
Ransomware attacks on industrial targets surge, AI tactics rise
An analysis by Dragos has found that ransomware incidents targeting industrial organisations rose notably in the first quarter of 2025, with 708 global incidents reported compared to approximately 600 in the previous quarter.
The manufacturing sector bore the brunt, accounting for 68% of all incidents with 480 cases, followed by transportation and logistics, and industrial control systems (ICS) equipment and engineering. North America and Europe experienced the most significant increases, reporting 413 and 135 ransomware incidents respectively. North America's incident rate grew from 360 in Q4 2024, while Europe saw a rise from 102.
Oceania recorded 14 incidents, 13 of them in Australia and one in New Zealand. Although numbers were lower in the Middle East and Africa, Dragos highlighted underreporting concerns in regions such as Africa, where only three incidents were recorded even though critical infrastructure such as the South African Weather Service (SAWS) faced notable disruptions.
In terms of ransomware tactics, Q1 2025 witnessed further evolution and complexity. Dragos reported the emergence of artificial intelligence-driven malware, encryption-less extortion campaigns, and tactics aimed at evading endpoint detection and response (EDR) tools. Groups also exploited zero-day vulnerabilities in widely used file transfer and remote access software, as well as AI-enhanced phishing, targeted ESXi ransomware with SSH tunnelling, and increased credential theft and brute-force attacks.
Cl0p ransomware incidents surged dramatically from two in Q4 2024 to 154 in Q1 2025. This spike was attributed mainly to the exploitation of vulnerabilities in the Cleo Managed File Transfer (MFT) platforms. Vulnerabilities such as CVE-2024-50623 and CVE-2024-55956 enabled unauthorised access, data theft, and subsequent operational disruptions. The exploitation of incomplete patching by Cleo and similar vulnerabilities in other file transfer software, such as CrushFTP, facilitated further incidents.
Ransomware groups employed increasingly deceptive tactics to complicate defence and response strategies. "Deceptive extortion tactics" became more common, with groups making unsubstantiated breach claims and recycling outdated or falsified data leaks in efforts to intensify psychological pressure on victims.
Several new and established ransomware groups were particularly active in Q1 2025. FunkSec, an AI-driven malware operator with a hybrid model blending Ransomware-as-a-Service (RaaS) and hacktivist elements, was responsible for at least 10 confirmed incidents. Lynx, which emerged in 2024, claimed 148 incidents, around 30% involving industrial targets—with sophisticated phishing and credential theft among its preferred methods. DragonForce, a collective originating as a hacktivist entity and now operating as a ransomware extortionist, was linked to 15 incidents, employing double extortion and supply chain infiltration tactics, and benefitting from the "The Five Families" ransomware alliance and the use of offensive security tools like Cobalt Strike and Mimikatz.
Scott Small, Dragos Director of Cyber Threat Intelligence, stated: "'Advanced Persistent Threat' (APT) historically referred to state-aligned threat groups, characterised by sophisticated capabilities, persistent targeting, and specific operational goals. This distinguished them from ransomware operators, hacktivists, and less sophisticated attackers. However, ransomware has become one of the most prevalent and impactful advanced persistent threats facing organisations globally. Although individual ransomware techniques, tactics, and procedures (TTPs) may not always reflect novel or technically sophisticated methods, their persistent application, deliberate targeting, significant operational impacts, and increasing adoption by sophisticated threat adversaries align ransomware firmly within the broader definition of APT."
Industrial organisations, integral to critical infrastructure and global supply chains, face heightened risk from these evolving threats. The report notes that information technology and operational technology (IT-OT) convergence has worsened the cascade effect of IT disruptions into operational environments, as exemplified by recent manufacturing delays experienced by National Presto Industries following a ransomware attack.
Regional breakdowns of incident data showed that the United States experienced the highest number of attacks (374), followed by Canada (52), and then leading European economies such as the United Kingdom, Germany, and Italy. Asia registered 78 incidents, with India and Japan accounting for significant proportions. Key industrial sectors targeted include construction, food and beverage, equipment, electronics, metals, pharmaceuticals, and consumer goods.
Ransomware group activity data reflected a fragmented landscape, with Cl0p, Akira (83 incidents), and RansomHub (82 incidents) among the most active operators. Cl0p led through targeting Cleo MFT vulnerabilities, while Akira focused on double extortion and cross-platform attacks. Other notable groups included Lynx, Babuk 2, Cactus, Play, Qilin, Fog, Sarcoma, Frag, MedusaLocker, and FunkSec, each targeting various industrial verticals and employing a mix of emerging and persistent TTPs.
The report outlines several impactful incidents in Q1 2025. The South African Weather Service sustained severe disruption to weather forecasting, affecting aviation, marine, and agricultural sectors. National Presto Industries experienced a system outage that impacted manufacturing, shipping, and back-office operations. Lee Enterprises' February 2024 incident disrupted newspaper production and distribution for several weeks, with delayed or cancelled print editions as a result.
Regarding mitigation, Graham White, Founder & Director, commented: "Organisations must urgently enhance cybersecurity defences through the implementation of robust multi-factor authentication (MFA), stringent monitoring of critical network points, secure offline backups, and strengthened remote access management protocols. Comprehensive training programs, regular reviews of network architectures, and adoption of AI-driven detection solutions are essential to counter advanced threats such as AI-crafted phishing, encryption-less extortion, and nation-state ransomware convergence observed with actors like Qilin. Furthermore, organisations must rigorously validate threat intelligence to effectively manage deceptive practices, such as the unverified claims seen from Babuk 2."
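The report's observation of increased credential theft and brute-force activity, and the call above for stringent monitoring of critical network points, can be turned into a concrete detection. The following script is an added example, not code from Dragos or from the article: it parses SSH-style authentication log lines, flags any source address that accumulates a threshold number of failed logins within a sliding time window, and records whether a successful login followed the burst (the pattern that distinguishes a noisy scan from an apparent credential compromise). The log lines, the `hmi-gw` hostname, the IP addresses, the five-failure threshold and the five-minute window are all constructed assumptions for the demonstration.

```python
"""Threshold-based brute-force detection over authentication logs.

Added example (not from the Dragos report or the article). Scans
syslog-style sshd messages, flags sources exceeding a failure threshold
inside a sliding window, and notes whether a success followed the burst.
All log lines, hostnames and IP addresses below are constructed sample data.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (hypothetical host "hmi-gw", documentation-range IPs).
SAMPLE_LOG = """\
Mar 03 02:14:01 hmi-gw sshd[2101]: Failed password for operator from 203.0.113.7 port 51022 ssh2
Mar 03 02:14:03 hmi-gw sshd[2101]: Failed password for operator from 203.0.113.7 port 51023 ssh2
Mar 03 02:14:04 hmi-gw sshd[2101]: Failed password for admin from 203.0.113.7 port 51024 ssh2
Mar 03 02:14:06 hmi-gw sshd[2101]: Failed password for root from 203.0.113.7 port 51025 ssh2
Mar 03 02:14:07 hmi-gw sshd[2101]: Failed password for operator from 203.0.113.7 port 51026 ssh2
Mar 03 02:14:09 hmi-gw sshd[2101]: Accepted password for operator from 203.0.113.7 port 51027 ssh2
Mar 03 02:30:11 hmi-gw sshd[2188]: Failed password for operator from 198.51.100.4 port 40011 ssh2
Mar 03 02:45:40 hmi-gw sshd[2190]: Accepted publickey for operator from 192.0.2.10 port 40120 ssh2
"""

# Matches the failed/accepted login lines sshd emits; other lines are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def parse_line(line, year=2025):
    """Parse one sshd auth line into a dict, or None if it is not a login event.
    Syslog timestamps carry no year, so the caller supplies one (assumed 2025)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: alert} for every source with >= threshold failures inside
    `window`. Each alert records the failure count, first failure time, the
    usernames tried, and any later successful login from the same source."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still in window
    users = defaultdict(set)      # ip -> usernames attempted
    alerts = {}
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        ip, ts = ev["ip"], ev["ts"]
        if ev["result"] == "Failed":
            q = recent[ip]
            q.append(ts)
            users[ip].add(ev["user"])
            while q and ts - q[0] > window:   # slide the window forward
                q.popleft()
            if len(q) >= threshold and ip not in alerts:
                alerts[ip] = {
                    "failures": len(q),
                    "first": q[0],
                    "users": sorted(users[ip]),
                    "success_after": None,
                }
        elif ip in alerts and alerts[ip]["success_after"] is None:
            # A success after a flagged burst is the higher-severity case.
            alerts[ip]["success_after"] = (ev["user"], ts)
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_bruteforce(SAMPLE_LOG).items():
        sev = "CRITICAL" if alert["success_after"] else "WARNING"
        print(f"{sev}: {ip} {alert['failures']} failures since {alert['first']}, "
              f"users={alert['users']}, success_after={alert['success_after']}")
```

On the constructed sample this flags 203.0.113.7 only: five failures across three usernames in six seconds, followed by an accepted password for `operator`, which is the case an analyst would escalate. The single failure from 198.51.100.4 stays below the threshold and produces no alert, which is the point of windowed counting rather than alerting on every failed login. In production the same logic would run over a log pipeline rather than a string, and the threshold and window would be tuned to the host's normal traffic.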
Dragos emphasises that proactive defence strategies, intelligence sharing, and collaborative mitigation are necessary to address the evolving ransomware landscape, particularly as threat actors increasingly exploit gaps created by IT-OT convergence and supply chain vulnerabilities.