Ransomware activity targeting industrial organizations increased materially during the fourth quarter of 2025, with a higher number of claimed incidents observed on ransomware leak sites compared to earlier quarters. Ransomware-as-a-Service (RaaS) affiliates and Initial Access Brokers (IABs) continue to focus on organizations with the lowest tolerance for downtime and to refine their tactics. Dragos observed sharp increases in ransomware operations impacting industrial organizations, driven by widespread data theft campaigns for extortion and by the operational maturity of established RaaS platforms. In the fourth quarter of 2025 (October-December), Dragos identified 1,211 ransomware incidents affecting industrial entities worldwide, an increase from 742 in Q3 and 657 in Q2 2025.
Despite this increase, activity remained highly concentrated among a small set of mature RaaS operations, most notably Qilin and Akira. The rise in claims was driven primarily by established groups with stable affiliate ecosystems and consistent operational output, rather than by a broad emergence of new ransomware actors. This pattern indicates that while overall activity intensified in Q4, the ransomware ecosystem continued to consolidate around operators capable of sustaining repeatable intrusion and extortion workflows at scale. For the third consecutive quarter, Qilin was the most active group, accounting for 284 incidents in Q4, up from 138 in Q3.
Manufacturing remained the most impacted sector, accounting for nearly 70% of incidents recorded in Q4. The global electric/renewables sector saw an increase from 16 in Q3 to 40 in Q4. Similarly, transportation organizations saw an increase from 36 incidents in Q3 to 120 in Q4. North America, Europe, and Asia remained the most impacted regions.
In parallel, identity-centric extortion collectives and data theft-focused operations, including groups such as CL0P and the Crimson Collective, continued to apply pressure to enterprise environments that support manufacturing, logistics, energy, and transportation operations. These observations align with Dragos’ broader assessment that ransomware risk to industrial organizations is driven primarily by affiliate behavior, IAB activity, and the exploitation of production-supporting IT systems that industrial operations depend on, even in the absence of direct ICS/OT compromise.
Dragos observed a lower number of newly emerging ransomware groups operating Dedicated Leak Sites (DLSs) in Q4 2025 compared to earlier periods in the year. This marked a clear shift from the widespread brand proliferation and frequent rebranding observed during Q2 and Q3. Despite a substantial increase in overall ransomware claims in Q4, with 1,211 incidents compared to 742 in Q3, the pace of new group emergence slowed. This pattern reflects a period of ecosystem consolidation, in which affiliate attention and access brokers are increasingly concentrated around established RaaS platforms rather than dispersing across newly formed brands.
Newly observed groups during the quarter largely represented rebranded extortion identities, affiliate spin-offs, or low-maturity collectives, rather than ransomware operations introducing novel tooling or materially differentiated tradecraft. These entities generally appeared briefly through isolated leak-site claims and did not demonstrate sustained activity, technical depth, or evidence of mature affiliate ecosystems. Examples of these low-signal identities include Coinbase Cartel, Genesis, Kazu, BlackField, Benzona, BrotherHood, Lockdown, Radiant, FulcrumSec, MintEye Team, Root, Kyber, Tengu, and Trident. Publicly available information on these names remains limited to branding artifacts and sparse victim disclosures, with no confirmed linkage to established RaaS platforms or the introduction of new intrusion techniques.
While these emerging groups contributed to overall leak site activity, they accounted for only a limited share of total incidents relative to dominant RaaS operations. Dragos did not observe confirmed Stage 2 ICS Cyber Kill Chain activity or ICS-specific malware across either established or newly observed groups. Observed activity instead focused on enterprise IT systems that underpin industrial operations, including identity services, file servers, virtualization infrastructure, Enterprise Resource Planning (ERP), Manufacturing Execution System (MES) environments, and remote access platforms.
Tradecraft across these groups relied on familiar initial access mechanisms such as compromised credentials, access obtained through IABs, commodity phishing activity, and exposed VPN or RDP services. These access paths were typically paired with data theft-first extortion workflows that emphasized rapid exfiltration and public disclosure rather than advanced tooling or prolonged dwell time. Although these actors lacked the operational maturity and scale of established RaaS platforms, their activity underscores that industrial organizations remain exposed to disruption when production-supporting business systems are compromised.
Overall, Q4 activity demonstrates that increased ransomware volume did not translate into broader ecosystem fragmentation. Instead, impactful operations, affiliate migration, and access broker activity continued to consolidate around a small number of reliable, affiliate-supported RaaS platforms. Peripheral brands continued to appear and disappear but did not materially alter the industrial ransomware threat landscape. This reinforces that industrial ransomware risk should be assessed not solely by aggregate incident counts, but by which actors are generating those incidents and how consistently they are able to operationalize access and extortion.
CL0P: Data-Centric Extortion Driving Claim Volume
CL0P remained one of the most influential extortion-focused groups affecting industrial organizations in late 2025 by driving a disproportionate share of leak site claims through encryption-less extortion and platform-driven data theft campaigns. Rather than expanding endpoint encryption activity, CL0P increased DLS volume by exploiting widely deployed enterprise file transfer and business application platforms, enabling large-scale data exfiltration followed by coordinated disclosure pressure.
During the latter part of 2025, CL0P continued this approach by launching a new extortion campaign targeting Gladinet CentreStack environments. Public reporting indicates that operators abused vulnerable or exposed CentreStack file-sharing configurations to access centralized repositories used for enterprise file synchronization, remote access, and third-party data exchange. These platforms are commonly deployed to support business operations, engineering collaboration, and supplier communications. By targeting centralized file-sharing infrastructure, CL0P enabled rapid data exfiltration while avoiding the operational noise and detection risk associated with traditional ransomware deployment.
In parallel, CL0P expanded its mass extortion campaign against Oracle E-Business Suite (EBS) environments, first reported in late October. Activity observed through November and December followed delayed disclosure patterns consistent with prior campaigns targeting MOVEit Transfer, Cleo MFT, and CrushFTP. Although individual leak site postings did not always explicitly reference Oracle EBS, the timing, victim distribution, and affected sectors align with the exploitation of vulnerable EBS web components, including UiServlet, SyncServlet, and TemplatePreview. These components enabled unauthenticated remote code execution and selective data theft from ERP, procurement, engineering, and financial systems.
CL0P’s EBS-related activity affected organizations across more than twenty industry verticals, with a notable concentration in industrial and operationally adjacent sectors, including OEM manufacturing, Engineering, Procurement, and Construction (EPC) contractors, energy and engineering services, mining, marine logistics, utilities, and telecommunications. Victims spanned North America, Europe, the Middle East, Africa, and Asia-Pacific, reflecting an opportunistic global campaign driven by exposure of internet-facing enterprise systems embedded across industrial supply chains.
From an industrial risk perspective, CL0P activity demonstrates how ransomware impact can be scaled through structural dependencies in enterprise environments rather than through malware sophistication or direct control-system access. While no confirmed Stage 2 ICS Cyber Kill Chain activity was observed, compromise of shared file transfer and ERP-adjacent platforms introduced cascading risk across suppliers, customers, and service providers. CL0P’s campaigns illustrate that meaningful industrial impact can be achieved without encrypting endpoints, relying instead on data sensitivity, breadth of exposure, and coordinated disclosure pressure.
Everest: Selective Extortion with High Downstream Impact
Everest activity during Q4 2025 illustrates how targeted extortion operations can generate meaningful industrial impact without relying on high incident volume or widespread encryption. Rather than pursuing broad campaigns, Everest focused on a limited number of intrusions where stolen data could be leveraged to disrupt operations, expose supply chain relationships, and create sustained pressure beyond the initially affected organization.
One of the most operationally visible incidents occurred in the aviation sector. In September, a cyber incident affecting Collins Aerospace disrupted passenger check-in and boarding systems across multiple European airports, including London Heathrow, Berlin, and Brussels. While no flight-safety systems were impacted, the outage caused widespread operational disruption. In October, Everest claimed responsibility and escalated pressure by publicly naming downstream aviation entities, including airlines and airport operators, as secondary exposure points. This behavior reflects Everest’s deliberate use of customer and partner dependencies to amplify impact beyond the primary victim.
A similar pattern was observed in the energy sector. Following a breach involving an external file-transfer solution at Svenska kraftnät, Sweden’s state-owned power grid operator, Everest claimed exfiltration of a large volume of data. Although electricity transmission remained operational, grid-related material later appeared under a separate persona in underground marketplaces. While Dragos did not identify verified evidence of live operational access, the reuse and redistribution of infrastructure-related data introduced persistent secondary risk and uncertainty for critical infrastructure stakeholders.
Everest demonstrated this approach again in automotive and technology manufacturing environments. In late 2025, the group added Chrysler to its leak site, releasing large volumes of enterprise and technical data. In this case, exposed CRM and customer service records increased the likelihood of follow-on phishing, vishing, and identity abuse. Similarly, in the ASUS case, published material reportedly included internal engineering documentation, tooling, and test data, expanding exposure to third-party partners and creating long-term intellectual property and supply chain risk. No encryption-driven production outages were publicly confirmed in either incident, yet the downstream impact potential remained significant.
Across these incidents, Everest campaigns exhibited consistent execution and escalation behavior, suggesting a centralized and tightly controlled operational model rather than broad affiliate participation. This structure enabled the group to manage disclosure timing, selectively apply pressure, and sustain extortion leverage even in the absence of immediate operational downtime.
Although no confirmed Stage 2 ICS Cyber Kill Chain activity was observed, Everest’s activity highlights credible pathways to indirect operational and reputational impact in industrial environments where trust relationships, data integrity, and ecosystem interdependence are critical.
Akira: Sustained RaaS Pressure on Industrial Organizations
Akira continued to function as one of the most reliable sources of ransomware pressure on industrial organizations through consistent affiliate-driven operations, rather than through novel tradecraft or high-profile campaigns. Akira’s activity during 2025 reflects a mature RaaS model optimized for repeatability, where stable access pathways and predictable execution produced a steady stream of industrial victims.
Observed intrusions associated with Akira commonly originated from exposed or compromised remote access infrastructure, including VPN services and edge devices used to support distributed workforces and third-party access. Public reporting throughout 2025 linked Akira activity to abuse of SonicWall SSL VPN environments, where compromised credentials or vulnerable configurations enabled initial footholds into enterprise networks supporting manufacturing, logistics, and industrial services. These access paths provided direct entry into identity systems, file servers, and virtualization infrastructure that underpin operational workflows.
Once access was established, Akira affiliates prioritized speed and coverage over stealth. Post-compromise activity frequently involved lateral movement across Windows and virtualized environments, disruption of backup and recovery processes, and rapid encryption of business systems critical to scheduling, procurement, and production planning. Although no confirmed Stage 2 ICS Cyber Kill Chain activity was observed, the loss of availability across production-supporting IT systems often resulted in precautionary shutdowns, degraded logistics coordination, and extended recovery timelines.
Akira’s victimology remained heavily concentrated in sectors with low tolerance for downtime, including manufacturing, construction, transportation, and industrial services. These environments offer predictable monetization due to tightly coupled IT–OT dependencies, where disruption of enterprise systems can cascade into operational impact without requiring direct access to control networks.
In the fourth quarter of 2025, ransomware attacks continued to significantly disrupt industrial organizations, leading to operational halts, financial losses, and compromised data integrity. Notable incidents included:
LG Energy Solution
- Date: November 2025
- Impact: LG Energy Solution (LGES), one of the world’s largest producers of lithium-ion batteries for electric vehicles and grid-scale energy storage, confirmed a ransomware incident affecting one overseas facility. According to the company, the intrusion did not impact headquarters or other global sites, and the affected plant has since resumed normal operations following containment and recovery activities. Akira ransomware operators later added LGES to their DLS, claiming theft of corporate data, including employee information, internal documents, and operational databases. These claims have not been publicly confirmed by LGES.
Romanian Water Authority
- Date: December 2025
- Impact: Romanian Waters (Administrația Națională Apele Române), the country’s national water management authority, announced that it had been the victim of a ransomware attack that left staff locked out of approximately 1,000 computer systems. The authority stated the attack impacted equipment from workstations to servers, but noted that operational technologies, including hydrotechnical infrastructure such as dams and flood defenses, were unaffected. Romanian authorities’ initial technical assessment was that the attackers used the legitimate Windows tool BitLocker to attempt to demand ransom from the organization. The incident has not been linked to any known adversary or ransomware operation.
Oltenia Energy Complex
- Date: December 2025
- Impact: Oltenia Energy Complex (Complexul Energetic Oltenia), Romania’s largest coal-based energy producer, confirmed a ransomware incident that partially affected the company’s operations in December. As a result of the attack, some documents and files were encrypted, and several computer applications became temporarily unavailable, including ERP systems, document management applications, the company’s email service, and website. The company emphasized that the incident did not jeopardize the operation of Romania’s National Energy System. The company linked the attack to The Gentlemen ransomware operation, and the group later claimed to have data belonging to the organization on its DLS.
Figure 1 Ransomware Targets by Region, Fourth Quarter of 2025
In Q4 2025, ransomware activity impacting industrial organizations increased across all regions, reinforcing the global and persistent nature of the threat. Manufacturing, construction, engineering, and telecommunications sectors continued to be targeted worldwide. North America remained the most impacted region by a wide margin, while Europe and Asia also saw notable activity. South America, the Middle East, Africa, and Australia/New Zealand experienced lower overall volumes, but continued to face consistent, opportunistic targeting of industrial organizations.
- North America: Recorded 639 incidents, maintaining its position as the most impacted region. Activity was driven by sustained targeting of industrial organizations across manufacturing, construction, engineering, transportation, and telecommunications sectors. The region’s high concentration of mid-market industrial firms, widespread remote access usage, and reliance on production-supporting IT systems continue to make it an attractive target for ransomware affiliates.
- Europe: Reported 273 incidents, remaining the second-most impacted region. Activity continued to concentrate in industrially dense countries with strong manufacturing and engineering bases. Interconnected supply chains and cross-border operations contributed to Europe’s continued exposure during the quarter.
- Asia: Documented 113 incidents, reflecting continued growth compared to earlier quarters. Ransomware activity in the region primarily affected manufacturing, electronics, telecommunications, and logistics organizations, driven by rapid digitalization and high-volume supply chain operations.
- South America: Experienced 99 incidents, with targeting focused on manufacturing, construction, chemicals, and food production. Many impacted organizations operated with constrained cybersecurity resources and relied heavily on third-party IT service providers, increasing exposure to ransomware intrusion.
- The Middle East: Recorded 53 incidents, with activity affecting construction, manufacturing, energy, and telecommunications organizations. While overall volume remained lower than in North America and Europe, the region’s strategic industrial assets and ongoing digital transformation continue to draw attention from ransomware operators.
- The ANZ region: Observed 18 incidents, primarily impacting manufacturing, engineering, and industrial equipment suppliers. Although activity levels were comparatively low, dependence on remote connectivity and geographically distributed operations remained a consistent risk factor.
- Africa: Recorded 16 incidents, with activity spanning manufacturing, construction, chemicals, and utilities. While reporting volume remained limited, the presence of industrial victims across multiple countries reflects continued opportunistic targeting of emerging markets.
Figure 2 Ransomware Incidents by Industry Sector, Fourth Quarter of 2025
Ransomware activity in Q4 2025 continued to significantly impact industrial organizations, reinforcing adversaries’ sustained focus on sectors with tight operational dependencies and low tolerance for downtime. Manufacturing remained the most heavily targeted sector by a wide margin, while transportation, industrial control systems (ICS) equipment and engineering, and telecommunications continued to experience persistent activity. Energy-related sectors, including oil and natural gas and electric utilities, also remained consistently targeted throughout the quarter.
- Manufacturing: Recorded 819 incidents, accounting for the majority of ransomware activity impacting industrial organizations in Q4. This represented a substantial increase compared to Q3 and reflects continued targeting of production-supporting IT systems, supplier coordination platforms, and enterprise environments tightly coupled to operational workflows.
- Transportation and Logistics: Reported 120 incidents, highlighting sustained targeting of logistics providers, aviation services, and maritime operations. Disruption in this sector continues to pose downstream risk to manufacturing supply chains and distribution networks.
- Industrial Control Systems (ICS) Equipment and Engineering: Experienced 113 incidents, reflecting ongoing attention to engineering firms and equipment providers that design, deploy, and maintain systems supporting industrial operations.
- Telecommunications: Recorded 42 incidents, underscoring continued adversary interest in connectivity providers that support remote access, vendor communications, and industrial data flows.
- Oil and Natural Gas (ONG): Experienced 49 incidents, demonstrating persistent targeting of upstream, midstream, and downstream energy organizations and the service providers that support them.
- Electric: Recorded 31 incidents, reflecting continued exposure among utilities and power-sector suppliers as digital transformation and remote management capabilities expand.
- Mining: Reported 19 incidents, showing sustained targeting of resource extraction and metals production organizations with distributed operations and heavy reliance on centralized IT systems.
- Renewables: Experienced 9 incidents, indicating ongoing but lower volume targeting of renewable energy operators and related service providers.
- Government: Recorded 6 incidents, reflecting continued but comparatively lower activity against public-sector organizations during the quarter.
- Water: Recorded 3 incidents, representing limited but persistent targeting of water-sector entities that provide essential services.
As illustrated in Figure 3, ransomware activity impacting industrial sectors remained significant in the fourth quarter of 2025. Manufacturing continued to be the most impacted sector, increasing from 532 incidents in Q3 to 819 in Q4, while activity affecting ICS equipment and engineering remained elevated. Transportation, government, and telecommunications sectors also experienced persistent targeting, highlighting the continued breadth and scale of ransomware operations across industrial environments.
Figure 3 Ransomware Incidents by Industry Sector, Fourth Quarter of 2025
Manufacturing Subsectors
Dragos observed significant ransomware activity across multiple subsectors within manufacturing during the fourth quarter of 2025.
The breakdown of the 819 total manufacturing incidents in Q4 is as follows:
- Construction: 188 incidents (23%)
- Food and Beverage: 109 incidents (13%)
- Equipment: 93 incidents (11%)
- Automotive: 84 incidents (10%)
- Consumer Goods: 78 incidents (10%)
- Electronics: 40 incidents (5%)
- Healthcare Manufacturing: 39 incidents (5%)
- Textile: 29 incidents (4%)
- Packaging: 26 incidents (3%)
- Chemical: 24 incidents (3%)
- Plastics: 20 incidents (2%)
- Metals: 19 incidents (2%)
- Pharmaceuticals: 18 incidents (2%)
- Semiconductor: 13 incidents (2%)
- Aerospace: 11 incidents (1%)
- Paper: 11 incidents (1%)
- Defense Manufacturing: 6 incidents (<1%)
- Glass: 6 incidents (<1%)
- Maritime Manufacturing: 5 incidents (<1%)
Transportation Subsectors
Within the 120 transportation-related incidents observed in Q4, activity was distributed as follows:
- Logistics: 68 incidents (57%)
- Aviation: 20 incidents (17%)
- Maritime: 7 incidents (6%)
- Rail/Warehousing: 25 incidents (20%)
Industrial Control Systems (ICS) Subsectors
Ransomware activity impacting ICS equipment and engineering organizations totaled 113 incidents in Q4. The subsector breakdown is as follows:
- ICS Equipment: 63 incidents (56%)
- ICS Engineering: 50 incidents (44%)
Figure 4 Ransomware Incidents by Ransomware Group, Fourth Quarter of 2025
Dragos’ analysis of ransomware activity in Q4 2025 shows a continued shift toward ecosystem consolidation, despite an overall increase in claimed incidents. While a variety of small and short-lived ransomware brands remained present, the majority of impactful activity continued to be generated by a relatively small number of established and consistently active RaaS operations. Several dominant groups expanded their operational tempo during the quarter, while many emerging or rebranded identities remained low-volume and operationally limited:
- Qilin: Recorded 284 incidents, making it the most active ransomware operation impacting industrial organizations in Q4. Qilin’s sustained dominance reflects a mature and stable affiliate ecosystem, continued exploitation of internet-facing infrastructure, and persistent targeting of manufacturing, construction, and supply chain-dependent environments.
- Akira: Reported 143 incidents, remaining one of the most consistently active groups targeting industrial organizations. Activity continued to align with previously observed tradecraft, including abuse of VPN infrastructure, credential compromise, and rapid encryption of production-supporting IT systems.
- LockBit 5.0: Accounted for 70 incidents, reflecting a partial resurgence in activity following its attempted re-entry into the ransomware ecosystem. While visible, LockBit 5.0 did not reclaim its former position of dominance and remained secondary to more stable RaaS platforms.
- Sinobi: Recorded 65 incidents, demonstrating measurable growth compared to earlier quarters. Activity remained selective and industrial-heavy, with targeting across construction, equipment manufacturing, electronics, and renewables.
- CL0P: Registered 56 incidents, driven primarily by data-centric, encryption-less extortion campaigns targeting enterprise file transfer and business application platforms rather than endpoint encryption.
- Play: Recorded 51 incidents, sustaining consistent activity across engineering, construction, aerospace, and industrial equipment manufacturers.
- INC Ransom: Accounted for 48 incidents, continuing to benefit from affiliate migration and maintaining broad targeting across manufacturing, chemicals, construction, and government entities.
- Safepay: Recorded 39 incidents, reflecting steady activity against production-supporting IT environments across manufacturing, electronics, and telecommunications sectors.
- DragonForce: Documented 33 incidents, with activity spanning engineering, construction, renewables, and telecommunications sectors.
- Everest: Registered 32 incidents, reflecting its continued use of selective, high-impact extortion campaigns focused on downstream and long-tail operational risk rather than volume-driven encryption.
- Devman and Dire Wolf: Each recorded 24 incidents, maintaining targeted activity against industrial and operationally adjacent organizations.
- Lynx: Accounted for 20 incidents, reflecting reduced but still persistent activity across multi-sector industrial environments.
- Emerging and Mid-Volume Groups: Groups such as Coinbase Cartel (19), Gentlemen (19), CiphBit (17), Medusa (15), Warlock (15), RALord (14), and RansomHouse (14) contributed to leak-site volume but did not approach the scale or consistency of dominant RaaS operations.
- Lower-Volume and Peripheral Groups: A broad set of groups, including NightSpire, Scattered LAPSUS$ Hunters, Rhysida, BlackShrantac, Payouts King, Anubis, Space Bears, Chaos, Beast, Genesis, Kazu, RADAR, SECUROTROP, Trident, and others, recorded fewer than 15 incidents each. These actors continued to populate the ransomware ecosystem, often appearing briefly with limited operational maturity.
- Minimal-Activity Groups: Several identities, including Brain Cipher, Embargo, FulcrumSec, Gunra, Kyber, MintEye Team, ROOT, Skira, and others, registered one or two incidents. These groups remain low-signal and did not materially affect the industrial ransomware landscape during Q4.
As illustrated in Figure 5, Q4 activity reflects a clear consolidation trend. Qilin, Akira, INC Ransom, Play, and CL0P expanded their footprint, while LockBit 5.0 demonstrated only limited recovery. Although new and rebranded groups continued to appear, their impact remained marginal. This reinforces the assessment that industrial ransomware exposure in Q4 was driven primarily by a small number of reliable, affiliate-supported RaaS operations, rather than by broad ecosystem fragmentation or brand proliferation.
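The consolidation assessment above rests on comparing per-group counts with the quarter's total rather than on the total alone. The following Python, added here and not part of the Dragos report, computes the concentration metrics that argument depends on (top-N share, a Herfindahl index with an explicit bound for the small groups the report does not count individually, and Qilin's growth against total claim growth) from the figures stated in this report; the 14-incident ceiling for uncounted groups is taken from the report's "fewer than 15" wording and is the only assumption.

```python
"""Concentration check for the Q4 2025 industrial ransomware claim counts.

Added example, not Dragos code. All counts are the figures stated in this
report (the per-group list, the 1,211 Q4 total, and the Q3 comparison points
742 total / Qilin 138). Groups the report only describes as "fewer than 15"
or "one or two" incidents are not listed individually, so they are treated
as an unnamed remainder against the stated total.
"""

Q4_TOTAL = 1211
Q4_BY_GROUP = {
    "Qilin": 284, "Akira": 143, "LockBit 5.0": 70, "Sinobi": 65, "CL0P": 56,
    "Play": 51, "INC Ransom": 48, "Safepay": 39, "DragonForce": 33,
    "Everest": 32, "Devman": 24, "Dire Wolf": 24, "Lynx": 20,
    "Coinbase Cartel": 19, "Gentlemen": 19, "CiphBit": 17, "Medusa": 15,
    "Warlock": 15, "RALord": 14, "RansomHouse": 14,
}
Q3_TOTAL = 742
Q3_BY_GROUP = {"Qilin": 138}   # the only Q3 per-group count the report gives


def unnamed_remainder(by_group, total):
    """Incidents attributed to groups the report does not count individually."""
    named = sum(by_group.values())
    if named > total:
        raise ValueError(f"named groups ({named}) exceed the stated total ({total})")
    return total - named


def top_n_share(by_group, total, n):
    """Fraction of all claims generated by the n most active named groups."""
    top = sorted(by_group.values(), reverse=True)[:n]
    return sum(top) / total


def hhi(by_group, total, max_unnamed=14):
    """Herfindahl-Hirschman index of group shares (0 = fragmented, 1 = one actor).

    Computed over the named groups against the full total. Each unnamed group
    has at most max_unnamed claims, so the omitted contribution is bounded; the
    bound is returned with the index so the caller knows the maximum
    understatement.
    """
    idx = sum((n / total) ** 2 for n in by_group.values())
    remainder = unnamed_remainder(by_group, total)
    # Worst case: remainder split into as few groups as allowed, each at the cap.
    full_groups = remainder // max_unnamed
    leftover = remainder - full_groups * max_unnamed
    bound = (full_groups * max_unnamed ** 2 + leftover ** 2) / total ** 2
    return idx, bound


def growth(before, after):
    """Relative growth between two counts, e.g. 0.5 for a 50% increase."""
    return after / before - 1.0


def consolidation_report():
    """Metrics the consolidation argument turns on, as one dict.

    Compares the leading groups' shares and the concentration index with how
    fast Qilin grew relative to the ecosystem as a whole.
    """
    idx, bound = hhi(Q4_BY_GROUP, Q4_TOTAL)
    qilin_q3 = Q3_BY_GROUP["Qilin"] / Q3_TOTAL
    qilin_q4 = Q4_BY_GROUP["Qilin"] / Q4_TOTAL
    return {
        "unnamed_remainder": unnamed_remainder(Q4_BY_GROUP, Q4_TOTAL),
        "top2_share": top_n_share(Q4_BY_GROUP, Q4_TOTAL, 2),
        "top5_share": top_n_share(Q4_BY_GROUP, Q4_TOTAL, 5),
        "top10_share": top_n_share(Q4_BY_GROUP, Q4_TOTAL, 10),
        "hhi": idx,
        "hhi_max_understatement": bound,
        "total_growth": growth(Q3_TOTAL, Q4_TOTAL),
        "qilin_growth": growth(Q3_BY_GROUP["Qilin"], Q4_BY_GROUP["Qilin"]),
        "qilin_share_change_pts": (qilin_q4 - qilin_q3) * 100,
    }


if __name__ == "__main__":
    for key, value in consolidation_report().items():
        shown = f"{value:.3f}" if isinstance(value, float) else str(value)
        print(f"{key:>24}: {shown}")
```

Two groups account for about 35% of all Q4 claims and the top ten for about 68%, and Qilin's claims grew roughly 106% against 63% growth in the total, which is the quantitative form of the statement that volume rose without fragmentation.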
Figure 5 Ransomware Activity by Group/Strain: Q3 2025 vs. Q4 2025
Looking ahead, ransomware risk to industrial organizations is expected to continue to increase. These increases will likely be driven less by the emergence of ICS-specific malware and more by adversaries’ growing focus on the IT systems that underpin OT operations. Enterprise platforms such as ERP, MES, virtualization infrastructure, identity services, remote access gateways, and vendor connectivity systems will remain high-value targets because disruption at this layer can rapidly translate into operational delays, shutdowns, and supply chain impact without requiring direct interaction with ICS networks.
The ransomware ecosystem is also likely to remain highly dynamic, shaped by the continued expansion and specialization of affiliates and IABs. As observed throughout 2025, core RaaS operators will maintain the tooling, infrastructure, and monetization frameworks, while affiliates and IABs act as the primary drivers of victim selection, access acquisition, and operational execution. Even as ransomware brand names fluctuate, the underlying access paths, intrusion workflows, and targeting logic are expected to remain consistent.
Fragmentation across the ecosystem will continue to enable new and short-lived extortion identities to emerge, but impactful activity will remain concentrated among a smaller set of reliable, affiliate-supported RaaS platforms. At the same time, the increasing availability of stolen credentials, commodity infostealers, and ready-made access from IAB marketplaces will further lower the barrier for affiliates to launch opportunistic campaigns against industrial organizations, increasing both the density and tempo of ransomware activity.
Artificial Intelligence (AI) is expected to amplify these trends rather than fundamentally alter them. AI-assisted phishing, automated reconnaissance, and evasion techniques will continue to reduce dwell times and enable less technically sophisticated actors to achieve intrusion outcomes previously associated with more advanced operators. This will further shift ransomware risk toward speed, scale, and access quality rather than bespoke malware capabilities.
Taken together, these dynamics reinforce a critical reality for industrial defenders: ransomware-related OT disruption is most likely to occur through compromise of IT–OT boundary systems, OT-support virtualization, identity platforms, and trusted vendor pathways. As affiliates refine their workflows and leverage IAB-provided access, industrial organizations must apply ICS-grade security rigor not only to control networks, but to all enterprise systems that support, enable, or interface with OT operations. Doing so remains essential to limiting the operational impact of ransomware campaigns in 2026 and beyond.
Clop Ransomware Targets Gladinet CentreStack in Data Theft Attacks – BleepingComputer
Oracle E-Business Suite Zero-Day Exploited in Widespread Extortion Campaign – Google Threat Intelligence Group
European Airports Snarled by Cyberattack, Disruption to Stretch into Sunday – Reuters
Sweden’s Power Grid Operator Confirms Data Breach Claimed by Ransomware Gang – The Record
Chrysler Allegedly Compromised by Everest Ransomware Gang – SCWorld
ASUS Listed by Everest Ransomware Group, 1 TB Data Stolen – TechPowerUp
Arctic Wolf Observes July 2025 Uptick in Akira Ransomware Activity Targeting SonicWall SSL VPN – Arctic Wolf
#StopRansomware: Akira Ransomware – CISA
Romanian Energy Provider Hit by Gentlemen Ransomware Attack – BleepingComputer
LG Battery Subsidiary Says Ransomware Attack Targeted Overseas Facility – The Record
Press Release – Administrația Națională Apele Române
Romanian National Water Agency Hit by BitLocker Ransomware Attack – The Record