Ransomware Trends in the Industrial Sector: A Q2 2025 Analysis
Decreasing but Concerning Trends in Ransomware Attacks
In the second quarter of 2025, ransomware attacks targeting industrial entities saw a slight decline, dropping from 708 incidents in the first quarter to 657. While this reduction is a positive sign, the overall number of attacks remains troubling for many sectors, particularly as threats continue to evolve. The operational technology security firm Dragos documents these trends in its Industrial Ransomware Analysis: Q2 2025.
Regional Analysis of Ransomware Incidents
Notably, not all regions experienced a decline. Dragos reported increases in ransomware incidents in three specific areas. Europe saw a rise from 135 incidents in the first quarter to 173 in the second, indicating a growing concern for organizations operating within that region. The Middle East recorded a jump from 11 incidents to 17, while Africa noted a minimal increase, moving from three to five incidents.
Sector-Specific Insights
The manufacturing industry continues to be the most frequently targeted sector, accounting for 65% of all ransomware incidents. Conversely, the electricity sector experienced a significant drop, with only three incidents recorded compared to 15 in the prior quarter. This pattern points to a shifting focus among cybercriminals, raising questions about the vulnerability of critical infrastructure.
Geopolitical Influences on Cyber Crime
The ongoing Israel-Iran conflict is also reflected in the rise of hacktivist groups employing ransomware against targets in both the U.S. and Israel. During this period, Iranian ransomware groups have increased payouts to affiliates targeting their regime’s adversaries. These geopolitical tensions appear to motivate specific cyber threats, significantly influencing the landscape of ransomware activities.
Law Enforcement Action
The quarter saw notable law enforcement efforts as well. Operation Endgame 2.0 involved a coalition of European agencies dismantling critical ransomware infrastructure. Additionally, both Moldovan and Dutch authorities arrested an affiliate connected to the DoppelPaymer ransomware group, highlighting the ongoing global efforts against cybercrime networks. These disruptions may have contributed to shifts within criminal operations, with some affiliates migrating to more active groups.
Emergence of New Ransomware Groups
For the second consecutive quarter, analysts documented the rise of 12 new ransomware groups, including Gunra, Kraken, and Qilin. The disappearance of RansomHub has allowed established actors to fill the void, with Qilin positioning itself as a key player. Qilin not only recruits affiliates but also offers various “professional services” to enhance ransom negotiations.
Qilin accounted for 19% of all ransomware incidents affecting industrial settings in Q2, leveraging vulnerabilities in Fortinet products for rapid network access. The group has also begun expanding its focus from financial gains to activities resembling those of nation-state actors, indicating a dangerous evolution in ransomware strategy.
Noteworthy Cybercriminal Strategies
The Devman group has shifted its tactics towards “big game hunting,” targeting organizations with significant revenues, particularly in the critical infrastructure and healthcare sectors. With a transition from C++ to the Rust programming language, Devman has enhanced its affiliates’ capability for stealth and efficiency. The group’s manipulation of media exposure serves as an additional pressure tactic against its victims.
Another prominent group, SafePay, accelerated its operations dramatically, running up to 49 attacks in the second quarter compared to just 13 previously. This uptick can be attributed to innovations derived from LockBit 3.0 source code, allowing for advanced double-extortion tactics and emphasizing modular flexibility.
Geographic Breakdown of Attacks
In terms of geographic impact, the Oceania region experienced 10 ransomware incidents, with Australia being the most affected. Attacks here primarily focused on manufacturing and industrial control systems, alongside the oil and gas sectors.
North America remains the most targeted area, with 355 incidents constituting 54% of global activity, predominantly affecting manufacturing and transport sectors. Europe follows at 26%, while Asia accounts for about 9%, again spotlighting transport and manufacturing as prime targets.
Future Projections and Strategies for Resilience
Looking forward, Dragos anticipates an increase in AI-driven phishing schemes, coupled with targeted attacks rooted in ongoing geopolitical issues. As the ransomware ecosystem continues to fragment, actors will likely migrate in search of more efficient malware and lucrative rewards.
To counter these evolving threats, industrial organizations are encouraged to adopt proactive cybersecurity measures. Prioritizing a zero-trust model, enhancing vulnerability management, and improving detection capabilities using AI are fundamental steps. Furthermore, training employees to recognize sophisticated social engineering tactics, maintaining secure backups, and regularly conducting incident response simulations are essential for improving overall organizational preparedness.
For those interested, the complete report can be accessed for further insights.


