Ransomware attacks set new records in 2025, hitting manufacturing the hardest

GuidePoint Security has reported record-high spikes in ransomware attacks in 2025, with a 58% year-over-year increase in victims of that popular kind of cyberattack, which still hits manufacturing the hardest. And most of the incidents occurred at the end of the year, in the fourth quarter, the company found. 

Many of the findings from GuidePoint, which provides cybersecurity services, solutions, and consulting, were reinforced by another study conducted by NordStellar, vendor of a threat exposure management platform.

See also: Leading cyberattack against manufacturing sets Q1 record 

On Jan. 15, GuidePoint released its annual Ransomware & Cyber Threat Report, revealing that ransomware activity hit an all-time high last year and that reaching record activity has become the new normal for this type of cyberattack.

Not only did this report reveal a 58% YoY increase in ransomware victims, it also said that 124 distinct ransomware groups were active in 2025, the highest ever recorded and a 46% YoY increase.    

GuidePoint found that manufacturing, specifically in the U.S., was the sector most heavily impacted by ransomware, accounting for 14% of attacks. Technology and retail/wholesale followed closely behind. 

See also: Crystal Ballers predict plenty about cybersecurity in 2026

The U.S. also remained a top geographic target for ransomware attacks in 2025, with GuidePoint finding that more than 55% of victims were headquartered there. The next-highest targets were located in Canada, with 4.48%, and in Germany at 4.1%.  

According to GuidePoint’s report, manufacturing is consistently a "most impacted" industry in terms of both attack victim count and percent increase.

Manufacturing had the most ransomware victims in terms of volume, accounting for 1,060—or 14%—of all observed targets of that kind of cyberattack. The most prominent groups perpetrating the attacks were Qilin, Akira and Play, GuidePoint found. 

The four most impacted industries in terms of volume—manufacturing, technology, retail and wholesale and health care—were the same from 2024 to 2025. 

See also: Spearphishing, ransomware remain top cybersecurity threats to manufacturing

GuidePoint cautioned that ransomware activity levels are likely to grow even higher in 2026.  

December 2025 was the most active month for claimed ransomware victims on record with 814 successful attacks, a 42% year-over-year increase. Over 2,000 ransomware victims were posted in Q4 alone.

NordStellar findings also raise alarms 

GuidePoint isn’t the only organization that found concerning prevalence in attacks within manufacturing coming out of 2025.

Threat exposure management platform NordStellar found in its data that last year, 9,251 ransomware cases were exposed on the dark web, a 45% increase since 2024.

Small- and medium-size manufacturers in the U.S. bore the brunt of those attacks, according to NordStellar, especially those operating in the general manufacturing industry as well as machinery manufacturers and companies operating in the appliances, electrical and electronics manufacturing industries.

Most of these occurred in the last quarter of 2025, echoing GuidePoint’s finding, which NordStellar said exposes attackers exploiting end‑of‑year vulnerabilities. 

See also: Industries need cyber insurance more than ever, but the rules are tightening

"In the last quarter of 2025, ransomware groups deliberately exploited end-of-year cybersecurity gaps caused by reduced staffing and monitoring," NordStellar cybersecurity expert Vakaris Noreika said in a press release.

"However, there has been an upward trajectory the whole year. Ransomware actors are growing increasingly aggressive—given the surge in 2025, the number of ransomware incidents in 2026 is likely to exceed 12,000." 

Aftershocks from Clorox and other cyberattacks 

These incidents are especially concerning given the spike in attacks and potential for expensive consequences.

In 2023, for example, a successful cyberattack on bleach maker Clorox cost the company around $380 million, according to independent assessments. Shortly after the attack, Clorox had estimated the cost could climb to $593 million.

Shockwaves from the Clorox incident have reverberated, and it’s since been recognized as a significant wake-up call for third-party IT risk. 

See also: Cybersecurity the ‘largest obstacle to adoption of smart manufacturing technologies’

Despite the aftershocks from the Clorox and other attacks since 2023, another cybersecurity organization, CrowdStrike, found that most organizations still overestimate preparedness for such attacks.

CrowdStrike said that while more than half of its respondents claimed to be prepared for ransomware attacks, 78% experienced those incidents last year and less than 25% recovered within a day. Often the financial and operational impacts of such cyberattacks last weeks or even months.