Yarix Y-Report 2026: Critical Security Events Surge 62% as Italy Falls to 6th in Global Ransomware Rankings

The Yarix Y-Report 2026 documents 522,486 security events and a 62% spike in critical threats, highlighting an increasingly aggressive cyber landscape where It…

On May 12, Yarix unveiled its Y-Report 2026, an annual threat landscape analysis based on 522,486 security events monitored by its SOC throughout 2025. The consolidated data reveals a 62% surge in critical events and a 51% increase in global ransomware activity. As noted by Mirko Gatto, Head of Cybersecurity at Var Group: "Attacks have become faster, more fragmented, and highly adaptable, fueled by a structured criminal ecosystem and widespread access to advanced tools, including those powered by artificial intelligence."

The standout geopolitical shift is Italy’s descent to sixth place globally for ransomware attacks. For DeafNews, this is less a victory than a strategic optical illusion: Italy hasn't necessarily become more secure; it has simply become a less lucrative target compared to U.S. giants. While criminal syndicates have shifted their focus to markets with higher ransom potential, Italy’s economic fabric remains under siege, with attack timelines now measured in minutes rather than days.

Report Highlights

  • Qualitative Escalation: Critical security events rose by 62%, indicating more targeted and destructive threats.
  • Global Ransomware: Over 7,100 mapped attacks (+51%); Italy drops out of the global top 5 to sixth place.
  • Vulnerable SMEs: Within the enterprise and mid-market sample (companies >1,000 employees or >€50m turnover), 67% of ransomware victims are small businesses.
  • Entry Vectors: Exploitation of exposed public services (32 cases) and SSL VPNs remain the primary points of entry.
  • AI Pivot: Yarix announced an AI-driven Tier 1 SOC, with a shadow operations phase set to launch by July.

SOC Under Pressure: A 62% Spike in Critical Threats and 176 Major Incidents

In 2025, operational pressure on defense centers reached unprecedented levels. Of the 522,486 events analyzed by the Yarix SOC, 158,316 evolved into actual incidents. This qualitative leap is confirmed by the 62% year-over-year growth in critical threats. The Incident Response (YIR) team managed 176 major incidents, a 20.55% increase from 2024. This data confirms that the threat is no longer just a matter of volume, but of the effectiveness of intrusions hitting the operational core of organizations.

The manufacturing sector led the incident rankings at 17.9%, followed by IT at 8.3%. Regarding data theft, Yarix mapped 1.2 billion credentials compromised by infostealers (+35.3%), including 58,800 Italian credit cards found on underground markets. This data feeds a criminal supply chain where identity theft serves as the precursor to massive ransomware attacks or complex financial fraud, exploiting the saturation of traditional monitoring systems.

"2025 represents a turning point in cyber maturity: we are no longer just seeing a growth in numbers, but a profound change in the ways threats manifest themselves." — Mirko Gatto, Head of Cybersecurity at Var Group

Approximately 30% of monitored events converted into actual incidents, suggesting a significant portion of attacks successfully bypass initial defensive barriers. Marco Iavernaro, Global SOC Manager at Yarix, explained that critical events are those likely to lead to total compromise, often culminating in Business Email Compromise (BEC). Without automation, managing these volumes would be impossible for any human analyst team.

Exposed Services and AiTM Phishing: Primary Ransomware Entry Vectors

Analysis of 176 major incidents highlights specific points of failure. The primary vector remains the exploitation of exposed public services (32 cases), followed by SSL VPN access (22 cases) and Adversary-in-the-Middle (AiTM) phishing (20 cases). Particularly concerning are the 17 cases where the entry point remained undetermined—a clear sign of severe deficiencies in corporate logging systems that prevent forensic analysis and full remediation.

Diego Marson, Cyber Security Officer at Yarix, describes ransomware as an industrial supply chain. In 2025, 124 active gangs were identified, but the "Top 10" are responsible for 56% of global attacks. The Akira group was the most frequent offender in Yarix-managed cases (9 incidents), followed by RansomHub (5) and LockBit Black (2). Many of these attacks utilize malicious code written or obfuscated by AI to evade sandboxes and signature-based detection systems.

The Y-Report also notes an exceptional case involving a USB HID hardware attack within the maritime sector. The incident, attributed to actors with potential ties to terrorist organizations and currently under investigation by authorities, proves that threats are not confined to the digital perimeter. Protecting physical infrastructure and industrial systems now requires specific attention to peripheral devices, which can serve as Trojan horses to bypass entire network security suites.

The Italian Paradox: Why a 6th Place Ranking is a Warning for SMEs

Italy’s exit from the global top 5 is not a certificate of security. According to Yarix, the shift to sixth place indicates that structured gangs are prioritizing targets with higher financial liquidity. However, within the enterprise and mid-market sample (companies with over 1,000 employees or €50 million in revenue), 67% of Italian ransomware victims were small businesses. This confirms that SMEs remain the soft underbelly of the system, targeted by "minor" criminal groups or via mass automation.

Geographically, Lombardy accounts for 36% of national ransomware attacks, followed by Emilia-Romagna (13%) and Lazio (10%). Alongside economic profit, geopolitical hacktivism is on the rise: spikes in June and July (27% of campaigns) correlated with the NATO summit, while those in September and October (23%) mirrored Middle Eastern tensions. Corporate security is now a variable dependent on international chessboards, making Italian firms collateral targets in global conflicts.

The vulnerability of Italian SMEs is exacerbated by a chronic lack of adequate logging and strong authentication. Many organizations still operate with remote access lacking MFA or backup systems that fail to guarantee data immutability. This "cyber hygiene gap" makes attacks extremely effective and rapid, leaving little room for maneuver once an attacker gains initial access through stolen credentials or unpatched vulnerabilities.

Offensive vs. Defensive AI: The Path Toward an Automated SOC

Artificial intelligence has broken the symmetry of cyber conflict. While attackers use it to generate polymorphic malware, defenders must adopt it to avoid being overwhelmed. Mirko Gatto emphasized that the volume of events has reached a point where AI is indispensable for filtering background noise. Yarix's strategy involves transitioning from human-led defense to "AI-managed cybersecurity with human supervision," where machines handle speed and humans handle decision-making complexity.

To meet this challenge, Yarix is developing a completely AI-driven Tier 1 SOC, with a shadow phase expected to be operational by July. This system aims to process data from endpoints, networks, and identities in real time, reducing Mean Time to Detection (MTTD). The goal is to allow human analysts to focus exclusively on major incidents (176 in 2025) and highly sophisticated threats, eliminating the bottlenecks caused by the false positives that currently saturate security centers.

Integrating defensive AI is the only viable response to the velocity of modern attacks. The modular malware observed in 2025 no longer just encrypts files; it performs silent network analysis to identify the most valuable data for exfiltration. In this context, AI-based Endpoint Detection and Response (EDR) solutions are critical for identifying behavioral anomalies that traditional virus signatures would never intercept.

Defensive Priorities

  • Strengthen Centralized Logging: Resolving the issue of "undetermined origin" cases is vital. Without full log visibility, it is impossible to reconstruct the kill chain and prevent persistent reinfections.
  • Reduce the Attack Surface: The 32 cases of exploited public services suggest a need to drastically limit internet-accessible interfaces. Every public service must be protected by security gateways and monitored in real-time.
  • Implement Phishing-Resistant MFA: The 20 cases of AiTM phishing prove that SMS-based OTP is obsolete. Companies must migrate toward MFA solutions based on FIDO2 standards or hardware keys to neutralize token interception.
  • Industrial Network Segmentation: With Manufacturing hit in 17.9% of cases, separating IT from OT networks is urgent. This prevents ransomware from propagating from office environments to production lines, limiting economic damage.
  • Audit SSL VPN Access: Given the frequency of incidents (22 cases) related to VPNs, these systems require continuous auditing and immediate patching, alongside the elimination of unnecessary privileged accounts.
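The phishing-resistant MFA item above, as an added illustration that is not from the report or from Yarix: a minimal model of the assertion checks a WebAuthn/FIDO2 relying party performs, showing why an assertion produced while the browser sits on a proxy's origin fails verification while a relayed one-time code does not. The domain, secret and challenge are constructed placeholders, and an HMAC stands in for the authenticator's public-key signature.

```python
import hashlib
import hmac
import json

# Constructed relying party (RP) settings; the domain is a placeholder.
RP_ID = "login.example.test"
RP_ORIGIN = "https://login.example.test"

def rp_id_hash(rp_id: str) -> bytes:
    return hashlib.sha256(rp_id.encode()).digest()

def browser_client_data(challenge: str, origin: str) -> bytes:
    # The browser, not the page script, records the origin it is really on.
    return json.dumps({"type": "webauthn.get", "challenge": challenge,
                       "origin": origin}).encode()

def authenticator_sign(secret: bytes, rp_id_seen: str, client_data: bytes):
    # A real authenticator signs authData || SHA-256(clientDataJSON) with the
    # credential's private key; an HMAC stands in for that signature here.
    auth_data = rp_id_hash(rp_id_seen) + b"\x01" + (1).to_bytes(4, "big")
    msg = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(secret, msg, hashlib.sha256).digest()
    return client_data, auth_data, sig   # what the RP receives

def rp_verify(secret: bytes, challenge: str, assertion) -> bool:
    client_data, auth_data, sig = assertion
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False
    if cd.get("origin") != RP_ORIGIN:                  # origin binding check
        return False
    if auth_data[:32] != rp_id_hash(RP_ID):            # RP ID binding check
        return False
    msg = auth_data + hashlib.sha256(client_data).digest()
    return hmac.compare_digest(hmac.new(secret, msg, hashlib.sha256).digest(), sig)

def direct_login(secret: bytes, challenge: str) -> bool:
    cd = browser_client_data(challenge, RP_ORIGIN)
    return rp_verify(secret, challenge, authenticator_sign(secret, RP_ID, cd))

def relayed_login(secret: bytes, challenge: str, proxy_origin: str) -> bool:
    # Relay case: the victim's browser is on the proxy's origin, so the
    # assertion is bound to that origin and RP ID and fails at the real RP.
    cd = browser_client_data(challenge, proxy_origin)
    proxy_rp_id = proxy_origin.split("://", 1)[1]
    return rp_verify(secret, challenge, authenticator_sign(secret, proxy_rp_id, cd))

def otp_relay_accepted(expected_code: str, relayed_code: str) -> bool:
    # An SMS OTP carries no origin, so a code relayed unchanged still matches.
    return hmac.compare_digest(expected_code, relayed_code)
```

A real authenticator would additionally refuse to use a credential registered for `login.example.test` on a different RP ID, so the relayed case fails even before the RP's checks run.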

The Y-Report 2026 delivers a clear verdict: the "victory" of sixth place is a statistical illusion hiding a faster, more dangerous threat. The announcement of Yarix's new AI-driven SOC by July marks the boundary of a new era. For Italian companies, accelerating defensive measures is no longer optional—it is a vital necessity before the technological asymmetry between man and machine becomes irreparable.

Frequently Asked Questions

Does Italy ranking 6th globally for ransomware mean the country is safer?

No. The drop reflects a redistribution of targets toward more lucrative markets. For Italian businesses, particularly within the mid-market segment, the threat remains critical, with 67% of victims identified as small businesses.

What were the most critical entry vectors in 2025?

The primary vectors documented by Yarix were exploits of exposed public services (32 cases), vulnerabilities in SSL VPNs (22 cases), and AiTM (Adversary-in-the-Middle) phishing (20 cases), often facilitated by stolen digital identities.

Why does the report focus on "AI-managed cybersecurity"?

Due to the high volume of events (over 522,000), AI has become essential for data filtering and response acceleration. Yarix will activate an AI-driven SOC by July to autonomously manage Tier 1 analysis.
