The Dragos Blog

05.21.25 | 15 min read

Dragos Industrial Ransomware Analysis: Q1 2025

Our recent blog highlighting the latest Dragos Knowledge Pack explored critical advancements in ransomware detection capabilities for the Dragos Platform, designed to help industrial organizations proactively defend against evolving cyber threats. These continuously updated detections are crucial, especially as ransomware incidents affecting critical and industrial infrastructure increase in frequency and impact. Today’s ransomware threat actors demonstrate persistent targeting, deliberate operational impacts, and strategic approaches, underscoring the heightened risk posed to industrial organizations globally. This quarterly ransomware threat landscape report provides deeper insights into these ongoing threats, revealing significant trends, geographic impacts, and sector-specific vulnerabilities identified by Dragos WorldView threat intelligence.

“Advanced Persistent Threat” (APT) historically referred to state-aligned threat groups, characterized by sophisticated capabilities, persistent targeting, and specific operational goals. This distinguished them from ransomware operators, hacktivists, and less sophisticated attackers. However, ransomware has become one of the most prevalent and impactful advanced persistent threats facing organizations globally. Although individual ransomware tactics, techniques, and procedures (TTPs) may not always reflect novel or technically sophisticated methods, their persistent application, deliberate targeting, significant operational impacts, and increasing adoption by sophisticated adversaries place ransomware firmly within the broader definition of APT.

Industrial organizations, vital to global supply chains and infrastructure, face particularly heightened risks as ransomware groups continue to advance their tactics, exploit unsecured connectivity between information technology (IT) and operational technology (OT), and cause significant disruptions to essential operations with increasing regularity and severity.

Ransomware remains a persistent threat to industrial organizations, consistently disrupting critical operations and challenging the security of essential infrastructure. In Q1 2025, Dragos identified 708 ransomware incidents impacting industrial entities worldwide, an increase from approximately 600 incidents documented in Q4 2024. This rise underscores the escalating frequency and complexity of ransomware operations affecting sectors such as manufacturing, transportation, and industrial control systems (ICS) equipment and engineering. North America reported 413 incidents in Q1, up from 360 in the previous quarter. Europe also saw an uptick, from 102 to 135 incidents.

Manufacturing continued to be the most impacted sector, accounting for 68 percent (480 incidents) in Q1 compared to 70 percent (424 incidents) in Q4 2024. While Dragos did not detect any new ransomware variants specifically engineered to target ICS environments this quarter, high-impact incidents such as the South African Weather Service (SAWS) outage, which severely disrupted aviation and agricultural forecasting, and the attack on Unimicron, a leading printed circuit board manufacturer, highlight the substantial operational and supply chain disruptions ransomware can inflict on industrial organizations.

In Q1 2025, ransomware groups and affiliates leveraged a combination of emerging and persistent tactics, techniques, and procedures (TTPs). Notable emerging TTPs included AI-driven malware employed by FunkSec, encryption-less extortion methods, nation-state convergence as exemplified by Moonstone Sleet’s use of Qilin ransomware, and advanced endpoint detection and response (EDR) evasion tools like RansomHub’s EDRKillshifter. Persistent TTPs observed were the continued exploitation of zero-day vulnerabilities such as the one in the Windows Common Log File System (CLFS) driver, AI-enhanced phishing campaigns, abuse of remote access tools, targeted ESXi ransomware attacks with SSH tunneling, credential theft, and brute-force attacks. Cl0p ransomware incidents surged from just two incidents in Q4 2024 to 154 incidents in Q1 2025, attributed mainly to exploitation of Cleo Managed File Transfer vulnerabilities.

The intensifying convergence of IT and OT further amplified operational impacts, allowing IT disruptions to cascade into operational environments, as evidenced by the manufacturing delays experienced by National Presto Industries. Further complicating defense strategies, ransomware groups like Babuk Locker increasingly employ deceptive extortion tactics. These adversaries made numerous unsubstantiated breach claims, applying psychological pressure by recycling outdated or falsified data leaks. Such misleading claims complicate incident response and verification processes and burden affected organizations.

Based on Dragos’s proprietary intelligence and external sources, this detailed analysis provides defenders with critical insights into ransomware trends, victimology, observed TTPs, and their operational impacts for Q1 2025. By outlining these key incidents and emerging threats, Dragos aims to enhance awareness among industrial organizations, enabling informed decisions and proactive cybersecurity measures. The same insights power the Dragos Platform threat detections, guide OT-specific threat hunting through OT Watch, and support our frontline OT Cyber Services, ensuring that the latest adversary behavior and real-world events drive every part of our offering.

Emerging Ransomware Groups and Activity

In Q1 2025, several new ransomware groups emerged and began impacting industrial and enterprise organizations through targeted operations. These groups leveraged evolving tactics, techniques, and procedures (TTPs), presenting new challenges for defenders. The following new ransomware groups were observed impacting industrial sectors:

  • FunkSec
  • NightSpire
  • Kairos
  • Weyhro
  • Apos
  • Morpheus
  • CiphBit
  • Skira
  • CrazyHunter
  • Hellcat
  • Van Helsing
  • Ralord

FunkSec: AI-Driven Malware Innovator

FunkSec operates with a hybrid model that blends Ransomware-as-a-Service (RaaS) and hacktivist elements. FunkSec rapidly established itself with at least 10 confirmed incidents in Q1 2025. The group’s malware, which shows signs of AI-assisted development, used intermittent encryption and code obfuscation techniques to bypass traditional security controls.

FunkSec’s operational capabilities notably benefited from associations with previously active ransomware groups and hacktivist personas, particularly individuals linked to FSociety and Bjorka, who operate Babuk2 ransomware. Affiliates from these groups brought experience with phishing techniques, deceptive extortion tactics, and targeted malware deployment strategies, accelerating FunkSec’s operational growth without significantly increasing technical sophistication.

Lynx: Scalable RaaS Platform

Lynx, which emerged in 2024, accelerated its operations throughout Q1 2025. The group publicly claimed 148 incidents, approximately 30 percent of which targeted industrial sectors, primarily manufacturing and transportation. This highlights the group’s strategic emphasis on industrial organizations for ransom extortion.

Affiliates associated with Lynx consistently leveraged a combination of established Tactics, Techniques, and Procedures (TTPs), including phishing campaigns, credential theft, and misuse of legitimate remote access software such as AnyDesk. Lynx affiliates also adopted advanced Endpoint Detection and Response (EDR) evasion techniques, complicating detection and incident response efforts by enabling attackers to maintain persistent access and operate stealthily within victim networks.

DragonForce: Alliance-Driven Operations

DragonForce emerged in August 2023 as a pro-Palestinian hacktivist collective based in Malaysia and has since evolved into a financially driven ransomware operation. While still exhibiting ideological motivations, the group’s operational emphasis shifted primarily toward ransomware extortion, targeting a broad spectrum of sectors, including government entities, retail operations, manufacturing companies, and construction firms.

Throughout Q1 2025, DragonForce publicly claimed responsibility for at least 15 ransomware incidents impacting industrial organizations. Their operational methods typically incorporate double extortion tactics, involving both the encryption of critical data and subsequent threats to disclose stolen information unless ransom demands are met. Furthermore, the group extensively exploits vulnerabilities within supply chains, often leveraging compromised or stolen credentials to infiltrate targeted organizations.

DragonForce’s capabilities have been significantly enhanced by actively participating in “The Five Families” ransomware alliance. This collaborative framework facilitates extensive resource sharing, technical cooperation, and strategic alignment among affiliated groups, amplifying operational effectiveness and threat potency.

Advanced cyber intrusion techniques employed by DragonForce include exploiting known vulnerabilities, particularly in Ivanti Connect Secure and Policy Secure appliances (CVE-2023-46805, CVE-2024-21887, CVE-2024-21893), conducting extensive brute-force attacks against authentication systems, and deploying sophisticated offensive cybersecurity tools such as Cobalt Strike, Mimikatz, and SystemBC. These tools enable DragonForce affiliates to achieve lateral movement, privilege escalation, and persistent access within compromised networks, significantly complicating defensive efforts and incident response operations.

Ransomware Activity Trends and Observations

In Q1 2025, Dragos observed notable trends and developments in ransomware activity that continued to shape the industrial cybersecurity landscape. This section highlights key patterns, operational shifts, and critical observations that defenders must consider to manage and mitigate ransomware threats proactively.

Continued Exploitation of Zero-Day Vulnerabilities & File Transfer Software

Ransomware groups continued leveraging zero-day vulnerabilities, notably a Windows Common Log File System (CLFS) driver vulnerability, enabling attackers to escalate privileges and gain deeper network access. Dragos tracked increased exploitation rates, reflecting ransomware groups’ growing technical sophistication and investment in exploit development.

Ransomware groups were persistent in exploiting widely used file transfer software vulnerabilities for initial access and encryption-less extortion. In October 2024, Cleo released version 5.8.0.21 to patch a severe zero-day vulnerability in its file transfer software, CVE-2024-50623, which allowed unauthorized file uploads and downloads, leading to Remote Code Execution (RCE). However, it was later revealed that the patch was incomplete, leaving the products susceptible to exploitation. Another vulnerability, CVE-2024-55956, involving Cleo’s Autorun directory, further complicated mitigation efforts. In post-exploitation activity, attackers deployed modular Java backdoors to maintain access, steal data, and move laterally within networks.

Throughout December 2024 and the first quarter of 2025, Cl0p posted various lists of victims allegedly related to its Cleo MFT exploitation campaign. Some lists contained partial company names to apply pressure on the victims. Other lists contained full company names and dates when stolen data would be published on the Cl0p data leak site (DLS). Cl0p claimed over 300 victims from this campaign, with 154 of those in industrial sectors such as manufacturing, food & beverage, and transportation.

In early April 2025, active exploitation of another file transfer product was confirmed: an authentication bypass vulnerability in CrushFTP (CVE-2025-31161). CrushFTP is the latest file transfer software targeted for mass exploitation following repeated attacks on popular products from Cleo, MOVEit, GoAnywhere, and Accellion.

AI-Enhanced Phishing Campaigns

Ransomware groups and their affiliates increasingly leveraged artificial intelligence (AI) tools to orchestrate phishing campaigns, boosting both their precision and effectiveness. Using AI-driven platforms and generative language models, attackers produced highly personalized phishing emails tailored to the roles, interests, and communication styles of targeted individuals. These context-aware lures were contextually relevant and highly credible, improving attackers’ ability to deceive employees and reducing the likelihood of detection by traditional email security controls.

For instance, ransomware groups such as Black Basta notably utilized AI-assisted social engineering tactics, including carefully tailored emails and realistic impersonations of trusted IT support personnel via platforms such as Microsoft Teams. These lures exhibited linguistic fluency and convincingly replicated internal communications, leading recipients to unwittingly grant attackers remote system access.

Encryption-Less Extortion

During Q1 2025, ransomware groups increasingly adopted encryption-less extortion tactics, emphasizing data theft and public exposure threats without employing traditional encryption. This tactical shift reduces operational complexity and lets adversaries pressure victims immediately by threatening sensitive data leaks. Notable examples include Cl0p ransomware’s extensive exploitation of vulnerabilities in Cleo Managed File Transfer (MFT), resulting in substantial breaches and swift ransom demands despite frequently not encrypting victim files. Similarly, Hunters International publicly pivoted toward pure data extortion, explicitly abandoning traditional encryption, aligning with a trend previously reported for groups like BianLian. This evolution underscores the growing effectiveness of psychological leverage in ransomware operations and complicates response strategies, particularly for industrial organizations where data disclosure can severely impact operations, regulatory compliance, and brand reputation.

Credential Theft and Brute-Force Attacks

Credential theft, brute-force attacks, and exploitation of remote access tools continued to dominate ransomware groups’ initial access strategies in Q1 2025. Groups such as Black Basta, RansomHub, and DragonForce increasingly relied on compromised or weakly secured credentials as primary intrusion vectors, utilizing automated brute-forcing frameworks and credential-stuffing techniques to systematically target network perimeter devices, including VPNs, firewalls, and remote desktop services.

Notably, Black Basta’s leaked chat logs revealed extensive use of an automated brute-force framework, referred to as BRUTED, to target widely used enterprise edge devices such as Palo Alto Networks GlobalProtect, Cisco AnyConnect, and Fortinet SSL VPN. This tool enabled rapid identification and exploitation of weak or reused passwords, facilitating efficient entry into victim networks.

Once inside, adversaries commonly leveraged legitimate remote administration tools like AnyDesk or Quick Assist to blend malicious activity with normal administrative operations, thereby maintaining persistence and evading detection. Credential-based intrusions further enabled lateral movement, privilege escalation, and deployment of secondary payloads such as ransomware, significantly complicating incident response and recovery efforts.
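The BRUTED-style activity described in this section, automated password guessing against VPN portals, shows up in gateway authentication logs as two distinct shapes: one source failing against many accounts (spraying) or many times against one account (brute force), followed by the successful login that actually matters. The following is an added example, not Dragos or Black Basta code: a detector over constructed, vendor-neutral auth log lines that applies a sliding time window per source address and reports each pattern once. Real GlobalProtect, AnyConnect or FortiGate logs need their own parsers; the field names, thresholds and window size here are assumptions.

```python
"""Password-spray / brute-force detection over VPN gateway auth logs.

Added example (not Dragos code). Log lines are constructed in a
vendor-neutral syslog-like shape; only the parser is vendor-specific.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line shape: "<iso-ts> <host> vpn-auth: result=OK|FAIL user=<u> src=<ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) vpn-auth: result=(?P<result>OK|FAIL) "
    r"user=(?P<user>\S+) src=(?P<src>\d{1,3}(?:\.\d{1,3}){3})$"
)


def parse_line(line):
    """Return an event dict for a recognised auth line, None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def detect(lines, window_minutes=10, spray_users=8, brute_fails=8, min_fails_before_hit=3):
    """Return one alert per (pattern, source, user) observed inside a sliding window.

    spray: one source fails against >= spray_users distinct accounts
    brute: one source fails >= brute_fails times against a single account
    hit:   a source with >= min_fails_before_hit recent failures then logs in OK
    """
    window = timedelta(minutes=window_minutes)
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts = {}
    for src, evs in by_src.items():
        fails = [e for e in evs if e["result"] == "FAIL"]
        for i, cur in enumerate(fails):
            # failures from this source in the window ending at the current failure
            recent = [f for f in fails[: i + 1] if cur["ts"] - f["ts"] <= window]
            users = {f["user"] for f in recent}
            if len(users) >= spray_users:
                a = alerts.setdefault(("spray", src, None), {"count": 0})
                a["count"] = max(a["count"], len(users))
            same = sum(1 for f in recent if f["user"] == cur["user"])
            if same >= brute_fails:
                a = alerts.setdefault(("brute", src, cur["user"]), {"count": 0})
                a["count"] = max(a["count"], same)
        # a success preceded by a burst of failures from the same source is the
        # event worth paging on; a single typo before a login is not
        for ok in (e for e in evs if e["result"] == "OK"):
            prior = [f for f in fails if timedelta(0) <= ok["ts"] - f["ts"] <= window]
            if len(prior) >= min_fails_before_hit:
                alerts.setdefault(("hit", src, ok["user"]), {"count": len(prior)})
    return [{"type": t, "src": s, "user": u, **v} for (t, s, u), v in alerts.items()]


def _line(ts, result, user, src):
    return f"{ts} vpn-gw1 vpn-auth: result={result} user={user} src={src}"


SPRAYED = ["a.lee", "b.kim", "c.ng", "d.ali", "e.roy", "f.cox", "g.fry", "h.tan", "i.sun", "j.doe"]
# Constructed sample: a spray that lands on j.doe, a brute force on a service
# account, a benign typo-then-login, and an unrelated daemon line.
SAMPLE_LOG = (
    [_line(f"2025-03-01T02:00:{5 * i:02d}", "FAIL", u, "203.0.113.7") for i, u in enumerate(SPRAYED)]
    + [_line("2025-03-01T02:01:30", "OK", "j.doe", "203.0.113.7")]
    + [_line(f"2025-03-01T02:{10 + i}:00", "FAIL", "svc_backup", "198.51.100.9") for i in range(9)]
    + [_line("2025-03-01T02:30:00", "FAIL", "a.smith", "192.0.2.5"),
       _line("2025-03-01T02:30:40", "OK", "a.smith", "192.0.2.5"),
       "2025-03-01T02:31:00 vpn-gw1 sshd[412]: unrelated daemon line"]
)

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a)
```

The “hit” rule is keyed on the source address rather than the account because a spray usually succeeds on the first attempt against the account it compromises; requiring prior failures on that same account would miss exactly the login the attacker wanted.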

Ransomware Impacts on Industrial Organizations

In Q1 2025, ransomware attacks continued to cause significant disruptions to industrial organizations, severely impacting operations, data integrity, and supply chains. The following incidents represent the most operationally impactful ransomware attacks affecting industrial sectors:

South African Weather Service (SAWS)
  • Date: January 28, 2025
  • Impact: SAWS experienced severe disruption to critical weather forecasting services, significantly affecting aviation, marine, and agricultural sectors. The attack forced the organization to rely on alternative channels for forecasts, severely limiting the timely dissemination of critical weather data and alerts.
National Presto Industries, Inc.
  • Date: March 1, 2025
  • Impact: National Presto Industries experienced a significant cyberattack that led to a system outage, disrupting key operational areas including manufacturing, shipping, receiving, and back-office functions.
Lee Enterprises
  • Date: February 3, 2025
  • Impact: Lee Enterprises experienced a severe cyberattack that disrupted critical newspaper production and distribution operations across dozens of its publications nationwide. The incident resulted in delayed or canceled print editions and prolonged outages affecting operational systems for several weeks.

Regional Impact Observations, First Quarter of 2025

Ransomware Targets by Region, First Quarter of 2025

Ransomware incidents in Q1 2025 varied by region, with North America remaining the most frequently impacted area. The data demonstrates a global scope for ransomware threats, affecting diverse geographies and industrial sectors, particularly manufacturing, transportation, and industrial control systems (ICS) equipment and engineering.

  • North America: 413 incidents were reported (approximately 58 percent of global ransomware activity). The United States accounted for the majority (374 incidents), with Canada contributing 52, driven by attacks on manufacturing and transportation sectors.
  • Europe: 135 incidents (approximately 19 percent of global ransomware activities). The United Kingdom, Germany, and Italy were primary targets, with attacks focusing on manufacturing and utilities.
  • Asia: 78 incidents (approximately 11 percent of global ransomware activities). India (13 incidents) and Japan (8 incidents) saw significant activity, with manufacturing and engineering sectors impacted.
  • South America: 54 incidents (approximately 8 percent of global ransomware activity). Brazil registered the most attacks (22 incidents), primarily targeting food and beverage manufacturing and transportation systems.
  • Middle East: 11 incidents (approximately 1.5 percent of global ransomware activity). The United Arab Emirates and Saudi Arabia saw small clusters of attacks.
  • Oceania: 14 incidents (approximately 2 percent of global ransomware activity). Australia (13 incidents) and one incident in New Zealand.
  • Africa: 3 incidents (less than 1 percent of global ransomware activity), all reported in South Africa and Tunisia. The South African Weather Service (SAWS) outage highlights the risk to critical infrastructure, and the low count likely reflects significant underreporting.

Industry Impacts, First Quarter of 2025

Ransomware Incidents by Industry Sector, First Quarter of 2025

Ransomware incidents in Q1 2025 continued to target industrial organizations, with the manufacturing sector remaining the most impacted. The data reflects a sustained focus on critical sectors, affecting manufacturing, transportation, and industrial control systems (ICS) equipment and engineering, with notable underreporting in utilities.

  • Manufacturing: 480 reported incidents, up from 424 in Q4 2024, accounting for 68 percent of all ransomware activity.
  • Transportation and Logistics: 108 incidents, up from 69 in Q4 2024, representing 15 percent of total activity.
  • Industrial Control Systems (ICS) Equipment and Engineering: 32 incidents, down from 58 in Q4 2024, representing 4.5 percent of total activity.
  • Electric: 15 incidents, up from 5 in Q4 2024, representing 2 percent of total activity.
  • Oil and Natural Gas (ONG): 15 incidents, down from 19 in Q4 2024, representing 2 percent of total activity.
  • Communications: 39 incidents, representing 5.5 percent of total activity.
  • Government: 10 incidents, up from 5 in Q4 2024, representing 1.4 percent of total activity.
  • Water: 2 incidents, down from 5 in Q4 2024 (less than 1 percent of total activity).
  • Mining: 2 incidents, down from 4 in Q4 2024 (less than 1 percent of total activity).
  • Renewables: 5 incidents, up from 3 in Q4 2024 (less than 1 percent of total activity).

In addition to these primary industries and sectors, Dragos observed ransomware activity affecting multiple subsectors within Manufacturing (480 total incidents). The percentage breakdown, based on all manufacturing incidents, is as follows:

  • Construction: 83 incidents (17 percent of manufacturing).
  • Food and Beverage: 75 incidents (16 percent).
  • Consumer Goods: 74 incidents (15 percent).
  • Equipment: 71 incidents (15 percent).
  • Electronics: 39 incidents (8 percent).
  • Metals: 28 incidents (6 percent).
  • Machinery: 24 incidents (5 percent).
  • Automotive: 21 incidents (4 percent).
  • Chemicals: 15 incidents (3 percent).
  • Pharmaceuticals: 12 incidents (3 percent).
  • Agriculture: 11 incidents (2 percent).
  • Textiles: 8 incidents (2 percent).
  • Others (including Aerospace, Electrical, Automation, Packaging, Paper, Plastics, Defense, Printing, Recycling, Rubber, Semiconductor, Healthcare, Maritime, and Glass): the remaining 19 incidents (about 4 percent of manufacturing), distributed in small numbers across these industries.

Ransomware Groups Trends, Patterns, and Observations – First Quarter of 2025

Ransomware Incidents by Ransomware Group, First Quarter of 2025

Dragos’s analysis of Q1 2025 ransomware activity indicates continued fragmentation in the ecosystem, with both established and emerging groups impacting industrial organizations. Several groups demonstrated notable prevalence, leveraging advanced tactics to disrupt manufacturing, transportation, and industrial control systems (ICS) sectors.

  • Cl0p: Accounted for 154 incidents, up from 2 in Q4 2024 (~22 percent of global ransomware activity). The group’s dramatic surge was driven by exploiting Cleo Managed File Transfer vulnerabilities (CVE-2024-50623, CVE-2024-55956), heavily impacting manufacturing supply chains.
  • Akira: Linked to 83 incidents, up from 43 in Q4 2024 (~12 percent). Known for double extortion and cross-platform ransomware, Akira targeted manufacturing and transportation, using sophisticated phishing and ESXi attacks.
  • RansomHub: Reported 82 incidents, up from 56 in Q4 2024 (~12 percent). Its aggressive RaaS model, utilizing EDR evasion tools like EDRKillshifter, attracted affiliates and focused on industrial sectors.
  • Lynx: Accounted for 48 incidents, up from 11 in Q4 2024 (~7 percent). This emerging RaaS group used custom encryptors and EDR evasion, targeting manufacturing and transportation with double extortion tactics.
  • Play: Linked to 40 incidents, down from 63 in Q4 2024 (~6 percent). The group continued targeting critical infrastructure, employing zero-day exploits and remote access tool abuse.
  • Babuk 2: Involved in 29 incidents, up from fewer than 4 in Q4 2024 (~4 percent). Known for deceptive tactics and encryption-less extortion, Babuk 2’s unverified claims complicated threat intelligence for ICS equipment providers.
  • Cactus: Accounted for 25 incidents, up from 22 in Q4 2024 (~4 percent). The group used double extortion, focusing on manufacturing and leveraging stolen credentials.
  • Qilin: Linked to 21 incidents, up from 17 in Q4 2024 (~3 percent). Associated with nation-state convergence (e.g., Moonstone Sleet), Qilin targeted industrial and critical infrastructure sectors.
  • Fog: Reported 19 incidents, up from 12 in Q4 2024 (~3 percent). The group focused on industrial targets, exploiting stolen credentials and supply chain vulnerabilities.
  • DragonForce: Involved in 15 incidents, up from 12 in Q4 2024 (~2 percent). Part of “The Five Families” alliance, it exploited supply chain vulnerabilities in manufacturing and construction.
  • Sarcoma: Accounted for 14 incidents, up from 4 in Q4 2024 (~2 percent). This RaaS group used double extortion and supply chain attacks, notably impacting Unimicron’s electronics manufacturing.
  • Frag: Linked to 13 incidents, up from fewer than 4 in Q4 2024 (~2 percent). The group targeted industrial sectors with double extortion tactics.
  • MedusaLocker: Reported 13 incidents, down from 22 in Q4 2024 (~2 percent). Known for double extortion, it continued targeting manufacturing and critical infrastructure.
  • Inc Ransom: Involved in 13 incidents, down from 17 in Q4 2024 (~2 percent). The group focused on industrial targets, using double extortion and credential theft.
  • SafePay: Accounted for 13 incidents, up from 8 in Q4 2024 (~2 percent). The group targeted industrial sectors, employing double extortion tactics.
  • Arcus Media: Linked to 12 incidents, up from fewer than 4 in Q4 2024 (~2 percent). The group focused on industrial and critical infrastructure targets.
  • Hunters International: Reported 11 incidents, down from 26 in Q4 2024 (~2 percent). The group exploited remote access vulnerabilities, targeting industrial sectors.
  • FunkSec: Involved in 10 incidents, up from 5 in Q4 2024 (~1 percent). Its AI-driven malware and phishing lures targeted communications and water sectors, posing risks to critical infrastructure.
  • 8Base, NightSpire, LockBit 3: Each accounted for 7 incidents, stable for 8Base from 7 in Q4 2024, up for NightSpire from fewer than 4, down for LockBit 3 from 70 (~1 percent each). NightSpire and 8Base targeted industrial sectors with double extortion, while LockBit 3 maintained activity despite law enforcement disruptions.
  • Monti, Space Bears: Each reported 5 incidents, up from fewer than 4 in Q4 2024 (~1 percent each). Both groups focused on critical infrastructure, using stealthy encryption.
  • APT73, Eldorado, Medusa Blog, Kairos: Each involved in 4 incidents, stable for Eldorado from 4 in Q4 2024, up for others from fewer than 4 (~1 percent each). These groups targeted industrial and critical infrastructure sectors.
  • BianLian, Black Basta, Weyhro, Apos, Interlock: Each accounted for 3 incidents, down for BianLian (12), Black Basta (25) from Q4 2024, up for others from fewer than 4 (~0.4 percent each). Black Basta used sophisticated social engineering, while others employed double extortion. Interlock notably impacted National Presto Industries.
  • Abyss, Morpheus, Rhysida, CiphBit, Termite, Skira, Kill Security, Cicada 3301, CrazyHunter, Arkana: Each reported 2 incidents, down for Rhysida (7), Termite (4), Kill Security (13), Cicada 3301 (4) from Q4 2024, up for others from fewer than 4 (~0.3 percent each). These groups targeted industrial sectors with varying tactics.
  • RansomEXX, Hellcat, Van Helsing, Flocker, Everest, Three AM, Ralord, DarkVault, RansomHouse, RA Group: Each accounted for 1 incident, down for RansomHouse (7), RA Group (4) from Q4 2024, up for others from fewer than 4 (~0.1 percent each).
  • Additional groups: Accounted for the remaining 110 incidents, contributing to the total of 708 incidents in Q1 2025.

Conclusion

During Q1 2025, ransomware groups continued to rapidly evolve their tactics and alliances, significantly impacting industrial organizations worldwide. Established operators such as Cl0p, Akira, and RansomHub maintained high levels of activity, while emerging threats, including FunkSec, Sarcoma, and Lynx, introduced advanced techniques like AI-driven malware and sophisticated EDR evasion strategies. Their strategic focus on exploiting vulnerabilities in IT systems, specifically Cleo Managed File Transfer platforms, remote access tools, and unpatched software, led to notable operational disruptions across various industries.

Industrial sectors, particularly manufacturing, transportation, and ICS equipment and engineering, remained primary targets. Attackers exploited gaps in remote access security, credential management practices, and supply chain vulnerabilities, intensifying operational impacts and complicating incident responses.

Effectively addressing these dynamic threats requires proactive defensive measures complemented by timely detection capabilities. As highlighted in our recent blog detailing the latest Dragos Knowledge Pack enhancements, continuous advancements in ransomware detections are critical. Leveraging detection rules built on robust threat intelligence enables security teams to identify ransomware-related activities early in the attack cycle, mitigating potential operational disruption before threats escalate into significant breaches.

Organizations must urgently enhance cybersecurity defenses through the implementation of robust multi-factor authentication (MFA), stringent monitoring of critical network points, secure offline backups, and strengthened remote access management protocols. Comprehensive training programs, regular reviews of network architectures, and adoption of AI-driven detection solutions are essential to counter advanced threats such as AI-crafted phishing, encryption-less extortion, and nation-state ransomware convergence observed with actors like Qilin. Furthermore, organizations must rigorously validate threat intelligence to effectively manage deceptive practices, such as the unverified claims seen from Babuk 2.

As the ransomware ecosystem continues to fragment and adapt, proactive defense strategies, timely intelligence sharing, and collaborative mitigation efforts will be critical for securing critical infrastructure and industrial operations. Addressing IT-OT convergence risks, securing vulnerable supply chains, and improving threat reporting practices in critical infrastructure sectors will significantly enhance resilience against the persistent threat posed by ransomware groups.
