Ransomware Attacks Surge Across Critical Sectors, Fueled by AI and Automation A new report from Zscaler’s ThreatLabz reveals a sharp escalation in ransomware attacks, with manufacturing, technology, and healthcare remaining the most targeted industries sectors where disruption yields maximum leverage for cybercriminals. The oil and gas industry saw an alarming 935.3% year-over-year increase in attacks, driven by growing automation in infrastructure and outdated security practices that expose critical systems. Healthcare, a long-standing favorite for ransomware operators, experienced a 115.4% rise in attacks, with research from Michigan State, Yale, and Johns Hopkins universities identifying ransomware as a leading cause of data breaches in the sector. The Interlock ransomware gang was linked to recent high-profile attacks on major healthcare organizations, underscoring the sector’s vulnerability. Public extortion tactics surged, with leak site postings increasing by 70.1% as attackers prioritize reputational and regulatory damage over encryption alone. The top 10 ransomware families exfiltrated 238.5 terabytes of data in the past year a 92.7% increase highlighting data theft as a core extortion strategy. Geographically, the U.S. bore the brunt of attacks, accounting for 50.8% of global incidents, with 3,671 recorded attacks more than the combined total of the next 14 most-targeted countries. Canada saw a 194.5% spike, reflecting threat actors’ expanding focus on North America’s vulnerable sectors. The Canadian Centre for Cyber Security’s latest assessment names ransomware as the top cybercrime threat to the nation’s critical infrastructure. RansomHub emerged as the most prolific group, claiming 833 victims before abruptly ceasing operations in April 2025. Akira (520 victims) and Clop (488 victims) also ranked among the most active, with Clop leveraging supply chain attacks to maximize impact. The ransomware ecosystem remains volatile, with 34 new families identified in the past year, bringing the total tracked to 425. Many groups rebrand or resurface under new names to evade sanctions or fill gaps left by disbanded operations. Despite the surge in attacks, law enforcement has made progress in disrupting ransomware infrastructure. Operation Endgame, a global initiative supported by Zscaler, recently dismantled DanaBot, a modular malware-as-a-service platform linked to multiple ransomware groups. Previous operations in 2024 targeted malware families like SmokeLoader, IcedID, and Pikabot, demonstrating the impact of coordinated public-private efforts. Generative AI is amplifying ransomware threats, enabling attackers to automate phishing lures, malware development, and data extraction. Vishing (voice-based phishing) is increasingly integrated into attacks, with AI-generated audio making scams more convincing. Zscaler predicts that in 2026, AI will further refine multi-phase extortion campaigns, while precision social engineering using platforms like LinkedIn to target privileged users will intensify. Data theft will remain the primary extortion tactic, with groups like Clop and BianLian shifting away from encryption as organizations improve recovery defenses. Leaked ransomware tools and source code are also fueling a wave of low-effort, high-impact attacks, enabling new groups to quickly adapt and evade detection. Meanwhile, the ransomware-as-a-service model continues to drive instability, with affiliates frequently rebranding or switching groups in response to law enforcement pressure.

Michigan State University fell victim to the Netwalker ransomware group and the group also gave them a deadline to pay ransomware attackers under the threat that they will leak the files stolen from the institution’s network to the public. The group also posted images with directories, a passport scan, and two financial documents allegedly stolen from the university’s network as proof. The researchers also discovered individual samples of the Zeppelin Windows ransomware and the Smaug Linux ransomware as well in the systems.

The Michigan State University was breached by cybercriminals who attempted to blackmail the institution by attempting to profit from the hacking of a database that held 400,000 records of students and employees. An unauthorised entity gained access to one of the organization's servers, according to Michigan State University, which reported a data breach. There were names, social security numbers, and MSU identifying numbers of some current and past students and staff members in the database, which held over 400,000 information. Passwords, financial, educational, contact, or health information were not included. Upon finding the intrusion, the institution stated it immediately pulled the impacted database down and ascertained that the hackers had only seen 449 documents out of the total.

The youthful cybercriminal Mys7erioN declared that he had breached the database of Michigan State University, a US organisation. The exposed information includes names, logins, phone numbers, published emails, and encrypted passwords, was made public on Pastebin by Mys7erioN as evidence of the hack. There appears to be an updated user list in one of the tables, gelstaff_mp2016. Additionally, the hacker posted the data—roughly 500 login credentials and 222 personal details—on Pastebin. The hacker found a SQL injection vulnerability in Michigan State University's systems while browsing many websites.