IndustrialCyber

Manufacturing absorbs 56% ransomware surge of global attacks in 2025, as RaaS, legacy OT, supply chains fuel spike


Ransomware surged across the manufacturing sector in 2025, rising 56% year over year to 1,466 incidents and accounting for roughly half of all global attacks, as total cases reached 7,419. Check Point Research disclosed that the spike was driven by vulnerable legacy OT (operational technology) systems, complex supply chains, and rapid scaling of RaaS (ransomware-as-a-service) operations. Major threat actors including Akira, Qilin, Play, Clop, Safepay, NoName057(16), and Chinafans deployed tactics ranging from double extortion and supply chain attacks to website defacement and AI-enhanced malware. The U.S., Europe, India, Brazil, and China were among the hardest hit, with significant operational and financial disruption reported across critical manufacturing processes.

“In 2025, global ransomware incidents surged 32% year-over-year, reaching 7,419 documented cases, while attacks specifically targeting manufacturing rose 56%, increasing from 937 in 2024 to 1,466 incidents,” Check Point reported in its ‘Manufacturing Threat Landscape 2026’ report. “Manufacturing alone accounted for roughly 50% of all ransomware hits, reflecting its high operational criticality and the substantial financial impact of production downtime, which can cost millions per day.” 

It added that threat activity is expected to intensify in 2026, with attackers shifting toward AI-driven campaigns, faster execution timelines, and data theft-led extortion rather than traditional encryption-only ransomware. Growing reliance on digital systems, OT environments, and third-party platforms is likely to heighten risk, as adversaries exploit cloud, SaaS, and vendor ecosystems to launch broader, more disruptive attacks across industrial operations.

Check Point identifies three structural weaknesses driving cyber risk in the manufacturing sector. Legacy OT systems remain deeply embedded across industrial environments, with many PLCs (programmable logic controllers), SCADA systems, and industrial IoT devices not designed for modern security controls. In Europe, 80% of manufacturers continue to operate critical OT systems with known vulnerabilities, making exploitation feasible and repeatable.

At the same time, growing supply chain complexity is expanding the attack surface. In 2025, supply chain attacks nearly doubled from 154 incidents in 2024 to 297, as threat actors increasingly compromise smaller vendors, managed service providers, or SaaS platforms to gain indirect access to larger industrial targets.

Compounding this, RaaS operations have matured into highly scalable ecosystems. Affiliate-driven models enable threat groups to rapidly expand campaigns, reuse proven tools, and tailor attacks by geography and industry, increasing the pace and reach of cyberattacks.

Manufacturing emerged as a prime target due to its operational criticality and the high cost of downtime, which can run into millions per day, with the U.S., India, Germany, the U.K., and Canada among the most heavily impacted. Attackers increasingly exploited known vulnerabilities, phishing campaigns, and compromised credentials, while supply chain attacks nearly doubled, highlighting how interconnected industrial ecosystems are expanding the attack surface.

The U.S. recorded the highest number of manufacturing ransomware incidents at 713, followed by India (201), Germany (79), the U.K. (65), and Canada (62), underscoring that advanced and emerging industrial economies face comparable levels of exposure.

The U.S. emerges as the top global target for ransomware, with 21% of incidents, and manufacturing is the most attacked industry for the fourth year. Ransomware comprised nearly half of manufacturing breaches, with median costs at $500,000. In 2025, 1,929 documented attacks hit industrial sectors, with manufacturing and construction each at 21%. Legacy OT systems and supply chains were key vulnerabilities.

Several incidents highlight the operational and financial impact of cyberattacks on the sector. In May 2025, a large North American steel producer halted production after detecting unauthorized access to its systems. In April 2025, a medical device manufacturer experienced network disruption that delayed manufacturing and shipments, with ransomware suspected. The long-term fallout from earlier attacks also persists, including a 2022 Conti ransomware incident in which an aerospace manufacturer paid a $1.75 million settlement following the leak of employee data. In October 2023, a building materials firm was forced offline for months in a likely ransomware attack that triggered a drop in its stock value.

Europe recorded significant ransomware activity in the industrial sector, with manufacturing bearing the brunt. In Q3 2025, industrial ransomware attacks climbed 13% to 742 globally, with Europe seeing 162 incidents, second only to North America. Manufacturers accounted for 72% of these hits, reflecting a broader trend where 80% of firms still harbor critical vulnerabilities in legacy OT systems. Ransomware demands averaged $1.16 million, more than double the previous year’s figure. The European Union Agency for Cybersecurity (ENISA) highlighted ransomware as a prime threat, often leading to data breaches or system downtime.

Notable incidents in this region underscore the scale and impact of attacks on the sector. In October 2025, Qilin ransomware exfiltrated 150 GB of data from Volkswagen Group France, including sensitive vehicle owner information. A month earlier, a ransomware attack on Collins Aerospace disrupted operations across multiple European airports, exposing critical supply chain vulnerabilities.

