The CYFIRMA Industries Report provides cutting-edge cybersecurity insights and telemetry-driven statistics on global industries. Spanning the last 365 days and highlighting year-over-year changes between 2023 and 2024, this report covers 13 key industries and presents critical trends and data in a compelling infographic format.
This is Part 2 of the report covering only the first half of individual industry breakdowns. If you would like to access the full report, it is available exclusively on our website.
Welcome to the CYFIRMA Infographic Industry Report, where we examine the external threat landscape across 13 industries over the past year. Through clear, data-driven visuals and expert insights, we present concise analyses of attack campaigns, phishing telemetry, and ransomware incidents affecting organizations worldwide.
Leveraging our cutting-edge platform telemetry and the deep expertise of our analysts, this report covers detailed industry-specific breakdowns along with cross-industry trends and year-over-year changes published in Part 1.
Our goal is to equip you with actionable intelligence that helps you stay ahead in the ever-evolving cybersecurity landscape.
CYFIRMA provides cyber threat intelligence and external threat landscape management platforms, DeCYFIR and DeTCT, which utilize artificial intelligence and machine learning to ingest and process relevant data, complemented by hands-on CTI research.
For the purpose of these reports, we leverage the following data from our platform. These are data processed by AI and ML automation based on both human research input and automated ingestions.
Leveraging our Early Warning platform data set, we present known attack campaigns conducted by known advanced persistent threat actors. Both nation-state and financially motivated.
Each attack campaign may target multiple organizations across various countries.
Campaign durations can vary from weeks to months or even years. They are sorted by the “last seen” date of activity to include the most relevant ones. Note that this may result in campaigns stacking up on later dates, affecting time-based trends.
Attribution to specific threat actors can be murky due to increasingly overlapping TTPs and commodity tools used. While suspected threat actors in this report are attributed with high confidence, we acknowledge the potential for inaccuracy.
Our data focuses on phishing campaigns rather than individual phishing or spear-phishing emails, which may limit visibility into more advanced single-target attacks.
Our primary focus is on detecting brand impersonation over intended targets. Due to our collection methodology and automation, we may not present comprehensive victimology for phishing campaigns across all industries as some are simply not good phishing lures.
Our data on victims in this report is directly collected from respective ransomware blogs, though some blogs may lack detailed victim information beyond names or domains, impacting victimology accuracy during bulk data processing.
In some cases, there are multiple companies that share the same name but are located in different countries, which may lead to discrepancies in geography and industry. Similar discrepancies occur with multinational organizations where we are not able to identify which branch in which country was actually compromised. In such a case, we count the country of the company’s HQ.
During the training of our processing algorithms, we manually verified results for industry and geography statistics at an accuracy rate of 85% with a deviation of ±5%. We continuously fine-tune and update the process.
Data related to counts of victims per ransomware group and respective dates is 100% accurate at the time of ingestion, as per their publishing on the respective group’s blog sites.
Finally, we acknowledge that many victims are never listed as they are able to make a deal with the attackers to avoid being published on their blogs.While this report contains statistics and graphs generated primarily by automation, it undergoes thorough review and enhancement for additional context by CYFIRMA CTI analysts to ensure the highest quality and provide valuable insights.
The following section delves into the Advanced Persistent Threat (APT) campaigns and ransomware victimology of 2024, offering an in-depth analysis of 13 industry categories. Each industry’s unique characteristics, vulnerabilities, and operational priorities have shaped how threat actors target and exploit them, providing valuable insights into the evolving cyber threat landscape.
This comprehensive overview highlights key trends, shifts in attacker focus, and the tactics, techniques, and procedures (TTPs) observed across sectors. The industries covered include:
(The below coming in Part 3)
By examining the APT campaigns and ransomware victimology, this section delivers a granular view of the threats impacting these industries. It highlights both the overarching trends influencing the global threat landscape and the distinct challenges faced by each industry, providing stakeholders with critical insights to navigate the evolving cyber threat landscape heading into 2025.
