The Numbers
The Dragos 2026 OT Cybersecurity Year in Review reports the following on ransomware targeting industrial organizations:
- The number of ransomware groups going after industrial sectors jumped 49% year-over-year
- 119 distinct groups are now actively hitting industrial targets
- Together they produced more than 3,300 confirmed victims during the reporting period
- Manufacturing bore over two-thirds of those attacks — the single largest share by far
- 26 OT-focused threat groups now tracked by Dragos, with 11 active in 2025
These are not projections. This is observed incident data from the largest OT-focused threat intelligence organization in the industry.
Why Manufacturing Is the #1 Target
Ransomware operators are rational economic actors. They target organizations most likely to pay, most quickly. Manufacturing fits that profile perfectly.
| Factor | Why It Helps Attackers | Impact on Payment Likelihood |
|---|---|---|
| Low downtime tolerance | Production lines generate revenue per hour. Every hour down is direct financial loss. | High — cost of downtime often exceeds ransom demand within days |
| Flat OT networks | Most factory networks have minimal segmentation between IT and OT, or between OT zones | High — single point of entry leads to full-network encryption |
| Legacy systems | PLCs, HMIs, and SCADA systems running Windows XP/7 or proprietary OS cannot be patched | High — known vulnerabilities remain permanently exploitable |
| Vendor remote access | Maintenance vendors need regular access, often through persistent VPN tunnels or TeamViewer | High — provides ready-made lateral movement paths |
| Weak backup practices | OT configurations, PLC logic, and HMI projects are rarely backed up systematically | High — recovery without paying is slow or impossible |
| Insurance coverage | Many manufacturers carry cyber insurance that covers ransom payments | High — reduces perceived cost of paying |
The Attack Pattern
Ransomware targeting manufacturing follows a consistent pattern, regardless of the specific group:
Phase 1: IT Compromise (Day 0)
- Phishing email with malicious attachment or link
- Exploitation of internet-facing VPN or remote access appliance
- Purchased access from an initial access broker (Dragos 2026 identifies SYLVANITE as an OT-focused initial access broker)
Phase 2: IT Lateral Movement (Days 1-7)
- Credential harvesting (Mimikatz, LSASS dump)
- Domain controller compromise
- Identification of IT-to-OT network paths
- Deployment of persistence mechanisms
Phase 3: OT Impact (Day 7+)
This is where manufacturing-targeted ransomware diverges from standard IT ransomware. The impact takes one or more of these forms:
- Direct OT encryption — Ransomware encrypts HMI workstations, engineering stations, and historian servers, blinding operators
- Process disruption — Encryption of IT systems that OT depends on (DNS, Active Directory, MES) causes cascading OT failures
- Safety system compromise — In the worst case, ransomware or associated tooling disables safety instrumented systems
Ransomware Impact by Industrial Sector
| Sector | Share of Industrial Ransomware Victims | Primary Attack Vector | Average Recovery Time |
|---|---|---|---|
| Manufacturing | 65%+ | Phishing, VPN exploit, initial access broker | 5-14 days |
| Energy | ~10% | Remote access compromise, supply chain | 7-21 days |
| Water/Wastewater | ~5% | Exposed remote access, weak credentials | 3-10 days |
| Transportation | ~5% | IT compromise with OT spillover | 7-14 days |
| Other Industrial | ~15% | Mixed | Varies |
Source: Derived from Dragos 2026 OT Cybersecurity Year in Review incident data
Manufacturing's dominance as a target is not accidental. It is the sector where the economics of ransomware work best for the attacker.
What Actually Stops Ransomware from Reaching OT
Not every security control is equal. Here are the controls that matter most, ranked by their effectiveness at preventing ransomware from impacting OT operations.
| Rank | Control | What It Does | Why It Matters |
|---|---|---|---|
| 1 | IT/OT network segmentation | Prevents ransomware from crossing from IT networks into OT networks | Blocks the Phase 2 → Phase 3 transition entirely |
| 2 | Microsegmentation within OT | Limits lateral movement within OT zones so a single compromised device cannot reach all others | Contains blast radius even if OT is breached |
| 3 | Controlled vendor access | Replaces persistent VPN tunnels with per-session, authenticated, least-privilege access | Eliminates the most common lateral movement path into OT |
| 4 | Offline OT backups | Maintains tested, air-gapped backups of PLC logic, HMI projects, and SCADA configurations | Enables recovery without paying ransom |
| 5 | Continuous OT monitoring | Baselines normal OT network traffic and alerts on anomalies | Detects attacker activity during the reconnaissance phase before encryption |
| 6 | MFA on all remote access | Requires multi-factor authentication for every remote session | Blocks credential-based initial access |
| 7 | Endpoint hardening on OT workstations | Application allowlisting, USB restrictions, local admin removal on HMIs and engineering stations | Prevents ransomware execution on the devices operators use daily |
Controls 1-3 are architectural. They require network changes, not just software deployment. They are also the controls that make the largest difference, because they address the structural reasons ransomware spreads so effectively in manufacturing environments.
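The monitoring control (rank 5) and the first segmentation control (rank 1) both hinge on knowing what normal IT-to-OT traffic looks like. The script below is an added example, not tooling from Dragos or from this article: it learns a baseline of (source zone, destination zone, destination port) tuples from a known-good window of flow records, then flags flows that are new to the baseline, with IT-to-OT crossings rated high and new OT-to-OT crossings rated medium, and separately flags a single IT host that touches many OT hosts, which is the Phase 2 "identification of IT-to-OT network paths" activity seen from the defender's side. The zone ranges, flow records and the fan-out threshold are all constructed for illustration.

```python
"""Baseline-and-alert detection for IT-to-OT traffic over constructed flow records.

Added example; the zone map, flows and thresholds are constructed, not taken
from the Dragos report or from any product.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed zone map: IT enterprise network, OT site operations zone and a
# cell/area zone. In practice this comes from the IT-to-OT path map (step 1).
ZONES = {
    "IT":      [ip_network("10.10.0.0/16")],
    "OT_SITE": [ip_network("10.20.0.0/16")],
    "OT_CELL": [ip_network("192.168.50.0/24")],
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def zone_of(ip: str) -> str:
    addr = ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in n for n in nets):
            return name
    return "UNKNOWN"


def learn_baseline(flows):
    """Tuples (src_zone, dst_zone, dport) observed during a known-good window."""
    return {(zone_of(f.src), zone_of(f.dst), f.dport) for f in flows}


def detect(flows, baseline, fanout_threshold=5):
    """Alert on flows into OT that are new to the baseline, and on IT hosts
    fanning out to many OT hosts (reconnaissance-like behaviour)."""
    alerts = []
    ot_hosts_per_it_src = defaultdict(set)
    for f in flows:
        src_zone, dst_zone = zone_of(f.src), zone_of(f.dst)
        if not dst_zone.startswith("OT"):
            continue  # only traffic entering or moving within OT is in scope
        if src_zone == "IT":
            ot_hosts_per_it_src[f.src].add(f.dst)
        if (src_zone, dst_zone, f.dport) not in baseline:
            alerts.append({
                "severity": "high" if src_zone == "IT" else "medium",
                "rule": "new-flow",
                "src": f.src, "dst": f.dst, "dport": f.dport,
            })
    for src, hosts in ot_hosts_per_it_src.items():
        if len(hosts) >= fanout_threshold:
            alerts.append({"severity": "high", "rule": "it-to-ot-fanout",
                           "src": src, "dst": f"{len(hosts)} OT hosts", "dport": None})
    return alerts


# Constructed known-good window: one documented IT->OT path plus normal OT traffic.
KNOWN_GOOD = [
    Flow("10.10.5.20", "10.20.1.10", 443),       # IT MES server -> OT historian
    Flow("10.20.1.10", "192.168.50.11", 502),    # historian -> PLC (Modbus/TCP)
    Flow("10.20.1.20", "192.168.50.11", 44818),  # HMI -> PLC (EtherNet/IP)
]

# Constructed detection window: an IT workstation probing OT hosts over SMB/RDP.
SUSPECT = [
    Flow("10.10.5.20", "10.20.1.10", 443),      # still the documented path
    Flow("10.10.7.77", "10.20.1.10", 445),
    Flow("10.10.7.77", "10.20.1.20", 3389),
    Flow("10.10.7.77", "10.20.1.21", 445),
    Flow("10.10.7.77", "10.20.1.22", 445),
    Flow("10.10.7.77", "10.20.1.23", 445),
    Flow("10.20.1.20", "192.168.50.12", 102),   # HMI -> PLC on a port never seen before
]

if __name__ == "__main__":
    for a in detect(SUSPECT, learn_baseline(KNOWN_GOOD)):
        print(a)
```

The baseline is deliberately keyed on zones rather than individual hosts so that a new HMI talking to an existing PLC on an already-used protocol port does not page anyone, while any IT source reaching into OT on a port the documented path does not use does.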
Five Things to Do This Week
1. Map Your IT-to-OT Network Paths
You cannot segment what you have not mapped. Identify every network path between IT and OT: firewalls, dual-homed workstations, shared VLANs, vendor VPN tunnels, and any "temporary" connections that became permanent.
2. Enforce Segmentation at the IT/OT Boundary
At minimum, deploy a firewall or network access control appliance between IT and OT with a default-deny policy. Only allow traffic that is explicitly required and documented.
3. Replace Persistent Vendor Access with Per-Session Access
Every persistent VPN tunnel to a vendor is a standing invitation. Replace them with zero-trust access that authenticates each session, limits the scope of access, and terminates automatically.
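Steps 1 to 3 produce two artifacts that can be checked mechanically: the map of IT-to-OT paths and the ruleset at the boundary. The audit script below is an added example, not the article's or any firewall vendor's tooling. It takes a constructed rule schema (source, destination, ports, action, owner, change ticket, vendor and per-session flags) and a constructed path map, and reports the gaps each step is meant to close: mapped paths that do not traverse the boundary firewall, a missing default-deny rule, allow rules without an owner and ticket, allow rules that are broader than a constructed threshold, and vendor rules that are standing rather than per-session.

```python
"""Audit an IT/OT boundary ruleset and the mapped IT-to-OT paths from step 1.

Added example; the rule schema, addresses, threshold and sample data are
constructed for illustration and are not from the article.
"""
from ipaddress import ip_network


def _too_broad(cidr: str, max_hosts: int = 256) -> bool:
    """'any' or a prefix wider than max_hosts addresses counts as broad (constructed threshold)."""
    return cidr == "any" or ip_network(cidr).num_addresses > max_hosts


def audit_rules(rules):
    """Return (severity, finding, subject, detail) tuples for the boundary ruleset."""
    findings = []
    last = rules[-1] if rules else None
    if not (last and last["action"] == "deny"
            and last["src"] == "any" and last["dst"] == "any"):
        findings.append(("high", "no-default-deny", "ruleset",
                         "last rule must be deny any -> any"))
    for r in rules:
        if r["action"] != "allow":
            continue
        if not r.get("owner") or not r.get("ticket"):
            findings.append(("medium", "undocumented-allow", r["id"],
                             "allow rule has no owner or change ticket"))
        if r.get("ports") == "any" or _too_broad(r["src"]) or _too_broad(r["dst"]):
            findings.append(("high", "broad-allow", r["id"],
                             "source, destination or port range is broad"))
        if r.get("vendor") and not r.get("per_session"):
            findings.append(("high", "persistent-vendor", r["id"],
                             "vendor access is standing, not per-session"))
    return findings


def audit_paths(paths):
    """Mapped IT-to-OT paths that bypass the boundary firewall defeat segmentation."""
    return [("high", "bypass-path", p["name"],
             f'{p["kind"]} is not enforced at the IT/OT boundary')
            for p in paths if not p.get("via_boundary_firewall")]


# Constructed boundary ruleset.
RULES = [
    {"id": "R1", "src": "10.10.5.20/32", "dst": "10.20.1.10/32", "ports": [443],
     "action": "allow", "owner": "MES team", "ticket": "CHG-0001"},
    {"id": "R2", "src": "10.10.0.0/16", "dst": "10.20.0.0/16", "ports": [445, 3389],
     "action": "allow", "owner": "", "ticket": ""},          # the "temporary" rule
    {"id": "R3", "src": "203.0.113.0/24", "dst": "10.20.1.20/32", "ports": "any",
     "action": "allow", "owner": "Vendor X", "ticket": "CHG-0002",
     "vendor": True, "per_session": False},                  # standing vendor tunnel
    {"id": "R4", "src": "any", "dst": "any", "action": "deny"},
]

# Constructed output of step 1: every path found between IT and OT.
PATHS = [
    {"name": "boundary-fw", "kind": "firewall", "via_boundary_firewall": True},
    {"name": "eng-ws-07", "kind": "dual-homed engineering workstation",
     "via_boundary_firewall": False},
    {"name": "vendor-vpn", "kind": "site-to-site VPN", "via_boundary_firewall": False},
]

if __name__ == "__main__":
    for f in audit_paths(PATHS) + audit_rules(RULES):
        print(f)
```

Run weekly against the exported ruleset and the maintained path map, the same findings reappearing is itself the signal that a "temporary" exception has become permanent.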
4. Back Up OT Configurations Offline
Export PLC logic, HMI projects, historian configurations, and SCADA setups to offline storage. Test restoration. Do this weekly. If ransomware encrypts your engineering workstations, these backups are the difference between a week of recovery and a month.
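A backup that has never been restored is an assumption, not a control. The script below is an added example, not the article's or any vendor's tooling: it copies a set of exported OT configuration files to an offline target together with a SHA-256 manifest, then verifies a restore against that manifest and reports files that are missing, files whose contents no longer match (as they would after encryption or corruption), and a manifest older than the weekly cadence the step calls for. The file names and contents are constructed stand-ins for PLC logic and HMI project exports.

```python
"""Offline OT configuration backup: hashed manifest plus restore verification.

Added example; file names and contents are constructed stand-ins, not real
PLC or HMI export formats.
"""
import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path

MAX_AGE_DAYS = 7  # weekly cadence, as the step above recommends


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(src: Path) -> dict:
    """Relative path -> SHA-256 for every file under src, plus a creation timestamp."""
    files = {p.relative_to(src).as_posix(): sha256_file(p)
             for p in sorted(src.rglob("*")) if p.is_file()}
    return {"created": time.time(), "files": files}


def write_backup(src: Path, dest: Path) -> dict:
    """Copy the exports to the offline target and store the manifest beside them."""
    shutil.copytree(src, dest / "exports")
    manifest = build_manifest(src)
    (dest / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_restore(restored: Path, manifest: dict, now=None) -> list:
    """Problems with a restored tree: stale manifest, missing files, hash mismatches."""
    problems = []
    now = time.time() if now is None else now
    if now - manifest["created"] > MAX_AGE_DAYS * 86400:
        problems.append(("stale", "manifest"))
    for rel, digest in manifest["files"].items():
        p = restored / rel
        if not p.is_file():
            problems.append(("missing", rel))
        elif sha256_file(p) != digest:
            problems.append(("mismatch", rel))
    return problems


def demo() -> dict:
    """Back up constructed exports, restore them, then damage the restore and re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "exports"
        (src / "hmi").mkdir(parents=True)
        (src / "line1_plc_logic.bin").write_bytes(b"constructed PLC project bytes")
        (src / "hmi" / "packaging_project.bin").write_bytes(b"constructed HMI project bytes")

        offline = tmp / "offline"
        manifest = write_backup(src, offline)

        # A clean restore from the offline copy verifies with no problems.
        restored = tmp / "restored"
        shutil.copytree(offline / "exports", restored)
        clean = verify_restore(restored, manifest)

        # Simulate one file overwritten (as encryption would) and one lost.
        (restored / "line1_plc_logic.bin").write_bytes(b"overwritten contents")
        (restored / "hmi" / "packaging_project.bin").unlink()
        damaged = verify_restore(restored, manifest)

        # Same damaged restore, checked eight days after the backup was taken.
        stale = verify_restore(restored, manifest, now=manifest["created"] + 8 * 86400)
        return {"clean": clean, "damaged": damaged, "stale": stale}


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, problems or "ok")
```

The manifest travels with the backup so that a restore can be checked on an isolated recovery machine; keeping a second copy of the manifest somewhere the backup target cannot write to guards against a manifest that was altered along with the files.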
5. Run a Tabletop Exercise
Simulate a ransomware attack that crosses from IT to OT. Identify who makes the decisions, what information they need, and where the gaps are. Do this before the real event forces you to discover the gaps under pressure.
A 49% surge in ransomware groups focused on industrial targets is not a trend that will reverse on its own. Manufacturing is the top target because the economics favor the attacker. Change the economics: segment your networks so ransomware cannot spread, control access so attackers cannot enter, and maintain backups so you never have to consider paying. For a framework to justify the investment internally, see our guide to building the business case for OT network segmentation.