Key Takeaways
- Ransomware attacks on manufacturing jumped 56 % YoY in 2025, reaching 1,466 incidents and accounting for roughly half of all global ransomware cases (7,419 total).
- Legacy operational‑technology (OT) systems, expanding supply‑chain complexity, and the maturation of ransomware‑as‑a‑service (RaaS) are the three structural weaknesses driving the surge.
- The United States recorded the highest number of manufacturing ransomware events (713), followed by India (201), Germany (79), the U.K. (65), and Canada (62).
- Financial impact is severe: median ransom demands in manufacturing are around $500,000, with some attacks demanding $1 million or more and causing downtime that can cost millions per day.
- Threat actors increasingly use double‑extortion, AI‑enhanced phishing, credential theft, and supply‑chain compromises, often bypassing encryption altogether.
- Notable incidents include ransomware hits on Volkswagen Group France, Collins Aerospace, JBS Foods, Luxshare Precision, and several Indian manufacturers, highlighting cross‑sector ripple effects.
- Defenses recommended by Check Point include zero‑trust architecture for IT/OT, rapid patching of known vulnerabilities, automated patch management, up‑to‑date asset inventories, and offline, immutable backups tested regularly.
- Despite limited reporting, China also experienced a 71 % rise in threat‑actor activity targeting manufacturing in 2025‑2026, with Luxshare Precision among the victims.
Overview of Ransomware Surge in Manufacturing
In 2025 the manufacturing sector experienced a dramatic escalation in ransomware activity, with incidents rising 56 % year‑over‑year to 1,466 attacks. This surge represented roughly half of all documented ransomware cases globally, which totaled 7,419 for the year. The severity of the trend underscores manufacturing’s high operational criticality: any disruption to production lines can incur costs in the millions per day, making the sector an attractive target for financially motivated cybercriminals. Check Point’s “Manufacturing Threat Landscape 2026” report highlights that the upward trajectory is expected to continue into 2026, driven by attackers’ adoption of AI‑driven tactics, faster execution timelines, and a shift toward data‑theft‑led extortion rather than pure encryption.
Drivers Behind the Increase
Three core weaknesses have been identified as the primary enablers of the ransomware boom. First, many manufacturers still rely on legacy OT environments—programmable logic controllers (PLCs), SCADA systems, and industrial IoT devices—that were never built with modern security controls in mind. In Europe, for example, 80 % of manufacturers continue to operate critical OT systems with known vulnerabilities, providing a ripe and repeatable attack surface. Second, supply‑chain complexity has expanded dramatically; in 2025, supply‑chain attacks nearly doubled from 154 incidents in 2024 to 297, as adversaries compromise smaller vendors, managed service providers, or SaaS platforms to gain indirect access to larger industrial targets. Third, the ransomware‑as‑a‑service ecosystem has matured into a highly scalable model, allowing affiliate‑driven groups to rapidly deploy proven tools, tailor attacks by geography and industry, and reuse successful infrastructure, thereby increasing both the pace and reach of campaigns.
Geographic Distribution of Attacks
The impact of ransomware is unevenly spread but pervasive across major industrial economies. The United States led with 713 manufacturing ransomware incidents, representing 21 % of the global total and marking manufacturing as the most attacked industry for the fourth consecutive year. India followed with 201 incidents, becoming the APAC ransomware epicenter, where 65 % of hit companies paid ransoms averaging $1.35 million. Europe contributed significantly, with Germany (79), the U.K. (65), and France (noted in specific cases) experiencing high volumes; in Q3 2025 Europe saw 162 industrial ransomware attacks, second only to North America. Brazil recorded 248 ransomware incidents in the 2024‑2025 period, with 166 directly targeting the country and manufacturing accounting for 20.56 % of those attacks—the highest sector share. Canada logged 62 incidents, illustrating that even smaller industrial economies face comparable exposure.
Impact of Notable Incidents
Several high‑profile attacks illustrate the tangible operational and financial damage wrought by ransomware. In May 2025 a large North American steel producer halted production after detecting unauthorized access to its systems. Earlier that year, a medical device manufacturer suffered network disruption that delayed manufacturing and shipments, with ransomware suspected as the cause. The long‑term fallout from previous incidents persists; for example, a 2022 Conti ransomware attack on an aerospace manufacturer resulted in a $1.75 million settlement after employee data was leaked. In October 2023 a building materials firm was forced offline for months in a likely ransomware episode, triggering a noticeable dip in its stock price. Internationally, Qilin ransomware exfiltrated 150 GB of data from Volkswagen Group France in October 2025, exposing sensitive vehicle‑owner information, while a ransomware strike on Collins Aerospace disrupted operations across multiple European airports, revealing critical supply‑chain weaknesses. In Brazil, the 2021 JBS Foods attack—where the world’s largest meat processor paid $11 million to restore plants in North America and Australia—continues to reverberate through global supply chains. More recently, in September 2025 KillSec ransomware targeted MedicSolution, compromising lab results and patient data and indirectly affecting industrial healthcare integrations.
Tactics and Techniques Used by Threat Actors
Attackers have refined their playbook to maximize leverage. Exploitation of known vulnerabilities remains the leading entry point, responsible for 32 % of manufacturing incidents, often targeting legacy OT systems or zero‑day flaws such as one in the Windows Common Log File System; campaigns like Cl0p have leveraged weaknesses in tools such as Cleo Managed File Transfer. Phishing and malicious emails account for 23 % of attacks and are increasingly enhanced by AI to craft convincing spear‑phishing messages, particularly aimed at supply‑chain partners in sectors like semiconductors. Compromised credentials and brute‑force attacks continue to play a critical role, with industrial access credentials selling for $4,000–$70,000 on dark‑web markets; credential‑stealing malware such as W32.Worm.Ramnit surged 3,000 % in early 2025. Supply‑chain attacks have nearly doubled, as adversaries abuse HR platforms, OAuth tokens, and third‑party services to reach larger targets. Double‑extortion or extortion‑only tactics are now common, combining data theft with encryption—or bypassing encryption entirely—while threatening public leaks. Defense‑evasion techniques, AI‑driven malware, and abuse of remote access pathways (including SSH tunneling in ESXi ransomware campaigns aimed at smart factories) further complicate detection. Nation‑state actors also contribute by launching denial‑of‑service attacks and data‑manipulation operations designed to disrupt industrial control systems and cause prolonged outages.
Regional Spotlights: Europe, Brazil, India, China
Europe’s industrial landscape remains especially vulnerable due to the persistence of legacy OT systems; 80 % of manufacturers still operate critical OT with known flaws. Ransomware demands in the region averaged $1.16 million in 2025, more than double the previous year’s figure, reflecting both higher extortion ambitions and the perceived willingness of victims to pay. ENISA has flagged ransomware as a prime threat, often leading to data breaches or extended system downtime. Brazil’s manufacturing sector bore the brunt of ransomware in Latin America, with 20.56 % of the country’s attacks targeting manufacturing; credentials for industrial firms fetch premium prices on underground markets, and supply‑chain compromises amplified risk, especially in food‑and‑beverage production. India emerged as the APAC ransomware hotspot, with Qilin leading assaults and a notable alleged attack in 2025 that targeted energy, railways, and gas infrastructure, wiping servers and databases. Although reporting on China is limited—since global narratives often frame China as a cyber aggressor—ransomware groups claimed 90 victims in China during 2025‑2026, including manufacturing firms such as Luxshare Precision Industry Co. Ltd., which suffered a December 2025 Ransomhouse incident that stole sensitive client data. Across these regions, a 71 % surge in threat‑actor activity targeting manufacturing was observed, underscoring the global nature of the menace.
Financial and Operational Consequences
The economic toll of manufacturing ransomware extends far beyond the ransom payment itself. Median demands sit around $500,000, but high‑profile cases have seen attackers request $1 million or more, and the cost of downtime—often measured in millions of dollars per day—can dwarf the ransom. Production halts disrupt just‑in‑time supply chains, cause missed delivery windows, and incur contractual penalties. Data theft can lead to regulatory fines, litigation, and reputational harm, particularly when personal or proprietary information is exposed. The indirect effects are also significant: attacks on a single supplier can cascade through downstream manufacturers, as seen with the JBS Foods incident that reverberated across North American and Australian markets. Moreover, the psychological toll on workforce morale and the strain on IT and OT teams tasked with incident response and recovery contribute to long‑term operational inefficiencies.
Recommendations for Mitigation
Check Point prescribes a multi‑layered defense strategy tailored to the unique IT/OT convergence in manufacturing. First, adopt a zero‑trust architecture that enforces strict identity verification and least‑privilege access across both corporate networks and industrial control environments. Second, prioritize rapid patching of known vulnerabilities, especially in public‑facing applications, VPNs, and OT components; implement automated patch management and maintain an accurate, up‑to‑date asset inventory to reduce exploitable gaps. Third, strengthen vulnerability management programs with continuous monitoring and threat‑intelligence feeds focused on industrial‑specific exploits. Fourth, ensure robust backup practices: keep offline, immutable, and regularly tested backups isolated from the production network, and verify that backup systems themselves are hardened against tampering, as attackers increasingly target backups to increase pressure on victims. Fifth, enhance email security with AI‑driven anti‑phishing solutions and conduct regular security awareness training to mitigate social‑engineering risks. Sixth, segment networks to limit lateral movement between IT and OT zones, and monitor remote‑access pathways (e.g., RDP, VPN, SSH) for anomalous activity. Finally, develop and rehearse incident‑response plans that include clear communication protocols, legal considerations, and decision‑making frameworks for ransom‑payment scenarios, ensuring that organizations can recover swiftly without necessarily succumbing to extortion.
By addressing the structural weaknesses of legacy OT, tightening supply‑chain security, and raising the maturity of defensive controls, manufacturers can reduce their appeal to ransomware operators and bolster resilience against the evolving threat landscape projected for 2026 and beyond.
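The sixth recommendation above (segment IT from OT and monitor RDP and SSH pathways) can be checked against flow logs. The following is an added example, not taken from the Check Point report: it audits flow records against a zone policy in which a single jump host is the only approved IT-to-OT path. The zone ranges, jump-host address, record layout and sample flows are all constructed assumptions.

```python
import ipaddress
from collections import namedtuple

# Constructed zone layout (assumption): populate from your asset inventory.
ZONES = {
    "it": [ipaddress.ip_network("10.10.0.0/16")],
    "ot": [ipaddress.ip_network("10.20.0.0/16")],
}
# Assumption: one hardened jump host is the only approved IT -> OT path.
JUMP_HOSTS = {ipaddress.ip_address("10.10.5.10")}
# Remote-access services named in the recommendations.
REMOTE_PORTS = {22: "ssh", 3389: "rdp"}

Flow = namedtuple("Flow", "ts src dst dport")

def zone_of(ip):
    """Map an address to its zone; anything unlisted counts as external."""
    for name, nets in ZONES.items():
        if any(ip in net for net in nets):
            return name
    return "external"

def audit(flows):
    """Return (ts, rule, service, src, dst) for remote-access flows that
    cross the OT boundary outside the approved path."""
    findings = []
    for f in flows:
        service = REMOTE_PORTS.get(f.dport)
        if service is None:
            continue  # not a remote-access service
        src, dst = ipaddress.ip_address(f.src), ipaddress.ip_address(f.dst)
        sz, dz = zone_of(src), zone_of(dst)
        if dz == "ot" and sz == "external":
            rule = "external-to-ot"
        elif dz == "ot" and sz == "it" and src not in JUMP_HOSTS:
            rule = "it-to-ot-bypasses-jump-host"
        elif sz == "ot" and dz == "external":
            rule = "ot-outbound-remote-access"  # e.g. an SSH session leaving OT
        else:
            continue
        findings.append((f.ts, rule, service, f.src, f.dst))
    return findings

# Constructed sample flows (documentation/private address ranges only).
SAMPLE_FLOWS = [
    Flow("2025-01-01T08:00", "10.10.5.10", "10.20.1.5", 3389),    # approved path
    Flow("2025-01-01T08:05", "10.10.8.44", "10.20.1.5", 3389),    # skips jump host
    Flow("2025-01-01T08:10", "10.20.3.7", "203.0.113.9", 22),     # SSH out of OT
    Flow("2025-01-01T08:15", "198.51.100.23", "10.20.1.5", 22),   # internet to OT
    Flow("2025-01-01T08:20", "10.20.1.5", "10.20.1.6", 502),      # Modbus inside OT
]
```

Run `audit(SAMPLE_FLOWS)` to get the three boundary violations; VPN sessions would need the concentrator's own logs as an additional input.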

