According to Manufacturing.net, KELA’s recently released “Escalating Ransomware Threats to National Security” report reveals a 34 percent year-over-year increase in ransomware attacks targeting critical industries between January and September 2025. Nearly half of all global ransomware incidents struck sectors essential to national resilience, with manufacturing experiencing the sharpest growth at 61 percent. The United States bore the brunt of these attacks, accounting for approximately 21 percent of global ransomware activity, followed by Canada, Germany, the U.K., and Italy. Out of 103 active ransomware groups, just five—Qilin, Clop, Akira, Play, and SafePay—were responsible for nearly one-quarter of all incidents. This alarming trend suggests we’re witnessing a fundamental shift in how cybercriminals approach critical infrastructure.
Why Manufacturing Became the Primary Target
The manufacturing sector’s 61 percent surge in ransomware attacks reflects several systemic vulnerabilities that have developed over the past decade. Unlike financial services or healthcare, many manufacturing operations still rely on legacy industrial control systems that were never designed with modern cybersecurity in mind. The convergence of IT and OT (operational technology) networks has created numerous attack vectors that sophisticated ransomware groups can exploit. Additionally, manufacturing supply chains are exceptionally complex, often spanning multiple countries and involving numerous third-party vendors, each representing a potential entry point for attackers. The industry’s just-in-time production models mean that even brief disruptions can cascade through entire supply chains, making manufacturers more likely to pay ransoms quickly—exactly what attackers count on.
The Geopolitical Dimensions of Infrastructure Targeting
While the report frames these attacks as financially motivated, the concentration on critical infrastructure suggests deeper geopolitical implications. When ransomware groups target energy grids, transportation networks, and manufacturing plants, the effects extend far beyond individual companies to impact national economic stability and security. What’s particularly concerning is how these attacks align with state-level strategic interests, even if conducted by ostensibly independent criminal groups. The disproportionate targeting of Western nations—with the U.S., Canada, and European countries accounting for the majority of incidents—raises questions about whether we’re seeing economic warfare conducted through proxy criminal networks. This blurring of lines between criminal activity and state-sponsored attacks creates significant challenges for both attribution and response.
The Dangerous Consolidation of Ransomware Operations
The finding that just five groups account for 25 percent of all incidents indicates a worrying consolidation within the ransomware ecosystem. This concentration of capability among a handful of sophisticated operators suggests we’re moving beyond the era of scattered, opportunistic attacks toward more organized, business-like criminal enterprises. Groups like Qilin, Clop, and Akira have developed specialized capabilities for penetrating critical infrastructure networks, suggesting they may be operating with resources and intelligence beyond typical criminal organizations. This consolidation also means that taking down even one or two major groups could significantly impact the overall threat landscape, but it equally means that those remaining become more powerful and potentially more dangerous.
Evolving Defense Strategies for Critical Sectors
Traditional cybersecurity approaches are proving inadequate against these sophisticated attacks. Critical infrastructure operators need to adopt a business continuity planning mindset that assumes breaches will occur and focuses on maintaining essential operations even during cyber incidents. This requires segmenting networks to prevent lateral movement, maintaining comprehensive offline backups, and developing manual operation procedures for critical systems. The manufacturing sector specifically needs to accelerate the modernization of legacy industrial control systems and implement robust third-party risk management programs. Perhaps most importantly, organizations must move beyond viewing ransomware as solely an IT problem and recognize it as an existential threat to their core operations.
The Coming Regulatory Response
These findings from KELA will likely accelerate regulatory efforts to mandate stronger cybersecurity standards for critical infrastructure operators. We can expect to see more stringent reporting requirements, mandatory security controls, and potentially liability protections for organizations that adopt approved security frameworks. The challenge will be balancing the need for robust security with the practical realities of operating complex industrial systems. Regulations that fail to account for the unique characteristics of manufacturing environments or the lengthy modernization cycles of critical infrastructure could do more harm than good by prioritizing compliance over actual security improvement.
The Escalating Threat Landscape
Looking ahead, the trends identified in the full report suggest we’re entering a new phase of ransomware evolution where attacks become more targeted, more destructive, and more strategically significant. The convergence of criminal ransomware tactics with potential state-level objectives creates a threat landscape that existing defense and response frameworks are poorly equipped to handle. Critical infrastructure operators must recognize that they’re no longer just protecting corporate assets but potentially national security interests, requiring a fundamental rethinking of their cybersecurity posture, incident response capabilities, and collaboration with government agencies.