
Industrial Ransomware Held Steady in Q1 2026. That's the Problem

The normalization of ransomware in industrial systems, along with an operating culture that treats downtime as unacceptable, is an uncomfortable tension that's not likely to go away soon.

Ransomware pressure against industrial organizations didn't spike in the first quarter of 2026.

That's good news, right? Not exactly.

According to Dragos' quarterly ransomware analysis, 1,020 incidents impacted industrial organizations worldwide during that period. That figure is consistent with the elevated baseline established in late 2025.

For security leaders in critical infrastructure, consistency at that volume isn't a sign of stability; it's a sign of normalization, and normalization is the enemy of the OT golden rule:

“In OT, the golden rule is absolute: Availability is King,” said Brendan Clemmer, principal OT engineer at cyber exposure management company Armis, during his OT.SEC.CON session, Best Practices for Implementing IEC 62443 Within Existing Frameworks. You can watch the full talk here:

Best Practices for Implementing IEC 62443 within Existing OT Security Frameworks
Presenter: Brendan Clemmer. This talk focuses on applying IEC 62443 in real-world OT environments, making the point that most organizations struggle not with the framework itself but with integrating it into messy, existing systems. Key takeaway: frameworks don't fail, implementation does.


The tension between ransomware normalization and an operating culture that treats downtime as unacceptable was a recurring theme across OT.SEC.CON sessions on OT resilience and cyber-physical risk.

Of the attacks Dragos evaluated, manufacturing bore the brunt, accounting for 62% of all observed victims of industrial ransomware. That’s 633 incidents spanning construction, industrial equipment, food and beverage, electronics, metals, and automotive sub-sectors, among others, in the first quarter of the year. ICS-adjacent organizations, including engineering firms, system integrators, and equipment manufacturers, accounted for another 139 incidents. Transportation and logistics followed with 87.

The logical outcome

Speakers at OT.SEC.CON described that pattern as the logical outcome of attacker economics: in OT, a few hours of disruption can translate into outsized financial pressure, making sectors with near‑zero tolerance for downtime disproportionately attractive to ransomware crews. 

North America led all regions with 480 incidents, followed by Europe with 252 and Asia with 137. The geographic concentration reflects more than target availability. Dragos notes that most large ransomware ecosystems cluster in jurisdictions with constrained law-enforcement activity, particularly when victims are foreign to the ransomware operator's home country. That alignment, geopolitical convenience shaping criminal targeting, is a dynamic security teams can't ignore.

Qilin led all groups with 198 incidents, holding its position as the top ransomware brand impacting industrial organizations for more than a year. Akira followed with 100 incidents. The Gentlemen, a relatively new RaaS operation that emerged around mid-2025, accounted for 83 incidents. That's a sharp increase from 18 in Q4 2025, and it warrants close attention. LockBit 5.0 and PLAY rounded out the top five. The ecosystem is consolidating, not fragmenting: a small number of mature, affiliate-supported RaaS operations are generating most of the damage.

Two shifts deserve attention. First, data theft has overtaken encryption as the primary extortion lever. Dragos' analysis cites Mandiant data indicating that 77% of ransomware intrusions in 2025 involved suspected data exfiltration, up from 57% in 2024. Backups mitigate encryption. They do nothing to contain regulatory exposure, litigation risk, or the operational consequences of stolen engineering data. For utilities, the implications compound: third-party engineering firms serving multiple utilities are high-leverage targets. The alleged breach at Pickett and Associates, which held extensive transmission, distribution, and substation design data for three major U.S. electric utilities, clearly illustrates the supply chain dimension of this risk.


Geopolitics shapes the hit lists

Second, geopolitical dynamics are actively shaping ransomware targeting. The series of incidents affecting Romanian critical infrastructure, including The Gentlemen attack on the Oltenia Energy Complex, the BitLocker-based intrusion against Romanian Waters, and Qilin's claimed intrusion at Conpet, the country's national oil pipeline operator, reflects an alignment between ransomware activity and geopolitical tension that goes beyond opportunism. Romanian government officials publicly attributed the pattern to actors with ties to Moscow. Similarly, Pay2Key, an Iranian-backed RaaS operation, intensified activity following the Israel-Iran conflict in early 2026, adjusting its affiliate incentive structure to prioritize attacks against Israeli and U.S. entities. Financial motivation and geopolitical motivation are no longer cleanly separable.

Dragos observed no ransomware variants specifically engineered to manipulate industrial control protocols during Q1 2026. That absence is context, not reassurance. Attacks on ERP systems, virtualization infrastructure, identity services, and remote access gateways routinely cascade into OT disruptions, production halts, and extended downtime without any ICS-specific malware in the chain. The convergence of IT and OT environments has effectively extended ransomware's operational reach without requiring adversaries to develop new ICS capabilities.

The tactical picture is similarly familiar. Initial access continues to flow through credential theft, exploitation of internet-facing services, and access purchased from initial access brokers. Post-compromise activity relies heavily on legitimate remote management tools: AnyDesk, TeamViewer, SimpleHelp, ConnectWise ScreenConnect, and others. EDR evasion and ESXi encryption remain normalized, not novel. Medusa affiliates exploited CVE-2025-31324, a critical SAP NetWeaver vulnerability, within a single day of disclosure, a reminder that vulnerability management timelines remain one of the sector's most consequential operational gaps.

The Dragos Q1 2026 report doesn't make a case for alarm. It makes a case for sustained operational discipline: external attack surface management, credential hygiene, MFA enforcement across all remote-access vectors, strict tooling policies, and security governance spanning both IT and OT domains. The ransomware ecosystem targeting industrial organizations has certainly matured, but how long can industry allow the threat environment to outpace the maturity of its defenses?