Year-to-Year Elevation: Moderate
In 2023, our DeCYFIR platform recorded a total of 27 campaigns. During 2024, it recorded 31, representing a 14.8% increase year-over-year.
The threat landscape shifted in 2024, with IT, Finance, and Manufacturing becoming the most targeted industries likely due to increasing global tensions and armed conflicts.
In total, 9 out of the 13 industries recorded fewer APT campaigns.
20 countries saw an increase in recorded APT campaigns, while 13 countries saw a decrease.
Year-to-Year Elevation: High
In 2023, CYFIRMA recorded 4,679 verified ransomware victims, while in 2024, the number increased to 5,219, representing an 11.5% year-over-year growth across all industries.
The Finance industry experienced the most notable decline, while Government & Civic saw a dramatic increase, indicating a sharp rise in targeting, correlated with heating geopolitical tension across the globe. Healthcare and Real Estate & Construction also witnessed increases. On the other hand, Logistics, and Telecommunications & Media saw significant decreases.
In total, half, 7 out of the 14, industries recorded more ransomware victims.
125 countries recorded ransomware victims in 2024. Below are the top 35 and their respective elevations.
Over the past 12 months, financial organizations recorded victims across 30 of the 34 Advanced Persistent Threat (APT) campaigns observed – an incidence rate of 94%.
These victims spanned multiple segments within the financial industry as shown below.
The finance industry faces threats from both financially motivated cybercrime groups and nation-state actors. Groups like Lazarus, FIN7, and TA505 focus on direct monetary exploitation, often through data theft and ransomware, while nation-state entities such as Mustang Panda, Cozy Bear, and Gamaredon target financial institutions for espionage or geopolitical purposes. Emerging and lesser-known groups, including regionally focused actors like unknown Thai- and Vietnamese-speaking TAs, add complexity to the landscape, underscoring the diverse and evolving nature of threats in the sector.
The chart shows APT campaigns targeting the finance sector across 30 countries, with a clear focus on North America, East Asia, and Southeast Asia. The United States, Japan, and the United Kingdom lead in incidents, while countries like Taiwan, Thailand, and India highlight regional emphasis. Emerging economies, including Saudi Arabia and the Philippines, further demonstrate the expanding reach of these threats.
The chart highlights the top technologies targeted in attacks, with web applications standing out as the primary focus, emphasizing their vulnerability as internet-facing systems. Operating systems follow, reflecting their ubiquity across devices and critical role in operations. While VPN solutions, routers, and infrastructure-as-a-service solutions have lower incident counts, they remain vital targets.
The chart highlights the top malware used in attacks, with custom TTPs and commodity malware leading the list. Together with Cobalt Strike, they emphasize attackers’ adaptability in leveraging both custom and widely available malware.
Notable strains like NukeSped RAT and Winnti reflect their continued evolution and use by respective threat actors.
In the past 12 months, CYFIRMA has identified 253 verified finance organization ransomware victims. This accounts for 4.85% of the overall total of 5,219 ransomware victims during the same period.
The finance industry recorded a significant decline of -40.19% in recorded victims from the previous year. Placing 7th overall in the combined years of 2023 and 2024, it moved down from 5th to 8th most frequent victim in respective years.
First and especially second quarters were significantly lower, and the number of victims grew substantially towards the end of the year.
Monthly activity in finance mostly follows the scaled-down global trendline. August and November recorded significant spikes, implying a growing trend into 2025.
A total of 54 out of 97 ransomware gangs, representing 56%, targeted the finance industry.
A breakdown of the top 30 gangs’ monthly activity offers insights into their operational patterns throughout the year.
LockBit3 was the most active ransomware gang, impacting 28 victims, with peaks in December (7 victims). RansomHub followed with 17 victims, focusing on late-year attacks, particularly in August, September, and November. Play and Bianlian each targeted 16 victims, with Play peaking in September-October and Bianlian active in December, March, and mid-year months.
