OT Ransomware Attacks Surge in Q1 2025

Attackers in Q1 2025 demonstrated a mix of emerging and persistent tactics, techniques, and procedures.


There was a sharp rise in ransomware incidents targeting industrial entities in the first quarter of 2025, with 708 documented attacks.


According to a Q1 ransomware analysis by Dragos, while no new ransomware strains specifically designed for industrial control systems (ICS) were identified, attackers in Q1 2025 demonstrated a mix of emerging and persistent tactics, techniques, and procedures.


These included AI-powered malware by the FunkSec group, encryption-less extortion strategies, and nation-state-backed operations such as Moonstone Sleet’s use of Qilin ransomware.


Tools like RansomHub’s EDRKillshifter showcased the increasing sophistication of endpoint evasion techniques, making detection and mitigation more difficult for defenders.


The growing integration of IT and operational technology environments intensified the fallout of attacks, as seen with production delays at National Presto Industries.


Meanwhile, groups like Babuk Locker further complicated incident response by issuing deceptive breach claims, using recycled or falsified data to pressure victims and hinder verification efforts.


Abdul Alamri, principal threat intelligence analyst at Dragos, said: “Effectively addressing these dynamic threats requires proactive defensive measures complemented by timely detection capabilities. Leveraging detection rules built on robust threat intelligence enables security teams to identify ransomware-related activities early in the attack cycle, mitigating potential operational disruption before threats escalate into significant breaches.


“Addressing IT-OT convergence risks, securing vulnerable supply chains, and improving threat reporting practices in critical infrastructure sectors will significantly enhance resilience against the persistent threat posed by ransomware groups.”


Dan Raywood

Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.

