June 9, 2025

Dragos Industrial Ransomware Analysis: Q1 2025

In the first quarter of 2025, ransomware attacks against industrial organisations surged, with Dragos identifying 708 incidents worldwide—an increase from approximately 600 in the previous quarter. North America experienced the highest number of attacks (413), followed by Europe (135). The manufacturing sector remained the most targeted, accounting for 68% of all incidents.

Although no new ransomware variants specifically designed for industrial control systems (ICS) were detected, the attacks caused significant operational disruptions. Notable incidents included the South African Weather Service outage, which impacted aviation and agriculture, and an attack on Unimicron, a leading printed circuit board manufacturer.

Emerging ransomware groups such as FunkSec, NightSpire, Kairos, Weyhro, Apos, and Morpheus employed advanced tactics, including AI-driven malware, encryption-less extortion, and sophisticated endpoint detection and response (EDR) evasion tools like RansomHub’s EDRKillShifter. The Cl0p ransomware group notably increased its activity, exploiting vulnerabilities in Cleo Managed File Transfer systems, leading to 154 incidents in Q1—up from just two in the previous quarter.

The growing interconnection between IT and operational technology (OT) systems has amplified the impact of these attacks. Disruptions in IT environments increasingly cascade into OT operations, causing production delays and supply chain issues. Additionally, groups like Babuk Locker have adopted deceptive extortion tactics, such as making unsubstantiated breach claims and recycling outdated or falsified data leaks, complicating incident response efforts.

Dragos emphasizes the need for industrial organisations to enhance their cybersecurity measures, focusing on the convergence of IT and OT systems, to mitigate the evolving ransomware threat landscape.

Source: https://www.dragos.com/blog/dragos-industrial-ransomware-analysis-q1-2025/