Hunters impacted 15 victims, with notable activity in March, September, and November. Akira targeted 13 victims, with most activity occurring late in the year, especially in November. Blackbasta and Killsec (10 victims each) were active early and late in the year, respectively, with Killsec peaking in September-November.
Medusa and Meow each had 10 victims, with Medusa active in March and July, and Meow peaking between August and November. Smaller gangs like Cactus (7 victims), Incransom, Qilin, and Rhysida (6 each) had sporadic but focused campaigns.
Emerging groups like Blacksuit, Eldorado, and Alphv (4-5 victims each) had limited activity, while Safepay concentrated its attacks on three victims in November.
Analyzing the top 35 active gangs, LockBit3 leads in activity within the finance sector, with 28 victims (4.67%), reflecting significant activity but broad targeting across industries. RansomHub (17 victims, 3.58%) and Play (16 victims, 4.35%) also exhibit moderate activity in this sector. Other active gangs include Bianlian (16 victims, 9.47%) and Medusa (10 victims, 9.43%), which show higher focus relative to their activity levels.
Several gangs exhibit a significant focus on the finance industry:
Some gangs exhibit disproportionately high percentages due to low victim counts:
The USA accounts for 49.4% of ransomware victims in the finance industry in 2024. The next most affected countries are the UK with 14 victims, Canada with 11, Spain with 8, and Italy with 7.
In total, 54 countries reported victims, and 27 of these countries had only one victim each.
Risk Level Indicator: High
APT Campaigns
Financial organizations experienced a 94% incidence rate across observed APT campaigns, targeting both monetary assets and sensitive data. Threat actors range from financially motivated groups (e.g., Lazarus, FIN7) to nation-state entities (e.g., Mustang Panda, Cozy Bear). Emerging regional threats add complexity. Key focus areas include North America, East Asia, and Southeast Asia, with critical vulnerabilities in web applications and operating systems.
Actors: Lazarus, FIN7, TA505; Mustang Panda, Cozy Bear, Gamaredon; regional groups.
Geographic Focus: U.S., Japan, U.K., Taiwan, Thailand, India; emerging economies like Saudi Arabia.
Targets: Web apps, operating systems, VPNs, IaaS solutions.
Malware: Cobalt Strike, NukeSped RAT, Winnti.
Ransomware
The finance industry recorded 253 ransomware victims in the past year (4.85% of the global total), with a significant -40.19% decline from the previous year. LockBit 3 led attacks, followed by BianLian and Medusa, with emerging groups like RansomHub and Madliberator also targeting finance. Spikes in activity during August and November hint at a growing trend into 2025.
Victim Trends: Lower activity early in 2024, spikes in August/November.
Key Actors: LockBit 3, BianLian, Medusa, RansomHub, Madliberator.
Ranking: Finance ranked 8th most targeted sector globally in 2024.
Over the past 12 months, energy & utilities organizations recorded victims across 7 of the 34 Advanced Persistent Threat (APT) campaigns observed – an incidence rate of 21%.
These victims spanned multiple segments within the energy & utilities industry as shown below.
The energy and utilities industry faces threats from both nation-state and financially motivated groups. Mustang Panda and MISSION2025 (China) target the sector for espionage, while Russian actors like Cozy Bear, Fancy Bear, and Sandworm focus on both intelligence and disruption. Lazarus Group (North Korea) and TA505 highlight the financial motivations, targeting resources for state funding and profit.
The geographic targeting of the energy and utilities sector highlights its global significance, with a strong focus on advanced economies like Japan, the United States, and the United Kingdom, alongside growing activity in Asia-Pacific regions such as Vietnam, Taiwan, and Thailand.
Emerging markets, including India and the Philippines, are also increasingly targeted, while smaller nations like Saudi Arabia and Norway with significant energy resources also attract attention.
Web applications are the primary target, highlighting their vulnerability as internet-facing systems. Operating systems and infrastructure-as-a-service solutions are also key targets, emphasizing the attackers’ aim to exploit foundational technologies critical to operational continuity.
