Ransomware attacks globally are intensifying at an alarming rate, with attempted attacks blocked in the Zscaler cloud up 146% year-over-year. This escalation reflects a strategic shift: ransomware groups are increasingly prioritising data theft and extortion over data encryption, with sensitive data leaked online when victims fail to pay. Accordingly, the report details a 92% increase in the total volume of exfiltrated data by 10 major ransomware groups in the past year, rising from 123 TB to 238 TB. This emphasis on data theft—and the threat of exposure—allows attackers to exert greater pressure on victims, amplifying the impact of ransomware on organisations globally including reputational damage, regulatory fines and an erosion of customer trust.The long-term impact goes beyond just the immediate disruption. It puts an organisation’s reputation, day-to-day operations, and overall strategy at risk. Losing customer trust can hurt a company’s standing and value, while fines from regulators add to the damage. As ransomware attacks become more advanced, businesses must work harder to protect their sensitive data and stay safe.
“The sharp rise in ransomware attacks in Australia reinforces a critical truth that no organisation is immune and no region is off-limits,” said Heng Mok, CISO-in-Residence, Asia Pacific & Japan at Zscaler. “This escalation reflects not just a growing number of adversaries, but the increasing sophistication of their tactics, often powered by GenAI. Leveraging AI tools such as ChatGPT and other dark web variants means that threat actors, regardless of sophistication level, can create more efficient, scalable and automated attacks democratising both the effort and costs of an attack. Now is the moment for businesses and government leaders across ANZ and APAC to reassess their cyber resilience and business aligned cyber strategies. What’s required is a fundamental shift in strategy towards a modern defensible architecture, one that embraces Zero Trust as the new foundation for security.”
Industries Under Siege
In Australia, ransomware activity has surged particularly in the manufacturing, healthcare, and government sectors, closely mirroring global trends. Cybercriminals continue to focus on the high-stakes environments of the Manufacturing (1,063 attacks), Technology (922), and Healthcare (672) sectors, making them the most frequently hit by ransomware over the past year. These industries are particularly vulnerable due to the potential for operational disruption, the sensitivity of stolen data, and the associated risks of reputational damage and regulatory fallout.
The Oil & Gas sector has seen a staggering increase in ransomware attacks, spiking over 900% year-over-year. This surge is likely a result of increased automation of systems that control critical infrastructure, including drilling rigs and pipelines, expanding the sector’s attack surface, coupled with outdated security practices.
Ransomware Operators Focus on Digitally Mature, High-Value Economies
Leak site data highlights a distinct geographic disparity, with victims in the United States accounting for 50% of ransomware attacks, significantly outpacing Canada (5%) and the United Kingdom (4%). Ransomware attacks in the U.S. more than doubled to 3,671, exceeding the combined total number of attacks reported across all other countries in the top 15 most-targeted countries.
Leak site data found that Australia also saw one of the highest year-over-year increase in ransomware incidents, ranking as the 8th most impacted country globally and 2nd in the APAC region rising 110% from 73 to 153 attacks. This surge reflects how threat actors are expanding their focus beyond traditional hotspots to include countries like Australia, where digital transformation, critical infrastructure, and healthcare vulnerabilities are rising in parallel.
Ransomware Groups Driving the Surge
Several highly active groups continued to dominate the ransomware ecosystem, with RansomHub leading the pack, claiming the highest number of publicly named victims globally at 833. Akira and Clop have both moved up in the ransomware attack rankings since last year. Akira, associated with 520 victims, has steadily expanded its reach through numerous affiliates and initial access brokers. Clop, known for its focus on supply chain attacks, is close behind with 488 victims, employing an effective strategy of exploiting vulnerabilities in commonly used third-party software.
Zscaler ThreatLabz identified 34 newly active ransomware families over the past year, bringing the total number tracked to 425 since their research began, and has a public GitHub repository that now hosts 1,018 ransomware notes, with 73 added in the last year.
