Mexico Rises to 11th Globally in Ransomware Attacks: IQSEC
By Diego Valverde | Journalist & Industry Analyst
Tue, 02/17/2026 - 12:15
Mexico ranked 11th globally in ransomware attacks in 2025, signaling heightened cyber risk across public and private sectors, according to IQSEC. Government, education, manufacturing, and IT face elevated exposure as attackers exploit identity and multi-cloud security gaps. Findings highlight weak visibility over human and non-human identities, accelerating zero-trust adoption and driving higher cybersecurity investment.
By the end of 2025, Mexico ranked 11th globally in ransomware attempts, according to IQSEC, making the country the second most targeted market in Latin America.
The "Cyber Trends in Mexico 2026: Ransomware, Active Threats, and Measurement" report by IQSEC states that Mexico moved from 16th place in 2024 to 11th in 2025. This progression confirms a growing interest from threat actors in the country as they identify high-value targets within the national digital infrastructure.
The global cybersecurity landscape in 2025 reveals a heavy concentration of incidents in North America. The United States and Canada led the rankings with 3,703 and 389 documented victims, respectively. The United States alone accounted for more than 50% of the cases within the global Top 10 during 2025, a phenomenon attributed to its market size and extensive digital attack surface. Within the Latin American region, Brazil remained the country with the highest number of incidents, followed by Mexico in the second position.
Ransomware operates through a technical extortion model where unauthorized agents access organizational systems to encrypt critical data. These actors then demand payment to release the information or to prevent its public disclosure. During this time, the focus of cybercriminals shifted toward sectors with high operational dependencies. Globally, the construction and legal services sectors experienced the highest impact, followed by real estate.
In the Mexican market, the government sector showed the highest level of exposure, followed by educational institutions. Other affected sectors included information technology and manufacturing. This targeting suggests that attackers prioritize entities where service disruption causes maximum pressure for payment. Groups such as Qilin, Kazu, CL0P, and LockBit led the attacks in Mexico during 2025.
The rise of Mexico in global threat rankings is closely linked to structural deficiencies in identity management and multi-cloud security. Research conducted by Permiso Security indicates that 76% of cybersecurity professionals report that more than 54% of security incidents in the last 12 months involved issues relating to identity management. This data suggests that while ransomware is the method of execution, the compromise of human and non-human identities is the primary vector of entry.
Ian Ahl, CTO, Permiso Security, says that the overall confidence of cybersecurity teams in their ability to manage and secure identities is waning. Although 95% of professionals express confidence in tracking non-human identities, only 46% possess comprehensive visibility across all human and non-human identities accessing IT resources. This visibility gap creates an environment where attackers can move laterally through a network undetected for extended periods.
The operational efficiency of criminal groups in Mexico is further enhanced by the slow detection times within corporate environments. Only 18% of security teams can detect and confirm an identity-based threat in less than one hour. Furthermore, 61% of organizations require between one and 24 hours to detect the blast radius of a breach. This delay is often due to the fragmentation of security tools, as most teams use between three and 10 separate tools to achieve identity visibility, requiring 10–40 hours per week to manually correlate data from different sources.
Modern organizations manage an average of two to three cloud service providers and a similar number of identity providers. Most manage between 1,000 and 5,000 human identities and a similar number of non-human identities. The latter now represents 44% of all identity types. This surge is exacerbated by the integration of artificial intelligence agents. Ahl says that most AI agents are already grossly over-permissioned, making it a question of when major incidents will occur rather than if they will occur.
Approximately 62% of industry experts expect AI-generated identities to increase by 1–50% in the next 12 months. While 98% of AI agents have access to sensitive data, only 52% of organizations can consistently detect when AI systems or automation tools create or modify permissions. Only 50% of organizations claim to continuously discover and track new non-human identities, while 40% rely on scheduled audits and scans that may miss real-time threats.
Sophisticated identity-based attacks, such as those launched by the ShinyHunters group, demonstrate that identity has replaced the traditional network perimeter. Organizations are increasingly adopting zero-trust policies to address this shift. However, only 43% of teams can detect identity-based risks before an incident occurs. To mitigate these risks, nearly nine out of 10 organizations plan to increase investments in identity security in 2026. Specifically, 38% of companies are planning significant increases of more than 30% in their cybersecurity budgets.
The increasing exposure of the Mexican government and manufacturing sectors requires a transition toward unified identity security platforms. The reliance on manual data correlation and fragmented tools limits the ability of Mexican corporations to respond to agile groups like LockBit. As non-human identities continue to represent a larger portion of the attack surface, the focus must shift from perimeter defense to the continuous monitoring of permissions and activities across all platforms.
IQSEC notes that companies must prioritize the integration of their identity providers and cloud services to eliminate the blind spots that groups like Qilin and CL0P currently exploit. The shift to a zero-trust architecture is a technical necessity to protect the integrity of the Mexican digital ecosystem in an era of AI-driven threats.







