Ransomware has rapidly escalated from being a financial nuisance to a significant, multi-dimensional threat that jeopardizes the core of our most essential services. Sectors like healthcare, education, and government are particularly vulnerable, where a single attack can cripple critical operations, expose sensitive information, and, in the most severe cases, put lives at risk.

This post summarizes ransomware trends for these critical and essential sectors based on findings from new ransomware research by ThreatLabz: Healthcare, Education & Public Sector Insights: Zscaler ThreatLabz 2024 Ransomware Report.

The alarming rise of ransomware attacksOver the past year, ransomware attacks have surged in frequency and boldness fueled by generative AI advancements. According to ThreatLabz research, global ransomware incidents have seen a significant 17.8% increase, as evidenced by ransomware activity blocked by the Zscaler cloud. Even more concerning is the 57.8% surge in ransomware attacks identified through analysis of malicious data leak sites. This rise in activity includes some of the most audacious ransom demands—and payouts—ever seen. ThreatLabz uncovered a record-setting $75 million ransom payment in 2024, underscoring the escalating financial stakes and evolving tactics behind ransomware attacks.

The healthcare and education industries were among the hardest hit sectors overall between April 2023 and April 2024, with government agencies also experiencing a substantial year-over-year increase in ransomware attacks. Here are five key takeaways and related findings from the ThreatLabz 2024 Ransomware Report.

1. The healthcare sector emerges as the second-most targeted industry by ransomware attacks Healthcare organizations have become a major focus for ransomware threat actors in recent years. Between April 2023 and April 2024, the sector experienced 312 ransomware attacks, making it the second-most heavily targeted industry. The sensitive and critical nature of healthcare data, combined with the sector’s reliance on medical devices and timely access to patient records, render it especially attractive to ransomware threat actors.

Throughout 2023 and 2024, the healthcare sector witnessed severe disruptions due to ransomware, leading to significant operational challenges across the industry. One notable incident involved a healthcare technology provider that paid a staggering $22 million ransom to the BlackCat ransomware group (a.k.a. “ALPHV”). Despite the payment, BlackCat reneged on their agreement, continuing to threaten the provider. This is just one case that demonstrates the growing victimization of the healthcare industry by increasingly ruthless ransomware gangs.

For a deeper understanding of the ongoing ransomware crisis in healthcare, and to learn more about BlackCat—identified as one of the top five ransomware families to watch in 2025—read the ThreatLabz report.

2. Educational institutions face mounting pressure as the fourth-most affected sector by ransomware Between April 2023 and April 2024, educational organizations were hit by 217 ransomware attacks, marking a year-over-year increase of more than 35%. This surge highlights a troubling trend: cybercriminals are progressively targeting schools, colleges, and universities—and their troves of sensitive student data.

The financial stakes for these institutions are enormous. Not only do they face hefty ransom payments, but they also grapple with significant costs associated with data recovery efforts and system restoration. A prime example of this threat, as highlighted in the report, is the Hive ransomware group, which managed to extort over $100 million from school districts and other sectors before being taken down, only to rebrand and resume operations as “Hunters International.”

Several factors contribute to the education sector’s heightened vulnerability, with one of the most critical being limited cybersecurity budgets. However, as ransomware increasingly targets educational institutions, the pressure is mounting to invest in robust security solutions to safeguard against the costly repercussions of ransomware attacks.

3. Government entities see a nearly 50% year-over-year increase in ransomware attacks Despite intensified efforts by governments and law enforcement to disrupt cybercriminal activity over the past year, ransomware threat groups remain persistent. Government organizations experienced 95 ransomware attacks between April 2023 and April 2024.

This 48% year-over-year spike in ransomware attacks is a clear signal that government organizations must strengthen their ransomware protection strategies. As ransomware groups evolve their tactics, it is crucial for all public sector entities to fortify not only their internal networks but also the interconnected digital ecosystems that include third-party contractors. The ThreatLabz 2024 Ransomware Report offers ransomware protection guidance and best practices for the government and public sector to reduce ransomware risks.

4. Organizations contend with a growing threat of falling victim to multiple ransomware attacks in a single yearThe valuable and sensitive data held by healthcare, education, and public sector organizations makes them prime targets for ransomware attacks—as proven by ThreatLabz research. These industries often rely on outdated systems and lack modern security measures, which significantly increases their vulnerability, leading to repeated breaches and extortion attempts.

