Ransomware attacks targeting industrial operators increased by 46% in the first quarter of 2025 compared to the previous quarter, according to a new cybersecurity threat report.
The findings highlight growing risks to critical infrastructure sectors such as energy, manufacturing and utilities, which are becoming frequent targets due to their dependence on uninterrupted operations.
The analysis, based on billions of cybersecurity logs and thousands of threat events, documents a marked rise in both ransomware and malware activity during the period under review.
A significant contributor to this trend was the proliferation of credential-stealing trojans, with one variant, W32.Worm.Ramnit, accounting for over one-third of all malicious files blocked. This marks a 3,000% increase in activity for the trojan compared to the previous quarter.
“Industrial operations across critical sectors like energy and manufacturing must avoid unplanned downtime as much as possible – which is precisely why they are such attractive ransomware targets,” said Paul Smith, director of operational technology cybersecurity engineering and author of the report.
“These attackers are evolving fast, leveraging ransomware-as-a-service kits to compromise the industrial operations that keep our economy moving,” Smith said.
The report also identified 2,472 potential ransomware attacks in the first quarter of 2025 alone, representing 40% of the total volume recorded for the entire previous year. This surge indicates a steady escalation in the frequency and ambition of cybercriminal campaigns.
USB-based threats continue to be a persistent risk for operational systems, with 1,826 unique threats detected in the same quarter. Of these, 124 were previously unidentified, underlining the evolving nature of malware delivered through removable media.
This trend builds on a 33% increase in USB malware detections in 2023, following a 700% rise in 2022.
The report further noted that threats are also being introduced via commonly used plug-in hardware such as charging cables, external mice and laptops—devices often connected during maintenance or software updates in industrial environments.
The US Cybersecurity and Infrastructure Security Agency (CISA) classifies incidents as substantial when they enable unauthorised access that causes operational disruption or impairment. Industry data suggests that such disruptions cost large companies an estimated $1.5 trillion annually, equating to approximately 11% of their revenue.
“With increasingly significant threats and updated SEC reporting regulations requiring the disclosure of material cybersecurity incidents, industrial operators must act decisively to mitigate costly unplanned downtime and risks, including those linked to safety,” Smith said.
“Leveraging Zero Trust architecture and AI for security analysis can speed detection and enable smarter decision making and proactive defence in an increasingly complex digital landscape,” he said.