The malware targeting the energy and utilities sector demonstrates a mix of unique, custom TTPs and well-known strains. Custom TTPs lead, reflecting attackers’ tailored approaches to compromising critical infrastructure. Notable malware such as BlackEnergy, NukeSped RAT, and PlugX highlight a focus on espionage and operational disruption, while tools like Winnti and Korplug emphasize long-term persistence and data theft.
In the past 12 months, CYFIRMA has identified 149 verified energy & utilities organization ransomware victims. This accounts for 2.85% of the overall total of 5,219 ransomware victims during the same period.
The industry recorded a minor decline of -1.97% in recorded victims from the previous year. Although bumped down one position in the combined 2023 and 2024 number of victims, it retained the 12th position as the third least frequent victim for the respective years.
Energy & utilities show sustained numbers of victims. The start of the year was a little slower, but the number of victims started to pick up in the second half.
Monthly activity diverged in the middle months from a scaled-down global trendline. The start of the year was slow in line with the global trend, then February recorded a significant spike and then another during July. In October and November, we see an upward trend, implying an increase in activity into 2025.
In total 32 out of 97 gangs recorded victims in the healthcare industry, with a 33% participation.
A breakdown of the top 30 gangs’ monthly activity provides insights into which gangs were active each month.
Play was the most active gang, targeting 20 victims throughout the year, with notable spikes in February (4 victims) and steady activity across multiple months, including March, April, and November. Ransomhub followed with 16 victims, focusing its efforts on the latter half of the year, particularly in July, September, October, and November.
Lockbit3 impacted 14 victims, with most activity concentrated in December. Akira and Hunters each targeted 12 victims. Akira was especially active in July and November, while Hunters maintained steady activity, peaking in February, March, and late in the year.
Smaller groups like Bianlian and Dragonforce targeted seven victims each, with Dragonforce peaking in May and June. Blacksuit (6 victims) and Alphv, Meow, and Qilin (5 each) had sporadic activity, with Alphv active early in the year and Qilin showing later-year spikes.
Cactus impacted four victims, primarily mid-year. Several smaller groups, such as Blackbasta, Killsec, and Incransom (3 victims each), displayed limited and scattered campaigns. Minor actors like Toufan, Medusa, and Handala targeted one or two victims during specific months, reflecting isolated operations.
Play is the most active gang in this sector, with 20 victims (5.43%), followed by RansomHub, with 16 victims (3.37%), and LockBit3, with 14 victims (2.34%). These gangs exhibit broad targeting strategies across multiple industries, as reflected by their relatively low percentages in this sector. Akira and Hunters, with 12 victims each (4.27% and 5.53% respectively), also demonstrate moderate activity within energy and utilities.
No gangs exceed the 10% benchmark here, but some demonstrate noticeable focus with percentages above 5% and moderate victim counts. Dragonforce, with 7 victims (6.60%), and Alphv, with 5 victims (6.49%), stand out for their heightened attention to the energy sector. Lynx (3 victims, 5.08%) and Hunters (12 victims, 5.53%) also show signs of meaningful targeting in this sector.
Certain gangs exhibit disproportionately high percentages due to small victim counts. Apos, with only 1 victim but a striking 25.00%, reflects an extreme example of this skew. Similarly, Termite (1 victim, 16.67%) and Ciphbit (1 victim, 8.33%) show high percentages that do not indicate significant activity in the sector. Handala (2 victims, 5.26%) and Abyss (2 victims, 5.13%) also exhibit skewed percentages driven by their low absolute numbers of victims.
The USA accounts for 51.0% of ransomware victims in the Energy & Utilities industry in 2024. The next most affected countries are the UK with 8 victims, Canada with 7, and France and Germany each with 5 victims.
A total of 34 countries reported victims, with 19 of them having only one victim each.
