There has been a sharp rise in the number of ransomware groups targeting industrial organizations as cybercriminals continue to exploit vulnerabilities in operational technology (OT) and industrial control systems (ICS), researchers at Dragos have warned.
A total of 119 ransomware groups targeting industrial organizations were tracked during 2025 according to the Dragos Annual OT Cybersecurity Year in Review for 2026, published on February 17. That figure represents a 49% increase from the 80 which were tracked in 2024.
According to Dragos, 2025 saw 3300 industrial organizations around the world hit by ransomware, compared with 1693 in 2024. The most targeted sector was manufacturing, followed by transportation.
Oil and gas, electricity and communications were also among the most targeted critical and industrial systems.
Legitimate Login Credentials Abused
The most common cause of network compromise during observed attacks was via remote-access portals and virtualization services, including VPN portals, firewall interfaces or vendor tunnels. Attackers often leveraged legitimate login credentials of a real user to avoid detection.
“Identity abuse allowed adversaries to move rapidly and quietly through enterprise environments,” said Dragos.
These credentials were stolen via phishing attacks, successful execution of infostealer malware or bought on the dark web via initial access brokers. Cybercriminals then exploited this access to cross IT and OT boundaries and gain entry to industrial and operational systems.
The report details how one ransomware affiliate used compromised VPN access to reach an OT-adjacent ESXi hypervisor and deploy ransomware on SCADA supporting virtual machines.
Although no devices directly controlling industrial equipment were touched, the loss of the virtualization layer removed operator visibility and control. This resulted in operational delays until the systems were rebuilt.
Ransomware groups were also able to maintain stealthy persistence on industrial networks. Industry-wide, the average dwell time (the time spent in the network without being spotted or disrupted before the ransomware attack is triggered) for ransomware in OT environments was 42 days.
“Ransomware groups are causing more operational disruption and multi-day outages that require OT-specific recovery,” said Robert M. Lee, CEO and co-founder of Dragos.
“Establishing comprehensive OT visibility now is critical. If organizations cannot monitor their systems today, they’ll find that future adoption of technologies like AI, battery storage, and distributed energy resources creates exponentially greater blind spots,” he added.
The report also detailed three new threat groups which Dragos identified during the last year.
These were Sylvanite, an initial access broker observed targeting US electric and water utilities; Azurite, a group focused on long-term access to OT systems, which targeted organizations around the world; and Pyroxene, a group which carries out supply chain compromise attacks via social engineering to gain access to industrial IT and OT networks.
