A sharp rise in ransomware attacks has been recorded across the oil and gas industry, with a staggering 935% increase in incidents between April 2024 and April 2025, according to a new report by cybersecurity firm Zscaler. The surge is attributed to expanding automation in industrial control systems and an evolving threat landscape where attackers are prioritising data theft over traditional encryption.
Critical infrastructure exposed by digital expansion
As oil and gas companies digitise operations and embrace smart technologies, they’re also expanding their attack surface. This shift has not gone unnoticed by cybercriminals. Zscaler’s data shows that attackers are increasingly targeting vulnerabilities in widely used software like Fortinet VPNs, SonicWall, Veeam backup systems, and VMware hypervisors—technologies that remain essential but are often poorly protected.
The United States bore the brunt of the attacks, accounting for 50% of ransomware incidents tracked during the survey period. With 3,671 cases, the U.S. alone saw more attacks than the combined total of the next 14 countries on the list.
Data theft overtakes encryption as preferred strategy
Ransomware groups are evolving beyond traditional methods. Public incidents of data extortion increased 70% year-over-year, and the volume of stolen data jumped by nearly 93% to 238 terabytes. Rather than locking files, attackers now threaten public exposure, increasing pressure on victim organisations to pay ransoms.
The most active groups were RansomHub (833 victims), Akira (520), and Clop (488). Akira’s rise has been linked to its affiliate model and partnerships with initial access brokers, while Clop has focused on exploiting third-party software in supply-chain attacks.
Ransomware ecosystem rapidly diversifying
Zscaler also noted the emergence of 34 new ransomware groups, bringing the total to 425 active groups globally. The increasing diversity of ransomware actors, combined with their use of “internet-facing” applications for discovery, indicates a maturing and persistent threat.
As the oil and gas sector grows more digital, companies must not only protect operational networks but also close visibility gaps that allow AI tools and automation to be exploited without adequate oversight.