Risk Level Indicator: Low
APT Campaigns
Energy & utilities organizations experienced a 21% incidence rate across observed APT campaigns, with threats driven by both nation-state and financially motivated actors. Espionage-focused groups (e.g., Mustang Panda, Cozy Bear) target critical infrastructure, while others (e.g., Lazarus, TA505) exploit resources for financial gain. Advanced economies like the U.S., U.K., and Japan remain primary targets, with increasing activity in Asia-Pacific and emerging markets.
Actors: Mustang Panda, Cozy Bear, Sandworm; Lazarus Group, TA505.
Geographic Focus: U.S., U.K., Japan; rising activity in Vietnam, Taiwan, India, and the Philippines.
Targets: Web applications, operating systems, and IaaS solutions.
Malware: BlackEnergy, NukeSped RAT, PlugX; persistent tools like Winnti, and Korplug.
Ransomware
The energy & utilities sector accounted for 149 ransomware victims in the past year (2.85% of the global total), with a minor decline of -1.97% from 2023. Activity spiked in February and July, with rising trends in October and November, suggesting increased targeting into 2025. Play ransomware was the most active group, but no gang showed a consistent focus on this industry.
Victim Trends: Slow start, spikes in February and July, upward trends in late 2024.
Key Actors: Play led activity, with RansomHub rising later in the year.
Geography: U.S. accounted for 51% of geographically identified victims.
Ranking: Energy & utilities ranked 12th globally for ransomware targeting.
Over the past 12 months, healthcare organizations recorded victims across 2 of the 34 Advanced Persistent Threat (APT) campaigns observed – an incidence rate of 6%.
These victims spanned multiple segments within the healthcare industry as shown below:
The healthcare industry faces targeted threats from both nation-state and financially motivated actors. Fancy Bear (Russia) likely targets the sector for espionage and intelligence gathering, while Mustang Panda (China) focuses on geopolitical objectives. Lazarus Group (North Korea) represents a blend of financial motivation and state funding, while TA505 highlights the profit-driven cybercrime targeting healthcare’s sensitive data. This mix of motivations underscores the sector’s dual vulnerability to both espionage and financial exploitation.
Nations like South Korea, Japan, Taiwan, and the United States are primary targets, highlighting their advanced healthcare infrastructure and valuable data. Meanwhile, countries such as Vietnam, Singapore, and India indicate a growing interest in the Asia-Pacific region. The inclusion of smaller nations like Norway, Qatar, and Saudi Arabia demonstrates the global nature of healthcare threats.
The healthcare industry’s top targeted technology is web applications, reflecting their critical role in modern healthcare operations. As internet-facing systems, they are particularly vulnerable to exploitation, offering attackers access to sensitive patient data and operational systems.
The malware targeting the healthcare industry highlights a mix of custom tools and well-known strains. Unique/Custom TTPs reflect attackers’ tailored approaches to compromising healthcare systems.
Korplug, NukeSped RAT, and Sogu emphasize espionage and data theft, aligning with the attackers’ goals of accessing sensitive patient records and critical operational information.
In the past 12 months, CYFIRMA has identified 556 verified healthcare organization ransomware victims. This accounts for 10.65% of the overall total of 5,219 ransomware victims during the same period.
The industry recorded a substantial increase of 9.66% in recorded victims from the previous year. And ranked 4th place for combined victims in both years as well as retained 4th place in both respective years. Underlying the continued and sustained risk.
Healthcare shows sustained numbers of victims. Curiously alternating nearly the same numbers of victims between quarters.
Monthly activity mostly follows the scaled-down global trendline. With the exception between January to March when we observed above-average numbers. In October and November, we see an upward trend, implying an increase in activity into 2025.
In total, 77 out of 97 gangs recorded victims in the healthcare industry, with a 79% participation rate.
A breakdown of the top 30 gangs’ monthly activity provides insights into which gangs were active each month.
LockBit3 led ransomware activity, targeting 56 victims early in the year, with significant peaks in February (11 victims) and its activity waned in later months. RansomHub followed closely with 45 victims, maintaining a steady increase in attacks from May onwards, peaking in September and October (9 and 11 victims, respectively).
