world are confronting every day. But there are two sides to this coin, as organisations increasingly face data spills resulting from staff members uploading sensitive and commercial material to public AI tools, reinforcing the importance of AI governance and policies in the workplace."

Krebs also said the firm encountered a case involving remote-worker fraud linked to North Korea.

"Whether it's financially motivated criminal groups or stealthy state-based actors, disgruntled soon-to-be ex-employees or attention seeking hacktivists, the threat landscape is always evolving. Last year we even supported one organisation who had inadvertently hired three North Korean IT workers who, by all accounts, were model employees and only detected when a third company laptop was issued to the same address," he said.

Krebs concluded, "The theme of this year's Threat Report is essentially this: the threats are bigger and better resourced, and the risks are worse than they have ever been. At a time where the global threat landscape is deteriorating and the nature of the threat worsening, we hope that you will read this report and come away better equipped and prepared to weather this storm."

CyberCX is part of Accenture and operates across Australia and New Zealand. It has a workforce of 1,400 cyber security professionals, including close to 200 in New Zealand.