At Black Hat USA 2025, Deepen Desai, EVP of Cybersecurity at Zscaler, joins theCUBE’s Jackie McGuire to unpack the latest insights from Zscaler’s ThreatLabz 2025 Ransomware Report. Desai outlines staggering metrics from the study, including a 146% year-over-year increase in ransomware attacks and 238 terabytes of stolen data, highlighting the shift from encryption-based attacks to pure data exfiltration. He explains how ransomware-as-a-service, initial access brokers and AI-powered social engineering are fueling the surge, making attacks faster, more targeted and harder to detect.
The conversation explores why zero trust must be treated as a journey, not a product, with practical steps for reducing attack surfaces, preventing compromise and containing lateral movement. Desai also details how AI is accelerating both offensive and defensive tactics, and previews his Black Hat session that demonstrates real-world ransomware chains, including AI-driven “help desk” phishing calls. This interview offers actionable takeaways for leaders aiming to strengthen cyber resilience in an era where adversaries innovate at machine speed.
Deepen Desai, Zscaler
>> Hello CUBE community. Welcome back to Black Hat 2025 at the Mandalay Bay in Las Vegas, Nevada. I am your Principal Practice Lead and Security Analyst and favorite media host for theCUBE, Jackie McGuire. I am very lucky to be joined today by Deepen Desai. Your title is EVP-
Deepen Desai
>> EVP, cybersecurity....
Jackie McGuire
>> cybersecurity, make sure I get that right. We're here to talk about your ThreatLabz 2025 Ransomware Report. You showed me some of the figures from it, and they're a little bit staggering. I mean, I think we've been living in ransomware and the whole, since it seems like COVID, this has been a huge thing so you would think that the growth would level out at some point, but that has not been the case. Let's talk about some of the key findings. What surprised you in the report?
Deepen Desai
>> Yeah, so I'll start by sharing the premise on this report. You're right, we've been doing this for five plus years now. This is our annual research report where we take into account things that we're seeing in Zscaler's cloud. This is one of the largest clouds where we're protecting thousands of global customers. Just to give an idea of the scale, we're seeing close to 500 billion transactions daily. We're extracting 500 trillion signals from it and-
Jackie McGuire
>> 500 billion transactions daily.
Deepen Desai
>> Yeah, that's what we're securing for these global enterprises. Now, every year, the team will look into the intel side of the house, the telemetry of what is being blocked in the security cloud. The annual report that you see published will account for attacks that were successfully blocked in the cloud across different stages of the lifecycle, as well as the tracking that the team does in the wild. There are more than 250 prevalent families that the team tracks; some of these are ransomware families as well. And the goal over there is to understand the TTPs that these threat actors are leveraging and publish it, share it with some of the best practices that the organization should follow. That's what the report constitutes. It's telemetry from Zscaler Cloud as well as in-the-wild activity of these attacks that the team is tracking in order to make sure we're evolving the platform to protect these organizations that rely on Zscaler. The key trends, I mean, ransomware as you mentioned, we've been living this since the pandemic and even before, actually. Before the pandemic, we saw WannaCry, NotPetya. Those names made it like, "Okay, this is a big problem."
But then there were multiple trends that we saw. Initially they were encrypting files, then they started encrypting and exfiltrating data. So that's what we used to call double extortion. More recently, and this is something that we've been observing for the last couple of years now, ransomware families are not doing encryption, so they're just exfiltrating data, and that's one of the key trends that we highlighted in this year's report as well. They're not just exfiltrating small amounts of data, they're exfiltrating large volumes of data. We saw a big spike in that as well. The report highlights 238 terabytes of data stolen from these enterprises that were successfully attacked by these ransomware operators. The volume of attacks also went up. We saw about a 146% year-over-year increase in the number of ransomware attacks that were seen against these organizations that we blocked in the Zscaler cloud.
Jackie McGuire
>> What do you think causes that increase? Do you think it's that AI and those types of tools are making it more accessible to people? Do you think that because it's become a very profitable industry, more people are getting into it? What do you think is behind this incredible increase?
Deepen Desai
>> All the things that you mentioned actually.
Jackie McGuire
>> All of the above?
