Industrial ransomware attacks surge, manufacturing hit hardest

Ransomware attacks against industrial organisations rose again in the third quarter of 2025, with Europe recording 162 incidents as part of a global surge led by North America, according to new data from Dragos.

The OT-focused security firm identified 742 ransomware incidents worldwide affecting industrial entities between July and September. This marked an increase from 657 cases in the second quarter and 708 in the first.

Dragos said the quarterly total represented a 13% rise on the second quarter. The company also reported a 5% increase on the first quarter figure.

North America remained the most affected region. The region recorded 434 incidents during the quarter.

Europe was the second most targeted region. Industrial organisations across the continent reported 162 incidents.

Asia was the third most impacted region. The region documented 73 incidents in the quarter.

Dragos said Thailand accounted for the majority of Asian cases. It also noted activity in India, South Korea, Singapore, Japan, Taiwan and Indonesia.

South America experienced 38 incidents. The Middle East recorded 15 incidents, while Africa recorded 14.

The Australia and New Zealand region observed 6 incidents. Dragos said this kept ANZ as one of the least targeted regions by volume.

Manufacturing hit hardest

Manufacturing remained the main industrial target for ransomware groups. The sector accounted for 532 of the 742 incidents in the quarter.

This represented around 72% of all recorded industrial ransomware activity. Dragos said the impact in manufacturing mirrored global trends from earlier in the year.

Construction was the most affected manufacturing subsector. It accounted for 142 of the 532 manufacturing incidents.

The report highlighted a rapid rise in attacks on some other industrial verticals. These included energy and government bodies.

Incidents in the global electric and renewables sector increased from 3 in the second quarter to 16 in the third. Dragos said this marked a sharp escalation over a three-month period.

Government organisations also saw a jump in activity. Cases rose from 4 in the second quarter to 35 in the third.

Evolving ransomware ecosystem

Dragos described three main trends in the industrial ransomware landscape during the quarter. These were the role of mature Ransomware-as-a-Service operations, a rise in short-lived groups, and the spread of identity-focused extortion collectives.

The firm said established Ransomware-as-a-Service groups continued to drive most of the activity against industrial entities. These operations run structured models and supply tooling and infrastructure to affiliates.

At the same time, Dragos observed growing fragmentation across the ecosystem. This involved a larger number of low-discipline, short-lived operators.

The company said identity-centric extortion collectives also expanded their reach. These groups increasingly targeted enterprise environments that support manufacturing, logistics and transportation workflows.

These environments include planning, scheduling and remote access systems. Many of these systems sit within information technology networks but support operational processes.

IT-OT exposure

Dragos linked many incidents to weaknesses at the boundary between IT and OT systems. It said participants in the ransomware ecosystem exploited unsecured connections between corporate networks and operational environments.

These intrusions often began in office IT systems. The disruptions then spread into production processes that rely on those systems.

In September, a group calling itself Scattered Lapsus$ Hunters claimed an intrusion against Jaguar Land Rover. The group published what it said were screenshots of JLR's internal SAP enterprise resource planning environment.

The incident triggered multi-day production shutdowns across UK assembly plants. Dragos attributed the stoppages to disrupted logistics and production planning.

Dragos said this case showed how an attack on business IT applications can halt factory output. The systems affected included core planning and supply chain tools.

Industrial organisations often use ERP platforms, manufacturing execution systems, virtualisation environments and remote access tools to manage operations. These systems sit above industrial control system networks but support day-to-day production.

Abdul Alamri, Principal Threat Intelligence Analyst at Dragos, said adversaries were placing greater focus on this technology stack. He said these systems were becoming high-priority targets.

"Ransomware activity targeting industrial organizations is expected to intensify as adversaries increasingly focus on the IT systems that underpin OT operations. ERP platforms, MES servers, virtualization environments, and remote access infrastructure will continue to serve as high-value targets because disruption at this layer can rapidly translate into delays, shutdowns, and supply-chain impact without requiring access to ICS networks," said Alamri.

Dragos said it expected ransomware groups to keep refining their focus on industrial IT environments in the coming quarters. It forecast further growth in activity against sectors with low tolerance for downtime and complex supply chains.