Manufacturing sector remained priority target for ransomware groups during Q1

OT cybersecurity specialist Dragos has revealed that 708 ransomware incidents impacting industrial entities worldwide were recorded in Q1 2025, up from approximately 600 incidents documented in Q4 2024.

Manufacturing continued to be the most impacted sector, accounting for 68 percent (480 incidents) in Q1 compared to 70 percent (424 incidents) in Q4 2024. While Dragos did not detect any new ransomware variants specifically engineered to target ICS environments this quarter, high-impact incidents such as the South African Weather Service (SAWS) outage, which severely disrupted aviation and agricultural forecasting, and the attack on Unimicron, a leading printed circuit board manufacturer, highlight the substantial operational and supply chain disruptions ransomware can inflict on industrial organizations.

In Q1 2025, ransomware groups and affiliates leveraged a combination of emerging and persistent tactics, techniques, and procedures (TTPs). Notable emerging TTPs included AI-driven malware employed by FunkSec, encryption-less extortion (data theft and leak threats without deploying an encryptor), nation-state convergence as exemplified by Moonstone Sleet’s use of Qilin ransomware, and advanced endpoint detection and response (EDR) evasion tools such as RansomHub’s EDRKillShifter.

Persistent TTPs observed were the continued exploitation of zero-day vulnerabilities, such as a zero-day in the Windows Common Log File System (CLFS) driver, sophisticated AI-enhanced phishing campaigns, abuse of remote access tools, targeted ESXi ransomware attacks that use SSH tunnelling on the hypervisor, credential theft, and brute-force attacks.
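Two of the persistent TTPs above, brute-force logins and ESXi hosts abused as SSH tunnel endpoints, are the kind of activity that simple log-based rules can surface early. The following is an added illustration, not code from Dragos or from the report it summarises: a small Python detector run over constructed sshd-style authentication lines and a firewall-style outbound-connection line. The log format, the host names, the thresholds and the "internal" address ranges are all assumptions for the example; real ESXi /var/log/auth.log entries and firewall exports differ, so the regexes and ranges must be adapted before use.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a generic sshd/auth-log style plus one firewall-style
# line. They are illustrative only, not an actual ESXi capture; the documentation
# ranges 203.0.113.0/24 and 198.51.100.0/24 stand in for external addresses.
SAMPLE_LOG = """\
2025-02-03T01:00:01Z esxi01 sshd[1201]: Failed password for root from 203.0.113.9 port 51002 ssh2
2025-02-03T01:00:02Z esxi01 sshd[1203]: Failed password for root from 203.0.113.9 port 51004 ssh2
2025-02-03T01:00:02Z esxi01 sshd[1205]: Failed password for root from 203.0.113.9 port 51006 ssh2
2025-02-03T01:00:03Z esxi01 sshd[1207]: Failed password for root from 203.0.113.9 port 51008 ssh2
2025-02-03T01:00:04Z esxi01 sshd[1209]: Failed password for root from 203.0.113.9 port 51010 ssh2
2025-02-03T01:00:05Z esxi01 sshd[1211]: Failed password for root from 203.0.113.9 port 51012 ssh2
2025-02-03T01:00:09Z esxi01 sshd[1213]: Accepted password for root from 203.0.113.9 port 51014 ssh2
2025-02-03T01:01:10Z esxi01 fw: OUT proto=tcp src=10.10.5.21 dst=198.51.100.77 dport=22 action=allow
2025-02-03T01:02:00Z esxi02 sshd[800]: Failed password for admin from 10.10.5.40 port 40010 ssh2
2025-02-03T01:09:00Z esxi02 sshd[802]: Accepted publickey for admin from 10.10.5.40 port 40012 ssh2
"""

# sshd-style success/failure lines; "invalid user" is optional so both forms match.
AUTH_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) "
    r"(?P<method>\S+) for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)
# Assumed firewall export format for allowed outbound TCP connections.
FW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) fw: OUT proto=tcp src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) action=allow"
)

# Assumed internal ranges. Deliberately not ipaddress.is_private(), which also treats
# the documentation ranges used in the sample as non-global.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def _is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def detect(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return findings for three rules:
    ssh_bruteforce          - >= threshold failed logins from one source within window
    bruteforce_then_success - a source flagged above later authenticates successfully
    esxi_outbound_ssh       - an ESXi host opens an outbound SSH connection to a
                              non-internal address (possible reverse tunnel to C2)
    """
    findings = []
    failures = defaultdict(list)  # (host, src) -> timestamps of recent failed logins
    flagged = set()               # (host, src) pairs already reported for brute force
    for line in log_text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            key = (m["host"], m["src"])
            t = _ts(m["ts"])
            if m["result"] == "Failed":
                recent = [x for x in failures[key] if t - x <= window] + [t]
                failures[key] = recent
                if len(recent) >= threshold and key not in flagged:
                    flagged.add(key)
                    findings.append({"rule": "ssh_bruteforce", "severity": "medium",
                                     "host": m["host"], "src": m["src"], "count": len(recent)})
            elif key in flagged:
                findings.append({"rule": "bruteforce_then_success", "severity": "high",
                                 "host": m["host"], "src": m["src"], "user": m["user"],
                                 "method": m["method"]})
            continue
        m = FW_RE.match(line)
        if m and m["dport"] == "22" and not _is_internal(m["dst"]):
            findings.append({"rule": "esxi_outbound_ssh", "severity": "high",
                             "host": m["host"], "src": m["src"], "dst": m["dst"]})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f)
```

On the sample, the burst against esxi01 trips the brute-force rule on the fifth failure, the subsequent accepted password from the same source escalates it, and the outbound port-22 connection from esxi01 to an external address is reported on its own; the single failure against esxi02 followed by a key-based login produces nothing. In production the outbound rule is the one worth tuning first: a hypervisor normally has no reason to initiate SSH to the internet at all.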

The intensifying convergence of IT and OT further amplified operational impacts, allowing IT disruptions to cascade into operational environments, as evidenced by the manufacturing delays experienced by National Presto Industries. Further complicating defence, ransomware groups such as Babuk Locker increasingly employed deceptive extortion tactics, making numerous unsubstantiated breach claims and applying psychological pressure by recycling outdated or falsified data leaks. Such misleading claims complicated incident response and verification, burdening affected organisations with proving a negative.

Some other key figures from Q1 include:

  • North America: 413 incidents were reported (approximately 58 percent of global ransomware activity). The United States accounted for the majority (374 incidents), with Canada contributing 52, driven by attacks on manufacturing and transportation sectors.
  • Europe: 135 incidents (approximately 19 percent of global ransomware activities). The United Kingdom, Germany, and Italy were primary targets, with attacks focusing on manufacturing and utilities.
  • Asia: 78 incidents (approximately 11 percent of global ransomware activities). India (13 incidents) and Japan (8 incidents) saw significant activity, with manufacturing and engineering sectors impacted.

Abdul Alamri, Principal Threat Intelligence Analyst at Dragos comments: “Ransomware incidents in Q1 2025 continued to target industrial organisations, with the manufacturing sector remaining the most impacted.”

The data reflects a sustained focus on critical sectors, affecting manufacturing, transportation, and industrial control systems (ICS) equipment and engineering, with notable underreporting in utilities:

  • Manufacturing: 480 reported incidents, up from 424 in Q4 2024, accounting for 68 percent of all ransomware activity
  • Transportation and Logistics: 108 incidents, up from 69 in Q4 2024, representing 15 percent of total activity
  • Industrial Control Systems (ICS) Equipment and Engineering: 32 incidents, down from 58 in Q4 2024, representing 4.5 percent of total activity
  • Electric: 15 incidents, up from 5 in Q4 2024, representing 2 percent of total activity
  • Oil and Natural Gas (ONG): 15 incidents, down from 19 in Q4 2024, representing 2 percent of total activity
  • Communications: 39 incidents, representing 5.5 percent of total activity
  • Government: 10 incidents, up from 5 in Q4 2024, representing 1.4 percent of total activity
  • Water: 2 incidents, down from 5 in Q4 2024
  • Mining: 2 incidents, down from 4 in Q4 2024
  • Renewables: 5 incidents, up from 3 in Q4 2024

Alamri concludes: “During Q1, ransomware groups continued to rapidly evolve their tactics and alliances, significantly impacting industrial organisations worldwide. Industrial sectors, particularly manufacturing, transportation, and ICS equipment and engineering, remained primary targets. Attackers exploited gaps in remote access security, credential management practices, and supply chain vulnerabilities, intensifying operational impacts and complicating incident responses.”

“Effectively addressing these dynamic threats requires proactive defensive measures complemented by timely detection capabilities. Leveraging detection rules built on robust threat intelligence enables security teams to identify ransomware-related activities early in the attack cycle, mitigating potential operational disruption before threats escalate into significant breaches. Addressing IT-OT convergence risks, securing vulnerable supply chains, and improving threat reporting practices in critical infrastructure sectors will significantly enhance resilience against the persistent threat posed by ransomware groups.”