Full Report
In the third quarter of 2025 (July-September), Dragos identified 742 ransomware incidents affecting industrial entities worldwide, an increase from the 708 incidents documented in Q1 and the 657 incidents documented in Q2 2025. North America was the most targeted region in Q3, followed by Europe, which experienced a slight decrease in incidents overall. Asia was the third most impacted region and saw an increase in incidents in Q3, with Thailand accounting for the majority. Manufacturing remained the most impacted sector, accounting for 72% of incidents recorded in Q3. The top manufacturing subsector impacted by ransomware was construction, accounting for 142 of the 532 manufacturing incidents in Q3. The global electric/renewables sector saw an increase from 3 incidents in Q2 to 16 in Q3. Similarly, government organizations saw an increase from 4 incidents in Q2 to 35 in Q3.
Analysis Summary
# Incident Report: Global Industrial Ransomware Activity - Q3 2025
## Executive Summary
During the third quarter of 2025 (July–September), Dragos documented a sustained escalation in ransomware targeting industrial control system (ICS) environments, with 742 incidents identified globally, surpassing the volumes from Q1 (708) and Q2 (657). North America was the most active region, while the Manufacturing sector remained the dominant target (72% of incidents), with the construction subsector hit hardest. Attack methodology focused on exploiting unsecured IT/OT connections, driven by mature RaaS ecosystems, and placed significant operational pressure on critical infrastructure entities.
## Incident Details
- **Discovery Date:** Throughout Q3 2025 (July 1 – September 30, 2025)
- **Incident Date:** Q3 2025 (July – September)
- **Affected Organization:** 742 industrial entities worldwide (Specific organizations not detailed individually)
- **Sector:** Primarily Manufacturing (72% of incidents), Electric/Renewables sector (increased to 16 incidents), Government organizations (increased to 35 incidents).
- **Geography:** Global; North America (Most targeted), Europe (Slight decrease), Asia (Increased activity, majority in Thailand).
## Timeline of Events
The data provided reflects aggregated statistics over a defined period, not a single event timeline.
### Initial Access
- **Date/Time:** Throughout Q3 2025
- **Vector:** Exploitation of unsecured connections between Information Technology (IT) and Operational Technology (OT) environments, with access obtained and leveraged by Initial Access Brokers (IABs) and RaaS affiliates.
- **Details:** The threat landscape showed an emphasis on identity-centric extortion targeting the enterprise environments that support production (e.g., manufacturing, logistics). Related external reporting of Sinobi ransomware using compromised SonicWall SSL VPN credentials suggests that this type of vector was relevant during the period.
### Lateral Movement
- **Date/Time:** Within the incident lifecycle
- **Vector:** Not explicitly detailed, but implied by the mature RaaS operations leveraging affiliates who compromise business systems underpinning production.
- **Details:** Attackers successfully moved from initial access points to impact critical industrial operations, as evidenced by the high percentage of incidents across core sectors.
### Data Exfiltration/Impact
- **Date/Time:** Within the incident lifecycle
- **Vector:** Ransomware deployment leading to disruption of essential operations.
- **Details:** Significant operational pressure resulting from successful encryption or denial of access to core systems. Qilin was the most active group (138 incidents).
### Detection & Response
- **Date/Time:** Post-attack phase, throughout Q3 2025
- **Vector:** General observation of threat group behavior shaping the landscape.
- **Details:** Law Enforcement actions continued to influence the ecosystem, though their immediate impact varied. LockBit's reemergence with "LockBit 5.0" in September 2025 signaled aggressive targeting, potentially disregarding the group's prior internal targeting rules.
## Attack Methodology
*Note: Specific TTPs for all 742 incidents are not provided. The following reflects generalized observations about the Q3 threat landscape.*
- **Initial Access:** Exploitation of IT/OT integration points; likely use of compromised credentials via IABs.
- **Persistence:** Not detailed.
- **Privilege Escalation:** Not detailed.
- **Defense Evasion:** Not detailed; implied effectiveness given the high volume of successful compromises.
- **Credential Access:** Implied through identity-centric extortion tactics.
- **Discovery:** Not detailed.
- **Lateral Movement:** Movement likely focused on systems critical to production and supply chain continuity residing in the IT environment supporting OT.
- **Collection:** Not detailed.
- **Exfiltration:** Implied tactics of double extortion common in modern RaaS operations.
- **Impact:** Encryption and operational disruption of industrial control systems or supporting enterprise IT environments.
## Impact Assessment
- **Financial:** Not specified, but implied to be significant given the low tolerance for downtime among the targeted entities.
- **Data Breach:** Not specified, but modern trends suggest data exfiltration was a component of the extortion strategy.
- **Operational:** High impact across the Manufacturing sector (72% of incidents). Notable increases in the Electric/Renewables sector (3 to 16 incidents) and Government (4 to 35 incidents). Construction was the highest subsector impacted within Manufacturing (142 incidents).
- **Reputational:** Not detailed, though incidents referencing flight delays (Brussels Airport proxy reference) suggest public-facing impacts occurred.
## Indicators of Compromise
*No specific IoCs were present in the context provided, only mentions of specific ransomware strains (Qilin, Akira, Play, INC) and potential related vectors (SonicWall credentials).*
## Response Actions
*Specific individual response actions were not documented. The context focuses on the external environment shaping responses.*
- **Containment measures:** Law Enforcement actions partially shaped the ecosystem by disrupting groups (e.g., reference to prior Operation Cronos).
- **Eradication steps:** Affiliates migrated following disruptions (LockBit affiliates moved to RansomHub, then Qilin).
- **Recovery actions:** Not detailed.
## Lessons Learned
- The ransomware ecosystem is driven fundamentally by **affiliates, IABs, and operational behavior**, rather than purely by the visibility of major RaaS brands.
- Even small or new groups can cause **meaningful disruption** if they compromise the business systems critical for manufacturing and supply-chain continuity.
- The convergence point remains the **unsecured IT/OT connections**, which threat actors actively target.
- The apparent relaxation of targeting rules by LockBit 5.0 indicates that **RaaS rules are susceptible to change**, potentially exposing previously protected sectors late in Q3.
## Recommendations
- Implement stringent **network segmentation and monitoring** focusing on IT/OT boundaries to prevent intrusion propagation.
- Enhance defenses against **identity-centric attacks**, ensuring robust multi-factor authentication and credential hygiene across enterprise and operational networks.
- Security programs at industrial entities must prioritize visibility into **affiliate tactics** originating from mature RaaS operations such as Qilin, which was the most active group.
- Review and update incident response plans to account for rapid escalations across sectors such as Electric/Renewables and Government, which saw significant Q3 increases.