Sign in Subscribe
8 min read cybersecurity

RANSOMWARE TRENDS AND THREAT ACTORS: INTELLIGENCE INSIGHTS FROM THE 2025 ZSCALER THREATLABZ REPORT

RANSOMWARE TRENDS AND THREAT ACTORS: INTELLIGENCE INSIGHTS FROM THE 2025 ZSCALER THREATLABZ REPORT

July 30, 2025

Between April 2024 and April 2025, ransomware activity escalated dramatically, reaching record levels in both frequency and impact. Zscaler’s cloud infrastructure intercepted over 10.8 million ransomware attempts—an unprecedented 145.9% increase year-over-year—marking the sharpest spike observed since tracking began. Simultaneously, public ransomware extortion cases surged by 70.1%, reflecting a decisive pivot toward data theft as the preferred mechanism of coercion.

This operational shift has seen ransomware actors increasingly abandon encryption in favor of data exfiltration, exploiting the reputational, regulatory, and operational risks faced by victim organizations. Data theft volumes rose 92.7% across key ransomware families, with several groups—most notably Hunters International—committing entirely to non-encryption, extortion-only campaigns.

Despite large-scale law enforcement actions, including Operation Endgame, the ransomware ecosystem remained resilient and adaptive. Thirty-four new ransomware groups emerged during the analysis period, while established operations like Clop, Akira, and DragonForce expanded in both scale and sophistication. Generative AI is now playing a tactical role in this evolution, enabling attackers to accelerate phishing, malware development, and automated data processing.

Target selection continues to prioritize high-leverage sectors. Manufacturing, technology, and healthcare remained top targets, while the oil and gas sector experienced an extraordinary 935% increase in attacks. Geographically, the United States accounted for over half of all incidents, though notable growth was observed in India, Israel, and across the Asia-Pacific region.

This report provides in-depth analysis of these developments, profiles dominant and emerging ransomware families, explores the operational methodologies in use, and highlights strategic recommendations for defenders—especially in leveraging AI and Zero Trust architectures to preempt and contain ransomware threats.

This post is for paying subscribers only


Published by:

DANY FARES

You might also like...

12
Dec
Ransomware Escalation in the United States: Insider Threats, Expanding Actor Ecosystem, and Critical Infrastructure Exposure

Ransomware Escalation in the United States: Insider Threats, Expanding Actor Ecosystem, and Critical Infrastructure Exposure

November 18, 2025 The current ransomware landscape in the United States is undergoing a rapid and disruptive shift. Attack volumes
4 min read
12
Dec
Kraken Ransomware: The Calculated Successor to HelloKitty

Kraken Ransomware: The Calculated Successor to HelloKitty

November 13, 2025 The emergence of Kraken ransomware marks a pivotal moment in the evolution of cyber extortion. Rising from
4 min read
06
Dec
Qilin Ransomware: Escalating Attacks on Critical Infrastructure and Finance

Qilin Ransomware: Escalating Attacks on Critical Infrastructure and Finance

November 27, 2025 Ransomware has evolved into one of the most disruptive forms of cybercrime, no longer confined to isolated
5 min read
04
Dec
Geopolitics and Cyber Risks: Allianz Commercial’s Perspective

Geopolitics and Cyber Risks: Allianz Commercial’s Perspective

December 2, 2025 In a rapidly evolving landscape shaped by geopolitical tensions and the complexities of macroeconomic instability, the responsibilities
4 min read
04
Dec
EUROPOL Disrupt 'Cryptomixer,' Seize Millions in Crypto

EUROPOL Disrupt 'Cryptomixer,' Seize Millions in Crypto

December 1, 2025 Multiple European law enforcement agencies disrupted Cryptomixer in Operation Olympia, a service allegedly used by cybercriminals to
2 min read