Manufacturing sector faces 24% rise in ransomware attacks

ReliaQuest has released a report examining cyber threats to the manufacturing sector, identifying a rise in ransomware attacks and remote service abuse over a six-month period between August 2024 and January 2025.

Data from the report indicates a 24% increase in ransomware groups targeting manufacturing, with 624 companies appearing on data leak sites as claimed victims. The exploitation of external remote services by threat actors has surged by 130%, posing a significant challenge to the sector's cybersecurity.

Spearphishing continues to be a prevalent tactic among cybercriminals targeting manufacturing firms. These attacks exploit the routine nature of business operations, as exemplified by a chemical company losing USD $60 million following a business email compromise scam. David Bell from ReliaQuest stated: "It preys on the everyday flow of business; attackers send spearphishing emails that look routine - like a supplier requesting payment - and wait for a misstep. And when that happens, the consequences are stark." Bell advises empowering employees to report suspicious emails and using analysis tools to mitigate risks from such threats.

An increase in external remote service abuse in the manufacturing industry correlates with the sector's shift towards smart factory models. The connectivity required for automation and real-time monitoring through virtual private networks (VPNs) and remote desktop protocols (RDPs) has introduced vulnerabilities. "Manufacturing has embraced smart factories... Remote services like virtual private networks (VPNs) and remote desktop protocol (RDP), meant for real-time monitoring, have become the perfect entry points for cybercriminals," Bell explained. Measures such as deceptive remote-access points and dynamic access policies are recommended to counter such threats.

The use of impersonating domains also remains a threat, facilitated by phishing kits that enable attackers to deploy fake domains quickly. These attacks saw a 136% increase in discussions on dark-web forums since 2023, underscoring the growing threat.

Open port exploitation poses another significant risk, with alerts in the manufacturing sector rising by 12% in the current period compared to prior figures. Open ports, necessary for operational technology (OT) systems, though often left unsecured, become targets for attackers scanning for entry points into networks.

Ransomware attacks across all sectors have increased by 33%, with the manufacturing industry seeing a rise in active groups from 46 to 57. Manufacturing, with its narrower operational scope compared to sectors like professional services, remains a prime target due to its potential for large-scale disruption. The report notes the growing integration of Industrial Internet of Things (IIoT) devices in manufacturing, increasing risk exposure.

The report highlights the dangers posed by the "Play" ransomware group, which discreetly causes significant disruption in the manufacturing sector. Play's strategic targeting of legacy systems and reliance on business continuity make it particularly effective in causing operational disruption.

ReliaQuest advises several tactical steps for manufacturing firms to enhance their cybersecurity posture. Their approach includes proactive threat hunting, the deployment of data loss prevention software, and implementing strict access control measures. David Bell notes: "This is especially critical in environments with interconnected IT and OT systems to contain threats before they cascade across the network."

Looking forward, ReliaQuest predicts that the manufacturing sector will remain a focus for cybercriminals. OT intrusions are expected to outpace detections by 40% in 2025, and state-sponsored cyber spying on smart factories is likely to increase. Additionally, spearphishing attacks could double in the coming year as phishing kits gain traction.