Incransom impacted 34 victims, with consistent activity peaking in May (7 victims) and sporadic surges across the year. Bianlian targeted 27 victims, with steady activity across all months and minor peaks in early and late months. Hunters and Play each accounted for 26 victims. Hunters showed even distribution throughout the year, while Play peaked in March (5 victims) and remained moderately active.
Akira targeted 25 victims, with notable spikes in January and July. Medusa, with 24 victims, concentrated its attacks in March, May, and June. Blackbasta (22 victims) was active early in the year, peaking in March and April. Qilin followed closely, targeting 21 victims with a strong presence in July and October.
Smaller groups like Blacksuit (18 victims), Killsec, and Meow (15 each) displayed periodic activity, with Killsec peaking late in the year. Alphv and Dragonforce (12 victims each) were more active early in the year, while others, like Cactus and 8Base (10 and 9 victims, respectively), had limited but consistent campaigns.
Lesser-known groups like Fog, Monti, and Everest each targeted fewer than 10 victims, showing sporadic spikes in specific months. Sarcoma, with just four victims, was active only in October and November, indicating isolated campaigns.
A closer analysis of the top 35 gangs and the percentage share of victims reveals the disturbing reality of how many gangs focus on the healthcare industry, exploiting its vulnerability to operational disruptions.
LockBit3 leads in activity within the healthcare sector, with 56 victims (9.35%). Its high number of victims suggests a deliberate but broad targeting strategy. RansomHub follows closely, with 45 victims (9.47%), indicating significant activity in the sector. Other active gangs include Incransom (34 victims, 21.52%) and Bianlian (27 victims, 15.98%), both of which demonstrate substantial focus on healthcare.
Several gangs exhibit a significant focus on the healthcare sector:
Some gangs show disproportionately high percentages due to low victim counts:
The USA accounts for 57.1% of ransomware victims in the Healthcare industry in 2024. The next most affected countries are the UK with 32 victims, Canada with 23, India with 16, and France with 14.
A total of 58 countries reported victims, with 27 of them having only one victim each.
Risk Level Indicator: Low/High
APT Campaigns
The healthcare industry experienced a low 6% incidence rate across observed APT campaigns, driven by both espionage and financially motivated actors. Groups like Fancy Bear and Mustang Panda focus on intelligence and geopolitical goals, while Lazarus and TA505 target financial gain and sensitive data. Key targets include nations with advanced healthcare systems and growing interest in Asia-Pacific regions.
Actors: Fancy Bear, Mustang Panda, Lazarus Group, TA505.
Geographic Focus: U.S., Japan, South Korea; emerging targets in Vietnam, Singapore, and India.
Targets: Web applications are primary, exposing patient data and operational systems.
Malware: Korplug, NukeSped RAT, Sogu, emphasizing espionage and data theft.
Ransomware
The healthcare sector accounted for 556 ransomware victims in the past year (10.65% of global total) an increase of 9.66%. With sustained activity and spikes in early 2024. LockBit 3 led in volume but faced setbacks, while RansomHub and other gangs exploited the sector’s critical vulnerabilities. Healthcare organizations remain a top target due to their susceptibility to operational disruptions.
Victim Trends: Alternating quarterly activity; spikes in Q1, October, and November.
Key Actors: LockBit 3, RansomHub, Inc Ransom (21.52% of victims), Alphv, and Killsec.
Geography: U.S. accounted for 57% of victims, with activity in 59 countries.
Ranking: Healthcare placed as 4th most frequent ransomware victim.
Over the past 12 months, logistics organizations recorded victims across 8 of the 34 Advanced Persistent Threat (APT) campaigns observed – an incidence rate of 24%.
These victims spanned multiple segments within the logistics industry as shown below:
The logistics industry is targeted by a mix of nation-state and financially motivated threat actors. Stone Panda, Mustang Panda, and MISSION2025, all linked to Chinese interests, focus on espionage and data theft, likely seeking supply chain intelligence.
