
New research from Honeywell points to sharp and growing ransomware threats against industrial operators and manufacturers. Ransomware attacks jumped by 46 percent in the first quarter of 2025, with the Cl0p ransomware group emerging as the most active threat actor. During that same quarter, the Honeywell 2025 Cyber Threat Report reported 2,472 new ransomware victims, adding to the 6,130 incidents documented in 2024. The OT (operational technology) layer remains a prime target. Of the 55 cybersecurity incidents companies disclosed through SEC Form 8-K in 2024, more than half, 30 cases, were direct attacks on OT systems.
One of the most significant developments is the resurgence of the W32.Worm.Ramnit trojan, which has seen a 3,000 percent increase as attackers repurpose it to steal OT credentials from industrial operators. The 2025 Cyber Threat Report mentioned that USB-based threats remain a consistent weak point, with one in four of the top ten security incidents traced back to malicious activity triggered by USB plug-and-play devices.
The report mentioned that industrial organizations faced a significant rise in cyber threats, with ransomware attacks heavily targeting operational environments. Although no new ransomware strains were developed specifically for industrial control systems, existing threat actors were still able to cause major disruptions. Manufacturing sites, water treatment plants, and energy providers experienced shutdowns, manual failovers, and supply chain delays as a result.
Trojans remained persistent threats, with some showing increased activity, while USB devices continued to spread various worms, including a newly identified strain. High-profile breaches highlighted ongoing vulnerabilities across both public and private sectors, reinforcing the need for stronger cybersecurity defenses and more effective incident response planning.
“Industrial operations across critical sectors like energy and manufacturing must avoid unplanned downtime as much as possible – which is precisely why they are such attractive ransomware targets,” Paul Smith, director of Honeywell Operational Technology (OT) Cybersecurity Engineering, who authored the report, said in a Wednesday news statement. “These attackers are evolving fast, leveraging ransomware-as-a-service kits to compromise the industrial operations that keep our economy moving.”
Honeywell also noted that the European Union Agency for Cybersecurity’s (ENISA) inaugural report highlighted a substantial threat level within the EU. The report emphasized the necessity for enhanced policy implementation, improved cyber crisis management, fortified supply chains, and the development of cybersecurity skills to address identified shortcomings.
The 2025 Cyber Threat Report also identified that cyberattacks are increasingly expanding across sectors, with agriculture and food production seeing a sharp and exponential rise in targeting. These industries, once considered peripheral to cyber threat actors, are now becoming critical entry points for disruption.
Government agencies have also reported a growing number of threats against public services. In the U.S., the Environmental Protection Agency warned that the nation’s drinking water infrastructure is highly vulnerable to cyberattacks. An estimated 193 million people rely on systems that could be compromised, posing serious risks to public health and safety. In 2024, a major water and wastewater utility company operating across 14 states was breached. The incident led to service disruptions that affected several key systems.
The Transportation Security Administration (TSA) responded to mounting risks by proposing new cybersecurity regulations for pipelines and railroads. These rules would require operators to report cyber incidents within 24 hours and conduct annual cybersecurity evaluations. That same year, a transit system in Pittsburgh, Pennsylvania, was hit by a ransomware attack that disrupted payment processing, creating operational setbacks for commuters.
Internationally, public transportation systems have also come under attack. A Japanese airline suffered a distributed denial-of-service attack that forced system shutdowns, delayed more than 40 flights, and disrupted critical services, including baggage handling and ticketing, underscoring the growing reach of cyber threats into sectors vital to daily life and economic stability.
“With increasingly significant threats and updated SEC reporting regulations requiring the disclosure of material cybersecurity incidents, industrial operators must act decisively to mitigate costly unplanned downtime and risks, including those linked to safety,” Smith said. “Leveraging Zero Trust architecture and AI for security analysis can speed detection and enable smarter decision making and proactive defense in an increasingly complex digital landscape.”
On threat types, the 2025 Cyber Threat Report said that attackers targeting user management and access control continue to exploit loopholes in policy administration, looking for high-privilege users, allowed applications, and other legitimate-appearing actions to maliciously enter OT networks. It also identified that ransomware attackers continue to exploit organizations for financial gain, using phishing, social engineering, and other methods to deploy ransomware.
On attack targets, the report said that attackers going after security systems continue to target mechanisms and systems that are part of a company’s security infrastructure, including patch distribution processes and security update packages.
The Honeywell 2025 Cyber Threat Report outlines critical steps industrial organizations should take to strengthen cybersecurity. Key recommendations include developing and regularly reviewing cybersecurity policies, training employees on phishing and cyber hygiene, and protecting against USB-borne threats. The report emphasizes the need for multi-factor authentication, strong password practices, and network segmentation based on least privilege access.
Organizations are urged to adopt zero trust architecture, conduct regular software updates, and monitor systems continuously for abnormal behavior. Encrypting data, maintaining secure and tested backups, and performing vulnerability assessments are also essential. Labeling critical assets and complying with standards such as NIST 800-82 and IEC 62443 helps prioritize defenses.
Network segmentation is also important. Isolating systems can limit the spread of an attack. By applying the principle of least privilege, organizations can ensure users, devices, and applications only have the access they need to perform their specific tasks, reducing the overall attack surface and lowering the potential for a breach. They must also focus on secure IT and OT integration by using cloud services that isolate control systems and rely on secure gateways for telemetry. Leveraging cloud-native security tools for identity management, monitoring, encryption, and vulnerability scanning ensures a more resilient and proactive security posture.
Multi-factor authentication should be enabled across systems, and strong passwords must be enforced. The use of password vaults and identity verification tools helps ensure that access is granted only to the right individuals at the right time. Software updates must be conducted regularly to address known vulnerabilities. These updates should be integrated with a patch management system, and any issues during deployment should be addressed to maintain software integrity. Also, continuous monitoring and auditing of security measures using available tools can help identify abnormal network activity. Organizations should visualize communications and act on unauthorized operations or interactions.

Anna Ribeiro
Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.