Ransomware Attacks Surge Across Critical Sectors, Fueled by AI and Automation
A new report from Zscaler’s ThreatLabz reveals a sharp escalation in ransomware attacks, with manufacturing, technology, and healthcare remaining the most targeted industries, sectors where disruption yields maximum leverage for cybercriminals. The oil and gas industry saw an alarming 935.3% year-over-year increase in attacks, driven by growing automation in infrastructure and outdated security practices that expose critical systems.
Healthcare, a long-standing favorite for ransomware operators, experienced a 115.4% rise in attacks, with research from Michigan State, Yale, and Johns Hopkins universities identifying ransomware as a leading cause of data breaches in the sector. The Interlock ransomware gang was linked to recent high-profile attacks on major healthcare organizations, underscoring the sector’s vulnerability.
Public extortion tactics surged, with leak site postings increasing by 70.1% as attackers prioritize reputational and regulatory damage over encryption alone. The top 10 ransomware families exfiltrated 238.5 terabytes of data in the past year, a 92.7% increase, highlighting data theft as a core extortion strategy.
Geographically, the U.S. bore the brunt of attacks, accounting for 50.8% of global incidents, with 3,671 recorded attacks, more than the combined total of the next 14 most-targeted countries. Canada saw a 194.5% spike, reflecting threat actors’ expanding focus on North America’s vulnerable sectors. The Canadian Centre for Cyber Security’s latest assessment names ransomware as the top cybercrime threat to the nation’s critical infrastructure.
RansomHub emerged as the most prolific group, claiming 833 victims before abruptly ceasing operations in April 2025. Akira (520 victims) and Clop (488 victims) also ranked among the most active, with Clop leveraging supply chain attacks to maximize impact. The ransomware ecosystem remains volatile, with 34 new families identified in the past year, bringing the total tracked to 425. Many groups rebrand or resurface under new names to evade sanctions or fill gaps left by disbanded operations.
Despite the surge in attacks, law enforcement has made progress in disrupting ransomware infrastructure. Operation Endgame, a global initiative supported by Zscaler, recently dismantled DanaBot, a modular malware-as-a-service platform linked to multiple ransomware groups. Previous operations in 2024 targeted malware families like SmokeLoader, IcedID, and Pikabot, demonstrating the impact of coordinated public-private efforts.
Generative AI is amplifying ransomware threats, enabling attackers to automate phishing lures, malware development, and data extraction. Vishing (voice-based phishing) is increasingly integrated into attacks, with AI-generated audio making scams more convincing. Zscaler predicts that in 2026, AI will further refine multi-phase extortion campaigns, while precision social engineering, using platforms like LinkedIn to target privileged users, will intensify.
Data theft will remain the primary extortion tactic, with groups like Clop and BianLian shifting away from encryption as organizations improve recovery defenses. Leaked ransomware tools and source code are also fueling a wave of low-effort, high-impact attacks, enabling new groups to quickly adapt and evade detection. Meanwhile, the ransomware-as-a-service model continues to drive instability, with affiliates frequently rebranding or switching groups in response to law enforcement pressure.