ThreatLabz has observed a growing trend where an organization has been subject to multiple ransomware incidents within one year. For instance, in February 2023, a major US pharmaceutical distributor suffered a breach that compromised one of its subsidiaries, leading to stolen data leaked by the Lorenz ransomware groups. The same distributor experienced another ransomware attack just a year later, in February 2024.

This pattern underscores the critical importance of ransomware protections. If healthcare, education, and public sector organizations fail to prioritize zero trust security measures for stopping ransomware, they risk becoming ongoing targets for ransomware groups.

5. LockBit remains a formidable ransomware force, posing an ongoing threat to critical sectors As the most active ransomware group during the ThreatLabz report analysis period, LockBit was responsible for 988 attacks. ThreatLabz reports that LockBit’s cybercriminal network has targeted critical sectors including healthcare, has collectively targeted more than 2,000 systems worldwide, and has extorted more than $120 million from victims.

Despite recent disruptions, including the seizure of part of its infrastructure by the FBI and UK law enforcement and the subsequent indictment of a LockBit developer, LockBit has resumed operations and launched new attacks.

ThreatLabz anticipates that while the LockBit brand may eventually be retired due to increased scrutiny, it is likely to reemerge under a new name. Read the report for a deeper dive into LockBit’s tactics and learn why the group will remain a threat to essential sectors in 2025.

Safeguarding healthcare, education, and public sector against ransomwareThe latest findings from the ThreatLabz 2024 Ransomware Report are a wake-up call for healthcare, education, and public sector organizations. These sectors are fundamental to the fabric and functioning of society, yet they are among the most vulnerable to ransomware attacks due to the sensitive data they handle, often outdated systems, and the critical services they provide.

If your organization operates within these essential sectors, now is the time to take decisive action. Reevaluate your current security posture and reinforce your defenses to combat ransomware—starting with the adoption of a zero trust architecture.

Staying ahead of existing and emerging ransomware threats is crucial. Download the Healthcare, Education & Public Sector Insights: Zscaler ThreatLabz 2024 Ransomware Report today for more in-depth analysis of ransomware trends and trajectories and expert guidance on protecting your organization.  

​[#item_full_content] [[{“value”:”Ransomware has rapidly escalated from being a financial nuisance to a significant, multi-dimensional threat that jeopardizes the core of our most essential services. Sectors like healthcare, education, and government are particularly vulnerable, where a single attack can cripple critical operations, expose sensitive information, and, in the most severe cases, put lives at risk.

This post summarizes ransomware trends for these critical and essential sectors based on findings from new ransomware research by ThreatLabz: Healthcare, Education & Public Sector Insights: Zscaler ThreatLabz 2024 Ransomware Report.

The alarming rise of ransomware attacksOver the past year, ransomware attacks have surged in frequency and boldness fueled by generative AI advancements. According to ThreatLabz research, global ransomware incidents have seen a significant 17.8% increase, as evidenced by ransomware activity blocked by the Zscaler cloud. Even more concerning is the 57.8% surge in ransomware attacks identified through analysis of malicious data leak sites. This rise in activity includes some of the most audacious ransom demands—and payouts—ever seen. ThreatLabz uncovered a record-setting $75 million ransom payment in 2024, underscoring the escalating financial stakes and evolving tactics behind ransomware attacks.

The healthcare and education industries were among the hardest hit sectors overall between April 2023 and April 2024, with government agencies also experiencing a substantial year-over-year increase in ransomware attacks. Here are five key takeaways and related findings from the ThreatLabz 2024 Ransomware Report.

1. The healthcare sector emerges as the second-most targeted industry by ransomware attacks Healthcare organizations have become a major focus for ransomware threat actors in recent years. Between April 2023 and April 2024, the sector experienced 312 ransomware attacks, making it the second-most heavily targeted industry. The sensitive and critical nature of healthcare data, combined with the sector’s reliance on medical devices and timely access to patient records, render it especially attractive to ransomware threat actors.

Throughout 2023 and 2024, the healthcare sector witnessed severe disruptions due to ransomware, leading to significant operational challenges across the industry. One notable incident involved a healthcare technology provider that paid a staggering $22 million ransom to the BlackCat ransomware group (a.k.a. “ALPHV”). Despite the payment, BlackCat reneged on their agreement, continuing to threaten the provider. This is just one case that demonstrates the growing victimization of the healthcare industry by increasingly ruthless ransomware gangs.

