Nozomi Report: Ransomware Concentrates In English-Speaking Markets With 70% Share

Ransomware is hitting English-speaking countries hard. Nozomi Networks Labs reports that 70% of global ransomware activity targets these regions. In late 2025, the U.S. faced 40% of attacks, while Canada and the UK made up another 30%. Attackers are now using generative AI to create convincing lures, act faster, and succeed more often. In September, a cyberattack on Collins Aerospace software disrupted check-in and baggage at major European airports. By November, Nozomi recorded nearly 300 new ransomware alerts, with Elpaco as the most active. These affected countries account for almost 30% of global GDP. Each outage poses a real economic risk.

“Critical infrastructure has never faced a more dangerous threat landscape, and the scale and severity of attacks against it will only increase,” said Chris Grove, Director of Cybersecurity Strategy at Nozomi Networks.

Ransomware Hotspots Shift Toward English-Speaking Targets

Nozomi’s data shows the concentration of attacks in the second half of 2025. According to the report, “U.S.-based companies alone accounted for more than 40% of all ransomware attacks.” The UK was next at 15.48%, followed by Canada at 13.55%.

The report links this trend to language, noting that many attackers use English as a second language. This fluency helps them negotiate faster and communicate threats more clearly. Insurers should see this pattern as a sign of risk across English-speaking markets.

Alert Volume Surges In September And November

The report found a surge in ransomware alerts late in the year. Alerts increased sharply in September, with November as the busiest month. The platform reported “close to 300” new alerts in November.

This timing affects how companies staff for incident response and prepare for claims. It also impacts renewals linked to year-end audits and patch updates.

Elpaco Leads A Changing Extortion Toolset

Nozomi reported that Elpaco surpassed BlackSuit in alert volume during this period. BlackSuit’s drop was linked to a U.S. government takedown in August. Elpaco is described as a newer version of the Mimic malware family and made up about 12% of ransomware alerts in late 2025.

Elpaco uses a legitimate library called “Everything” to scan files quickly. The report also mentioned a user interface that lets attackers adjust settings, making it easier to avoid mistakes and launch attacks faster.

AI Adds Speed To Phishing And Malware Workflows

The report highlighted the growing use of AI in cyberattacks. Attackers use AI to create “better crafted phishing messages” and develop malware more quickly. There are also “emerging attempts to create AI-powered ransomware.” Nozomi uses AI to find vulnerabilities and spot new malware strains. AI also helps with asset identification and guiding response actions. This competition makes it even more important to have strong identity checks and fast detection of unusual activity.

Credential Theft Tops Observed Attack Techniques

Nozomi’s report ranked credential-based attacks as the most common threat. Adversary-in-the-Middle attacks made up 26.5% of alerts, with attackers using them to steal sensitive data like credentials.

Brute force attacks were second at 10.2%, driven by IoT botnets that automate logins. Data manipulation also increased and brings significant operational risk. These methods often lead to insurance claims that begin with stolen access and end in disruption.

Transportation Stays Most Targeted As Government Spikes

Nozomi found that transportation was the most targeted industry throughout 2025. Manufacturing was second in the second half of the year, and government was third, with a sharp increase in attacks. The report connected the rise in government attacks to geopolitical tensions and hacktivist activity.

It also noted that attackers often scan government systems before trying sabotage or extortion. The report mentioned a September attack on Collins Aerospace software that disrupted flight check-in and baggage at major European airports.

Wireless Weakness Persists Across Industrial Environments

Nozomi’s report found many security gaps in wireless networks. About 68% of networks did not use Management Frame Protection, and only 1% required it for connections. The report warned that weak MFP use allows control-plane attacks and fake access points.

Most networks relied on shared passwords, with PSK used in 97.7% of cases and enterprise 802.1X in just 0.3%. The report said shared credentials “enable long-term reuse” and make it hard to track responsibility. These weaknesses help attackers stay hidden in OT environments.

High-Severity Vulnerabilities Remain Common In OT And IoT

Nozomi found a large number of high-severity vulnerabilities in 2025, with 43% identified in December. Another 5% were rated as critical. The report said these critical issues often allow remote code execution without authentication. It also pointed out “Use After Free” as a common weakness.

This is important for insurance because patching can cause downtime in plants, and for risk modeling because attacks can spread across IT, IoT, and OT systems.

Botnets Spike, Then Hammer Default Credentials

Nozomi’s monitoring found a big spike in botnet activity on September 2, 2025, with attacks from 1,169 unique IP addresses in one day. The report linked this to an upgrade of a Mirai-clone botnet. It also tracked where attacks came from, with China accounting for 30% and Taiwan for 27%.

The report listed common credential pairs like “admin:admin” and “root:root” as frequent targets. These brute-force attacks keep causing breaches and increase costs from outages and response work.

Recommendations Focus On Visibility, AI, And Sharing

Nozomi emphasized that visibility is the basic requirement for OT and IoT security. It wrote, “Comprehensive visibility is the foundation of effective risk management.” The report recommended using AI-driven anomaly detection to improve accuracy and security operations. It also called for risk-based vulnerability management that considers both exploitability and operational impact.

Dedicated wireless monitoring was suggested to find rogue access points and misconfigured devices. The report ended by urging organizations to “enable intelligence sharing” to strengthen overall resilience. Insurers can use these controls to guide underwriting and premium decisions.

“They must establish clear asset visibility, leverage AI-driven security systems to detect anomalies and threats, prioritize risk-based vulnerability management, and enable intelligence sharing to keep up with evolving tactics,” said Grove.
