
New data from Zscaler shows that manufacturing, technology, and healthcare remain the most frequently targeted sectors: high-stakes environments that are ripe for extortion, where disruption gives attackers maximum leverage. Meanwhile, ransomware attacks on the oil and gas industry surged 935.3% year-over-year, likely fueled by a growing reliance on automation across rigs, pipelines, and infrastructure, which inflates the attack surface, combined with outdated security practices that leave critical systems exposed.

“Ransomware has long been a constant in the threat landscape—but how it operates is constantly changing,” Zscaler said in its report titled ‘ThreatLabz 2025 Ransomware Report.’ “Today’s campaigns are more targeted, automated, and efficient, driven in part by the growing use of generative AI, enhancing and accelerating everything from phishing lures to malware development. This evolution has translated into a significant surge in ransomware activity and impact.”

Zscaler noted that healthcare remains one of the most frequently and consistently targeted sectors, with attacks rising steadily by 115.4% year-over-year. According to The HIPAA Journal, researchers at Michigan State University, Yale University, and Johns Hopkins University have found that ransomware is now one of the leading causes of healthcare data breaches. This risk became painfully real for several major healthcare organizations hit by ransomware attacks attributed to the Interlock ransomware gang.

Public extortion cases, where stolen data is posted to leak sites, increased by 70.1%, underscoring that reputational fallout or regulatory blowback now often outweighs the threat of encryption alone. Meanwhile, data theft continues to escalate as a core extortion strategy, as the top 10 ransomware families exfiltrated 238.5 terabytes of data over the past year, a 92.7% year-over-year increase.

Leak site data reveals a clear geographic concentration, with a dominant share of attacks targeting organizations in the U.S. (50.8%), far ahead of countries like Canada (5.2%) and the U.K. (4.6%), reflecting how threat actors continue to prioritize digitally concentrated, high-value economies.

The data shows that ransomware attacks surged worldwide, with each of the top 15 countries by number of ransomware attacks experiencing double- or triple-digit percentage increases. Attacks in the U.S. more than doubled to 3,671, exceeding the combined total of the remaining top 15 most-targeted countries. Canada’s 194.5% increase reinforces how threat actors are expanding across North America, with a growing focus on vulnerable sectors.

The Canadian Centre for Cyber Security’s National Cyber Threat Assessment 2025-2026 names ransomware the top cybercrime threat to the nation’s critical infrastructure, citing escalating attacks on healthcare, industrial, and public sector organizations. 

Several highly active groups continued to dominate the ransomware ecosystem, with RansomHub leading the pack, claiming the highest number of publicly named victims at 833. This positioned the group as the most prolific ransomware operation based on reported activity over the last year. Interestingly, the group ceased operations and disappeared in April 2025.

Additionally, Akira and Clop have both moved up in the ransomware attack rankings since last year. Akira, associated with 520 victims, has steadily expanded its reach through numerous affiliates and initial access brokers. Clop, known for its focus on supply chain attacks, is close behind with 488 victims, reflecting its strategy of compromising widely used third-party software applications to maximize impact.

ThreatLabz identified 34 newly active ransomware families during the analysis period, bringing the total tracked to 425. The ransomware ecosystem remains fluid, with older groups vanishing and new ones emerging, often through strategic rebranding to evade sanctions or fill gaps left by disbanded operations. Affiliates from defunct groups frequently resurface under new banners, carrying over established attack techniques. 

Despite rising ransomware activity, coordinated law enforcement efforts, supported by industry experts like Zscaler ThreatLabz, have made meaningful strides in disrupting major ransomware infrastructure, as demonstrated by Operation Endgame, a global effort to dismantle cybercriminal networks and the malware infrastructure that enables ransomware attacks. Its latest success was the takedown of DanaBot, a sophisticated modular malware-as-a-service platform linked to multiple ransomware groups. This follows a series of 2024 operations that disrupted major malware families, including SmokeLoader, IcedID, SystemBC, Pikabot, and Bumblebee.

Zscaler’s ThreatLabz has supported Operation Endgame for the past two years, contributing intelligence, tools, and technical expertise to help identify campaigns, take down infrastructure, and unmask threat actors. ThreatLabz has also released free detection and remediation tools on GitHub, highlighting how coordinated public-private action remains critical in the fight against ransomware.

Generative AI is becoming a force multiplier for ransomware threat actors, helping to rapidly create phishing lures, write malicious code, automate data extraction, and more. Vishing (voice-based phishing) is increasingly integrated into ransomware attacks as voice scams become more convincing and more effective at gaining initial access.

The Zscaler report provided 2026 ransomware predictions from Zscaler ThreatLabz. It expects that ransomware operations in 2026 will become more sophisticated, with generative AI playing a central role. Threat actors are expected to use AI tools to automate and scale multi-phase extortion campaigns, from crafting phishing lures to analyzing stolen data. As companies hoard sensitive datasets for AI training, these will become high-value targets.

Attackers will intensify precision social engineering tactics, using platforms like LinkedIn and ZoomInfo to identify privileged users, then combining phishing with impersonation, often posing as IT staff in voice-based attacks. Vishing campaigns will be further powered by AI-generated audio, including multilingual voice cloning and scripted calls.

Data theft will remain the primary driver of extortion, as ransomware groups shift away from encryption. Operations led by groups like Clop and BianLian are already focused on exfiltrating vast amounts of data to maximize pressure, especially as more organizations strengthen their recovery defenses.

Furthermore, leaked ransomware source code and builder tools will drive a new wave of low-effort, high-impact attacks. These leaks are already spawning rebranded variants and copycat campaigns, enabling emerging groups to quickly adapt and evade detection.

Law enforcement will widen its focus, not just targeting ransomware operators but also the infrastructure and services that support them. Operations like Endgame show that takedowns of malware distribution platforms are possible at scale.

Meanwhile, the ransomware-as-a-service model will continue to create instability. Affiliates will keep jumping between groups, reusing tools and infrastructure, and rebranding operations in response to law enforcement pressure or better payouts, sustaining a constantly shifting threat landscape.