
    Ransomware surge in 2025 exposes mounting OT risk as industrial impacts outpace IT narratives

    New research from Dragos finds that the persistent mischaracterization of ransomware as solely an IT problem obscures growing risk to OT (operational technology) environments. Adversaries increasingly target industrial organizations, and their attacks are becoming more frequent and disruptive, yet they rely on basic tactics that exploit weak security practices rather than sophisticated techniques. Ransomware groups targeting industrial organizations surged 49% year-over-year, impacting 3,300 organizations globally and disrupting operations.

    Additionally, Dragos has observed numerous instances in which a ransomware case was classified as IT-only because the victim company or its security firm misclassified OT devices, such as engineering workstations and HMIs (human-machine interfaces), as IT devices simply because they ran Windows. While exact numbers are difficult to obtain, a considerable number of OT-specific ransomware incidents are mischaracterized in this way.

    Dragos tracked 119 ransomware groups targeting industrial organizations in 2025, collectively impacting 3,300 industrial organizations, reflecting affiliate-driven volume and persistent targeting of industrial sectors. The actual number is likely higher, as many incidents go unreported or undetected. 

    In its ‘2026 OT Cybersecurity Report’ and 9th Annual Year in Review document published Tuesday, Dragos disclosed that ransomware groups and affiliates in 2025 continued to rely on remote-access and virtualization abuse. The Hanover, Maryland-headquartered company consistently observed affiliates using valid credentials, commodity infostealers, or initial access broker (IAB)-provided access to authenticate into VPN portals, firewall interfaces, or vendor tunnels before pivoting into OT boundary networks. Once inside, they leveraged RDP, SMB/PsExec, WinRM, WMI, and SSH to move laterally toward VMware ESXi hypervisors and OT-support servers hosting SCADA (supervisory control and data acquisition), HMI, historian, and engineering workloads.

    The operational impact stemmed not from ICS-specific malware, but from the encryption or corruption of the virtualization infrastructure on which OT depends. These activities routinely resulted in Denial of View, Denial of Control, and multi-day Loss of Productivity and Revenue, even without any interaction with industrial protocols. In one case, a Fog affiliate used compromised VPN access to reach an OT-adjacent ESXi hypervisor and deployed ransomware on the virtual machines supporting SCADA. Although no PLCs or field devices were touched, the loss of the virtualization layer immediately removed operator visibility and control, causing operational delays until the systems were rebuilt.
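    The chain described above (a legitimate-looking VPN logon, then RDP/SMB/WinRM/WMI/SSH hops toward a hypervisor or SCADA server) is detectable only if telemetry from the VPN gateway and the OT boundary is correlated. The following is an added example, not Dragos code or tooling from the report: it correlates constructed log lines against an assumed OT asset inventory and flags any VPN session that reaches an OT-support host within a two-hour window. The log format, host names, and the window are assumptions.

```python
"""Correlate a VPN logon against later lateral movement toward OT-support hosts.

Added example, not Dragos code. The log format, host names and the two-hour
window are assumptions; the asset tags stand in for an OT asset inventory.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed inventory: hosts on the OT boundary that the report says should be treated
# as critical ICS assets (hypervisors, SCADA/HMI/historian servers, engineering workstations).
OT_SUPPORT_HOSTS = {
    "esxi-ot01": "ESXi hypervisor",
    "vcenter-ot": "vCenter",
    "scada-srv1": "SCADA server",
    "hist01": "historian",
    "ews-03": "engineering workstation",
}

# Lateral movement channels named in the report, as normalized event names.
LATERAL_CHANNELS = {"rdp", "smb", "psexec", "winrm", "wmi", "ssh"}

WINDOW = timedelta(hours=2)  # assumed correlation window after the VPN logon

# Constructed sample telemetry (not real logs): "<utc-ts> <event> user=.. src=.. dst=.."
SAMPLE_LOGS = """
2025-03-04T01:12:03Z vpn_auth user=jdoe src=203.0.113.45 dst=vpn-gw
2025-03-04T01:14:51Z rdp user=jdoe src=10.10.5.23 dst=jump-it01
2025-03-04T01:31:07Z winrm user=jdoe src=10.10.5.23 dst=scada-srv1
2025-03-04T01:40:22Z ssh user=jdoe src=10.10.5.23 dst=esxi-ot01
2025-03-04T08:02:10Z vpn_auth user=asmith src=198.51.100.7 dst=vpn-gw
2025-03-04T08:05:44Z rdp user=asmith src=10.10.5.40 dst=fileserver01
"""


def parse_line(line):
    """Parse one log line into a dict with a datetime 'ts', the event name and key=value fields."""
    ts, event, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "event": event, **fields}


def parse_logs(text):
    return [parse_line(line) for line in text.strip().splitlines() if line.strip()]


def correlate(events, window=WINDOW):
    """Return one finding per VPN logon whose user then reached an OT-support host.

    The VPN logon itself looks legitimate (valid credentials), so the signal is the
    sequence: VPN auth -> RDP/SMB/WinRM/WMI/SSH hop(s) -> host tagged as OT support.
    """
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)

    findings = []
    for user, evs in by_user.items():
        for i, vpn in enumerate(evs):
            if vpn["event"] != "vpn_auth":
                continue
            hops = [h for h in evs[i + 1:]
                    if h["event"] in LATERAL_CHANNELS and h["ts"] - vpn["ts"] <= window]
            ot_hits = [h for h in hops if h["dst"] in OT_SUPPORT_HOSTS]
            if not ot_hits:
                continue
            findings.append({
                "user": user,
                "vpn_src": vpn["src"],
                "vpn_ts": vpn["ts"].isoformat(),
                "path": [f'{h["event"]}->{h["dst"]}' for h in hops],
                "ot_targets": [(h["dst"], OT_SUPPORT_HOSTS[h["dst"]]) for h in ot_hits],
                "minutes_to_ot": round((ot_hits[0]["ts"] - vpn["ts"]).total_seconds() / 60),
            })
    return findings


if __name__ == "__main__":
    for f in correlate(parse_logs(SAMPLE_LOGS)):
        print(f'{f["user"]} from {f["vpn_src"]}: {", ".join(f["path"])} '
              f'(OT reached after {f["minutes_to_ot"]} min: {f["ot_targets"]})')
```

    On the sample data only the first session is flagged: the user authenticated through the VPN, hopped through an IT jump host, and reached the SCADA server and the ESXi host within 19 minutes. The second session never leaves IT and produces nothing, which is the point of keying the rule on the asset inventory rather than on the protocols alone.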

    Strong OT detection maturity, underpinned by comprehensive visibility, remains foundational to detecting ransomware in OT networks. This capability directly correlates with response success: organizations with solid OT detection contain faster, remediate more effectively, and minimize damage to critical operations. Manufacturing accounted for more than two-thirds of all observed victims, underscoring how deeply the sector depends on highly integrated IT–OT systems and how quickly ransomware-related outages can propagate into production and operational workflows.

    “The threat landscape in 2025 reached a new level of maturity,” Robert M. Lee, CEO and co-founder of Dragos, said in a media statement. “Ransomware groups are causing more operational disruption and multi-day outages that require OT-specific recovery. Yet industrial organizations significantly underestimate the reach of ransomware into OT environments because they think it’s just IT.”

    “There were meaningful defensive gains in 2025 too,” continued Lee. “Organizations with comprehensive OT visibility detected and contained OT ransomware incidents in an average of 5 days compared to the industry-wide average of 42 days, proving that detection maturity directly correlates with response success. But the gaps that remain are serious.” 

    In 2025, ransomware affiliates continued targeting engineering firms, OT managed service providers, ICS equipment vendors, and system integrators, compromising 148, 124, and numerous related entities whose systems often store engineering documentation, configuration backups, remote access credentials, and privileged connections to multiple industrial sites. 

    The strategy reflects a broader cybercriminal focus on maximizing operational leverage by breaching organizations that provide access across an entire industrial ecosystem rather than a single operator. Exploitation campaigns by Cl0p targeting widely used platforms such as Cleo MFT, CrushFTP and Oracle E-Business Suite showed how a single vulnerability in file transfer or ERP software can expose operational documents, engineering data and vendor integrations across hundreds of industrial organizations, even without direct access to OT networks.

    During 2025, affiliates increasingly relied on credential logs sourced from infostealers, password reuse across OT and IT systems, cloud-synchronized identities, and compromised vendor accounts sold through IAB marketplaces. This approach allowed adversaries to bypass perimeter detections entirely by authenticating legitimately into VPN portals, remote desktop infrastructure, and cloud identity providers used across IT–OT boundaries. 

    Identity abuse allowed adversaries to move rapidly and quietly through enterprise environments. These campaigns required no specialized exploits and often avoided detection entirely until critical enterprise systems underpinning OT continuity, such as ERP, virtualization, cloud SaaS platforms, or backup infrastructure, were degraded or unavailable.

    In 2025, Dragos determined that most of the ICS-specific vulnerabilities that were exploited were used to gain initial access or to facilitate reconnaissance in OT. Only about 4% of ICS-relevant vulnerabilities are exploited in the wild, and half of those (2%) are relevant to ICS only because they provide unauthorized access to ICS networks. Most of the exploitation identified in 2025 targeted applications and devices vulnerable to unauthenticated remote code execution, many of which have public proof-of-concept (PoC) exploits available online.

    Asset owners need to understand their exposure, track vulnerabilities with public PoCs, and monitor feeds such as CISA's Known Exploited Vulnerabilities (KEV) catalog to stay informed about active exploitation.

    During the year, Dragos documented extensive exploitation of vulnerabilities in file transfer platforms, including Cleo MFT, CrushFTP and Wing FTP. These flaws enabled attackers to obtain administrator privileges or execute remote code, often without authentication, allowing them to steal sensitive files, deploy backdoors and move laterally into connected networks. Because such tools routinely manage operational documents, engineering data and credentials, they remain prime targets for ransomware groups and initial access brokers seeking extortion or resale opportunities.

    Beginning in late 2024, the Cl0p group exploited Cleo MFT vulnerabilities and claimed more than 300 victims across transportation, manufacturing and food sectors. In 2025, CrushFTP was hit by major campaigns that allowed authentication bypass and full server compromise, while Wing FTP vulnerabilities enabled unauthenticated remote code execution with root or SYSTEM-level access. 

    Attackers frequently install remote access tools such as AnyDesk and ScreenConnect to maintain persistence. Thousands of exposed, unpatched systems remain online, reflecting a continued pattern seen in earlier campaigns targeting platforms like MOVEit, GoAnywhere, and Accellion, where widely used file transfer solutions are exploited for initial access and large-scale extortion.

    Across 2024 and 2025, adversaries aggressively exploited vulnerabilities in internet-facing perimeter technologies, including VPNs, firewalls and edge appliances from vendors such as Ivanti, Palo Alto Networks, Fortinet, F5 and Cisco. Many of the flaws allowed unauthenticated attackers to bypass authentication, escalate privileges or execute remote code through exposed web interfaces and VPN services, often aided by publicly available proof-of-concept exploits and the widespread deployment of these products. 

    Dragos observed that Java-based platforms and complex edge appliances remain frequent targets due to broad dependency chains and configuration weaknesses, with misconfigurations and default credentials further compounding risk. Exploitation often occurred within hours of disclosure, reinforcing a persistent trend of perimeter devices being used as initial access points for ransomware, data theft and lateral movement into enterprise and OT environments, and underscoring the need for rapid patching, hardened configurations, and thorough compromise assessments.

    The report highlighted that the company analyzed ICS-relevant vulnerabilities and uncovered systemic issues in advisories, scoring, and mitigations. “Discrepancies between CISA, vendor advisories, and the National Vulnerability Database (NVD) are still common, creating delays and confusion for asset owners.” 

    It added that NVD analysis alone can take up to two years, leaving organizations without timely guidance and exposing them to unnecessary risk. One of the most significant findings was inconsistency in CVSS scoring. Dragos determined that 15% of CISA and NVD CVEs had incorrect CVSS scores in 2025. Of these corrections, 64% were higher than originally reported, likely because vendors understated severity; 31% were lower than initially published; and the remaining 4% had incorrect attributes that did not affect the numeric score. These inaccuracies can lead to poor prioritization and a misunderstanding of risk.

    Dragos found persistent gaps in remediation guidance for industrial control system vulnerabilities, noting that 25% of advisories offered no patch or mitigation direction, leaving asset owners without a clear path to reduce risk. Its analysts supplemented 52% of those cases with tailored mitigation advice to help organizations sustain resilience despite vendor limitations. 

    In 2025, 4% of ICS-relevant vulnerabilities had a public proof of concept and were actively exploited, most earning a ‘Now’ remediation rating, particularly when exploitation could provide meaningful access or operational impact. 

    The firm also determined that 73% of affected assets were located deep within ICS environments near critical processes, compared with 22% at the enterprise boundary. While 72% of vulnerabilities would not cause immediate process disruption, 27% could affect both operator view and control if exploited, making them attractive targets for sophisticated actors. Dragos concluded that ICS vulnerability management must move beyond CVSS scores and delayed database updates, prioritizing operational impact, weaponization trends and asset placement risks to focus on threats that materially affect resilience.
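    Taken together, the recommendation earlier in the article (track public PoCs and watch the KEV catalog) and the conclusion here (weigh operational impact and asset placement, not just CVSS) describe a triage that can be automated once advisories are mapped onto the asset inventory. The following is an added example, not Dragos tooling or its actual Now/Next/Never methodology: it reads a KEV-format feed (the real feed's field names, but constructed entries with placeholder IDs), joins it against a constructed list of asset-mapped vulnerabilities, and assigns a rating under an assumed rule that loosely follows the report's description, where weaponized (exploited in the wild or public PoC) plus access or process impact earns Now.

```python
"""Cross-reference an asset-mapped vulnerability list against a KEV-style feed and
assign a Now / Next / Never remediation rating.

Added example, not Dragos code. The KEV sample reuses the real feed's field names
but its IDs are placeholders; the rating rules are an assumption loosely following
the report's description (weaponized plus access or process impact = Now).
"""
import json

# Constructed stand-in for the CISA KEV JSON feed (placeholder IDs, not real CVEs).
KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "EXAMPLE-0001", "vendorProject": "ExampleVendor", "product": "MFT Server",
     "dateAdded": "2025-01-15", "dueDate": "2025-02-05", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "EXAMPLE-0002", "vendorProject": "ExampleVendor", "product": "Edge VPN",
     "dateAdded": "2025-03-10", "dueDate": "2025-03-31", "knownRansomwareCampaignUse": "Unknown"},
]})

# Constructed records: advisories already mapped onto the asset inventory.
# placement: where the affected asset sits (enterprise_boundary / ot_dmz / control_network)
# impact: process effect if exploited (none / view / control / view_and_control)
VULNS = [
    {"id": "EXAMPLE-0001", "asset": "mft01", "placement": "enterprise_boundary",
     "public_poc": True, "provides_access": True, "impact": "none"},
    {"id": "EXAMPLE-0002", "asset": "vpn-gw", "placement": "enterprise_boundary",
     "public_poc": True, "provides_access": True, "impact": "none"},
    {"id": "EXAMPLE-0003", "asset": "hmi-02", "placement": "control_network",
     "public_poc": False, "provides_access": False, "impact": "view_and_control"},
    {"id": "EXAMPLE-0004", "asset": "hist01", "placement": "ot_dmz",
     "public_poc": True, "provides_access": False, "impact": "none"},
    {"id": "EXAMPLE-0005", "asset": "ews-03", "placement": "control_network",
     "public_poc": False, "provides_access": False, "impact": "none"},
]

PROCESS_IMPACTS = {"view", "control", "view_and_control"}


def load_kev(text):
    """Index a KEV-format JSON document by its cveID field."""
    return {entry["cveID"]: entry for entry in json.loads(text)["vulnerabilities"]}


def prioritize(vuln, kev):
    """Return (rating, reason). Weaponized = in KEV or public PoC; impactful = gives
    access into ICS networks or affects operator view/control."""
    in_kev = vuln["id"] in kev
    weaponized = in_kev or vuln["public_poc"]
    impactful = vuln["provides_access"] or vuln["impact"] in PROCESS_IMPACTS
    evidence = []
    if in_kev:
        evidence.append("exploited in the wild (KEV, due " + kev[vuln["id"]]["dueDate"] + ")")
        if kev[vuln["id"]].get("knownRansomwareCampaignUse") == "Known":
            evidence.append("used in ransomware campaigns")
    elif vuln["public_poc"]:
        evidence.append("public PoC")
    if vuln["provides_access"]:
        evidence.append("provides access to ICS networks")
    if vuln["impact"] in PROCESS_IMPACTS:
        evidence.append("affects " + vuln["impact"].replace("_", " ") + " on " + vuln["placement"])
    if weaponized and impactful:
        return "Now", "; ".join(evidence)
    if weaponized or impactful:
        return "Next", "; ".join(evidence)
    return "Never", "not weaponized and no access or process impact"


def triage(vulns, kev):
    """Rate every record and return them Now-first (stable sort keeps input order within a rating)."""
    order = {"Now": 0, "Next": 1, "Never": 2}
    rows = []
    for v in vulns:
        rating, reason = prioritize(v, kev)
        rows.append({"id": v["id"], "asset": v["asset"], "rating": rating, "reason": reason})
    return sorted(rows, key=lambda r: order[r["rating"]])


if __name__ == "__main__":
    for r in triage(VULNS, load_kev(KEV_JSON)):
        print(f'{r["rating"]:5} {r["id"]} on {r["asset"]}: {r["reason"]}')
```

    Note what the rule does with the HMI entry: it is deep in the control network and affects both view and control, but with no PoC and no KEV listing it lands at Next rather than Now, while the two boundary entries with known exploitation and an access path go first. That ordering is the report's argument in code form: placement and impact raise urgency, but weaponization plus a path into OT is what defines the work that cannot wait.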

    This comes as 80% of service engagements identified gaps in OT vulnerability management. By contrast, only 5% of reports flagged end-of-life or unsupported assets, underscoring that obsolete systems are rarely the primary problem. Instead, limited asset visibility continues to constrain risk-based mitigation efforts, especially when patching is impractical or delayed.

    Dragos noted that, as these trends show no sign of slowing, OT/ICS asset owners must implement ICS network visibility and monitoring, as well as proper segmentation. ICS-grade rigor should be applied to all OT access pathways and OT-support virtualization, treating VPNs, vendor tunnels, identity providers, and ESXi/vCenter environments that touch OT as critical ICS assets, so that even when ransomware compromises enterprise systems, it cannot easily escalate into industrial outages.

    The Dragos report highlights the rise of specialized threat groups whose evolving tactics are lowering the barrier for established actors to generate real-world OT impact. It notes that control loop mapping now shows adversaries understand industrial processes at an operational level, marking a more advanced and dangerous stage of intrusion. Industrial threat actors are no longer content with network access alone; they are positioning themselves to manipulate and disrupt physical processes.

    Dragos also detailed three new OT threat groups as adversaries push beyond reconnaissance and into attempted real-world disruption of industrial processes. The newly tracked actors, Azurite, Pyroxene, and Sylvanite, bring the total number of groups monitored globally to 26, with 11 active in 2025 alone.
