Manufacturing most impacted by ransomware in Q1 2025
Today’s ransomware threat actors demonstrate persistent targeting, deliberate operational impacts and strategic approaches, underscoring the heightened risk posed to industrial organisations globally. The first-quarter 2025 industrial ransomware analysis report by Dragos provides deeper insights into these ongoing threats, revealing trends, geographic impacts and sector-specific vulnerabilities identified by the company’s WorldView threat intelligence.
Key findings include:
- Ransomware incidents increased from approximately 600 in Q4 2024 to 708 in Q1 2025.
- Manufacturing was the most impacted sector, representing 68% of incidents. Dragos also observed ransomware activity affecting multiple subsectors within manufacturing, noting that construction, food and beverage, consumer goods and equipment accounted for the highest number of incidents.
- Oceania had 14 incidents (approximately 2% of global ransomware activity) — 13 incidents in Australia and one incident in New Zealand. North America and Europe experienced notable rises in ransomware activity.
- No new ICS-specific ransomware variants were identified in Q1, but major operational disruptions occurred.
- Emerging tactics, techniques and procedures (TTPs) included AI-driven malware, encryption-less extortion, nation-state ransomware convergence and advanced EDR evasion.
- Persistent TTPs featured zero-day vulnerabilities, AI-enhanced phishing, remote access abuse and credential theft.
- Cl0p ransomware incidents surged significantly due to the exploitation of Cleo Managed File Transfer vulnerabilities.
- IT/OT convergence continued to intensify operational impacts.
- Deceptive tactics and unverified claims by ransomware groups complicated defence strategies.
Manufacturing continued to be the most impacted sector, accounting for 480 incidents (68%) in Q1 compared to 424 incidents (70%) in Q4 2024 — with the food and beverage subsector accounting for 16% (75 incidents). Attackers exploited gaps in remote access security, credential management practices and supply chain vulnerabilities, intensifying operational impacts and complicating incident responses.
Dragos said effectively addressing these dynamic threats requires proactive defensive measures complemented by timely detection capabilities. Using detection rules built on robust threat intelligence enables security teams to identify ransomware-related activities early in the attack cycle, mitigating potential operational disruption before threats escalate into significant breaches.
The report recommended that organisations enhance cybersecurity defences by implementing robust multifactor authentication (MFA), stringent monitoring of critical network points, secure offline backups and strengthened remote access management protocols. Comprehensive training programs, regular reviews of network architectures and adoption of AI-driven detection solutions are essential to counter advanced threats such as AI-crafted phishing, encryption-less extortion and nation-state ransomware convergence observed with actors like Qilin. Furthermore, organisations must validate threat intelligence to effectively manage deceptive practices, such as the unverified claims seen from Babuk 2.
As the ransomware ecosystem continues to fragment and adapt, proactive defence strategies, timely intelligence sharing and collaborative mitigation efforts will be critical for securing critical infrastructure and industrial operations. Addressing IT/OT convergence risks, securing vulnerable supply chains and improving threat reporting practices in critical infrastructure sectors will significantly enhance resilience against the persistent threat posed by ransomware groups.