Between August 2024 and July 2025, Mexico was the target of 237,000 ransomware attack attempts, according to data from Kaspersky. This figure, based on the blocks detected by its solutions in the country, places Mexico among the countries most affected by this type of threat in Latin America over the past 12 months.
To put this in perspective, the region as a whole recorded over 1.1 million attempts during the same period (around 3,000 per day, or in other words, two attacks per minute). Brazil tops the list with 549,000 attempts, followed by Mexico (237,000), Chile (43,000), Ecuador (37,000), and Colombia (35,000).
Despite how alarming these numbers sound, the report shows a slight 7% decrease compared to the previous period. However, the volume of attacks remains high, making it clear that ransomware continues to be one of the main digital threats for businesses, governments, and users in the region.
At TecnetOne, we understand how easy it is to let your guard down when everything seems to be running smoothly, but with threats like ransomware, that can be a costly mistake. Attacks are not only ongoing, but they’re becoming increasingly sophisticated, which is why we believe it's crucial to stay alert, strengthen defenses, train your team, and continuously review security strategies.
Ransomware Attacks in Mexico: Phobos Weakens, but the Threat Persists
One of the reasons behind the slight decrease in ransomware attacks in Latin America is law enforcement action that partially disrupted the operations of some criminal groups. One of the most significant blows was against Phobos, one of the most active ransomware families in the region: its members were arrested, and more than 100 servers used to launch attacks were seized.
This takedown dismantled part of its infrastructure, though it wasn’t enough to eliminate the threat entirely. Phobos had affected 4.44% of organizations in Latin America, showing just how widespread its reach was.
Despite the drop in numbers, the situation remains delicate. Fabio Assolini, Director of Kaspersky’s Global Research and Analysis Team for Latin America, summed it up well: the outlook continues to be “concerning.”
And for good reason: the region still faces an average of 3,000 attack attempts per day (two per minute) and the effects of ransomware go far beyond a mere scare. This type of attack can disrupt key operations, cause millions in economic losses, and damage the reputation of companies or institutions within hours.
In Mexico’s specific case, the ransomware landscape shows a mix of known families and newer variants. The most frequent detections are related to Blocker (MSIL), accounting for 39.72% of the total, and Blocker (Win32), with 29.11%, followed by Convagent at 10.76%. Despite recent law enforcement efforts, Phobos still appears on the Mexican map, with a 2.38% presence, showing that the threat remains active, though weakened.
Figure: Phobos ransomware ransom note
Industry in Mexico: Ransomware’s Favorite Target
When it comes to ransomware in Mexico, the industrial sector takes the hardest hit. According to recent data, the most targeted sector is process manufacturing, accounting for nearly 23% of all recorded attacks. It’s followed by government entities (13.39%), the retail and wholesale sector (6.16%), and discrete manufacturing (6.06%), among others.
This pattern isn’t unique to Mexico. In fact, Kaspersky notes that in both Brazil and Mexico, the industrial sector is the most affected. In contrast, in countries like Argentina, Chile, or Peru, attacks tend to focus more on government agencies. It’s a clear sign that attackers tailor their targets based on each country’s economic and political landscape.
But ransomware doesn’t come alone. Over the past year, Mexico also recorded more than 411,000 blocked mobile attacks and a worrying increase in fraud related to fake loan apps. This type of malicious application alone accounted for 363,000 attack attempts. In other words, the risks are everywhere: on office computers and on any user’s mobile phone.
And most alarming of all: ransomware doesn’t discriminate by size or sector. Family-owned businesses, hospitals, tech firms, public databases, and even mixed-ownership companies have been affected. Some have had to shut down permanently, while others—especially in the healthcare sector—have faced massive data breaches that compromise not just operations but also public trust.
EDR, XDR, and TecnetProtect: How to Protect Your Business from Ransomware
Given this landscape, at TecnetOne we know that prevention remains the best defense against ransomware. Beyond the numbers, what truly makes a difference is having a well-structured and continuously evolving security strategy.
Here are 7 key actions every company should implement to significantly reduce its exposure to risk:
- Keep your systems up to date: Install security patches and updates on both endpoints and servers to close known vulnerabilities that attackers could exploit.
- Strengthen internal security policies: Establish clear rules for handling sensitive information and ensure all employees are aware of the proper protocols in case of a potential incident.
- Promote a culture of awareness and reporting: Train your team to spot suspicious emails, unusual behavior, or unauthorized access, and encourage the immediate reporting of any signs of risk.
- Implement encrypted and offline backups: Make sure you have encrypted backups stored in offline environments with restricted access. This is crucial for recovering data in the event of a successful attack.
- Adopt EDR and XDR solutions: Basic antivirus software is no longer enough. EDR (Endpoint Detection and Response) and XDR (Extended Detection and Response) solutions provide advanced threat detection, full visibility, and automated response capabilities to contain attacks in real time.
- Protect your environment with TecnetProtect: Our solution, powered by Acronis technology, combines real-time anti-ransomware protection, automated backups, forensic analysis, and instant recovery. It’s a comprehensive tool designed to shield businesses of all sizes from today’s cyberattacks.
- Stay informed about new threats: Looking ahead to 2026, an increase is expected in attacks involving RaaS (Ransomware-as-a-Service), data-stealing malware (stealers), and more sophisticated techniques using blockchain to conceal operations. Staying ahead of these risks will be essential.
With Mexico now established as the country second most affected by ransomware in Latin America, and with the industrial sector in the crosshairs, the challenge is considerable. But with the right tools, ongoing training, and a proactive prevention mindset, organizations can be much better prepared to face any threat.