August 29, 2025

Dragos Industrial Ransomware Analysis: Q2 2025

In Q2 2025, the industrial ransomware threat landscape remained highly active, although the total number of incidents decreased slightly, from 708 in Q1 to 657. North America continued to be the most affected region, but Europe, the Middle East, and Africa all saw notable increases in ransomware activity. Manufacturing was the hardest-hit sector (65% of incidents), with construction being the top subsector. Significant growth was also observed in the industrial control systems (ICS) space, as well as in mining, water, and secondary sectors. Among threat actors, Qilin emerged as the dominant group, escalating from 21 incidents in Q1 to 101 in Q2. Other notable actors included Akira, Play, and Safepay.

Several new ransomware groups, such as Gunra, Dire Wolf, Kraken, Silent, Anubis, BERT, Chaos, Crypto24, IMN Crew, Kawa4096, Underground, and Warlock, made their debut in Q2, introducing advanced techniques and making defense more complex. Notably, Qilin raised the professional bar by offering legal advisory services and a PR team for affiliate negotiations, a shift reflecting its evolving sophistication and strategic vision. That evolution was further underscored by its adoption by North Korea’s Moonstone Sleet, signaling a pivot toward geopolitically motivated operations. At the same time, international law enforcement efforts, including Operation Endgame 2.0 and arrests of affiliates, disrupted legacy ransomware networks like RansomHub, driving affiliate migration toward groups like Qilin.

Source: https://www.dragos.com/blog/dragos-industrial-ransomware-analysis-q2-2025/
