AI-Enabled Ransomware Disrupts Global Supply Chains

Ransomware attacks surged again in Q1 2025, with manufacturing absorbing the brunt of 708 reported incidents worldwide, according to OT cybersecurity firm Dragos. As attackers adopt AI-enabled methods and blend them with persistent vulnerabilities, operational disruptions are escalating across industrial supply chains.

Manufacturing Targeted in Majority of Attacks

The manufacturing sector remained ransomware’s primary bullseye in Q1 2025, accounting for 68% of all attacks, with incidents rising from 424 last quarter to 480. According to Dragos, these attacks are not isolated disruptions; they ripple through logistics, delay production schedules, and compromise downstream operations. The outage at the South African Weather Service (SAWS), for instance, hampered both aviation and agricultural planning, while the Unimicron breach raised alarms across the electronics supply chain.

Geographically, North America was the epicenter, with 413 incidents – 374 of them in the United States alone. Europe followed with 135 cases, notably in Germany, the UK, and Italy. Asia’s 78 recorded incidents included sustained pressure on Indian and Japanese industrial firms. Manufacturing, transportation, and engineering firms were the most affected, while ICS-specific incidents declined, hinting at a tactical pivot rather than diminished interest.

Despite no new ransomware variants explicitly engineered for ICS environments this quarter, attackers leveraged a dangerous mix of AI-enabled malware, encryption-less extortion, and evasive tools targeting EDR systems. The attack surface is also expanding thanks to ongoing IT-OT convergence, where disruptions in enterprise systems increasingly cascade into physical operations. Cases like the manufacturing delays at National Presto Industries illustrate this dual-system vulnerability.

Attackers Combine Deception and Speed

Threat groups continued to exploit zero-day flaws and poor credential management while layering in new methods. FunkSec deployed AI-generated malware, while Babuk Locker and others issued false breach claims using recycled data to pressure victims. These tactics complicate verification and response, particularly in sectors with limited cybersecurity resources.

Transportation and logistics reported 108 attacks, up from 69, suggesting attackers are extending their reach beyond production to the broader supply chain. Lower incident counts in ICS equipment and engineering may indicate underreporting rather than reduced threat levels.

Cybersecurity Now a Core Operational Risk 

Traditional IT controls alone are insufficient when attackers target production lines, transport systems, and supplier networks. Integrating cybersecurity into day-to-day operations, through tighter access governance, scenario-based planning, and improved supplier risk visibility, offers a more durable path to resilience. As threat actors refine their methods, defense must become less reactive and more structurally embedded across the value chain.