Check Point reported that Brazil faced 248 ransomware incidents in 2024-2025, with 166 directly targeting the country; manufacturing represented 20.56% of attacks, the highest among sectors. Credentials for industrial firms fetch high prices ($4,000-$70,000) on dark web markets due to potential production disruptions. In the first quarter of 2025, Brazil led South America with 22 incidents, focusing on food and beverage manufacturing. Supply chain attacks amplified risks, with criminals exploiting vendor systems.

Several incidents highlight the broader impact of cyberattacks across interconnected industrial ecosystems. In 2021, JBS Foods, the world’s largest meat processor based in Brazil, paid $11 million in ransom after an attack shut down plants in North America and Australia, disrupting global supply chains, with effects continuing to reverberate. In September 2025, KillSec ransomware targeted MedicSolution, exposing lab results and patient data from multiple institutions and indirectly affecting industrial healthcare integrations. Earlier in July 2025, a supply chain breach at C&M Software used compromised client credentials to access financial systems, underscoring risks to connected industrial payment infrastructures.

“In December 2025, the manufacturing sector experienced a noticeable spike in cyber-attack activity, driven by a convergence of year-end operational pressure and attacker opportunism,” the report detailed. “As manufacturers entered peak production and fulfillment cycles, the financial and operational impact of downtime increased significantly, making organizations more vulnerable to extortion-driven campaigns. Ransomware groups such as Akira and Qilin intensified targeting during this period, exploiting reduced staffing over the holidays, delayed patching tied to fiscal year transitions, and persistent OT vulnerabilities.”

Ransomware remains the dominant threat, accounting for nearly half of manufacturing breaches. The leading entry point is the exploitation of vulnerabilities, responsible for 32% of incidents, often targeting legacy OT systems or zero-day flaws such as in the Windows Common Log File System, with campaigns like Cl0p leveraging weaknesses in tools such as Cleo Managed File Transfer. Phishing and malicious emails account for 23% of attacks and are increasingly enhanced by AI to deliver more convincing social engineering, including spear-phishing campaigns targeting supply chains in sectors like semiconductors.

Compromised credentials and brute-force attacks continue to play a critical role, with industrial access credentials selling for between $4,000 and $70,000 on the dark web, while credential-stealing malware such as W32.Worm.Ramnit surged 3,000% in early 2025. Supply chain attacks have nearly doubled, rising from 154 incidents in 2024 to 297 in 2025, as attackers exploit third-party vendors, including through HR platforms and OAuth tokens, to reach larger targets.

Threat actors are also increasingly relying on double extortion or extortion-only tactics, combining data theft with encryption or bypassing encryption entirely while threatening public data leaks. At the same time, defense evasion techniques and AI-driven malware are becoming more prevalent, with tools designed to bypass endpoint detection and response systems. Attackers are also abusing remote access pathways and exploiting interconnected IoT and OT environments, including through SSH tunneling in ESXi ransomware campaigns targeting smart factories, while nation-state actors continue to deploy denial-of-service attacks and data manipulation techniques to disrupt industrial control systems and cause operational outages.

Check Point reported that data on attacks against China’s industrial sector is limited, as reporting often focuses on China as a cyber aggressor. However, ransomware groups claimed 90 victims in China in 2025-2026, including manufacturing firms. Manufacturing remains vulnerable to global trends, with a 71% surge in threat actor activity targeting the sector. A notable incident in December 2025 saw Luxshare Precision Industry Co. Ltd., a major electronics manufacturer, targeted by Ransomhouse, resulting in the theft of sensitive client data.

India became APAC’s ransomware epicentre in 2025, with 65% of hit companies paying ransoms, at an average of $1.35 million. Manufacturing and critical IT services were hardest hit, with Qilin leading assaults. A massive alleged attack in 2025 targeted energy, railways, and gas infrastructure, wiping servers and databases.

Several incidents highlight the ongoing impact of cyber threats in India’s industrial ecosystem. Tengu ransomware recently targeted Deck India Engineering Pvt. Ltd., a heat treatment firm, exposing sensitive data. In the first quarter of 2025, Raymond Limited, a major fabric manufacturer, faced an IT disruption caused by ransomware, affecting operations. The effects of earlier attacks continue to linger, including the 2023 ransomware incident at AIIMS Delhi, which disrupted health services and indirectly impacted industrial medical supply chains.

Check Point recommends implementing a zero-trust architecture across both IT and OT environments, alongside prioritizing the rapid patching of known vulnerabilities, particularly in public-facing applications, VPNs, and ICS or OT components. Organizations are advised to adopt automated patch management and maintain an up-to-date asset inventory to reduce exploitation risks, which remain a primary entry point for attackers.

The company also emphasizes strengthening vulnerability management and patching processes, while maintaining offline, immutable, and regularly tested backups to enable rapid recovery without paying ransoms. Protecting backup systems from tampering is critical, as attackers are increasingly targeting them to maximize disruption and pressure victims.


