The global manufacturing sector entered 2025 facing one of the most aggressive cyber threat environments in its history. Digital transformation, smart factories, and interconnected supply chains have expanded operational efficiency to places 50 years ago we wouldn’t have thought possible. But this comes with unprecedented cyber risk. According to the Manufacturing Threat Landscape 2025 report, cyber incidents targeting manufacturing increased sharply year over year, placing the industry at the center of global ransomware activity.
Manufacturing Becomes the Primary Ransomware Target
In 2025, global ransomware incidents reached 7,419 documented cases, representing a 32 percent increase year over year. Manufacturing was the most targeted industry sector. Attacks against manufacturers rose 56 percent, increasing from 937 incidents in 2024 to 1,466 in 2025.
The financial reasoning of attacking manufacturers is the fact that downtime can cost millions per day, disrupt safety of critical operations, and cascade across global supply chains. Threat actors increasingly view production disruption as leverage rather than collateral damage.
The United States led globally with 713 manufacturing ransomware incidents, followed by India (201), Germany (79), the United Kingdom (65), and Canada (62). These figures show that both mature and emerging industrial economies face similar exposure levels.
Why Manufacturers Are So Vulnerable
Three structural weaknesses continue to drive manufacturing cyber risk.
- First, legacy operational technology systems remain deeply embedded in industrial environments. Many programmable logic controllers, SCADA systems, and industrial IoT devices were never designed with modern security controls. In Europe, 80 percent of manufacturers still operate critical OT systems with known vulnerabilities, making exploitation both feasible and repeatable.
- Second, supply chain complexity has expanded the attack surface. In 2025, supply chain attacks nearly doubled, rising from 154 incidents in 2024 to 297 in 2025. Threat actors increasingly compromise smaller vendors, managed service providers, or SaaS platforms to gain indirect access to large industrial targets.
- Third, ransomware-as-a-service operations have matured. Affiliate-based models allow threat groups to scale attacks rapidly, reuse proven tooling, and localize campaigns by geography and industry.
The Threat Actors Driving Industrial Attacks
Several ransomware groups dominated manufacturing attacks in 2025.
Akira, active since 2023, emerged as one of the most financially successful groups, generating an estimated $244 million in proceeds by late 2025. Akira commonly gains access through VPNs without multifactor authentication, exploited vulnerabilities, and spear phishing. A notable 2025 incident involved a German cable manufacturer, where 27 GB of sensitive data was exfiltrated before encryption.
Qilin, a Russia-based ransomware-as-a-service operation, focused heavily on manufacturing and logistics. In one 2025 attack, Qilin stole 29,843 internal files from a manufacturing and logistics firm, creating downstream supply chain risk beyond the initial victim.
Play ransomware continued to impact U.S. manufacturers, with the FBI reporting approximately 900 affected entities by mid2025. Play is known for abusing valid credentials and disabling security controls prior to encryption, increasing operational impact.
Alongside ransomware groups, hacktivist and geopolitical actors such as NoName057(16) and Chinese – aligned defacement groups targeted industrial entities with denial-o-fservice attacks, OT reconnaissance, and public website defacement, particularly during periods of geopolitical tension.
The Most Common Attack Paths Into Manufacturing Networks
Ransomware remained the dominant threat vector, responsible for 890 manufacturing incidents in 2025. However, attackers used multiple entry points to gain access.
- Exploited vulnerabilities accounted for 32 percent of attacks, frequently targeting legacy OT systems and public facing applications.
- Phishing and malicious email campaigns represented 23 percent of incidents, increasingly enhanced with AI-generated lures.
- Compromised credentials became more valuable, with industrial access credentials selling for $4,000 to $70,000 on dark web marketplaces.
- Supply chain compromise and remote access abuse enabled attackers to move laterally between IT and OT environments with limited detection.
Beyond encryption, attackers also deployed data theft, extortion-only tactics, and information system disruption, reflecting a broader shift away from single vector attacks.
Regional Impact Highlights
In Europe, manufacturing represented 72 percent of industrial ransomware attacks in Q3 2025. Average ransom demands reached $1.16 million, more than double the previous year. High profile incidents disrupted automotive, aerospace, and transportation supply chains across multiple countries.
In the United States, manufacturing was the most attacked sector for the fourth consecutive year, with ransomware comprising nearly half of all industrial breaches. Median attack costs reached $500,000, excluding long-term operational losses.
India emerged as the APAC ransomware epicenter, with 65 percent of affected companies paying ransoms and average payments reaching $1.35 million, particularly within manufacturing and critical IT services.
A Manufacturing Cyber Security Reprioritization is Needed
A manufacturing cyber security shift is needed to reprioritize the following things:
- Manufacturers must implement Zero Trust architectures across both IT and OT environments, enforcing strict identity validation, least privilege access, and network segmentation.
- Vulnerability management and patching remain critical, particularly for VPNs, internet-facing applications, and OT gateways. Patching and compensating controls, must be implemented in hours and not days/weeks, per the CTEM framework.
- Credential management must be significantly improved, from detecting leaked credentials, to implementing SSO/MFA.
- Immutable, offline backups are essential, as attackers increasingly target backup infrastructure.
- Employee training also requires renewed focus, as AI-assisted phishing continues to evolve.
- Finally, third-party risk management has become a core security function. Vendor access, SaaS integrations, and managed services now represent primary attack vectors rather than secondary concerns.
2026 Manufacturing Security Forecast
Cyber threats targeting manufacturers are expected to intensify further in 2026. AI-enabled ransomware, faster attack execution, reduced dwell time, and a continued shift toward data extortion are projected to define the next phase of industrial cyber risk. Read the manufacturing threat landscape to see what else shaped 2025 and what needs to be shifter in 2026