Johns Hopkins Applied Physics Laboratory cybersecurity rating report: https://www.rankiteo.com/company/johns-hopkins-university-applied-physics-laboratory
Michigan State University cybersecurity rating report: https://www.rankiteo.com/company/michigan-state-university
Yale School of Medicine cybersecurity rating report: https://www.rankiteo.com/company/yale-university-school-of-medicine
"id": "JOHMICYAL1770890509",
"linkid": "johns-hopkins-university-applied-physics-laboratory, michigan-state-university, yale-university-school-of-medicine",
"type": "Ransomware",
"date": "7/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'industry': ['Manufacturing',
'Technology',
'Healthcare',
'Oil and Gas'],
'location': ['United States', 'Canada', 'Global'],
'type': 'Industry Sectors'}],
'attack_vector': ['Phishing',
'Supply Chain Attacks',
'Vishing (AI-generated audio)',
'Exploitation of Outdated Security Practices'],
'data_breach': {'data_encryption': 'Yes (ransomware strains like Clop, Akira)',
'data_exfiltration': 'Yes (238.5 terabytes exfiltrated)',
'personally_identifiable_information': 'Yes',
'sensitivity_of_data': 'High (healthcare records, critical '
'infrastructure data)',
'type_of_data_compromised': ['Sensitive Data',
'Personally Identifiable '
'Information (PII)']},
'description': 'A new report from Zscaler’s ThreatLabz reveals a sharp '
'escalation in ransomware attacks, with manufacturing, '
'technology, and healthcare remaining the most targeted '
'industries. The oil and gas industry saw a 935.3% '
'year-over-year increase in attacks, driven by growing '
'automation in infrastructure and outdated security practices. '
'Healthcare experienced a 115.4% rise in attacks, with '
'ransomware identified as a leading cause of data breaches. '
'Public extortion tactics surged, with leak site postings '
'increasing by 70.1%. The U.S. accounted for 50.8% of global '
'incidents, with 3,671 recorded attacks. RansomHub, Akira, and '
'Clop were among the most active ransomware groups, with 34 '
'new families identified in the past year. Generative AI is '
'amplifying threats, enabling automated phishing, malware '
'development, and data extraction.',
'impact': {'brand_reputation_impact': 'High (public extortion tactics, leak '
'site postings)',
'data_compromised': '238.5 terabytes of data exfiltrated (92.7% '
'increase)',
'operational_impact': 'Disruption in critical sectors '
'(manufacturing, healthcare, oil and gas)'},
'initial_access_broker': {'data_sold_on_dark_web': 'Yes (leaked ransomware '
'tools, source code)'},
'lessons_learned': 'Ransomware attacks are increasingly fueled by AI and '
'automation, with data theft becoming the primary '
'extortion tactic. Outdated security practices and supply '
'chain vulnerabilities remain critical weaknesses. Law '
'enforcement disruptions (e.g., Operation Endgame) are '
'effective but require sustained public-private '
'collaboration.',
'motivation': ['Financial Gain',
'Data Theft',
'Reputational Damage',
'Regulatory Extortion'],
'post_incident_analysis': {'corrective_actions': ['Operation Endgame (law '
'enforcement disruption of '
'malware platforms like '
'DanaBot)',
'Public-private '
'collaboration to dismantle '
'ransomware infrastructure',
'Enhanced monitoring for '
'AI-driven threats '
'(vishing, automated '
'phishing)'],
'root_causes': ['Outdated security practices in '
'critical infrastructure',
'Supply chain vulnerabilities',
'AI-driven automation of phishing '
'and malware development',
'Lack of zero-trust architecture',
'Insufficient monitoring of dark '
'web for threat intelligence']},
'ransomware': {'data_encryption': 'Yes',
'data_exfiltration': 'Yes (primary extortion tactic)',
'ransomware_strain': ['RansomHub',
'Akira',
'Clop',
'Interlock',
'BianLian']},
'recommendations': ['Enhance security practices in critical sectors (e.g., '
'oil and gas, healthcare).',
'Improve supply chain security to mitigate Clop-like '
'attacks.',
'Leverage AI-driven threat detection to counter automated '
'phishing and vishing.',
'Strengthen incident response plans for ransomware and '
'data exfiltration.',
'Monitor dark web for leaked ransomware tools and '
'rebranded threat actors.',
'Adopt zero-trust architecture and network segmentation '
'to limit lateral movement.'],
'references': [{'source': 'Zscaler ThreatLabz Report'},
{'source': 'Michigan State, Yale, and Johns Hopkins '
'Universities Research'},
{'source': 'Canadian Centre for Cyber Security Assessment'}],
'response': {'law_enforcement_notified': 'Yes (Operation Endgame, global '
'initiative)',
'third_party_assistance': 'Zscaler (ThreatLabz)'},
'threat_actor': ['RansomHub', 'Akira', 'Clop', 'Interlock', 'BianLian'],
'title': 'Ransomware Attacks Surge Across Critical Sectors, Fueled by AI and '
'Automation',
'type': 'Ransomware'}