Dragos Industrial Ransomware Analysis: Q3 2025

Industrial organizations play a crucial role in global supply chains and critical infrastructure. They are facing escalating risks as Ransomware-as-a-Service (RaaS) affiliates and Initial Access Brokers (IABs) continue to focus on organizations with the lowest tolerance for downtime and refine their tactics. Participants in this increasingly complex ransomware ecosystem exploit unsecured connections between Information Technology (IT) and Operational Technology (OT), resulting in significant disruptions to essential operations. The frequency and severity of these attacks are increasing, posing a serious threat to these organizations.

In the third quarter of 2025 (July-September), Dragos identified 742 ransomware incidents affecting industrial entities worldwide, an increase from the 708 incidents documented in Q1 and the 657 incidents documented in Q2 2025. North America was the most targeted region in Q3, followed by Europe, which experienced a slight decrease in incidents overall. Asia was the third most impacted region, with incidents increasing in Q3 and Thailand accounting for the majority.

Manufacturing remained the most impacted sector, accounting for 72% of incidents recorded in Q3. The top manufacturing subsector impacted by ransomware was construction, accounting for 142 of the 532 manufacturing incidents in Q3. The global electric/renewables sector saw an increase from 3 incidents in Q2 to 16 in Q3. Similarly, government organizations saw an increase from 4 incidents in Q2 to 35 in Q3.

Qilin was the most active group for the second consecutive quarter, with 138 incidents reported in Q3. Qilin, Akira, Play, and INC Ransom accounted for nearly 40% of the activity across industrial organizations in Q3. Law Enforcement actions continue to shape the ransomware landscape, typically driving temporary declines in activity, rebranding, and shifts in affiliates to other RaaS operations.

Until its disruption during Operation Cronos in early 2024, LockBit dominated the RaaS ecosystem. Law Enforcement actions during Operation Cronos resulted in member arrests and seizure of the group’s infrastructure. Affiliates fled to RansomHub and then later to Qilin in early 2025. In September 2025, LockBit released its “LockBit 5.0” affiliate program, allowing affiliates to target sectors typically off-limits under RaaS rules. This aggressive stance appears to be driven by LockBit 5.0’s leader, possibly as a response to prior Law Enforcement actions. The prospect of LockBit’s return has yet to shift the ransomware ecosystem back toward the longstanding brand.

The industrial ransomware landscape in Q3 2025 was shaped by three parallel dynamics. Mature Ransomware-as-a-Service (RaaS) operations continued to drive the majority of activity affecting industrial entities. At the same time, fragmentation across the ecosystem created a growing number of low-discipline, short-lived operators. Identity-centric extortion collectives also expanded their reach into enterprise environments that support manufacturing, logistics and transportation workflows. These developments reinforce Dragos’s assessment that the ransomware ecosystem is driven primarily by affiliates, Initial Access Brokers (IAB) and broader operational behavior, rather than the names of RaaS brands appearing on leak sites. Even smaller or newly surfaced groups can impose meaningful pressure on industrial organizations when they compromise the business systems that underpin production and supply-chain continuity.

Emerging Ransomware Groups

During Q3, Dragos observed a sharp increase in newly identified or rebranded ransomware operations impacting industrial organizations. This trend reflects the broader fragmentation of the RaaS ecosystem, where leaked builders, recycled infrastructure, and the migration of affiliates from disrupted programs enable short-lived ransomware operators to form with minimal overhead. The expanding availability of AI-assisted tools has further reduced the barrier to entry, allowing lower-skilled actors to assemble or modify ransomware payloads without deep technical expertise. While the maturity of these groups varies considerably, several demonstrated notable activity across industrial verticals and production-supporting IT systems.

Sinobi
Gentlemen
Beast
Payouts King
PEAR
WALocker
BlackNevas
Cephalus
Obscura
BlackByte
D4RK4RMY
BlackShrantac
MyData
RADAR
SECUROTROP
BQTlock
Desolator
LunaLock
Metaencryptor
Yurei

In Q3, new ransomware groups continued to show a clear focus on industrial organizations. While these groups did not achieve Stage 2 ICS Cyber Kill Chain activity or cause direct industrial disruptions, they still present a growing risk. Their operations consistently targeted the IT systems that support production, logistics and engineering workflows. These groups relied on familiar initial access vectors such as compromised credentials, access purchased from IABs, commodity phishing kits, and exposed RDP or VPN services. They paired these access methods with fast-paced, data-theft-first extortion tactics. Although none demonstrated ICS-specific capabilities, their victimology confirms that industrial organizations remain exposed to emerging, low-maturity operators that can disrupt production-supporting business systems with relatively simple tradecraft.

Notably, the Gentlemen ransomware group was one of the quarter’s fastest-growing emerging operations. Of its 39 claimed victims, 16 were industrial organizations, an unusually high concentration for a recently surfaced non-RaaS group. Gentlemen operated as a tightly controlled, non-affiliate team and relied on compromised credentials, Group Policy modification, termination of security and backup services, and encrypted exfiltration using tools such as WinSCP before deploying its encryptor. Its frequent leak-site publications created sustained pressure on victims despite its relatively small operational footprint.

Sinobi, first observed in July, accumulated 42 claimed victims, including 23 industrial organizations across manufacturing, construction, renewables, and telecommunications. The group reportedly relied on access obtained through IAB activities, commodity phishing kits, and the exploitation of vulnerable VPN, Citrix, and Fortinet appliances. In one documented case, Sinobi used compromised third-party provider credentials to gain domain-level access and reach its victim. The group’s victimology, which includes suppliers as well as engineering and construction firms that support industrial operations, combined with its use of compromised third-party access, aligns with the broader supply-chain-focused activity increasingly adopted by ransomware groups in 2025.

Although these newly emerged ransomware groups did not demonstrate Stage 2 capabilities or cause confirmed operational disruptions in Q3, their activities highlight an expanding exposure surface for industrial organizations. As RaaS fragmentation continues, even low-maturity crews are able to compromise production-supporting IT systems, steal sensitive data and apply meaningful extortion pressure. Their presence reinforces that risk does not originate solely from dominant and well-established ransomware groups, but also from smaller operators capable of rapid intrusion and disruptive impact through simple but effective tradecraft.

Qilin: Continued Dominance and Confirmed Industrial Impact

Among established RaaS operations, Qilin remained one of the most active groups affecting industrial organizations in Q3 2025. Dragos tracked more than 130 Qilin-linked industrial incidents, with affiliates driving victim selection, intrusion techniques and overall impact severity. Qilin was also one of the few groups this quarter with a confirmed industrial operational impact. In September, Asahi Group Holdings in Japan reported production and logistics delays following a Qilin intrusion, demonstrating how ransomware activity in enterprise IT environments can cascade into manufacturing disruptions even without direct access to ICS networks.

Qilin affiliates further expanded their access techniques during Q3 by exploiting Fortinet vulnerabilities, including CVE-2024-55591 and CVE-2024-21762, which enabled unauthenticated access and remote code execution on FortiGate and FortiProxy devices. Qilin continued to rely on a modular payload offering configurable encryption scope, UAC bypass, regsvr32-based DLL execution, XChaCha20 encryption, and standard anti-analysis behavior. Combined with active affiliate recruitment and a mature negotiation and leak-site infrastructure, Qilin remained one of the most consequential RaaS threats to industrial organizations throughout the quarter.

LockBit’s Return: A Diminished Brand Attempting Relevance

In September, LockBit attempted a return to the ransomware ecosystem with the release of LockBit 5.0, introducing a revised affiliate model that removed previous sector restrictions and encouraged broader targeting. The rebrand followed Operation Cronos in early 2024, which dismantled significant portions of the group’s infrastructure and resulted in multiple arrests. Despite the relaunch, LockBit struggled to regain momentum. Most former LockBit affiliates had already migrated to RansomHub and later to Qilin, both of which provided more stable operations and consistent payouts. As a result, LockBit’s industrial footprint in Q3 remained minimal.

LockBit’s attempted comeback reinforces a core characteristic of the RaaS economy. Brands can be replaced, but affiliates cannot. Once operators disperse to more reliable platforms, re-establishing operational scale becomes extremely difficult. LockBit’s limited activity in Q3 illustrates how sustained law-enforcement pressure can permanently disrupt even the most entrenched ransomware programs.

Scattered Lapsus$ Hunters Overview

In Q3 2025, Scattered Lapsus$ Hunters illustrated how identity-driven, cloud-focused intrusions can create measurable industrial impacts without any confirmed ICS compromise. Operating as an alliance between operators historically known as Scattered Spider, ShinyHunters, and LAPSUS$, the group continued to rely on help desk social engineering, MFA abuse, and valid-account access rather than custom malware. Their campaigns in this period consistently targeted Azure AD, VPN and Citrix gateways, Enterprise Resource Planning (ERP) platforms, and virtualization infrastructure, using techniques such as self-service password reset abuse, MFA enrollment hijacking, and exploitation of public-facing applications to gain high-privilege access into enterprise environments.

In September 2025, Scattered Lapsus$ Hunters claimed an intrusion against Jaguar Land Rover (JLR), publishing alleged screenshots of JLR’s internal SAP ERP environment and triggering multi-day production shutdowns across UK assembly plants due to disrupted logistics and production planning. While JLR has publicly confirmed the incident, the company has not attributed it to any group at this time. Around the same time, the group executed a confirmed intrusion against a U.S. financial institution, chaining Azure AD self-service password reset, Citrix/VPN access, compromise of VMware ESXi and backup accounts, and attempted exfiltration from Snowflake and AWS. Earlier Q3 activity in the aviation sector followed a similar identity-first pattern, placing the actor adjacent to ERP-linked airline systems and critical scheduling workflows. Across these incidents, the tradecraft remained consistent: compromise of identity and enterprise IT platforms that underpin OT continuity, rather than direct targeting of ICS networks.

From an industrial perspective, Scattered Lapsus$ Hunters in Q3 represents the maturing convergence of extortion, cloud compromise, and ERP disruption. Dragos assesses that while no Stage 2 ICS Cyber Kill Chain activity has been confirmed, the group’s ability to degrade or disable ERP, cloud, and virtualization systems that support manufacturing and transportation operations poses a credible path to indirect OT impact, particularly in sectors such as automotive, aviation, and logistics that operate with low tolerance for downtime and heavy dependence on tightly integrated IT–OT workflows.

In Q3 2025, Dragos observed notable trends and developments in ransomware activity that continued to shape the industrial cybersecurity landscape. This section highlights key patterns, operational shifts, and critical observations that defenders must consider to proactively manage and mitigate ransomware threats.

Social Engineering Tactics

Scattered Spider continued to use help desk impersonation and social engineering tactics in its operations throughout 2025, often posing as a member of the victim organization to gain access to credentials and Multi-Factor Authentication (MFA) codes. Scattered Spider is also well known for registering domains that impersonate target organizations to facilitate phishing attacks. The group collaborated with ShinyHunters to steal data from Salesforce systems, and in Q2 2025, it targeted retail, insurance, and aviation companies to deploy DragonForce ransomware. In Q3, Scattered Spider announced the development of a “ShinySp1d3r” RaaS, which would combine Scattered Spider’s English-speaking social engineering techniques with disruptive encryption. The alliance with ShinyHunters could strengthen Scattered Spider’s operations, as several members of the group have been arrested. Notably, two suspected members of the Scattered Spider cybercrime collective were arrested and charged in the United Kingdom following an investigation into the 2024 hack of Transport for London (TfL).

Continued RMM Abuse & VPN Exploitation

Ransomware actors continued to exploit VPN and Remote Monitoring and Management (RMM) software to gain initial access to networks. Throughout Q3, reports emerged of an increase in ransomware activity targeting SonicWall firewall devices for initial access, with each incident involving VPN access through SonicWall SSLVPNs. SonicWall issued an updated product notice suggesting that the activity was tied to CVE-2024-40766, a vulnerability originally disclosed in August 2024, and emphasized the importance of resetting passwords as part of the remediation steps. In some of these incidents, the activity was attributed to Akira ransomware, which aligns with Akira’s previously observed behavior of aggressively targeting edge devices, deploying ransomware for disruption, and gathering sensitive data. The Akira ransomware group follows a standard attack flow: obtaining initial access via an SSLVPN component, escalating privileges to an elevated account or service account, locating and stealing sensitive files from network shares or file servers, deleting or stopping backups, and deploying ransomware encryption at the hypervisor level for maximum impact.
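Both the Akira attack flow described above and the identity-first chain attributed to Scattered Lapsus$ Hunters earlier on this page are sequences of enterprise-IT stages that each look routine in isolation. The following is an added example, not Dragos tooling or the report's own data: a staged correlator that subsequence-matches each principal's normalised events against either chain and raises an alert once three stages fall inside a 72-hour window, so the backup-impairment stage is caught before hypervisor-level encryption. The event kinds, principal names and timestamps are constructed assumptions; a real deployment would map VPN, directory, ESXi and backup logs onto the Event shape.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    principal: str  # identity the action was performed as
    kind: str       # normalised event type (assumed names mapped from SIEM fields)


@dataclass
class Alert:
    principal: str
    chain: str
    stages: list  # stage names reached, in order; the last one is the severity
    first_ts: datetime
    last_ts: datetime


# Ordered stages, each with the event kinds that satisfy it. Stage names follow
# the report's description of the two flows; the event kinds are assumptions.
CHAINS = {
    "akira_flow": [
        ("initial_access", {"sslvpn_login"}),
        ("privilege_escalation", {"admin_group_add", "service_account_use"}),
        ("collection", {"share_bulk_read"}),
        ("backup_impairment", {"backup_service_stop", "backup_delete"}),
        ("hypervisor_encryption", {"esxi_mass_write", "esxi_vm_poweroff"}),
    ],
    "slh_chain": [
        ("identity_abuse", {"sspr_reset", "mfa_enrollment_change"}),
        ("remote_access", {"citrix_login", "sslvpn_login"}),
        ("virtualization_access", {"esxi_login", "backup_account_use"}),
        ("exfiltration", {"cloud_bulk_export"}),
    ],
}


def match_chain(events, chain, window):
    """Subsequence-match one principal's time-sorted events against a chain.
    Stages may be skipped but must appear in order; the clock starts at the
    first matched stage and events after `window` has elapsed are ignored."""
    reached, next_stage, first_ts, last_ts = [], 0, None, None
    for ev in events:
        if first_ts is not None and ev.ts - first_ts > window:
            break
        for j in range(next_stage, len(chain)):
            name, kinds = chain[j]
            if ev.kind in kinds:
                reached.append(name)
                next_stage = j + 1
                first_ts = ev.ts if first_ts is None else first_ts
                last_ts = ev.ts
                break
    return reached, first_ts, last_ts


def correlate(events, chains=CHAINS, window_hours=72, min_stages=3):
    """Alert when a principal reaches >= min_stages stages of any chain in the window."""
    window = timedelta(hours=window_hours)
    by_principal = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_principal.setdefault(ev.principal, []).append(ev)
    alerts = []
    for principal, evs in by_principal.items():
        for chain_name, chain in chains.items():
            reached, first_ts, last_ts = match_chain(evs, chain, window)
            if len(reached) >= min_stages:
                alerts.append(Alert(principal, chain_name, reached, first_ts, last_ts))
    return alerts


# Constructed sample telemetry, not taken from the report. H(n) = T0 + n hours.
T0 = datetime(2025, 8, 10, 2, 0)


def H(hours):
    return T0 + timedelta(hours=hours)


SAMPLE_EVENTS = [
    # Akira-style intrusion run through a service account over about 22 hours
    Event(H(0), "svc-vpn01", "sslvpn_login"),
    Event(H(1), "svc-vpn01", "service_account_use"),
    Event(H(6), "svc-vpn01", "share_bulk_read"),
    Event(H(20), "svc-vpn01", "backup_service_stop"),
    Event(H(22), "svc-vpn01", "esxi_mass_write"),
    # Remote worker: VPN login plus one large file copy, nothing further
    Event(H(0), "jdoe", "sslvpn_login"),
    Event(H(2), "jdoe", "share_bulk_read"),
    # Planned maintenance: backup stopped 100 h after the login, outside the window
    Event(H(0), "ops-admin", "sslvpn_login"),
    Event(H(1), "ops-admin", "admin_group_add"),
    Event(H(100), "ops-admin", "backup_service_stop"),
    # Identity-first chain: password reset, Citrix, ESXi login, bulk cloud export
    Event(H(0), "mfinch", "sspr_reset"),
    Event(H(3), "mfinch", "citrix_login"),
    Event(H(30), "mfinch", "esxi_login"),
    Event(H(40), "mfinch", "cloud_bulk_export"),
]


def run_sample():
    return correlate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a.principal}: {a.chain} reached {a.stages[-1]} after {len(a.stages)} stages")
```

Widening the window or lowering `min_stages` trades earlier warning for more noise; the ops-admin case shows why a bounded window matters for routine maintenance.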

Ransomware affiliates and IABs continue to leverage legitimate Remote Monitoring and Management (RMM) software in attacks. In Q2, ransomware affiliates leveraged SimpleHelp RMM vulnerabilities (CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728) to achieve remote code execution and privilege escalation in targeted environments. In Q3, industry reporting indicates that phishing emails sent from legitimate but compromised email accounts delivered ScreenConnect disguised as virtual meeting invites in Zoom or Microsoft Teams. Successful attacks could lead to the access being sold back into the IAB marketplace and used to fuel future RaaS operations.

In Q3 2025, ransomware attacks continued to cause significant disruptions to industrial organizations, severely impacting operations, data integrity, and supply chains. The following incidents represent the most operationally impactful ransomware attacks affecting industrial sectors.

Pakistan Petroleum Limited (PPL)

  • Date: August 6, 2025
  • Impact: Pakistan Petroleum Limited (PPL), a state-owned oil and gas company, identified a ransomware intrusion impacting multiple segments of its IT infrastructure. In its public statement, PPL confirmed receipt of a ransomware note and reported the matter to law enforcement and regulatory authorities. The company’s internal teams, supported by external cybersecurity experts, enacted containment measures and suspended select non-critical IT services. PPL stated that there was no current indication of compromise to business-critical or sensitive operational data, and core operational systems, including those used by joint venture partners, remained unaffected.

Data I/O Corporation

  • Date: August 16, 2025
  • Impact: Data I/O Corporation, a provider of programmable Integrated Circuit systems widely used in electronics manufacturing, disclosed a ransomware intrusion affecting internal IT systems. Upon detection, the company activated incident response protocols, secured its global IT infrastructure, and engaged external cybersecurity experts to investigate. The attack disrupted multiple operational functions, including internal/external communications, shipping, receiving, and manufacturing production.

Jaguar Land Rover (JLR)

  • Date: September 1, 2025
  • Impact: Jaguar Land Rover (JLR) confirmed a cyber incident that forced the company to proactively shut down parts of its global IT systems, disrupting manufacturing and retail operations. The incident severely disrupted manufacturing operations for nearly five weeks. The impact extended well beyond JLR, with effects felt across numerous other organizations, ranging from JLR’s own multi-tier manufacturing supply chain to downstream entities such as dealerships.

Collins Aerospace

  • Date: September 19, 2025
  • Impact: Collins Aerospace (an RTX subsidiary) confirmed a cyber intrusion that disrupted its operations. Collins technology is used at airports to enable passengers to check in, print boarding passes and luggage tags, and dispatch their bags. The cyberattack impacted check-in and boarding systems at major airports, forcing them to turn to manual processes. This resulted in delays and flight cancellations. Authorities confirmed that, although flight safety was not compromised, passengers experienced hours-long delays and schedule changes due to the outage.

Asahi Group Holdings, Ltd

  • Date: September 29, 2025
  • Impact: The beverage manufacturer Asahi confirmed a ransomware attack caused system failures and prolonged downtime at some of its factories in Japan. “As a result of the containment measures, operations across our domestic group companies—including order placement and product shipment—have been affected. Additionally, we are currently unable to receive email communications from external sources,” the company said in a statement one week after the attack. Asahi also confirmed that the attacks exfiltrated data from its servers, stating that it is investigating the nature and scope of the information stolen. The disruption in Asahi’s ordering systems lasted for multiple weeks.

Ransomware Targets by Region, Third Quarter of 2025

In Q3 2025, ransomware activity continued to impact every global region, underscoring the persistent and geographically distributed nature of the threat to industrial organizations. Manufacturing, construction, engineering, and telecommunications sectors remained consistently targeted across all regions. North America again recorded the highest volume of activity, while Europe experienced a slight decline from Q2. Asia saw steady growth, driven primarily by increased activity in Thailand, India, and South Korea. Activity across South America, the Middle East, Africa, and Oceania remained smaller in scale but consistent, reflecting opportunistic targeting of regional industrial ecosystems.

  • North America: remained the most impacted region, recording 434 incidents, driven largely by activity in the United States (392) and Canada (41). Targeted sectors included manufacturing, construction, engineering, automotive, equipment suppliers, and telecommunications. The sustained concentration of activity reinforces the region’s continued attractiveness to affiliates due to high digital dependency, widespread reliance on remote access technologies and the prevalence of mid-market industrial organizations with low tolerance for downtime.
  • Europe: reported 162 incidents, maintaining its position as the second-most impacted region. Germany (32), the United Kingdom (27), Italy (24), France (20) and Spain (16) accounted for the majority of European activity. Attacks were heavily concentrated in manufacturing, construction, engineering, and packaging industries, reflecting the region’s dense industrial footprint and interconnected supply chains.
  • Asia: documented 73 incidents, with notable activity in Thailand (14), India (11), South Korea (6), Singapore (6), Japan (6), Taiwan (7) and Indonesia (5). Many incidents affected manufacturing, telecommunications, electronics, and food and beverage sectors. Industrial organizations in Asia continue to face risk due to the combination of rapid digitalization, high-volume supply-chain operations and uneven security posture across regional markets.
  • South America: experienced 38 incidents, with Brazil (9), Mexico (8), Colombia (7) and Argentina (5) among the most impacted countries. Activity in this region primarily targeted manufacturing, construction, chemicals, and food production. The distribution of victims indicates ongoing exposure across mid-market industrial entities, many of which rely heavily on external IT service providers and face resource limitations in security operations.
  • The Middle East: recorded 15 incidents, with activity in Turkey (6), Egypt (3), Kuwait (2), Saudi Arabia (1), Iran (1), Israel (1), and Palestine (1). Targeting in the region primarily affected construction, manufacturing, chemicals, and telecommunications. While overall volume remained modest compared to other regions, the region’s strategic industrial importance and ongoing digital transformation make it a continued area of interest for both RaaS affiliates and extortion groups.
  • The ANZ region: observed 6 incidents, with Australia (5) and Tonga (1) impacted. Attacks focused on manufacturing, engineering, and equipment suppliers. Although the volume was low relative to other regions, the region’s industrial supply chain and heavy reliance on remote connectivity continue to present opportunities for opportunistic ransomware operators.
  • Africa: recorded 14 incidents, with activity distributed across Kenya (4), Algeria (1), Angola (1), Cameroon (1), Eswatini (1), Morocco (1), Namibia (1), South Africa (1), Tunisia (1), Zimbabwe (1), and Uganda (1). Sectors impacted include electric utilities, plastics, chemicals, manufacturing, and construction. While reporting volume remains lower than other regions, the consistent appearance of industrial victims reflects increased targeting of emerging markets with developing cybersecurity maturity.

Ransomware Incidents by Industry Sector, Third Quarter of 2025

Ransomware incidents in Q3 2025 continued to significantly impact industrial organizations, reinforcing adversaries’ sustained interest in sectors with tight operational dependencies and high sensitivity to downtime. Manufacturing remained the most heavily targeted sector, with continued attention on industrial control systems (ICS) equipment and engineering, transportation, and telecommunications.

  • Manufacturing: recorded 532 incidents, accounting for approximately 72% of total ransomware activity in Q3. This sector remained the dominant target due to its dependence on production-supporting IT systems and globally distributed supply chains.
  • Transportation and Logistics: reported 36 incidents, representing about 5% of total activity. This reflects continued targeting of logistics operations and aviation and maritime transport workflows.
  • Industrial Control Systems (ICS) Equipment and Engineering: experienced 52 incidents, approximately 7% of total activity. This reflects ongoing attention to firms that design, deliver, or maintain systems supporting industrial facilities and infrastructure.
  • Telecommunications: recorded 33 incidents, accounting for roughly 4% of Q3 activity. Threat actors continued to view telecom providers as valuable targets due to their role in remote access, connectivity, and service continuity.
  • Oil and Natural Gas (ONG): experienced 26 incidents, demonstrating persistent interest in upstream, midstream, and downstream operations and the suppliers that support them.
  • Government: recorded 35 incidents, continuing the trend of attackers targeting public-sector organizations with broad service footprints and low disruption tolerance.
  • Electric: experienced 12 incidents, highlighting continued exposure among utilities and power-sector suppliers as operators modernize their digital and remote-access environments.
  • Mining: reported 8 incidents, showing consistent targeting of resource extraction operations and metals production.
  • Renewables and Water: Both sectors recorded 4 incidents each. While smaller in number, these incidents affected critical service providers whose digital transformation efforts continue to expand their attack surface.

As illustrated in Figure 3, ransomware activity impacting industrial sectors remained significant in the third quarter of 2025. Manufacturing continued to be the most impacted sector, increasing from 428 incidents in Q2 to 532 in Q3, while activity affecting ICS equipment and engineering remained elevated. The transportation, government, and telecommunications sectors also experienced persistent targeting, highlighting the ongoing scope of ransomware operations across industrial environments.

Ransomware Incidents by Industry Sector, Third Quarter of 2025

Manufacturing Subsectors

Dragos observed significant ransomware activity across multiple subsectors within manufacturing. The breakdown of 532 total manufacturing incidents in Q3 is as follows:

  • Construction: 142 incidents (27%)
  • Equipment: 77 incidents (14%)
  • Food and Beverage: 64 incidents (12%)
  • Electronics: 50 incidents (9%)
  • Consumer Goods: 34 incidents (6%)
  • Automotive: 32 incidents (6%)
  • Healthcare Manufacturing: 26 incidents (5%)
  • Chemical: 17 incidents (3%)
  • Plastics: 16 incidents (3%)
  • Pharmaceuticals: 13 incidents (2%)
  • Metals & Textile: 9 incidents each (2%)
  • Aerospace & Semiconductor: 8 incidents each (2%)
  • Packaging: 7 incidents (1%)
  • Paper: 7 incidents (1%)
  • Defense Manufacturing: 6 incidents (1%)
  • Glass: 4 incidents (<1%)
  • Maritime Manufacturing: 3 incidents (<1%)

Ransomware Incidents by Ransomware Group, Third Quarter of 2025

Dragos’s analysis of ransomware activity in Q3 2025 shows continued fragmentation across the ransomware ecosystem. Established RaaS operations remained highly active while a growing number of emerging groups registered consistent targeting of industrial organizations. Several groups expanded their operational tempo, and others demonstrated increased activity following affiliate migration from disrupted brands. Key groups and their associated activity are summarized below:

  • Qilin: recorded 138 incidents, maintaining its position as the most active ransomware operation impacting industrial organizations in Q3. Qilin’s volume reflects a stable and well-resourced affiliate ecosystem, continued exploitation of internet-facing infrastructure and a sustained presence across manufacturing, construction, and supply-chain environments.
  • Akira: reported 94 incidents, remaining one of the most consistently active groups targeting industrial organizations. Akira activity continued to rely on SonicWall VPN exploitation, credential abuse, and multi-platform ransomware deployment across manufacturing, aerospace, and engineering sectors.
  • Play: registered 64 incidents, sustaining significant activity across engineering, construction, aerospace, and equipment manufacturers. The group continued to target critical industrial suppliers and project-driven organizations, leveraging compromised credentials and exposed RDP services.
  • INC Ransom: recorded 51 incidents, reflecting continued growth following affiliate migration from other disrupted RaaS programs. INC Ransom maintained broad targeting across automotive, chemical, equipment manufacturing, construction, and government entities.
  • Safepay and Lynx: each accounted for 34 incidents, demonstrating steady activity across manufacturing, electronics, telecommunications, and construction. Safepay continued to target production-supporting IT systems, while Lynx maintained visibility across multi-sector industrial environments.
  • DragonForce: documented 29 incidents, continuing its notable presence across engineering, construction, renewables, and telecommunications. The group’s activity remained consistent with its prior focus on supply-chain supporting industries.
  • World Leaks: reported 30 incidents, reflecting a stable pattern of double-extortion activity impacting manufacturing, chemicals, pharmaceuticals, engineering, and renewables.
  • Sinobi: accumulated 23 incidents, reflecting selective and industrial-heavy targeting across construction, electronics, equipment, and renewables. Activity remained consistent with Q3 supply-chain exposure trends.
  • Warlock: recorded 18 incidents, with victims across aerospace, maritime, equipment manufacturing, pharmaceuticals and petrochemicals.
  • Devman and Gentlemen: reported 16 incidents each. Devman continued its targeted penetration of high-value industrial organizations, while Gentlemen showed one of the highest industrial victim concentrations among emerging Q3 groups.
  • Beast, Dire Wolf, J Group, Payouts King and Medusa: These groups recorded 10–13 incidents each, exhibiting persistent activity across engineering, construction, industrial equipment, consumer manufacturing, and aerospace.
  • Mid-volume Emerging Groups: Arcus Media, BlackNevas, Cephalus, Interlock, and Nitrogen each accounted for 5 incidents. Their operations spanned manufacturing, telecommunications, chemicals, pharmaceuticals, and engineering.
  • Lower-volume Groups: A large number of groups, including Kraken, NightSpire, D4RK4RMY, Chaos, Gunra, Kawa4096, RALord, MyData, Space Bears and PEAR, recorded 2–4 incidents, contributing to the growing long-tail of small operators enabled by ecosystem fragmentation.
  • Minimal-activity Groups: Operators such as 3AM, Abyss, BQTlock, CLOP, DataCarry, Embargo, LunaLock, Metaencryptor, Ransomed, SatanLock, Underground, Weyhro and Yurei each registered one incident. These groups remain low-signal but highlight the continuous turnover and emergence of short-lived brands.

The figure below illustrates Q3 shifts across the ecosystem. Qilin, INC Ransom, Play, and World Leaks expanded their footprint, while Akira and Lynx demonstrated consistent strength. Several emerging groups, including Gentlemen, Sinobi, Warlock, and Payouts King, saw measurable growth. Fragmentation across the broader ransomware ecosystem continues to introduce new operators at a rapid pace, reinforcing the assessment that industrial exposure now results from both major RaaS programs and a widening long-tail of smaller, less mature groups.

Ransomware Activity by Group/Strain: Q2 2025 vs. Q3 2025

Ransomware activity targeting industrial organizations is expected to intensify as adversaries increasingly focus on the IT systems that underpin OT operations. ERP platforms, MES servers, virtualization environments, and remote access infrastructure will continue to serve as high-value targets because disruption at this layer can rapidly translate into delays, shutdowns, and supply-chain impact without requiring access to ICS networks. This trend will remain central to the threat landscape through 2025 as attackers seek the greatest operational leverage with the least technical overhead.

At the same time, fragmentation across the ransomware ecosystem is likely to accelerate. The continued appearance of short-lived, low-discipline groups reflects an environment where leaked builders, recycled infrastructure, and affiliate migration make it easier than ever for new operators to emerge. As small groups expand, the density of ransomware activity increases, placing additional pressure on industrial organizations already facing resource constraints and legacy IT-OT interdependencies.

Artificial Intelligence (AI) is also expected to play a growing role in the evolution of ransomware operations. AI-assisted phishing, automated reconnaissance, and evasion techniques will reduce dwell times and enable even low-skilled operators to achieve intrusion outcomes previously associated with more sophisticated adversaries. As these capabilities become more accessible, the operational tempo and impact of ransomware campaigns will continue to rise.

Finally, more adversaries, including those with financial, ideological or geopolitical motivations, are likely to adopt RaaS models to achieve their objectives. The RaaS ecosystem lowers barriers to entry, provides scalable infrastructure and enables groups with minimal technical capability to participate in high-impact extortion operations. As a result, industrial organizations should anticipate continued growth in both the number of active groups and the frequency of attacks.

Abdulrahman H. Alamri is a Senior Intel Analyst II at Dragos. He holds a master’s degree in Cybersecurity and previously worked with the Saudi National Cybersecurity Authority (NCA) as a tactical threat intelligence team lead.
Lexie Mooney is a Senior Threat Analyst at Dragos. She holds a master’s degree in Cybersecurity and previously worked as an intelligence analyst in various roles within the U.S. Intelligence Community.