
The latest data analyzed by NordStellar, a threat exposure management platform, reveals that the number of ransomware incidents in 2025 is continuing to grow in the manufacturing sector. "So far this year's results are highlighting a worrying trend," says Vakaris Noreika, cybersecurity expert at NordStellar. "The majority of the growth we're witnessing right now is most likely a direct result of the increase in ransomware-as-a-service (RaaS) that allows cybercriminals to scale their attacks and has lowered the entry barrier for bad actors.
"Another key factor is the significant increase in the number of active ransomware groups, which has reached an all-time high." Noreika explains that the number of active ransomware groups has been consistently increasing over the past five years. In September alone, NordStellar traced back the ransomware incidents to 66 different groups.
In July-September 2025, 31 percent more cases were exposed on the dark web. Additionally, manufacturing was the industry most affected by ransomware. "Companies operating in the manufacturing industry experience high operational downtime costs, making them more inclined to give in to ransomware demands to resolve the incident as soon as possible. They also often rely on outdated or unpatched software and systems and are more likely to experience supply chain vulnerabilities due to reliance on third-party vendors, partners, and logistics providers," says Noreika.
He explains that companies operating in the professional, scientific, and technical services industry often work with confidential customer data, intellectual property, and critical business tools, making them an attractive target for ransomware actors. Small and medium-sized businesses (SMBs) were the most affected. The data revealed that organizations with up to 200 employees and revenues of up to $25 million experienced the most attacks.
"As in the first half of 2025, SMBs continue to remain the primary targets for ransomware. Ransomware actors usually perceive smaller businesses as lower-risk targets because they might lack a sophisticated IT infrastructure, operate on low cybersecurity budgets, and not have the means to investigate or report attacks to authorities," says Noreika.
He adds that companies with smaller revenues may also be more likely to meet attackers' demands, since the cost of downtime, data loss, or reputational damage from a full-blown ransomware attack could devastate the business financially. As a result, many of them could view paying the ransom as the only option, making them targets with a higher chance of success for ransomware attackers.
Familiar Faces Take the Lead
The ransomware group Qilin was responsible for the most attacks in Q3 2025, and continues to hold the number one spot from the previous quarter. It's followed by Akira (190), INC Ransom (146), Play (102), and Safepay (92).
According to Noreika, ransomware groups are highly organized. He explains that business leaders are not always fully aware of the danger these groups pose: for example, they often seek out top talent in cybersecurity or might even recruit insiders to carry out a targeted attack against an organization, making them a threat that companies cannot afford to underestimate.
He also advises that the first step in making a company ransomware-resistant is prevention. He highlights cybersecurity hygiene as the primary foundation. "Most attacks happen due to user error. As a result, raising cybersecurity awareness and increasing training, as well as promoting good cybersecurity hygiene, is the basic first step," says Noreika.
He continues by saying that employees who can recognize phishing scams, understand the importance of proper password management, and see the need for tools like multi-factor authentication or a VPN are less likely to open the company's network to cyber intruders.
"Another important factor is monitoring and addressing unknown cybersecurity gaps. With more businesses embracing hybrid or remote work models, introducing unmanaged devices and relying on third-party vendors, the attack surface is expanding, and any endpoint can be exploited," says Noreika.















