Ransomware stays one of the persistent threats going through enterprises and public sector organizations. The most recent analysis from ThreatLabz confirms that assaults usually are not solely rising in quantity, but in addition shifting towards extra focused, data-driven extortion techniques.
The newly launched Zscaler ThreatLabz 2025 Ransomware Report examines year-over-year spikes in ransomware exercise blocked by the Zscaler cloud and a big rise in public extortion instances. Collectively, these findings level to a vital actuality: immediately’s ransomware risk panorama calls for a brand new stage of operational vigilance and a basically completely different safety structure than conventional safety fashions present.
This weblog put up highlights choose insights from the report. For the complete evaluation—together with assault developments, risk actor profiles, and safety steering—obtain the ThreatLabz 2025 Ransomware Report.
5 key ransomware findings
ThreatLabz researchers analyzed ransomware exercise from April 2024 to April 2025, taking a look at public information leak websites, Zscaler’s proprietary risk intelligence, ransomware samples, assault information, and telemetry from the Zscaler Zero Belief Alternate. Listed below are 5 essential takeaways from this 12 months’s report:
1. Ransomware assaults skyrocketed 145.9% year-over-year: This dramatic development makes it clear that attackers are scaling campaigns quicker than ever, with Zscaler blocking an unprecedented variety of ransomware assaults over the previous 12 months.
2. Public extortion instances elevated 70.1%: Way more organizations have been listed on ransomware leak websites year-over-year as attackers escalate strain techniques.
3. Knowledge exfiltration volumes surged 92.7%: ThreatLabz analyzed 10 main ransomware households, uncovering a complete of 238.5 TB of information exfiltrated—proof that information theft is fueling extortion campaigns.
4. Important industries proceed to be prime targets: Manufacturing, Know-how, and Healthcare skilled the very best variety of ransomware assaults, whereas sectors like Oil & Fuel (+935%) and Authorities (+235%) noticed notable year-over-year spikes.
Zscaler
5. Ransomware teams are evolving quick: Established households like RansomHub, Clop, and Akira remained dominant, whereas 34 new teams emerged as recognized by ThreatLabz—together with rebrands or offshoots of defunct teams and new teams trying to fill the void left by takedowns or different disruptions. Collectively, they mirror a dynamic, fast-moving ransomware ecosystem the place risk actors frequently adapt.
Now trending: extortion over encryption, GenAI utilization, and strategic targets
The ThreatLabz 2025 Ransomware Report covers a number of defining developments in how ransomware assaults are executed immediately:
- In lots of instances, information extortion is the precedence. Some attackers are skipping file encryption altogether, opting to steal delicate information and use the specter of public publicity through leak websites. These campaigns hook onto the specter of reputational injury, regulatory violations, and lack of mental property to strain victims to pay even when their information isn’t encrypted.
- Generative AI is accelerating ransomware operations. ThreatLabz uncovered proof of how one infamous risk group used ChatGPT to assist the execution of its assaults. GenAI allows attackers to automate key duties and write code to streamline operations and enhance their assaults’ effectiveness.
- Concentrating on is extra personalised. Ransomware risk actors have largely shifted away from conventional large-scale spam campaigns which are opportunistic in favor of extra tailor-made assaults that impersonate IT employees to focus on staff with privileged entry.
Read the full report for deeper insights into these developments.
Ransomware teams behind the surge
The report additionally affords an in depth take a look at risk teams driving the current escalation in assaults. Among the many most prolific over the previous 12 months have been RansomHub, Clop, and Akira, liable for a big share of leak web site victims.
ThreatLabz researchers additionally recognized the highest 5 ransomware teams to observe over the subsequent 12 months—households that exemplify how ransomware is changing into extra scalable and targeted on extortion outcomes.
Ways fluctuate broadly throughout teams. ThreatLabz noticed methods akin to:
- Stealthy information theft that avoids disrupting enterprise continuity
- Affiliate-driven Ransomware-as-a-Service campaigns utilizing shared infrastructure, instruments, and providers
- Ransom calls for that exploit regulatory violations to accentuate strain on victims
Vulnerabilities stay the straightforward manner in
A continuing and defining theme in ransomware assaults is the position of vulnerabilities as direct pathways to preliminary compromise. Extensively-used enterprise applied sciences—together with VPNs, file switch functions, distant entry instruments, virtualization software program, and backup platforms—proceed to be weaponized by ransomware operators.
The report particulars examples of a number of main vulnerabilities exploited in ransomware campaigns over the previous 12 months. Typically, attackers gained preliminary entry by means of easy scanning and automatic exploitation of internet-connected programs. This reinforces a tough reality: conventional defenses like firewalls and VPNs go away an excessive amount of uncovered, creating ideally suited situations for lateral motion, information theft, and ransomware deployment.
Zero belief: the usual for stopping ransomware
As ransomware teams proceed to evolve their playbooks—focusing on delicate information and exploiting reputational and regulatory strain to strengthen their extortion leverage—defending towards these assaults requires a complete, proactive method. That is precisely what a zero belief structure delivers, eliminating the very situations ransomware risk actors depend on: discoverable infrastructure, overly permissive entry, and uninspected information flows.
The Zscaler Zero Trust Exchange delivers safety at each stage of the ransomware assault chain, together with:
- Decrease publicity: The Zero Belief Alternate makes customers, units, and functions invisible from the web—no public IPs, no uncovered networks. This eliminates the assault floor through the earliest reconnaissance section and dramatically reduces danger.
- Stop preliminary compromise: Inline inspection of all visitors, together with encrypted TLS/SSL visitors, at scale stops threats earlier than they’ll trigger injury. AI-driven browser isolation and cloud sandboxing add a number of layers of protection to neutralize zero-days and superior threats—powered by superior risk intelligence from ThreatLabz.
- Get rid of lateral motion: App-to-app and user-to-app segmentation enforces least-privilege entry and eliminates the community from the equation, eradicating the paths ransomware operators depend on to unfold. Built-in deception know-how additional disrupts assaults with decoys and false consumer paths.
- Block information exfiltration: Since immediately’s ransomware teams are simply as (if no more) targeted on stealing delicate information as encrypting it, Zscaler’s unmatched inspection, AI-powered information classification, inline information loss prevention (DLP), and browser isolation are important to stop unauthorized information transfers and guarantee delicate information by no means leaves the group.
With a zero belief structure in place, organizations can management what customers entry, how information strikes, and the way assets are protected—successfully shutting down the pathways ransomware relies on and lowering danger at each stage of an assault.
Obtain the report—keep knowledgeable and ready
The ThreatLabz 2025 Ransomware Report offers you the most recent, data-backed view into the evolving ransomware panorama. Past the findings coated on this weblog put up, the complete report explores essentially the most focused nations, gives front-line intelligence on different notable risk actor developments, and explains how ThreatLabz is supporting broader efforts to show the tide towards ransomware. It additionally outlines extra detailed steering to assist strengthen defenses and construct resilience towards immediately’s ransomware threats.
Join our webinar this Tuesday, August 5 (EMEA, APAC) for a deeper dive and first-hand insights: ThreatLabz 2025 Ransomware Report: What’s Behind the Latest Surge in Attacks.
Get your copy of the complete report immediately to remain knowledgeable and ready with the most recent ransomware risk analysis.