Deepen Desai
>> Yes, all of the above. Look, it's a business operation. They are going through their own level of transformation as well, and I'll mention a couple of points over there, but there are multiple things. One is yes, it's very, very lucrative. I mean, every successful ransomware attack that these guys are able to carry out, the ransom amount is worth it for them to go through the entire lifecycle. There is also this ransomware-as-a-service infrastructure play where there are experts that are very good at infiltrating an organization. We call them initial access broker groups, so Scattered Spider is an example, there are multiple others. Their goal is just to get inside the organization, establish that foothold, and then they will rent ransomware-as-a-service infrastructure from these ransomware operators in order to carry out very sophisticated ransomware attacks at scale. They don't need to be an expert at doing what a typical ransomware-
Jackie McGuire
>> You can just go buy a login on the dark web, buy ransomware, and then deploy it, and you really don't need to have any level of hacking skills to do this, right?
Deepen Desai
>> Yes.
Jackie McGuire
>> It's terrifying to think about, and this has been a theme over the last six months since I've been writing, is attackers aren't breaking in, they don't have to. They're just buying your credentials on the dark web, they're already out there. You might not want to think this, but many of your employees use the same password at work that they do on their personal devices, and so when one of those info stealers takes that, it's pretty easy to get somebody's credentials.
Deepen Desai
>> You're right, stolen credentials are important, but they're definitely taking it further using AI, which you mentioned as well. An example that I plan to demo in one of my talks over here at Black Hat as well is they will identify five to six privileged employees at an organization. They will then spam them with email saying, "Hey, there was an unusual login activity," with the intent of phishing for their account credentials. But then within five minutes of those emails going out, they will get a call from an AI help desk. So this is a cloned help desk that is calling the employee saying, "Hey, there was an unusual activity. You must have received this email. Do A, B, and C," and that makes it very, very difficult for these employees to distinguish between, okay, is this real? I mean, security awareness training at that point is very, very important, and it needs to be updated. And then also prioritizing a zero trust framework becomes very important because you need to assume that that employee may make a mistake and that identity may get compromised, that asset may get compromised. What's the security from that point onward? That's where the zero trust piece comes in.
Jackie McGuire
>> Yeah, I know when I was talking with Jay at Zenith, he was saying, "You just have to assume you've been compromised," because you have, and the dwell times have gone from a couple of months to over a year. Hackers are patient, they'll breach you and they'll just wait. They'll wait for an opportunity. Let's talk about zero trust a little bit. When we're thinking about all of these crazy spikes and successful attacks and the amount of data, what's the low-hanging fruit there, the first couple of things that you typically think you need to address?
Deepen Desai
>> Yeah, so look, when I talk to my CXO peers, I always use the four critical stages of the attack when they're planning their zero trust journey. Zero trust has become a buzzword that many of the vendors are abusing. But at a fundamental level, there are three principles. One is never trust, always verify. That's where the identity piece comes in, the posture piece comes in. Least privilege access as the access control, adaptive access control, which is risk-based, very, very important. And third is assume breach, which is where the assume compromise fundamental comes in. Now, with those three principles in mind, you should look at four stages. One is reduce your external attack surface. What can you do to reduce the number of opportunities that these bad guys will have? Whether it is one of the assets that is exposed and may be targeted for a vulnerability in it, or second is of course those VPN appliances. Legacy architecture that threat actors are increasingly targeting using zero-day attacks, so reducing that external attack surface becomes important. Number two is preventing compromise. This is where applying consistent security controls no matter where your users or assets are, whether the user is traveling, whether the user is in the office, is very important. Number three is eliminating the lateral propagation phase. So this is, when I say assume breach, what we mean by that is I would tell the CXO that I'm talking to, if your laptop were to get compromised, what all is exposed from that point onward. So making sure you have truly implemented zero trust architecture with segmentation where you're not bringing users on the same network as the crown jewel application. Very, very important. So containing that blast radius using segmentation is important. And then the last thing is everyone is after your data. You're seeing that even in the case of ransomware, they don't need to encrypt your files. They don't need to cause business disruption. They just need to steal your data, and even then their chance of getting a successful ransom payment has gone up.
Jackie McGuire
>> Really? It's interesting because I think we had seen that trend go the other direction for a little while where companies were not paying ransom anymore because their cyber risk insurance companies were telling them not to, so is this flipping the other direction now? That's really interesting.
