
    Food and Ag-ISAC reports 82% surge in ransomware attacks as Qilin, Akira and CL0P lead campaigns against sector

    New data from the Food and Agriculture Information Sharing and Analysis Center (Food and Ag-ISAC) shows ransomware activity escalated in 2025, with Qilin, Akira, CL0P, Play, and Lynx leading attacks against the food and agriculture sector. In partnership with the IT-ISAC, the organization recorded approximately 6,377 ransomware incidents across sectors, an 82% increase from the 3,508 cases tracked in 2024. Since launching its monitoring effort in 2020, the joint initiative has documented more than 15,265 ransomware attacks using automated tools that collect data from public breach disclosures, RSS feeds, dark web leak sites, and internal threat intelligence sources.

    The resulting ransomware tracker database, available to Food and Ag-ISAC members, serves as a centralized and queryable resource for analyzing trends, identifying emerging groups, and assessing sector-wide exposure. When significant or fast-evolving threats are identified, the ISACs develop detailed adversary attack playbooks, now numbering more than 330, outlining TTPs (tactics, techniques and procedures) to help organizations strengthen detection, response, and resilience across critical infrastructure environments.

    “The food and agriculture sector was targeted by 265 attacks in 2025, which represented 4.2% of the total ransomware volume across all critical sectors. While the attack rate was lower than in other sectors, the number of victims increased,” Food and Ag-ISAC detailed in its ‘Farm-to-Table Ransomware Realities: Exploring the 2025 Ransomware Landscape and Insights for 2026’ report. “Due to the sector’s robust supply chain of many partners and suppliers, and the ‘just-in-time’ delivery of products to consumers, ransomware attacks can be particularly damaging to the sector. The number of ransomware attacks per month in 2024 and 2025 remained fairly consistent, with three notable exceptions.”

    The report also noted that attacks surged in January, February, and December 2025, with the early-year spike driven primarily by CL0P’s exploitation of a Cleo Managed File Transfer vulnerability. This campaign, which began in late 2024 and peaked in early 2025, affected multiple sectors beyond food and agriculture.

    The report also compared ransomware activity across sectors in 2025, showing that critical manufacturing was the most targeted, with 1,440 attacks, accounting for 22.7% of all tracked incidents. The commercial facilities sector followed with 1,107 attacks, representing 17.5% of the total. The information technology sector recorded 746 attacks, or 11.8%, while healthcare and public health experienced 580 incidents, accounting for 9.2%. The financial services sector saw 463 attacks, representing 7.3%. Although not classified as critical infrastructure, the legal sector also stood out, with 313 attacks, or 4.9% of all recorded incidents.

    The report revealed that ransomware activity remained heavily concentrated in the U.S., which recorded 3,311 attacks in 2025, accounting for 52.13% of all global incidents. No other country reported more than 300 attacks, and each represented less than 5% of the total. This disparity underscores the position of the U.S. as a primary economic and technological target. Its scale, digital maturity, and concentration of critical corporate and public infrastructure make it uniquely attractive to threat actors seeking high-value payouts and broad operational disruption.

    Food and Ag-ISAC found that five ransomware groups, Qilin, Akira, CL0P, Play, and Lynx, led attacks against the food and agriculture sector in 2025, accounting for nearly 50% of all recorded incidents. Three of these actors also ranked among the top five targeting all critical infrastructure sectors, alongside INC Ransom and SafePay, underscoring their broader operational reach.

    The pattern suggests most groups pursue victims opportunistically rather than singling out the sector. Campaigns typically scan for exposed systems, acquire access from brokers, and rely on phishing and social engineering to exploit any vulnerable organization. Food and agriculture entities are therefore swept up in high-volume, indiscriminate activity. CL0P stands out as a partial exception, with 9.3% of its 2025 attacks directed at the sector, more than double the 4.2% average observed across all groups.

    The Food and Ag-ISAC’s 2026 outlook assesses that the ransomware threat targeting food and agriculture will continue to evolve through fragmentation, technical adaptation, and more calculated pressure tactics, intensifying risks across an already complex operational environment.

    One defining shift is the move away from dominant ransomware-as-a-service brands toward smaller, more specialized operations. The number of distinct ransomware groups rose by nearly 50% in 2025 compared with the previous year, and further growth is expected in 2026 as affiliates gravitate toward smaller collectives that are harder for authorities to track. These groups increasingly operate with short lifespans, launching targeted campaigns against specific sectors such as manufacturing before dissolving or rebranding within months to evade sanctions and law enforcement scrutiny.

    Distributed denial-of-service attacks are also reemerging as a coercive tool. Ransomware operators have resumed bundling DDoS capabilities into their offerings, using sustained attacks to compound disruption after an initial breach. Even when victims restore systems from backups, DDoS activity can keep websites, customer portals, and application programming interfaces offline. In some cases, attackers exfiltrate limited data and then deploy DDoS attacks to intensify negotiations or retaliate against recovery efforts.

    Another persistent trend is the targeting of underlying infrastructure. Attacks against hypervisors such as VMware ESXi remain a priority because compromising a single host can disrupt hundreds of virtual machines simultaneously. At the same time, ransomware actors are increasingly focusing on software-as-a-service providers and managed service providers. A breach at this level can provide automated, downstream access to numerous organizations, amplifying impact across interconnected food and agriculture supply chains.

    Last September, Comparitech disclosed that out of the 18 confirmed ransomware attacks recorded in August, two struck the food and beverage sector. Sunrise Co. Ltd. in Japan and Blenders in the Grass in the U.S. both reported confirmed ransomware incidents, though no attribution was made in either case. Meanwhile, the American Farm Bureau Federation joined the Food and Ag-ISAC’s industry partner program to strengthen cyber defenses for farmers and ranchers by expanding access to threat reports, alerts, and best-practice guidance across the agriculture sector.

     
