Which sector are cybercriminals targeting the most – and how can would-be victims avoid falling foul of attacks?
Ransomware crews have a clear favorite target in 2025: factories. New data shows manufacturing soaking up the lion’s share of industrial attacks this year, as criminals pivot between software flaws and stolen logins to break in – and as schools and local governments shoulder increasingly visible collateral damage.
Industrial security firm Dragos says manufacturing accounted for around two in every three known industrial ransomware incidents in Q2 2025, far outpacing transport and other sectors.
Within manufacturing, construction has emerged as an unexpected hot spot, reflecting how sprawling contractor ecosystems and aging edge equipment create broad attack surfaces. IBM’s X-Force Threat Intelligence Index 2025 again ranks manufacturing as the most attacked industry globally, the fourth consecutive year it has topped the table.
How attackers get in is shifting – but not as fast as defenders might hope. The State of Ransomware 2025 report from Sophos finds exploited software vulnerabilities remain the single most common technical root cause for victims, ahead of compromised credentials and malicious email.
At the same time, CrowdStrike’s Global Threat Report 2025 flags a sharp rise in “malware-free, identity-based” intrusions, with adversaries increasingly logging in rather than hacking in. As with all things to do with cybersecurity, humans are the problem in the loop. Abusing valid accounts, remote management tools, and legacy authentication are all exploited by criminals.
Other major targets
Although education isn’t the top target by volume of attacks, the disruption they can face is significant, with attacks on the rise. Comparitech’s mid-year tally, reported by K-12 Dive, saw a 23% year-over-year increase in ransomware incidents across schools, colleges, and universities in H1 2025, with average ransoms in the mid-six figures.
When educational organisations are targeted, it causes issues. The Uvalde school district in Texas cancelled a full week of classes after a ransomware incident crippled phones, HVAC, and other systems.
All isn’t lost, however. Defenders can still try to prevent falling victim. Public guidance from the US Cybersecurity and Infrastructure Security Agency’s StopRansomware Guide says it’s important for organisations to shore up their two major risk points: vulnerabilities and identity.
In practice, that means keeping up with patches on VPNs, firewalls, and remote access tools, while maintaining strict control over remote access software, and using phishing-resistant multi-factor authentication.
Plan for the worst, hope for the best
It’s also important to think about ‘when’, not ‘if’, you fall victim. Preparing for the worst and hoping for the best is the right course of action. Recovery planning is crucial, particularly for industries or sectors where downtime can cause harm not just to a business, but to wider society.
Sophos’ survey shows victims still struggle to restore normal activity. Keeping routinely tested backups offline can mean the difference between being crippled by an attack and being hampered.
One method that’s often presented as best practice is the 3-2-1-1-0 approach, where businesses hold multiple copies on different media, one off-site, one immutable, with zero-error restore testing.
Of course, that’s often easier said than done. Attackers always needle at the edges and look for where they can find the easiest way in. Factories with fragile IT and schools with limited staffing to try and keep their defences resilient will always be obvious targets.
Cybercriminals also always pick the easiest doors to open, whether that’s an unpatched edge box or a reused admin password. So being aware of where ransomware attackers like to strike, and taking as much action as you can to prevent them from doing so, is one way to try to avoid falling foul.
Unlock more exclusive Cybernews content on YouTube.
Your email address will not be published. Required fields are markedmarked