SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
AI-driven phishing surge as Acronis warns MSPs at risk

Fri, 20th Feb 2026

Acronis has published its Cyberthreats Report for the second half of 2025, citing a rise in email-borne attacks, sustained ransomware activity, and wider use of artificial intelligence in criminal operations.

The findings draw on telemetry from the Acronis Threat Research Unit and data collected by its sensors. The report covers global activity across 2025, with additional detail on patterns seen in the second half of the year.

Email remained a dominant channel for initial compromise. Acronis reported email-based attacks rose 16% per organisation and 20% per user year on year. Phishing was the leading entry point in attacks targeting managed service providers (MSPs), accounting for 52% of incidents in that segment.

Email and collaboration

The report also points to a shift in attackers' secondary channels. Advanced attacks on collaboration platforms rose to 31% in 2025 from 12% a year earlier, according to Acronis. It described this as a move towards routes that can provide broader access inside an organisation once attackers have established a foothold.

Within email, phishing represented 83% of all email threats in H2 2025, Acronis reported. The findings align with a broader industry view that email security remains a central control point, even as attackers spread techniques across endpoints and cloud services.

Abuse of legitimate administration tools featured heavily in the dataset. PowerShell was the most misused tool globally, with notable activity in Germany, the United States and Brazil, according to Acronis. Such misuse remains difficult for defenders because it can blend into normal systems management and remote support work.

MSP exposure

MSPs and their platforms were flagged as an area of concern. Acronis said all common vulnerabilities and exposures (CVEs) disclosed for MSP platforms during 2025 were rated High or Critical, even though the overall number of disclosures was low. It attributed the risk profile to the access MSP tools can provide into multiple client environments.

Supply chain and MSP-focused attacks continued through the period covered by the report. Attackers exploited remote monitoring and management tools such as AnyDesk and TeamViewer, Acronis said, affecting more than 1,200 third-party and supply chain victims. The United States had the highest exposure, with 574 victims, according to the report.

Acronis identified Akira and Cl0p as the dominant actors using these routes. It presented the cases as evidence of continued focus on organisations that can provide a path to multiple downstream targets.

AI in attacks

A core theme of the report is the operational use of AI by criminal groups. Acronis said threat actors increasingly used AI in routine phases of attacks, including reconnaissance, negotiation and social engineering, describing a shift from experimentation to day-to-day workflows.

The report includes examples of groups Acronis said used AI-driven systems in ransomware negotiations. It also described AI-assisted reconnaissance and data exfiltration linked to another group, which it said increased the impact of intrusions. In social engineering, Acronis said virtual kidnapping scams have used AI to generate "proof of life" images, increasing pressure on victims.

"As cyber threats evolve at an accelerated pace, 2025 has shown that attackers are not only scaling traditional methods like phishing and ransomware, but are leveraging AI to act faster, more efficiently, and at greater scale," said Gerald Beuchelt, CISO, Acronis.

"Attackers are increasingly integrating AI into their operations, so the cybersecurity landscape is entering a new era. This shift requires organizations to anticipate threats, automate defenses, and build resilient systems capable of withstanding both traditional and AI-driven attacks."

Ransomware numbers

Ransomware remained prominent in the second half of 2025, according to the report. Acronis said nearly 150 MSP and telecom organisations were directly targeted, and it recorded more than 7,600 publicly disclosed victims globally during the period analysed.

The most active ransomware groups in the report were Qilin with 962 victims, Akira with 726, and Cl0p with 517. Acronis said the United States recorded the highest number of victims at 3,243.

The report also listed new ransomware groups emerging in H2 2025, including Sinobi, TheGentlemen and CoinbaseCartel. Such churn is a recurring feature of the ransomware ecosystem as groups rebrand, splinter, or shift infrastructure in response to law enforcement pressure and rival activity.

Hotspots and sectors

Geography and sector remained key variables. Acronis said India, the United States and the Netherlands had the highest mass infection and lateral movement rates in its dataset. South Korea was the most malware-affected country, with 12% of users impacted, according to the company's figures.

Manufacturing, technology and healthcare were described as the top ransomware targets. The report said operational urgency and complex, distributed environments increase exposure in these sectors. Organisations in these industries often run mixed technology estates and rely on continuous availability, which can raise pressure during extortion attempts.

Overall, Acronis said the H2 2025 pattern combined familiar entry methods such as phishing with increased use of collaboration tools and AI-driven techniques, while MSPs and their software remained a key point of leverage for attackers.