Ransomware Attacks in Latin America: Mexico Second Most Affected
In the first half of 2025, Mexico ranked as the second-most affected country by ransomware in Latin America, accounting for 15.9% of the observed attacks in the region, trailing only Brazil (33.85%) and surpassing Colombia (11.28%), according to SCILabs’ Ransomware in LatAm – First Half of 2025 report.
The study also reports an 8.73% regional increase from the previous semester, indicating that despite significant police operations, criminal pressure remains unchanged.
Mexico’s History of Ransomware Attacks
Mexico has already been identified as one of the most affected markets on the continent. Between August 2024 and July 2025, the country experienced 237,000 ransomware attempts blocked by cybersecurity solutions, placing it second in the region after Brazil, according to Kaspersky’s telemetry data.
Ransomware is a malicious software that locks or encrypts an organization’s files and systems, demanding payment for their release. It operates through digital extortion schemes: not only does it encrypt information, but attackers also steal it and threaten to leak it if the ransom isn’t paid.
Manufacturing Sector Most Targeted
The 2025 sectoral map clearly outlines who is being targeted. Across Latin America, manufacturing (14.87%), technology (11.28%), and government (10.77%) led the list of most-attacked sectors.
In line with these findings, Mexico’s industrial ecosystem—particularly process manufacturing—has repeatedly been identified as a priority target.
Sophisticated Attacks on the Rise
SCILabs documented that variants like Akira and LockBit 4.0 led the activity in the first half, while emerging families such as SafePay with rapid encryption are on the rise. The Ransomware-as-a-Service (RaaS) model lowers the entry barrier for affiliates with limited technical knowledge and supports double and triple extortion schemes (encrypt, steal, and threaten data leaks).
The lab anticipates increased use of generative AI for automating and customizing attacks, with a growing focus on cloud, operational technologies, critical infrastructure, and supply chains for the remainder of the year.
Economic Impact of Ransomware Attacks
The impact of this surge extends beyond operational unavailability. The economic dimension remains significant. In 2025, the average cost of a data breach in Latin America was $3.81 million, below the global average of $4.44 million, according to IBM and Ponemon Institute’s 2025 Cost of a Data Breach Report.
Organizations that widely adopt AI and defensive automation reduce costs and response times; however, when detection occurs due to the attacker’s warning, the average amount skyrockets. For CFOs and risk committees, ransomware remains among the costliest incidents within the breach universe.
API Security and AI Concerns
Mexican business concerns have also shifted towards vectors growing alongside digitalization. API (Application Programming Interface) security, a set of rules enabling secure and structured data exchange between different programs or systems, and the risks associated with AI usage are among the top cybersecurity concerns in Mexico, with warnings about “shadow AI” and malicious use of AI for phishing and deepfakes.
This corporate focus on APIs and AI as emerging attack surfaces aligns with SCILabs’ reading of a criminal professionalization seeking to automate intrusions and accelerate extortions.
The expansion of APIs, rapid cloud adoption, and AI integration into business processes multiply interdependencies and attack vectors; without AI governance policies, model inventories, data controls, and adversarial testing, organizations increase their exposure.
Conversely, defensive automation and earlier internal detection correlate with lower costs and response times, according to the IBM and Ponemon report.
Mexico holds a significant position in the Latin American ransomware table (15.9% of attacks in the first half of 2025) while dealing with trends that could intensify the problem (cheaper RaaS, more offensive AI, and more exposed surfaces via APIs and cloud) if governance and operational gaps aren’t closed.
