Ransomware attacks have entered a new phase in 2025—one defined by more targeted campaigns, extortion, and leverage. Recent research from Zscaler ThreatLabz revealed that ransomware operators are increasingly skipping file encryption and going straight for the data. With sensitive information in hand, they apply extortion pressure on their targets, especially those sectors where trust, compliance, and continuity are critical.

It follows that government agencies, healthcare providers, and educational institutions were among the sectors that experienced the highest volumes of ransomware worldwide over the past year.

This blog post summarizes those findings and why ransomware threats continue to manifest across government, healthcare, and education. For the full analysis, download the Zscaler ThreatLabz 2025 Ransomware Report.

Why public sector organizations are prime ransomware targets

Threat actors are prioritizing industries where the pressure to pay is high—and the public sector checks all the boxes:

- Regulatory leverage: Many public sector entities fall under strict privacy and compliance mandates (HIPAA, GDPR, etc.). Threat actors exploit the risk of regulatory penalties to increase ransom pressure.
- Public trust and scrutiny: Government agencies, healthcare providers, and schools rely on public confidence. A breach can lead to reputational damage, political fallout, and community backlash.
- Operational urgency: From health services to election infrastructure, public sector organizations often provide essential services that, if disrupted, can create national headlines and quick payouts.
- Resource constraints: Many public agencies and institutions operate with limited IT staff and outdated infrastructure, making them more vulnerable to sophisticated attacks.

These dynamics make public sector organizations ideal targets for ransomware campaigns driven by extortion, not just disruption.

Government faced triple-digit surge in attacks

In the past year, ransomware attacks against government entities more than tripled—from 95 incidents from April 2023–April 2024 to 322 from April 2024–April 2025, establishing government as the ninth-most targeted sector and marking a 235.4% year-over-year spike.

Key factors fueling this surge include:

- Government networks often store vast volumes of sensitive personal, financial, and operational data.
- Agencies oversee essential services, from elections to utilities, making them appealing targets for attackers aiming to gain leverage or cause disruption.
- Nation-state-backed groups and cybercriminal affiliates are increasingly focusing on political institutions amid rising global tensions or election years.

Governments aren’t just under siege; they’re also being forced into action. In the United States, New York State now mandates that local governments report cyber incidents within 72 hours and disclose ransom payments within 24 hours. Internationally, the United Kingdom is moving toward banning public sector ransom payments entirely, signaling a global policy shift toward proactive and transparent cybersecurity governance.

Healthcare ranked third in ransomware incidents

Healthcare remains one of the most consistently and aggressively targeted industries, with ransomware attacks jumping 115.4% year-over-year, up to 672 victims listed on data leak sites between April 2024–April 2025.

Public, private and defense healthcare organizations are uniquely vulnerable for several reasons:

- Patient data is incredibly sensitive—and incredibly valuable.
- Regulatory frameworks like HIPAA carry steep penalties for data breaches—a pressure point that ransomware operators actively exploit to increase extortion leverage.
- Operational downtime can have immediate, real-world consequences, including delayed treatments and compromised patient safety.

ThreatLabz found that ransomware groups increasingly use a new playbook with a “steal first” modus operandi. One group, Interlock, exemplifies this shift and has been linked to several healthcare breaches. Known for stealing massive volumes of data—often in the terabyte range—and explicitly referencing regulatory frameworks in ransom demands to push victims into paying, in just nine months, Interlock:

- Stole 73.5 TB of data across sectors
- Exfiltrated 5+ terabytes from one healthcare victim that ultimately paid over $2.5 million in ransom

With regulatory exposure, patient safety, and public trust all on the line, healthcare continues to face some of the highest stakes in the ransomware landscape.

Education saw steady ransomware activity

While the education sector experienced a more modest increase in attacks—up 25.8% year-over-year, with 273 victims listed on data leak sites between April 2024–April 2025—it remains a top 10 target and a focal point for ransomware groups.

The education sector is tied to longstanding risk factors that include:

- Schools and universities manage extensive databases of student records, PII, and research data, which are attractive to data-focused ransomware groups.
- Ongoing digital transformation and use of cloud platforms and connected devices has expanded the attack surface significantly.
- Resource and staffing limitations leave many schools without the defenses needed to detect, prevent, and respond to advanced threats.

As ransomware tactics evolve, educational environments may be increasingly susceptible to targeted phishing and social engineering campaigns—particularly those aimed at faculty or administrators with privileged access. GenAI further amplifies this risk by enabling attackers to craft more convincing lures.

How the public sector can strengthen ransomware defenses

The scale and sophistication of ransomware threats in 2025 demand immediate and strategic action:

- Implement a zero trust architecture: Eliminate implicit trust and enforce least-privileged access across users, devices, and workloads.
- Inspect all traffic, including encrypted: Real-time TLS/SSL inspection is essential, as many ransomware payloads and C2 channels are hidden in encrypted traffic.
- Prioritize data protection: Implement strong preventive controls such as data loss prevention (DLP) policies, but also assume that data exfiltration may occur and establish response playbooks accordingly.
- Leverage Generative AI for defense: Use GenAI-powered tools to detect patterns, analyze behavior anomalies, and respond to threats with greater speed and precision, staying ahead of attackers who are also using GenAI to craft more sophisticated campaigns.

Get our full ransomware prevention guidance and best practices checklist in the report.

The public sector is among many facing an inflection point in the fight against ransomware: attacks are no longer just about locking files—in many cases, they’re focused solely on stealing data and maximizing leverage through public extortion. With generative AI fueling faster, more convincing campaigns and leak sites amplifying the pressure, public sector organizations must be prepared.

The ThreatLabz 2025 Ransomware Report offers deeper insights into attacker tactics, victim data, and how a zero trust architecture mitigates ransomware risk. Download the full report here.

1. https://www.govtech.com/security/new-york-states-local-cybersecurity-reporting-rules-kick-in
2. https://www.weforum.org/stories/2025/08/ransom-payment-and-other-cybersecurity-news/
