Cyber threats evolve as technologies and criminal opportunities advance, reshaping the way attackers operate. Nothing stays static. Recently, we have seen changes in the way ransomware cybercriminals operate that demand a reevaluation of defenses to reduce the risk of a damaging attack.
Ransomware has undergone a decades-long transformation, starting with distribution via floppy disks and demands for payment via the mail, but only became a widespread threat once cryptocurrencies allowed for anonymous online payments. Since that time, it has matured, hitting corporate networks and government systems, where encryption and extortion demands soared in scope and sophistication.
The new wave: Escalating volume and shifting tactics
The findings from Zscaler’s latest ransomware research report shine a spotlight on the sheer acceleration of attacks and the shift in how operators are coercing victims. Between April 2024 and April 2025, Zscaler’s cloud services blocked nearly 11 million ransomware attempts—a staggering 146% increase year-over-year and seven times the volume recorded in 2021.
While many attacks are successfully prevented, ransomware operators remain devastatingly effective. Over 7,000 victims globally were identified from dark web-hosted ransomware leak sites last year, with more than half of the victims based in the United States. The 3,671 U.S. incidents mark a twofold increase from the year prior.
This surge in ransomware activity isn’t limited to North America. Each of the top 15 targeted countries saw significant increases, from a 30% rise in Mexico to a 436% increase in Israel, most likely geopolitical targeting.
| Country | Ransomware Attacks (2024 Report) | Ransomware Attacks (2025 Report) | Percentage Increase |
| United States | 1,821 | 3,671 | 101.60% |
| Canada | 128 | 377 | 194.50% |
| United Kingdom | 216 | 333 | 54.20% |
| Germany | 149 | 260 | 74.50% |
| India | 60 | 199 | 231.70% |
| Italy | 118 | 181 | 53.4% |
| France | 119 | 159 | 33.6% |
| Australia | 73 | 152 | 108.2% |
| Brazil | 57 | 149 | 161.4% |
| Spain | 62 | 134 | 116.1% |
Top 10 Countries by Number of Victims and Growth 2024 – 2025.
One of the most striking trends in these attacks is the pivot away from conventional file encryption tactics. Instead, ransomware groups are now focusing on stealing sensitive information—financial records, intellectual property, customer data—and threatening public exposure as leverage to secure hefty payments.
In some cases, criminal groups are no longer encrypting data at all. Now, the real disruption caused by ransomware lies not in the loss of operational functionality, but in the erosion of trust, reputation, and compliance in victim organizations.
The rise of autonomous ransomware operations
Cybersecurity experts have long predicted that AI would significantly aid attackers in their attempts to breach networks. It can assist in reconnaissance of targets, finding vulnerable devices on a network, creating exploit code, and help deliver attacks via tailored phishing emails.
However, a recent discovery by Anthropic, the company behind the Claude AI chatbot, highlights just how far some attackers have come: the use of fully automated, agentic AI tools to carry out large-scale extortion operations with minimal human intervention.
In a blog post, Anthropic reported a cybercriminal leveraged Claude Code, an AI model designed for coding, to orchestrate ransomware attacks that were entirely autonomous. Like other widely available generative AI platforms, Claude Code provides both legitimate benefits and a significant opportunity for misuse.
Seventeen victims across healthcare, emergency services, government offices, and religious institutions were targeted simultaneously. AI handled every stage of the operation, from reconnaissance and credential harvesting to network penetration and determining ransom amounts. This fully automated system even crafted ransom notes with demands for payments up to $500,000 that displayed on victim machines.
The accounts misusing the service were banned following discovery of the attack, but the implications are sobering. Autonomous ransomware allows cybercriminals with limited technical skills to achieve high-impact results, reshaping the landscape of cybercrime. What once required resources, teamwork, and expertise can now be conducted simply with access to generative AI tools. The ability to scale attacks and target multiple organizations concurrently raises the potential for exponential growth in ransomware activity. The hacker abusing Claude Code is unlikely to have stopped their activities, but rather will have simply moved to other tools.
Volume, speed, and impact: The scale of the problem
Let’s break it down: AI has lowered the barriers to entry for ransomware campaigns, enabling attackers to scale operations far beyond what human-driven efforts could manage. Where conventional ransomware operations might require weeks or months of planning and execution for each attack, AI’s capabilities allow operators to target multiple victims simultaneously, with autonomous systems performing both tactical and strategic decision-making. And as technical expertise becomes less critical, the pool of cybercriminals capable of mounting these attacks will grow, including actors who previously lacked the skillsets to conduct them manually.
Organizations of all shapes and sizes are going to have to quickly adapt to this new reality or face repeated compromises.
What it means for cybersecurity leaders
Ransomware defense strategies that worked even a few years ago are insufficient against these new methods of extortion and the scalability made possible by generative AI. Enterprises cannot rely on past experiences to address future threats.
For CIOs, CISOs, and IT leaders, combating ransomware must become a core component of corporate risk management and enterprise resilience. Proactive thinking and a willingness to challenge conventional strategies are imperative to keep pace with attackers.
To defend against the next evolution of ransomware, organizations must reprioritize and refine their security measures:
- Minimize external attack surface: Move to a Zero Trust architecture to better secure digital assets. Identify and mitigate vulnerabilities. Strengthen controls to prevent attackers’ ability to spread deeper within networks.
- Prevent compromise: Combining Zero Trust with AI makes it possible to detect and stop ransomware or malware, including attacks driven by AI, before systems are compromised.
- Eliminate lateral threat movement: Use AI-generated adaptive segmentation to give full visibility into user activity and application traffic and prevent attackers from moving from a compromised endpoint to sensitive assets.
- Prevent data loss: Deploy Zscaler Data Loss Prevention technology to detect and block attempts at data exfiltration. This is especially critical for organizations operating in high-value target sectors.
Emerging stronger from a shifting landscape
The ransomware challenges of 2025 are shaping business risks across industries in ways that can’t be ignored. Enterprises that elevate their defenses, embrace cutting-edge AI-driven solutions, and position cybersecurity as a board-level priority will emerge resilient—not just safeguarding their organizations, but proving their ability to protect operations, safeguard customer trust, and maintain leadership in an increasingly volatile cyber landscape.
To learn more about the latest research into evolving ransomware tactics, download Zscaler’s 2025 Ransomware Report now.
Read More from This Article: Ransomware ain’t what it used to be
Source: News