Ransomware operations are increasingly relying on extortion rather than encryption, according to a new report from Zscaler ThreatLabz. Ten prominent groups stole twice as much data in the past year as they did previously, threatening to publish the information or sell it on. The number of attack attempts also increased by a staggering 146 percent.
The cyber attackers’ new modus operandi appears to be more effective than the method it replaced. Organizations fear the publication of sensitive information far more than the temporary loss of access to systems. It’s easy to see why: with a good backup (which ransomware attackers cannot delete), data can be recovered, but once data has been leaked, the genie is out of the bottle.
Most affected sectors
The Zscaler ThreatLabz Ransomware Report for 2025 also breaks down the attacks by sector. The manufacturing industry was hardest hit with 1,063 attacks, followed by the technology sector (922) and healthcare (672). Also noteworthy is the explosive growth in the oil and gas industry, where 900 percent more attacks were measured in the year under review than in the previous twelve months. Zscaler explains that critical infrastructure such as this is increasingly automation-based, leaving more systems vulnerable to compromise. This sector often presents a large target, as the report mentions an abundance of outdated security practices.
Half of all ransomware attacks worldwide take place in the United States. We have previously reported on large-scale campaigns against certain industries, with US companies being the main targets.
New players dominate the landscape
RansomHub tops the Zscaler ThreatLabz ranking with 833 publicly disclosed victims. Akira and Clop were big climbers, with 520 and 488 victims respectively. Clop stands out for its focus on supply chain attacks via vulnerabilities in widely used third-party software.
According to the Zscaler study, 34 new ransomware families appeared last year. The total number of families tracked has now reached 425. So there is no shortage of cybercrime biodiversity.
Zero Trust as the answer
“Ransomware tactics continue to evolve, with the growing shift toward extortion over encryption being a clear example,” said Deepen Desai, EVP Cybersecurity at Zscaler. “GenAI is also increasingly becoming part of the playbook of ransomware attackers.”
Zscaler emphasizes that ransomware thrives in environments with fragmented security and limited visibility. Its Zero Trust Exchange platform aims to protect organizations by minimizing the attack surface, eliminating lateral movement, and blocking data exfiltration.