For a deeper understanding of the ongoing ransomware crisis in healthcare, and to learn more about BlackCat—identified as one of the top five ransomware families to watch in 2025—read the ThreatLabz report.

2. Educational institutions face mounting pressure as the fourth-most affected sector by ransomware Between April 2023 and April 2024, educational organizations were hit by 217 ransomware attacks, marking a year-over-year increase of more than 35%. This surge highlights a troubling trend: cybercriminals are progressively targeting schools, colleges, and universities—and their troves of sensitive student data.

The financial stakes for these institutions are enormous. Not only do they face hefty ransom payments, but they also grapple with significant costs associated with data recovery efforts and system restoration. A prime example of this threat, as highlighted in the report, is the Hive ransomware group, which managed to extort over $100 million from school districts and other sectors before being taken down, only to rebrand and resume operations as “Hunters International.”

Several factors contribute to the education sector’s heightened vulnerability, with one of the most critical being limited cybersecurity budgets. However, as ransomware increasingly targets educational institutions, the pressure is mounting to invest in robust security solutions to safeguard against the costly repercussions of ransomware attacks.

3. Government entities see a nearly 50% year-over-year increase in ransomware attacks Despite intensified efforts by governments and law enforcement to disrupt cybercriminal activity over the past year, ransomware threat groups remain persistent. Government organizations experienced 95 ransomware attacks between April 2023 and April 2024.

This 48% year-over-year spike in ransomware attacks is a clear signal that government organizations must strengthen their ransomware protection strategies. As ransomware groups evolve their tactics, it is crucial for all public sector entities to fortify not only their internal networks but also the interconnected digital ecosystems that include third-party contractors. The ThreatLabz 2024 Ransomware Report offers ransomware protection guidance and best practices for the government and public sector to reduce ransomware risks.

4. Organizations contend with a growing threat of falling victim to multiple ransomware attacks in a single yearThe valuable and sensitive data held by healthcare, education, and public sector organizations makes them prime targets for ransomware attacks—as proven by ThreatLabz research. These industries often rely on outdated systems and lack modern security measures, which significantly increases their vulnerability, leading to repeated breaches and extortion attempts.

ThreatLabz has observed a growing trend where an organization has been subject to multiple ransomware incidents within one year. For instance, in February 2023, a major US pharmaceutical distributor suffered a breach that compromised one of its subsidiaries, leading to stolen data leaked by the Lorenz ransomware groups. The same distributor experienced another ransomware attack just a year later, in February 2024.

This pattern underscores the critical importance of ransomware protections. If healthcare, education, and public sector organizations fail to prioritize zero trust security measures for stopping ransomware, they risk becoming ongoing targets for ransomware groups.

5. LockBit remains a formidable ransomware force, posing an ongoing threat to critical sectors As the most active ransomware group during the ThreatLabz report analysis period, LockBit was responsible for 988 attacks. ThreatLabz reports that LockBit’s cybercriminal network has targeted critical sectors including healthcare, has collectively targeted more than 2,000 systems worldwide, and has extorted more than $120 million from victims.

Despite recent disruptions, including the seizure of part of its infrastructure by the FBI and UK law enforcement and the subsequent indictment of a LockBit developer, LockBit has resumed operations and launched new attacks.

ThreatLabz anticipates that while the LockBit brand may eventually be retired due to increased scrutiny, it is likely to reemerge under a new name. Read the report for a deeper dive into LockBit’s tactics and learn why the group will remain a threat to essential sectors in 2025.

Safeguarding healthcare, education, and public sector against ransomwareThe latest findings from the ThreatLabz 2024 Ransomware Report are a wake-up call for healthcare, education, and public sector organizations. These sectors are fundamental to the fabric and functioning of society, yet they are among the most vulnerable to ransomware attacks due to the sensitive data they handle, often outdated systems, and the critical services they provide.

If your organization operates within these essential sectors, now is the time to take decisive action. Reevaluate your current security posture and reinforce your defenses to combat ransomware—starting with the adoption of a zero trust architecture.

Staying ahead of existing and emerging ransomware threats is crucial. Download the Healthcare, Education & Public Sector Insights: Zscaler ThreatLabz 2024 Ransomware Report today for more in-depth analysis of ransomware trends and trajectories and expert guidance on protecting your organization.”}]]