Consequential OT Breaches Dropped in 2025 – What Happened?

In 2025, 57 cyber attacks caused real-world damage in heavy industry, world-wide. This is a 25% drop from 2024, and the first drop in this statistic in six years. What happened?

Andrew Ginter

The OT Data Set

The data set in the Waterfall / ICS STRIVE 2026 OT Cyber Threat Report shows 57 OT attacks with physical consequences world-wide in the industries the report tracks. Most of these attacks were ransomware, and this has been the case since the turn of the decade. Nation-state and hacktivist attacks nearly doubled, but that increase was not enough to make up for the reduction in ransomware attacks. The question of “what happened?” is really “what happened to ransomware attacks?” A definitive answer is not possible – there are a lot of ransomware groups out there, each with a different modus operandi, motives and circumstances. Speculation is possible, however, and there is secondary data available, so let’s speculate a bit.

The Ransomware Data

Ransomware attacks overall seem to have flat-lined or maybe even dropped a little in 2025. There is no such thing as a repository or reliable count of all ransomware world-wide, but there are some indications:

  • FBI data for ransomware incidents reported to them in 2025 is not yet available, but the 2018-2024 data set shows ransomware increasing overall, with “ups and downs” along the way. 2021 was an “up” year, 2022 was smaller, and then the count started increasing again.
  • The NCC Group tracks ransomware leak sites where the criminals list the organizations they claim to have victimized. These are criminals, though; should we believe them? Reliable or not, the NCC data shows a spike in February and a sharp reduction through most of the rest of the year, with a bit of an uptick in the last two months and only a small increase in overall claims since 2024.
  • The German BSI has access to legally-required (confidential) incident disclosures in Germany. Their data shows 2025 nearly flat over 2024.
  • The Microsoft Threat Report claims that ransomware attacks that reached the encryption stage increased only 7% in 2025 over 2024.

Reasons for this phenomenon are varied – the best speculation world-wide seems to include:

What else might be going on?

Analysis

In the report, the authors look at other hypotheses as well:

  • Are fewer attacks being reported in public? The data suggests there might be some of this happening. Owners and operators may have become “gun-shy” about disclosing too much information and being sued if any of that information is later shown to be incorrect. Less disclosure is safer, and disclosing the minimum the law requires seems to have become the norm.
  • Have cyber defenses become more capable? Some of the breaches still showed shockingly poor cyber hygiene. Others showed a high degree of sophistication, taking down what we would expect to be well-defended targets.

In addition, the number of zero-days exploited in the wild dropped only a little from 2024 to 2025, and AI-automated attacks started being observed. In short, it seems likely that all of these factors are in play, producing the result we observed.

Conclusion

None of the effects examined in the report seem likely to hold attacks constant or declining for any material length of time:

  • Law-enforcement actions have not eliminated profitable drug-running or other criminal enterprises, and seem unlikely to be able to eliminate ransomware.
  • Ransomware criminals have re-organized to recover from their losses, and seem poised to resume their “normal” attack patterns in 2026.
  • Public disclosures of “material” incidents are increasingly required in many jurisdictions, which should increase disclosure rates. Less-than-material incidents may no longer be disclosed. But if incidents overall increase in 2026, one would expect to see material incidents and disclosures increase as well. And – in a world interested in cyber attacks, it is increasingly difficult to hide the fact that a factory shut down and laid off its workforce due to a cyber attack.

In short, it is reasonable to believe that cyber attacks with physical consequences will continue to rise in the years ahead. And it is worth studying the attacks and trends we observe today, because anything that has happened in the past is a credible threat in the years ahead.

Digging Deeper: The authors of the threat report will be discussing these and many other findings in a webinar March 25th. Please join us.

About the author

Andrew Ginter

Andrew Ginter is the most widely-read author in the industrial security space, with over 35,000 copies of his three books in print. He is a trusted advisor to the world's most secure industrial enterprises, and contributes regularly to industrial cybersecurity standards and guidance.