Deepen Desai
>> Well, the trend on ransomware operators moving away from encryption to exfiltration is definitely increasing. The trend on whether to pay or not to pay, it's always mixed.
Jackie McGuire
>> Yeah.
Deepen Desai
>> But I mean we saw 70% more victims year over year this time just by looking at those leak sites. And to give you an example, there was this healthcare company that decided not to pay ransom, I'm not trying to advocate for-
Jackie McGuire
>> You're not advocating one way or the other....
Deepen Desai
>> one way or the other.
Jackie McGuire
>> We're not telling you, we're not giving you insurance advice or ransomware advice.
Deepen Desai
>> Exactly. They didn't pay the ransom, but then they were hit with multiple lawsuits, compliance violations, and they ended up paying probably five times more than the original ransom demand. And then ransomware operators will use these types of public cases to then convince.
Jackie McGuire
>> Put pressure on other people, yeah.
Deepen Desai
>> "Hey, if you don't do this, look at what these guys suffered that didn't pay ransom." So that area, you are going to see more and more of this. And AI is playing a role across different stages of the attack, whether it's that initial compromise where they will do things that I mentioned, making AI do that phone call, or doing internal recon, or doing data exfiltration. So they're able to move fast if they want to, or if they want to just sit in the environment, observe for the right opportunity, they can do that as well.
Jackie McGuire
>> I want to plug here, and I talked to Jay about this, I think we talked about this at RSA, zero trust is not a product, it's not a solution, it's not a patch. It's a process. I always say that I think the zero in zero trust is overwhelming because I think people think that means you're supposed to get to zero vulnerabilities or zero chance and no, it's just the whole never trust, always verify, and we need to emphasize that this is a journey that you're going to be on, because especially right now with things like non-human identities and all of these crazy different, they're not quite humans, but they're not quite machines and they're doing probabilistic things instead of deterministic things. Zero trust is going to have to continue to evolve with you, and you're going to have to continue to evolve with it as things rapidly change. I just want to PSA, because I think that there's sometimes other vendors, and you guys are great about this, but other zero trust vendors will be like, "You just need zero trust and then all your problems are solved, but no lateral movement. You'll be able to keep up with everything," and it's just not the case, right?
Deepen Desai
>> You said it nicely, zero trust is a process. It's a journey. And you need to go through those phases that I described earlier as well. And it is increasingly more important, especially in this day and age where you're going to see those agents being leveraged by threat actors. They don't sleep. They're working 24/7, and they're able to take those attack paths that human adversaries won't, so there's a lot of unknown unknowns that we're going to run into when we see these agents trying to go after it. And look, the good guys are also going to leverage the same technology to protect themselves, so it will definitely be an interesting next few years on this.
Jackie McGuire
>> Yeah, I gave a talk on the benefits and drawbacks of AI and security, and it was literally identical on each column. It was like accelerated pace of innovation, and on the drawbacks it was like attackers have all of these things too. Well, I want to plug you doing a couple things here. I know you have a talk or two that you're giving, so tell us about what you're doing at Black Hat.
Deepen Desai
>> Yeah, so I'll be giving a talk on the ransomware report. We will actually be diving deep into the prevalent ransomware families that we saw and their tactics. We will be doing a demo of the attack chain that I mentioned where there's an AI-based help desk making a phone call. It's a slide-based walkthrough, but it showcases multiple tactics that we have seen several ransomware operators leverage successfully in conducting their attacks over the last couple of years.
Jackie McGuire
>> Yeah.
Deepen Desai
>> And then of course, we'll end the talk by giving real-world advice that we've seen work very well in defending against these types of tactics, the attacks that we're seeing out there.
Jackie McGuire
>> I love that because I think there's a lot of fun, right? A lot of vendors, but to actually see this is what really happened, this is what you can really do to prevent it, that's fantastic. Deepen, thank you so much for joining us. Really appreciate it, it was a fantastic conversation. I am sure we'll have you back again. Really timely information for people.
Deepen Desai
>> Thank you for inviting me, I really enjoyed it. Thank you.
Jackie McGuire
>> Thank you. And thank you for tuning in. From Las Vegas, Nevada, Black Hat 2025, this is Jackie McGuire. Stay tuned, we will be back with lots more interviews, updates, and fantastic guests. Thanks.