Ransomware attacks against oil and gas firms surge



Dive Brief:

  • Manufacturing, information technology and healthcare are top targets of cybercriminals, but ransomware attacks on the oil and gas industry increased dramatically between April 2024 and April 2025, spiking 935%, according to a new report from cybersecurity firm Zscaler.
  • Oil and gas companies may be facing more attacks because their industrial control systems are increasingly automated and digitized, “expanding the sector’s attack surface,” Zscaler said.
  • Half of all ransomware attacks listed on leak sites during the April-to-April survey period targeted the United States, and attacks on U.S. targets more than doubled, to 3,671, a figure that exceeds the combined number of ransomware events in the 14 other countries on the top-15 list.

Dive Insight:

Zscaler’s report, based on its own data and its analysis of leak sites, provides a window into the ransomware ecosystem, including the most active groups and the dominant strategies.

The volume of data that ransomware actors stole from victims from April 2024 to April 2025 represented a 92% increase over the amount stolen during the prior year, rising to 238 terabytes. “This emphasis on data theft — and the threat of exposure — allows attackers to exert greater pressure on victims,” Zscaler said, “amplifying the impact of ransomware on organizations globally.”

Zscaler’s report is the latest in a series of research findings to identify a significant shift by ransomware actors from traditional encryption-only attacks to data extortion. According to the report, public cases of extortion increased by 70% year over year, while the volume of data extorted in attacks using 10 major ransomware families increased by nearly 93%, to almost 250 terabytes.

The three most active groups were RansomHub (833 victims), Akira (520 victims) and Clop (488 victims). The latter two rose in the rankings from the prior year, with Akira gaining strength through its affiliate model and its relationships with initial access brokers, Zscaler said. Meanwhile, Clop has found success targeting widely used but vulnerable third-party software to conduct supply-chain attacks.

But those titans of the cybercriminal underground are far from alone, according to the report. Zscaler said that 34 new ransomware groups sprang up during the survey period, bringing the total number tracked by the company to 425.

Ransomware campaigns disproportionately exploited a handful of major software vulnerabilities, according to the report, including flaws in SonicWall and Fortinet VPNs, Veeam backup software, VMware hypervisors and SimpleHelp remote-access tools. Not only are these technologies pervasive across enterprises, Zscaler said, but they are also “internet-facing applications that can be discovered through basic scanning techniques.”


