According to one cybersecurity firm’s user base data, surges in regional business email compromise and social engineering attacks were likely AI-driven.

Based on analyzing endpoint signals from over 1,000,000 Windows machines globally collected between January and June 2025, a cybersecurity vendor for the monitored devices has shared some 2024/2025 findings on cyber threat patterns in the ASEAN/APAC region, with the media.

First, the number of publicly known ransomware victims had increased by nearly 70% compared to the firm’s metrics for the same period in 2023 and 2024, with 3,642 claimed victims, and Cl0p, Akira, and Qilin emerging as the most active ransomware groups.

Second, phishing accounted for 25% of all attacks globally (in the H1 2025 data) and constituted 52% of attacks targeting managed service providers, marking a rise from 30% in H1 2024 data. Remote Desktop Protocol attacks had decreased sharply, from 24% to 3%.

Other findings
Third, social engineering and business email compromise attacks in the firm’s H1 2025 data had increased from 20% to 25.6% in January through May 2025, compared to the same period in 2024, with nearly 25% of phishing attacks in collaboration platforms involving AI-generated deepfakes or automated exploits. Also:

  • Manufacturing was the most targeted industry in the firm’s data, representing 15% of ransomware incidents in Q1 2025, followed by retail, food and drink at 12%, and telecommunications and media at 10%.
  • Vulnerabilities in third-party software such as the Cleo file transfer tool and SimpleHelp remote monitoring and management software continued to be exploited in the firm’s user base in H1 2025, with TeamViewer identified as having the highest proportion of unpatched vulnerabilities (4.56% of customers affected).
  • Monthly malware detections varied by region, with India recording 12.4% affected endpoints in May 2025, Brazil 11%, and Spain 10.2%.
  • Attackers had increasingly used process injection (MITRE technique T1055.001) and PowerShell (T1059.001) techniques to evade detection in the firm’s Q1 2025 customer incidents.
  • New ransomware actors such as Devman and Nightspire employed Ransomware-as-a-Service models with double extortion tactics in the H1 2025 user base data.
  • AI-powered threats were observed in several cases, including North Korean operatives using AI-driven deepfake avatars to gain employment at technology companies and vulnerabilities in AI models, allowing prompt injection attacks.
  • Collaboration app attacks had risen sharply compared to previous years’ data sets, with phishing attacks in these platforms increasing from 9% to 30.5%, and advanced email attacks from 9% to 24.5%.

According to Gerald Beuchelt, CISO, Acronis, the firm sharing its H1 2025 user ecosystem incident data analysis: “Even the least sophisticated attackers today have access to advanced AI capabilities, generating social engineering attacks and automating their activities with minimal effort. To survive in this threat landscape … a holistic cyber protection strategy that incorporates advanced detection, response and recovery capabilities is essential.”