
Industrial ransomware targeting surged in 2025 across OT-linked environments

Target Trend
Happening score: 46
1 unique source, 1 article

Summary


Industrial organizations saw a sharp rise in ransomware targeting in 2025, increasing the risk of OT disruption across critical sectors. The trend matters because attackers paired stolen credentials with remote-access and virtualization paths to expand from IT into OT-adjacent systems, while average OT dwell time reached 42 days.

Related Happenings

Municipal water and drainage utility provider in Mexico hit by network compromise

Incident
First: 07.05.2026 17:00 Last: 07.05.2026 17:00 Sources 1

About this happening: A **municipal water and drainage utility provider in Mexico** suffered a **significant IT compromise** that escalated into an attempted attack against **OT infrastructure**, raisi...

BRICKSTORM backdoor activity and GRIMBOLT replacement on appliances

Malware Activity
First: 18.02.2026 12:32 Last: 18.02.2026 12:32 Sources 1

About this happening: **BRICKSTORM** is a **Golang backdoor** used by **PRC state-sponsored actors** to keep **long-term persistence** on **VMware vSphere**, **Windows**, and appliance environments. **...

Poland's energy sector hit by network compromise

Incident
First: 17.02.2026 23:31 Last: 17.02.2026 23:31 Sources 1

About this happening: A **wiper attack** hit **Poland's energy sector** on **Dec. 29 and 30, 2025**, damaging OT visibility and firmware across **more than 30 renewable energy farms** and other facilit...

UNC6201 Dell RecoverPoint for Virtual Machines zero-day campaign

Campaign
First: 17.02.2026 22:15 Last: 17.02.2026 22:15 Sources 1

About this happening: The **UNC6201** campaign has been exploiting a **Dell zero-day** since **mid-2024**, creating a sustained risk of unauthorized access and stealthy movement across victims' virtual...

Latest development: 19.02.2026 17:30

CISA added CVE-2026-22769 to its Known Exploited Vulnerabilities catalog and ordered Federal Civilian Executive Branch agencies to secure affected Dell RecoverPoint systems by Saturday, February 21, after Mandiant and Google Threat Intelligence Group (GTIG) said UNC6201 had exploited the flaw since at least mid-2024.

Sandworm misconfigured-network-edge-device campaign targeting critical infrastructure

Campaign
First: 16.12.2025 15:22 Last: 16.12.2025 15:22 Sources 1

About this happening: A **Sandworm-linked Russian campaign** has shifted in **2025** from exploiting flaws to abusing **misconfigured network edge devices**, increasing access risk for **critical infra...

Timeline

  1. 17.02.2026 14:50 2 articles · 3mo ago

    Dragos highlights a 2025 surge in industrial ransomware targeting

    Initial Disclosure

    Dragos reported that 119 ransomware groups targeted industrial organizations in 2025, a 49% increase from 2024, and said 3,300 industrial organizations worldwide were hit, with manufacturing as the most targeted sector and transportation, oil and gas, electricity, and communications also heavily targeted. The same findings describe common compromise paths through VPN portals, firewall interfaces, vendor tunnels, stolen credentials, and OT-adjacent virtualization systems such as an ESXi hypervisor supporting SCADA virtual machines.
