Fast Facts
- Ransomware activity against industrial organizations increased to 742 incidents in Q3 2025, with manufacturing comprising 72% of cases, particularly hitting construction, electronics, and food sectors.
- The ransomware ecosystem remains fragmented, dominated by mature RaaS operations like Qilin and emerging low-discipline groups, facilitated by infrastructure reuse, leaks, and AI tools lowering entry barriers.
- New ransomware groups (e.g., Gentlemen, Sinobi) are targeting production-support IT systems through simple tactics such as credential theft and exposed remote services, posing growing industrial risks without direct ICS attacks.
- Future threats are expected to escalate as adversaries focus on IT systems underpinning OT operations, with rising AI-assisted techniques enabling faster, more effective intrusion and extortion campaigns across sectors.
Problem Explained
From July to September 2025, Dragos reported a significant increase in ransomware activity targeting industrial organizations. The firm recorded 742 incidents, up from 708 in the first quarter and 657 in the second. North America remained the most heavily targeted region, especially within manufacturing, which accounted for 72% of all cases. Construction was notably the hardest-hit subsector, with 142 incidents. The report attributes this surge to three key factors: the proliferation of mature Ransomware-as-a-Service (RaaS) operations, the fragmentation of the ransomware ecosystem leading to numerous short-lived, low-discipline groups, and the expansion of identity-centric extortion collectives into enterprise environments supporting manufacturing and logistics.
The story highlights that these attacks largely target IT systems supporting operational workflows, such as enterprise resource planning (ERP) and manufacturing execution systems (MES), rather than directly compromising industrial control systems (ICS). Several groups, notably Qilin and Sinobi, led the activity, exploiting vulnerabilities like exposed remote desktop protocol (RDP) services and compromised third-party credentials to infiltrate companies. While these groups did not cause direct industrial disruptions, their operations created significant risks—potentially leading to delays, shutdowns, or supply chain disruptions. Furthermore, the report notes that the expanding availability of AI-assisted tools has lowered entry barriers, enabling smaller, less sophisticated actors to conduct impactful attacks. Overall, Dragos’s assessment underscores a growing and diversifying threat landscape, emphasizing that the risk to industrial sectors is likely to intensify as adversaries increasingly focus on disrupting IT systems that underpin physical operations.
Critical Concerns
Ransomware attacks are surging across industries, especially hitting manufacturing, which accounts for 72% of Q3 cases. Any business, regardless of size, is vulnerable because hackers target weaknesses in security. If compromised, your operations could halt suddenly, causing costly downtime. Data theft, loss of customer trust, and financial penalties are immediate risks. Furthermore, recovery costs can be overwhelming, draining resources and damaging reputation. Consequently, without robust defenses, your business remains exposed and at serious risk of costly disruptions. As threats grow more relentless, proactive measures become essential to safeguard your future.
Possible Next Steps
In today’s rapidly evolving cyber landscape, prompt action against ransomware threats is essential to safeguard vital industrial operations and prevent catastrophic financial and operational damage. Swift remediation is key to minimizing downtime, reducing data loss, and maintaining stakeholder trust in the face of mounting cyber threats.
Assessment & Detection
- Conduct immediate intrusion detection and analysis
- Identify affected systems and data
Containment
- Isolate infected devices and networks
- Disable affected user accounts and services
Eradication
- Remove ransomware from affected systems using specialized tools
- Patch vulnerabilities exploited during the attack
Recovery
- Restore data from secure backups
- Validate system integrity before bringing services online
Communication
- Inform internal stakeholders and affected parties
- Coordinate with law enforcement and cybersecurity authorities
Prevention
- Update and patch all systems regularly
- Implement strong authentication protocols
- Enhance email security and user awareness training
- Enable multi-factor authentication (MFA)
- Develop and routinely test incident response plans
- Deploy endpoint security solutions with real-time monitoring
- Segment networks to limit the spread of ransomware
Stay Ahead in Cybersecurity
Discover cutting-edge developments in Emerging Tech and industry Insights.
Access world-class cyber research and guidance from IEEE.
Disclaimer: The information provided may not always be accurate or up to date. Please do your own research, as the cybersecurity landscape evolves rapidly. Intended for secondary references purposes only.
Cyberattacks-V1cyberattack-v1-multisource