Cozy Bear and Fancy Bear (Russia) reflect geopolitical motives, targeting logistics for strategic disruption or intelligence gathering. Lazarus Group (North Korea) blends financial objectives with state-sponsored motives, while TA505 represents profit-driven attacks, often aimed at ransomware and data extortion.
The geographic distribution of APT campaigns targeting the logistics industry reflects its global importance, with a strong focus on Asia and advanced economies. Japan and India lead, highlighting their role as major logistics hubs in the region, followed closely by the United States.
Vietnam, South Korea, and Taiwan further demonstrate the emphasis on Asia-Pacific, where logistics systems are vital to regional and global supply chains. Emerging economies like the Philippines and Thailand also show significant activity, while the inclusion of smaller nations like Nepal, Bangladesh, and Brunei underscores the expanding scope of attacks, targeting both major and developing logistics infrastructures worldwide.
The logistics industry’s most targeted technologies highlight attackers’ focus on critical systems. Web applications dominate, reflecting their vulnerability as internet-facing systems integral to logistics operations.
Operating systems are also key targets, emphasizing attackers’ focus on foundational technologies critical for system functionality. Additionally, infrastructure-as-a-service solutions appear as a target, underscoring the importance of cloud-based systems in modern logistics and the risks they pose if compromised.
Unique/Custom TTPs and Commodity Malware dominate, reflecting tailored approaches and accessible tools for exploiting logistics systems. Winnti highlights long-term persistence and espionage capabilities, aligning with nation-state objectives.
Other strains, such as Crimson RAT, PlugX, and NukeSped RAT, emphasize data theft and infiltration, while Lodeinfo and MiniDuke showcase attackers’ focus on intelligence gathering.
In the past 12 months, CYFIRMA has identified 171 verified logistics industry ransomware victims. This accounts for 3.28% of the overall total of 5,219 ransomware victims during the same period.
The industry recorded a significant decrease of -19.34% in recorded victims from the previous year. And ranked at 9th place for combined victims in both years. For year-to-year change it dropped down from 9th to 11th place as fourth least frequent victim.
The logistics industry shows sustained numbers of victims across all four quarters. Only minor dip occurring during 3rd quarter.
Monthly activity mostly follows the scaled-down global trendline. However, it started falling off in May, when the Logistics industry did not experience the global spike and has been the average line for the rest of the year. Though October and November recorded significant growth and imply an uptick into 2025.
In total 49 out of 97 gangs recorded victims in the logistics industry, with a 51% participation.
A breakdown of the top 30 gangs’ monthly activity provides insights into which gangs were active each month.
LockBit3 led ransomware activity, targeting 22 victims. Akira followed with 15 victims, showing concentrated activity in January, June, and July, and a spike in November (3 victims).
Killsec and Medusa each targeted 9 and 8 victims, respectively, with Killsec peaking in September and October, and Medusa active in March, May, and November. Ransomhub also impacted 8 victims, focusing primarily on later months like August, October, and November.
8Base targeted 6 victims, with the most activity in February and April. Several groups, including Bianlian, Cactus, Hunters, Incransom, Meow, and Play, each impacted 5 victims, with scattered campaigns throughout the year. Notably, Meow peaked in December with two attacks, and Play surged in October.
Smaller groups like Blackbasta, Blacksuit, Dragonforce, Qilin, and Rhysida each targeted 4 victims, with Qilin showing steady activity from July to October and Dragonforce active early in the year. Stormous also targeted 4 victims, focusing on early and mid-year months.
Emerging gangs such as Arcusmedia, Fog, Monti, Spacebears, and Toufan had minimal activity, each targeting 3 victims or fewer. Groups like Mydata, Ransomexx, and Safepay were the least active, with isolated campaigns primarily in the first half of the year.
Reviewing the top 35 active gangs, LockBit3 is the most active gang targeting logistics, with 22 victims (3.67%), demonstrating broad activity but not a specific focus on this sector. Akira, with 15 victims (5.34%), and Killsec, with 9 victims (8.49%), show moderate activity and a more concentrated effort within logistics. Other active gangs include Medusa (8 victims, 3.86%) and RansomHub (8 victims, 1.68%), both with modest targeting of the logistics industry.
