Report: Hacktivism drives surge in ransomware attacks in Q2 2025


Ransomware attacks targeting industrial entities dropped slightly in the second quarter of 2025, and while that news is welcome, the number of attacks remains worrying.

Operational technology security firm Dragos tracked 657 ransomware incidents targeting industrial entities in the April-June period, down from 708 in the previous quarter.

“Though the quantity of observed incidents were down overall, three regions experienced an increase in incidents,” Dragos said in its Industrial Ransomware Analysis: Q2 2025 report.

“Europe led the increase in incidents with 135 in Q1 and 173 in Q2. The Middle East saw an increase from 11 attacks in Q1 to 17 in Q2. Africa experienced the smallest increase, with three incidents in Q1 and five in Q2.”

Manufacturing remained the most targeted sector, drawing 65 per cent of all incidents, while attacks targeting the electricity sector saw a sharp drop with just three incidents in the second quarter, compared to the 15 recorded in the previous quarter.

The Israel-Iran conflict saw hacktivist groups deploying ransomware against targets in the US and Israel, while Iranian ransomware groups offered affiliates greater payouts to target the regime’s enemies.

The quarter also saw some significant law enforcement activity. Operation Endgame 2.0 saw a coalition of European agencies dismantle vital ransomware infrastructure, while Moldovan and Dutch authorities arrested an affiliate of the DoppelPaymer ransomware group.

“This operational disruption likely accelerated affiliate migration observed from dormant groups like RansomHub to increasingly active operations such as Qilin,” Dragos said.

Ransomware groups and tactics

For the second quarter in a row, analysts have observed the emergence of 12 new ransomware groups: Gunra, Dire Wolf, Kraken, Silent, Anubis, BERT, Chaos, Crypto24, IMN Crew, Kawa4096, Underground, and Warlock.

Established operators took advantage of the disappearance of the once prolific RansomHub operation, however. Qilin emerged as a ransomware-as-a-service operation to watch, recruiting affiliates and providing them with a range of “professional services”, including legal advice to bolster ransom negotiations and tame “journalists” to shape the narrative around their criminal operations.

Qilin was responsible for 19 per cent of all ransomware activity targeting industrial systems in the second quarter of 2025, and its exploitation of vulnerabilities in Fortinet security products allowed for rapid access to networks.

The group also switched its targeting from purely financial operations to the rarified heights of nation-state activity, with the uptake of its ransomware platform by the Moonstone Sleet threat actor, a known nation-state actor in the employ of North Korea.

“Correspondingly, Qilin’s activity dramatically surged from 21 ransomware incidents affecting industrial organisations in Q1 to 101 incidents in Q2,” Dragos said.

“This marked escalation underscores the group’s strategic commitment to impact industrial sectors, further solidifying Qilin’s emerging threat status.”

The Devman group directed its affiliates to engage in “big game hunting”, targeting critical infrastructure organisations with revenue in excess of US$100 million and healthcare entities earning US$50 million. The group also moved its software from C++ to the Rust programming language, delivering a significant boost to its affiliates’ stealth capabilities and efficiency.

Devman also honed its pressure tactics, utilising media exposure to pressure its victims psychologically.

SafePay also accelerated its operations, hitting 49 industrial targets in the second quarter of the year compared to 13 in the previous period.

“Likely derived from leaked LockBit 3.0 source code, its ransomware toolkit emphasises modular flexibility and advanced double-extortion tactics, combining destructive encryption and extensive data exfiltration,” Dragos said.

Who was hacked, and where

A total of 10 industrial ransomware incidents occurred in the Oceania region, with Australia the most targeted country. Attacks in the region focused on manufacturing, industrial control systems, and the oil and natural gas sectors.

North America remained the most targeted region, with 355 incidents, fully 54 per cent of all incidents globally; manufacturing and transport were the most targeted sectors there. Europe attracted 26 per cent of activity, also mostly impacting manufacturing and transport. Asia ran third, with about 9 per cent of global activity, with the transportation, manufacturing, and telco sectors most targeted.

Manufacturing was unsurprisingly the most targeted sector, and within that, the construction, equipment, food and beverage, automotive, and electronic sub-sectors bore the brunt of intrusions.

Dragos expects AI-driven phishing to increase throughout the rest of the year, alongside targeted attacks driven by geopolitical divisions. Exploitation of known vulnerabilities will continue, while fragmentation of the ransomware ecosystem will continue to drive affiliates from one operation to another in search of reliable malware and greater paydays.

“To effectively manage these evolving risks, industrial organisations must adopt a strong, proactive cyber security posture,” Dragos said.

“Prioritising a zero-trust approach, implementing rigorous vulnerability management practices, enhancing detection capabilities with AI-driven tools, and ensuring segmented, resilient networks will be essential. Strengthening employee training to recognise and counter sophisticated social engineering attempts, maintaining secure offline backups, and regularly conducting incident response simulations will enhance organisational preparedness.”
