The risks facing industrial organisations continued to escalate into the third quarter of 2024, with incidents impacting the sector rising sharply over the period.
According to the latest Industrial Ransomware Analysis report from Dragos, affiliates aligned with ransomware-as-a-service (RaaS) operations and initial access brokers are driving a surge in incidents targeting organisations – such as those in the industrial sector – for their extremely low tolerance for downtime.
“Participants in this increasingly complex ransomware ecosystem exploit unsecured connections between information technology (IT) and operational technology (OT), resulting in significant disruptions to essential operations,” Dragos said in its Q3 report.
“The frequency and severity of these attacks are increasing, posing a serious threat to these organisations.”
Dragos tracked 742 ransomware incidents targeting industrial victims worldwide in the third quarter of 2025, compared to 708 incidents in the first quarter of the year and just 657 in the second.
Manufacturing continues to be the sector most under threat, soaking up 72 per cent of all attacks in the period, with construction the most impacted sub-sector.
The Qilin group in particular led the charge with 138 incidents, and just four groups – Qilin, Akira, Play, and INC Ransom – accounted for 40 per cent of all those tracked.
Emerging threats
Entirely new and rebranding ransomware operations increased in the quarter, due to leaked ransomware builders, recycled infrastructure, and affiliate migration, leading to a proliferation of new threats.
“The expanding availability of AI-assisted tools has further reduced the barrier to entry, allowing lower-skilled actors to assemble or modify ransomware payloads without deep technical expertise,” Dragos said.
“While the maturity of these groups varies considerably, several demonstrated notable activity across industrial verticals and production-supporting IT systems.”
Although none of the new and active groups caused any direct industrial disruption, they still present a “growing risk” for their willingness to target – indeed, focus on – industrial systems. The Gentlemen ransomware group, first observed in September, is a perfect example – out of 39 victims, 16 were industrial organisations.
The Sinobi group, spotted in July, tells a similar tale. Twenty-three of its 42 victims were industrial entities in manufacturing, construction, renewables, and telecommunications.
“As RaaS fragmentation continues, even low-maturity crews are able to compromise production-supporting IT systems, steal sensitive data and apply meaningful extortion pressure,” Dragos said.
“Their presence reinforces that risk does not originate solely from dominant and well-established ransomware groups, but also from smaller operators capable of rapid intrusion and disruptive impact through simple but effective tradecraft.”
Three groups stood out from the pack, however, for very different reasons.
The Qilin group, which has claimed at least 11 victims in Australia this year, remained one of the most active RaaS operators in the period. Dragos linked more than 130 industrial ransomware incidents to Qilin affiliates; in particular, it was a Qilin operative that targeted the Asahi Group in Japan, which resulted in delays in production and logistics.
On the other hand, despite a rebrand, the LockBit ransomware operation released version 5.0 of its malware, stoically continuing its criminal activity despite the efforts of Operation Cronos to disrupt it. That said, the group is, according to Dragos, a “diminished brand”.
“Despite the relaunch, LockBit struggled to regain momentum. Most former LockBit affiliates had already migrated to RansomHub and later to Qilin, both of which provided more stable operations and consistent payouts,” Dragos said.
“As a result, LockBit’s industrial footprint in Q3 remained minimal.”
And of course, there was Scattered Lapsus$ Hunters, which, in the wake of targeting Qantas, claimed to be behind the hack that ground Jaguar Land Rover production lines to a halt, resulting in a drop in the UK’s gross domestic product (GDP).
“Across these incidents, the tradecraft remained consistent: compromise of identity and enterprise IT platforms that underpin OT continuity, rather than direct targeting of ICS networks,” Dragos said.
Who was hacked, and where
Incidents in the United States and Canada once again put the North America region ahead of the rest of the world when it comes to industrial ransomware impact, with 392 incidents in the US and 41 in Canada. The region’s rate of digital dependency and its reliance on remote access make it a particularly attractive target.
Manufacturing was unsurprisingly the most targeted sector, followed by construction, engineering, automotive, equipment suppliers, and telecommunications.
Europe followed with 162 incidents, with manufacturing and construction the lead targets, while Asia saw 72 industrial ransomware attacks. In the case of Asia, manufacturing and telecommunications were prime targets.
South America and the Middle East were the next most impacted, with 38 and 15 incidents, respectively, again with a focus on construction and manufacturing. Africa recorded 14 incidents spread almost equally throughout the continent.
The ANZ region, thankfully, only saw six similar incidents.
“Although the volume was low relative to other regions, the region’s industrial supply chain and heavy reliance on remote connectivity continue to present opportunities for opportunistic ransomware operators,” Dragos said.
Sadly, Dragos believes this pace of activity will only accelerate. Fragmentation across the ransomware ecosystem is leading to a profusion of diverse and skilled threat groups that are increasingly empowered by artificial intelligence.
And while criminal groups continue their dire trade, the company also expects geopolitical and ideological actors to adopt the RaaS model to sow disruption among their enemies.
“The RaaS ecosystem lowers barriers to entry, provides scalable infrastructure and enables groups with minimal technical capability to participate in high-impact extortion operations,” Dragos said.
“As a result, industrial organisations should anticipate continued growth in both the number of active groups and the frequency of attacks.”
You can read the full Dragos Industrial Ransomware Analysis: Q3 2025 here.
David Hollingworth