
Ransomware attacks surged by 46% from Q4 2024 to Q1 2025, according to Honeywell’s cybersecurity threat report. The research underscores the increasing frequency and sophistication of cyberattacks targeting critical infrastructure—particularly in the energy and manufacturing sectors—and highlights how threat actors are sharpening their techniques to exploit vulnerabilities in operational technology (OT).
The report shows a steep rise in both malware and ransomware during this period, including an alarming 3,000% increase in the use of a trojan specifically designed to steal credentials from industrial operators. Among the malware flagged, W32.Worm.Ramnit—a highly dangerous trojan targeting OT systems—accounted for 37% of all files blocked by Honeywell’s Secure Media Exchange (SMX). This sharp uptick signals a growing and focused threat to industrial environments.
“Industrial operations across critical sectors like energy and manufacturing must avoid unplanned downtime as much as possible—which is precisely why they are such attractive ransomware targets,” said Paul Smith, director of Honeywell Operational Technology (OT) Cybersecurity Engineering and author of the report. “These attackers are evolving fast, leveraging ransomware-as-a-service kits to compromise the industrial operations that keep our economy moving.”
To compile the report, Honeywell researchers analyzed over 250 billion logs, 79 million files, and 4,600 incident events blocked across its global install base. Their analysis revealed 2,472 attempted ransomware attacks in Q1 2025 alone, equivalent to 40% of all ransomware incidents recorded in 2024 and indicating a sharply rising trend.
The study also points to persistent risks from external media and USB devices. In Q1 2025, SMX detected 1,826 unique USB threats, including 124 previously unknown variants. This follows a continuing upward trajectory: USB malware detections rose by 33% in 2023 after an unprecedented 700% year-over-year spike in 2022. The report additionally broadened its analysis to include threats delivered via Human Interface Devices (HIDs), such as mice, mobile phone chargers, and other peripherals often used during software updates or patching of on-premises systems.
The economic stakes are high. The US Cybersecurity and Infrastructure Security Agency (CISA) classifies major cyber incidents as those that enable unauthorized access leading to significant operational disruption. Industry estimates suggest that unplanned downtime—whether due to cyberattacks or equipment failure—costs Fortune 500 companies approximately $1.5 trillion annually, or about 11% of their total revenue.
“With increasingly significant threats and updated SEC reporting regulations requiring the disclosure of material cybersecurity incidents, industrial operators must act decisively to mitigate costly unplanned downtime and risks, including those linked to safety,” Smith said. “Leveraging Zero Trust architecture and AI for security analysis can speed detection and enable smarter decision-making and proactive defense in an increasingly complex digital landscape.”