Cybercrime in 2026: AI, ransomware, and new rules collide
Cybercrime surges into 2026: AI-fueled fraud, ransomware’s reset, CIRCIA’s approach, and fresh FBI warnings collide with new compliance clocks.
Cybercrime in 2026: AI-fueled threats, ransomware’s reset, and new rules reshape the risk
Cybercrime is accelerating into 2026 with fresh records in losses, faster operations driven by artificial intelligence, and a policy landscape that is tightening reporting and debating ransom payments. In the United States alone, Americans reported $20.8–$20.9 billion in losses to internet crime in 2025, the highest on record, with more than one million complaints filed to the FBI’s Internet Crime Complaint Center (IC3). Notably, the Bureau broke out artificial intelligence–related scams for the first time: 22,364 AI-linked complaints costing an estimated $893 million. (fbi.gov)
By the numbers: where the money went
- Total reported losses (2025): ≈$20.8–$20.9 billion; complaints surpassed one million for the first time. (fbi.gov)
- AI-related crimes (2025): 22,364 complaints, ≈$893 million in losses. (fbi.gov)
- Investment fraud and cryptocurrency schemes remained the biggest money drains, while business email compromise (BEC) and tech support fraud continued to exact multibillion-dollar tolls. (theregister.com)
The headline: cyber-enabled fraud has become the most pervasive day-to-day threat to consumers and boards, pushing phishing and impersonation ahead of even ransomware in executive risk rankings this year. (weforum.org)
Ransomware 2026: consolidation, speed—and AI at scale
Law enforcement disruptions in 2024 scattered some gangs, but 2026 is bringing consolidation and a rebound in volume and visibility. Fortinet’s 2026 Global Threat Landscape Report counted 7,831 confirmed ransomware victims in 2025 (up sharply from roughly 1,600 the year prior), and warns of AI-enabled operations accelerating execution, discovery of targets, and extortion. (fortinet.com)
Fresh Q1 2026 data shows LockBit’s attempted resurgence: Check Point Research tracked 163 LockBit victims in the quarter (fourth among groups), suggesting affiliates are retooling with cross-platform payloads and anti-forensics after past takedowns. (research.checkpoint.com)
Across regions, analysts and police agree: the ransomware economy has industrialized. Europol’s IOCTA 2026 flags persistent, profit-driven operations increasingly powered by automation and data theft; multiple security firms separately report a shift toward identity-driven access and insider-enabled extortion. (home-affairs.ec.europa.eu)
Two snapshots: education pays, healthcare pays—and still bleeds
- Instructure, maker of the widely used Canvas learning platform, paid a ransom after a ShinyHunters breach that reportedly touched institutions in the U.S., U.K., Canada, and Australia—reigniting debate over whether payment meaningfully reduces harm. (itpro.com)
- In healthcare, the 2024 Change Healthcare catastrophe remains a cautionary tale: UnitedHealth’s CEO confirmed a $22 million ransom payment to ALPHV/BlackCat, yet a second group (RansomHub) claimed to retain 4 TB of stolen data and re-extorted the company—evidence that paying offers no guarantee of data deletion or lasting relief. (cnbc.com)
Nation-state activity: pre‑positioning and living off the land
U.S. and allied agencies continue to warn about Chinese state-sponsored activity dubbed Volt Typhoon. Joint advisories in 2024 described “living off the land” techniques and long-term persistence across U.S. critical infrastructure IT networks, including communications, energy, transport, and water, assessed as pre‑positioning for potential disruption during crises. The campaign’s tradecraft blurs with criminal methods by abusing legitimate admin tools and avoiding malware that would trigger alerts. (cisa.gov)
The Five Eyes partners have since cautioned about China‑nexus groups building botnets from compromised routers and IoT devices at scale—a reminder that inexpensive edge devices now underpin both espionage and cybercrime infrastructure. (techradar.com)
The new frontier: cybercrime crosses the curb with cargo theft
The FBI recently warned of a surge in cyber‑enabled “strategic cargo theft,” where actors impersonate legitimate brokers and carriers via spoofed domains, hijacked accounts, or falsified logistics records to reroute high‑value shipments. Losses across the U.S. and Canada were estimated near $725 million in 2025, reflecting the fusion of online fraud with physical theft across supply chains. (hstoday.us)
Policy and enforcement: disclosure clocks, incident reporting—and the ransom debate
- SEC cyber disclosure. Public companies must disclose material cybersecurity incidents on Form 8‑K within four business days of determining materiality, and describe cyber risk management and governance in annual filings. The Division of Corporation Finance reiterated in May 2024 that Item 1.05 is reserved for material incidents—not all incidents. (sec.gov)
- Critical infrastructure reporting. CISA’s rulemaking under the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) is ongoing. In February 2026, CISA announced town halls to refine the proposed 6 CFR Part 226 before finalization—signaling that 72‑hour incident and 24‑hour ransom‑payment reporting clocks are coming into sharper focus. (regulations.justia.com)
- Ransom payments. The U.S. has no federal ban on paying ransoms, but several states restrict public entities. North Carolina prohibits state and local agencies from paying or even negotiating; Florida bars state and local entities from paying ransomware demands. In the U.K., the government has floated a ban on payments by public bodies and critical infrastructure. (ncleg.gov)
AI: the attacker’s force multiplier—and the defender’s, too
Security teams say 2026 is the year AI moved from pilot to production on both sides of the ball. The World Economic Forum’s Global Cybersecurity Outlook 2026 finds 77% of organizations now use AI in cyber operations—most commonly for phishing detection, intrusion/anomaly response, and user‑behavior analytics. At the same time, cybercriminals are leaning on agentic AI frameworks for reconnaissance, phishing generation, credential testing, and infrastructure rotation at machine speed. (weforum.org)
ThreatDown’s 2026 State of Malware report similarly describes a shift to machine‑scale attacks designed to remain invisible until extortion, aligning with field observations that many 2025–2026 intrusions prioritized speed, stealth, and timed execution over persistence. (threatdown.com)
What security leaders should do now
- Treat identity as the new perimeter. Harden MFA with phishing‑resistant authenticators, rotate and monitor high‑privilege credentials, and minimize standing access. (techradar.com)
- Build for extortion resilience, not just encryption recovery. Assume data theft; pressure‑test legal, communications, and customer‑notification playbooks alongside backup and re‑imaging plans. Lessons from Change Healthcare show why “pay and move on” can fail. (cnbc.com)
- Prepare for reporting clocks. Map which operations qualify as “critical infrastructure,” align breach‑triage workflows to SEC and forthcoming CIRCIA timelines, and rehearse materiality determinations to avoid disclosure missteps. (sec.gov)
- Close supplier and logistics gaps. Verify brokers and carriers out‑of‑band, lock down portals and load boards with least privilege and monitored SSO, and train ops teams to spot spoofed documents and domains. (hstoday.us)
- Use AI defensively, with governance. Scale detection and response, but pair tools with model‑risk management and guardrails to prevent data leakage and automation surprises. (weforum.org)
Outlook
As of May 17, 2026, the picture is clear: cybercrime is a high‑velocity, AI‑accelerated economy that blends fraud, extortion, and strategic disruption. Ransomware crews are recalibrating, state actors are pre‑positioning, and crime is bleeding into the physical world—from pharmacy counters in 2024 to freight yards today. With disclosure rules biting and incident‑reporting mandates nearing the finish line, organizations that operationalize resilience—identity‑first controls, extortion‑aware playbooks, and AI‑enabled defense—will be best positioned to absorb shocks while regulators, insurers, and law enforcement keep closing the gaps. (research.checkpoint.com)