DataCenterNews Asia Pacific - Specialist news for cloud & data center decision-makers

Manufacturing leads ransomware targets in 2025 report

Thu, 16th Apr 2026

Manufacturing was the most targeted sector for ransomware in 2025, according to Check Point's latest threat analysis, which counted 1,466 incidents against manufacturers worldwide.

That was up 56 per cent from 937 incidents in 2024. Across all sectors, documented ransomware cases rose 32 per cent year on year to 7,419, placing manufacturing at the centre of current extortion activity.

The figures suggest a sector under growing pressure as factories adopt more connected systems and digital processes while still relying on older operational technology. Production outages can halt output, disrupt safety controls, and affect suppliers and customers across multiple markets.

The US recorded the highest number of manufacturing ransomware incidents with 713 cases, followed by India with 201. Germany recorded 79, the UK 65, and Canada 62.

Key weaknesses

The report identified three main factors behind the rise in attacks. First is the continued use of legacy operational technology, including programmable logic controllers, SCADA systems, and industrial internet of things devices not built to current security standards.

In Europe, 80 per cent of manufacturers still operate critical OT systems with known vulnerabilities, leaving a large installed base of equipment exposed to well-understood attack methods.

Second is supply chain complexity. Attacks that used supply chain access as an entry route rose from 154 incidents in 2024 to 297 in 2025 as threat groups increasingly targeted smaller suppliers, managed service providers, and software platforms to reach larger industrial organisations.

The third factor is the growth of ransomware-as-a-service models. These affiliate structures let groups reuse tools, scale activity more quickly, and tailor operations by region and sector.

Threat groups

Among the groups highlighted, Akira was described as one of the most lucrative ransomware operations active in manufacturing, with estimated proceeds of USD $244 million by late 2025. The group commonly gained access through virtual private networks without multi-factor authentication, exploited vulnerabilities, and spear phishing.

The report also cited Qilin, a Russia-based ransomware-as-a-service operation focused heavily on manufacturing and logistics, and Play, which has continued to hit US manufacturers. The FBI had recorded about 900 entities affected by Play by mid-2025, according to the report.

Beyond financially motivated groups, industrial businesses also faced activity from hacktivist and geopolitical actors. Groups including NoName057(16) and Chinese-aligned defacement actors targeted industrial organisations with denial-of-service attacks, OT reconnaissance, and website defacement during periods of geopolitical tension.

Attack routes

Ransomware remained the dominant threat type, accounting for 890 manufacturing incidents in 2025. But attackers used a broader mix of entry points and techniques before launching extortion attempts.

Exploited vulnerabilities accounted for 32 per cent of attacks, often involving legacy OT environments and internet-facing applications. Phishing and malicious email campaigns represented 23 per cent of incidents, with lures increasingly enhanced by artificial intelligence.

Compromised credentials also became more valuable. Industrial access credentials were being sold on dark web marketplaces for between USD $4,000 and USD $70,000, giving criminal groups a route into sensitive environments without needing to breach them directly.

Supply chain compromise and abuse of remote access tools also featured prominently, allowing attackers to move between information technology and operational technology systems with limited detection. Many attackers now combine encryption with data theft, extortion-only tactics, and broader disruption of information systems.

Regional pressure

Europe saw particularly intense activity, with manufacturing representing 72 per cent of industrial ransomware attacks in the third quarter of 2025. Average ransom demands in the region reached USD $1.16 million, more than double the previous year.

In the US, manufacturing remained the most attacked sector for the fourth consecutive year, and ransomware made up nearly half of all industrial breaches. Median attack costs reached USD $500,000, excluding longer-term operational losses.

India stood out in the Asia-Pacific region, where 65 per cent of affected companies paid ransoms and average payments reached USD $1.35 million. Manufacturing and critical IT services were especially exposed.

The report argues that manufacturers need to focus more closely on identity controls, network segmentation, patching speed, credential security, offline backups, staff training, and third-party risk management as attackers continue to target weak points across both factory systems and corporate networks.

It adds that patching and compensating controls for exposed systems should be implemented in hours rather than days or weeks.