Trend Analysis: Industrial Ransomware Surge

Recent analysis of the third quarter of 2025 shows a renewed surge in ransomware activity against industrial organizations and the infrastructure that supports them. The escalation is not a statistical blip but a material and growing risk to the operational integrity of critical sectors. Manufacturers, energy producers, and transportation and logistics operators are increasingly in the crosshairs of capable adversaries, raising the likelihood of significant operational disruption. This analysis dissects the quarter's data, identifies the sectors bearing the brunt of the attacks, profiles the principal criminal groups involved, and considers where the threat is heading.

The Anatomy of the Attack Data: Targets and Tactics

A Rising Tide: Q3 2025 Ransomware Statistics

The data for the third quarter paint a stark picture: 742 distinct ransomware incidents were recorded against industrial entities, up from 657 in the second quarter and above the 708 reported in the first, making it the highest quarterly count of the year so far. Geographically, North America remained the most heavily targeted region. Europe saw a slight, and likely temporary, decrease in attack volume, while Asia recorded a significant rise, driven largely by a concentrated spike in attacks on organizations in Thailand.

Beneath these top-line numbers, three crucial and interwoven dynamics are shaping the modern industrial threat landscape. First, mature and well-established Ransomware-as-a-Service (RaaS) operations continue to function as the primary engine powering the majority of attacks, providing the tools and infrastructure for a wide network of affiliates. Second, the broader ransomware ecosystem is undergoing a period of significant fragmentation, leading to the proliferation of smaller, more agile, and often less predictable attacker groups. Finally, a new breed of threat actor, described as “identity-centric extortion collectives,” has emerged, focusing its efforts on the enterprise IT environments that are indispensable for manufacturing, logistics, and transportation workflows. This evolution underscores that the true drivers of the ransomware threat are not just the infamous RaaS brand names but the underlying network of affiliates and brokers whose shared tactics create a persistent and adaptable risk.

The Crosshairs on Critical Sectors

The manufacturing sector remains the undisputed epicenter of industrial ransomware activity, absorbing the vast majority of attacks. Throughout the third quarter, manufacturing accounted for a staggering 72% of all reported incidents, representing 532 separate cases of compromise and extortion. A more granular examination reveals a clear hierarchy of targets within this vertical. The construction sub-sector was the hardest hit, suffering 142 incidents, followed by equipment manufacturers with 77 incidents. The food and beverage industry, a critical component of the global supply chain, faced 64 distinct attacks, highlighting its vulnerability to disruptions that can have immediate public consequences.

While manufacturing bore the brunt of these campaigns, ransomware actors demonstrated a sustained and calculated interest in a wide array of other critical industrial sectors. Firms specializing in Industrial Control Systems (ICS) equipment and engineering were targeted in 52 incidents, a strategic choice by adversaries seeking to disrupt the very entities that design and maintain secure industrial facilities. The transportation and logistics sector faced 36 attacks, reflecting ongoing efforts to paralyze supply chains. Furthermore, government entities, oil and natural gas operators, and the electric sector also experienced significant attack volumes, with 35, 26, and 12 incidents, respectively. These figures illustrate a broad-based campaign targeting organizations where operational downtime carries the highest possible cost.

The Adversary Landscape: Profiling Key Threat Actors

The RaaS Dominators and Emerging Threats

Analysis of the threat actor landscape shows a clear hierarchy, with a handful of groups responsible for a large share of the quarter's activity. Qilin was the most prolific operator, linked to 138 incidents. Its success rests on a stable affiliate network and a proven ability to exploit exposed infrastructure, exemplified by the attack on Asahi Group Holdings, in which an intrusion into the IT environment cascaded into the manufacturing environment and caused tangible production and logistics delays. Akira followed with 94 incidents, continuing to combine exploitation of VPN vulnerabilities with credential abuse. Play and INC Ransom were also highly active, with 64 and 51 incidents respectively; INC Ransom's growth was notably fueled by affiliates leaving the LockBit platform after its takedown.

Beyond these established leaders, the ecosystem has a long tail of mid-tier operators and aggressive newcomers who together contribute a significant share of attack volume. Two new groups, Gentlemen and Sinobi, stood out for rapid growth and a disproportionately high concentration of industrial victims. Gentlemen, which does not operate through an affiliate program, was responsible for 16 industrial attacks, using tactics such as Group Policy modification and data exfiltration with common IT administration tools. Sinobi, which first appeared in July, quickly claimed 23 industrial victims by buying access from Initial Access Brokers and exploiting vulnerable network appliances, with a clear focus on suppliers and engineering firms as part of a broader supply-chain targeting strategy.

In a development that underscores how fluid the criminal ecosystem is, the attempted relaunch of the LockBit operation failed to gain meaningful traction. After law enforcement dismantled its infrastructure in February 2024, most of its skilled affiliates had already migrated to RaaS platforms they regarded as more stable, such as RansomHub and Qilin. LockBit's industrial footprint in the third quarter was therefore minimal, a reminder that even the most notorious brands are subject to the market and reputational forces of the ransomware economy.

A Strategic Pivot: Targeting IT to Disrupt OT

A central theme emerging from the quarter’s activity is the strategic decision by ransomware groups to target enterprise Information Technology (IT) systems as an indirect but highly effective means of disrupting Operational Technology (OT). Rather than investing in specialized tools and knowledge required to directly attack industrial control systems, adversaries have found they can achieve significant operational impact by compromising the business systems that support production, logistics, and engineering workflows. This approach allows them to leverage common, commodity-level attack techniques while still causing maximum disruption.

The initial access vectors used in these attacks remain consistent and opportunistic. Attackers frequently rely on compromised credentials, access purchased from Initial Access Brokers (IABs), standard phishing kits, and the exploitation of exposed Remote Desktop Protocol (RDP) or Virtual Private Network (VPN) services. These entry points are then paired with rapid data theft and extortion tactics. The case of the Scattered Lapsus$ Hunters group perfectly illustrates this trend. Their identity-driven, cloud-focused intrusions, which targeted Enterprise Resource Planning (ERP) and virtualization systems, led to measurable industrial impacts without ever directly touching an ICS environment, particularly in sectors like automotive and aviation that depend on tightly integrated IT and OT workflows for just-in-time production.
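As an added illustration of how these commodity techniques surface in telemetry, the following Python script (written for this article, not taken from the underlying report or from any vendor tool) runs two detections over a constructed batch of Windows Security events: an external source address that fails a burst of RDP logons and then succeeds, which is the exposed-RDP-plus-credential-abuse pattern described above, and Event 5136 writes to Group Policy objects by accounts outside an expected-administrator list, which is the Group Policy modification tactic attributed to Gentlemen earlier. The JSON field names, the address ranges treated as internal, the allow-list, and every log line are assumptions for the example; real logs must be normalised into this shape first, and 5136 is only generated when a SACL is configured on the Policies container in Active Directory.

```python
"""Two detections over normalised Windows Security events (JSON lines).

Added example for this article. Field names, the internal address ranges,
the GPO-admin allow-list and every log line below are assumptions, not
data from the underlying report.
"""
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real events). 4625 = failed logon,
# 4624 = successful logon, logon_type 10 = RemoteInteractive (RDP);
# 5136 = directory service object modified. The GUID in obj_dn is the
# well-known GUID of the Default Domain Policy.
SAMPLE_LOG = """\
{"ts":"2025-09-14T02:10:01Z","event_id":4625,"logon_type":10,"src_ip":"203.0.113.45","user":"svc_backup","host":"RDS01"}
{"ts":"2025-09-14T02:10:03Z","event_id":4625,"logon_type":10,"src_ip":"203.0.113.45","user":"jsmith","host":"RDS01"}
{"ts":"2025-09-14T02:10:05Z","event_id":4625,"logon_type":10,"src_ip":"203.0.113.45","user":"mlee","host":"RDS01"}
{"ts":"2025-09-14T02:10:06Z","event_id":4625,"logon_type":10,"src_ip":"203.0.113.45","user":"admin","host":"RDS01"}
{"ts":"2025-09-14T02:10:08Z","event_id":4625,"logon_type":10,"src_ip":"203.0.113.45","user":"plc_eng","host":"RDS01"}
{"ts":"2025-09-14T02:11:30Z","event_id":4624,"logon_type":10,"src_ip":"203.0.113.45","user":"plc_eng","host":"RDS01"}
{"ts":"2025-09-14T02:12:00Z","event_id":4625,"logon_type":10,"src_ip":"10.20.1.15","user":"jsmith","host":"RDS01"}
{"ts":"2025-09-14T02:12:40Z","event_id":4624,"logon_type":10,"src_ip":"10.20.1.15","user":"jsmith","host":"RDS01"}
{"ts":"2025-09-14T03:05:12Z","event_id":5136,"obj_class":"groupPolicyContainer","attr":"gPCMachineExtensionNames","subject":"plc_eng","obj_dn":"CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=corp,DC=example","host":"DC01"}
{"ts":"2025-09-14T03:05:13Z","event_id":5136,"obj_class":"groupPolicyContainer","attr":"versionNumber","subject":"plc_eng","obj_dn":"CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=corp,DC=example","host":"DC01"}
{"ts":"2025-09-14T08:30:00Z","event_id":5136,"obj_class":"groupPolicyContainer","attr":"versionNumber","subject":"gpo_admin","obj_dn":"CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=corp,DC=example","host":"DC01"}
"""

# Assumed: corporate address space is RFC 1918; anything else is "external".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
GPO_ADMINS = {"gpo_admin"}  # assumed allow-list of accounts expected to edit Group Policy
RDP_LOGON = 10              # Windows logon type for RemoteInteractive (RDP)


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def parse_events(text):
    """Parse JSON lines into dicts with a timezone-aware datetime, oldest first."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect_rdp_spray_then_success(events, window=timedelta(minutes=10), threshold=5):
    """Flag an external source that fails at least `threshold` RDP logons inside
    `window` and then logs on successfully: exposed RDP plus credential abuse."""
    failures = defaultdict(list)  # src_ip -> timestamps of 4625 / type-10 events
    alerts = []
    for ev in events:
        if ev["event_id"] not in (4624, 4625) or ev.get("logon_type") != RDP_LOGON:
            continue
        src = ev["src_ip"]
        if not is_external(src):
            continue  # internal brute force is a different rule; keep this one tight
        if ev["event_id"] == 4625:
            failures[src].append(ev["ts"])
            continue
        # A 4624 from the same external source: count failures in the trailing window.
        recent = [t for t in failures[src] if ev["ts"] - t <= window]
        if len(recent) >= threshold:
            alerts.append({"rule": "rdp_spray_then_success", "src_ip": src,
                           "user": ev["user"], "failures": len(recent), "ts": ev["ts"]})
    return alerts


def detect_gpo_modification(events, allowlist=GPO_ADMINS):
    """Flag Event 5136 writes to groupPolicyContainer objects by any account that is
    not on the allow-list. Requires auditing (SACL) on CN=Policies to produce 5136."""
    alerts = []
    for ev in events:
        if ev["event_id"] != 5136 or ev.get("obj_class") != "groupPolicyContainer":
            continue
        if ev["subject"] in allowlist:
            continue
        alerts.append({"rule": "gpo_modified_by_unexpected_account", "subject": ev["subject"],
                       "attr": ev["attr"], "gpo": ev["obj_dn"], "ts": ev["ts"]})
    return alerts


def run(text=SAMPLE_LOG):
    events = parse_events(text)
    return detect_rdp_spray_then_success(events) + detect_gpo_modification(events)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

On the sample, the RDP rule fires once (five failures from 203.0.113.45 followed by a success as plc_eng) and the GPO rule fires twice for the same account, while the internal address and the allow-listed administrator are ignored. The threshold and window are deliberately low so the sample fires; tune both to the environment. The RDP rule only sees logons that reach a Windows host, so a VPN appliance exploited before the logon stage needs the appliance's own logs.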

Future Outlook: The Intensifying and Evolving Threat

The Deepening Convergence of IT and OT Risk

Looking ahead, the trend of targeting high-value IT systems that are critical for production continuity is expected to intensify. Adversaries will increasingly focus their efforts on disrupting platforms like Manufacturing Execution Systems (MES), which manage and monitor work-in-progress on a factory floor, and the virtualization environments that host critical operational applications. This approach offers attackers the greatest possible operational leverage for the lowest technical investment. By crippling the systems that manage production schedules, raw material inventory, and finished goods logistics, attackers can effectively halt physical operations without needing any specialized ICS attack tools or knowledge.

This strategy is the path of least resistance for criminals seeking to maximize pressure on their victims. The convergence of IT and OT has created a target-rich environment in which a single compromise on the enterprise network can cascade across an entire production line. This interdependence makes traditional security models that treat IT and OT as separate domains increasingly obsolete. Adversaries understand the dependency and exploit it to create disruptive events that force organizations to consider paying a ransom to restore not just data or a business function but their core physical operations.

AI and Fragmentation as Threat Multipliers

The ransomware ecosystem is forecasted to continue its trend toward fragmentation, a dynamic that will likely lead to a higher density of smaller, more agile, and harder-to-track attacker groups. The widespread availability of leaked ransomware source code, recycled infrastructure from defunct operations, and the constant migration of affiliates between RaaS programs have significantly lowered the barrier to entry. This environment makes it easier than ever for new operator groups to emerge, launch campaigns, and disappear, increasing the overall volume and unpredictability of ransomware activity.

Simultaneously, Artificial Intelligence (AI) is poised to act as a force multiplier for these adversaries. AI-assisted tooling can produce more convincing phishing campaigns, automate reconnaissance to find exposed services and vulnerabilities faster, and help craft evasion techniques that bypass traditional controls. This compresses the time from initial access to encryption and lets even low-skilled operators achieve intrusion outcomes that were previously the domain of well-resourced teams. As a result, the scalable RaaS model will likely be adopted by an even wider range of actors, further increasing the frequency and potential impact of attacks on industrial targets.

Preparing for the Next Wave of Attacks

The third-quarter data confirm a sustained, high level of industrial ransomware activity, with the manufacturing sector bearing a disproportionate share of the impact. The analysis shows a clear strategic pivot: threat actors consistently targeted enterprise IT systems to create cascading disruption in physical operations, exposing the deep and often poorly secured convergence of digital and industrial environments. The threat is driven by dominant RaaS syndicates and a growing number of agile new entrants, whose collective activity demonstrates the resilience and adaptability of the criminal ecosystem.

This trajectory is expected to continue, intensified by two threat multipliers. Continued fragmentation of the ransomware ecosystem points to more frequent attacks from a more diverse set of actors, while the integration of AI into adversary toolkits threatens to increase the sophistication and speed of campaigns. The persistent and evolving nature of this risk demands a shift in defensive thinking: industrial organizations can no longer treat IT and OT security as separate disciplines. Building real resilience requires a unified strategy that protects both environments, accounts for their interdependencies, and prepares for the next wave of attacks.