Several gangs display significant focus on logistics, though with varying victim counts:
Some gangs show disproportionately high percentages due to low victim counts:
The USA accounts for 46.2% of ransomware victims in the Logistics industry in 2024. The next most affected countries are Canada with 11 victims, the UK with 8, Germany with 8, and France with 7.
A total of 37 countries reported victims, with 17 of them having only one victim each.
Risk Level Indicator: Moderate
APT Campaigns
The logistics industry recorded a 24% incidence rate across observed APT campaigns, driven by nation-state espionage and financially motivated attacks. Groups like Stone Panda and Mustang Panda (China) target supply chain intelligence, while Cozy Bear and Fancy Bear (Russia) pursue strategic disruption. Lazarus (North Korea) and TA505 blend financial motives with state-sponsored agendas. Key targets include Asia-Pacific logistics hubs and advanced economies.
Actors: Stone Panda, Mustang Panda, Cozy Bear, Fancy Bear, Lazarus, TA505.
Geographic Focus: Japan, India, the U.S.; activity in Vietnam, South Korea, Taiwan, and emerging markets like Thailand and the Philippines.
Targets: Web applications, operating systems, and IaaS solutions critical to logistics.
Malware: Winnti, Crimson RAT, PlugX, NukeSped RAT, Lodeinfo, MiniDuke.
Ransomware
The logistics sector accounted for 171 ransomware victims (3.28% of the global total), with a -19.34% year-over-year decrease. Activity was consistent across quarters, except for a slight Q3 dip. October and November showed significant growth, indicating potential escalation into 2025. Lockbit3 led in volume, but smaller gangs like Killsec and Cuba also demonstrated significant focus.
Victim Trends: Stable activity; growth in October/November.
Key Actors: LockBit 3, Akira, Killsec (8.49% of victims), RansomHub, Cuba (50% of its victims in logistics).
Geography: The U.S. accounted for 46% of victims; activity was recorded in 37 countries.
Ranking: Logistics ranks 11th globally for ransomware targeting.
Over the past 12 months, manufacturing organizations recorded victims across 16 of the 34 Advanced Persistent Threat (APT) campaigns observed – an incidence rate of 47%.
These victims spanned multiple segments within the manufacturing industry as per below:
The manufacturing industry faces a mix of nation-state espionage and financially motivated threats. Groups like Lazarus Group (North Korea) and FIN7 target the sector for resource acquisition, focusing on financial gain. Nation-state actors such as MISSION2025, Mustang Panda, and Stone Panda (China) prioritize espionage and intellectual property theft, aiming to exploit advanced manufacturing technologies. Cozy Bear (Russia) and Transparent Tribe (Pakistan) align with broader geopolitical interests, incorporating manufacturing into larger intelligence-gathering efforts.
Meanwhile, emerging groups—like Unknown English-speaking TA and Unknown Vietnamese TA—highlight the sector’s growing appeal, underscoring its critical importance and vulnerability to a wide array of attackers.
The manufacturing sector faces global APT activity, with a strong focus on industrialized nations like the United States, Japan, and the United Kingdom. Asia-Pacific countries, including India, South Korea, Taiwan, and Vietnam, are heavily targeted due to their significance in global supply chains.
Emerging economies like the Philippines and Indonesia are also increasingly targeted, while smaller nations such as Bangladesh and Nepal reflect the widening scope of attacks across both established and developing manufacturing hubs.
The manufacturing sector’s most targeted technologies highlight attackers’ focus on foundational systems. Web applications dominate, reflecting their critical role in manufacturing operations and vulnerability as internet-facing systems. Operating systems also see significant targeting, emphasizing the attackers’ interest in exploiting core infrastructure to disrupt operations or gain deeper access to networks.
The malware targeting the manufacturing sector reflects a blend of custom tools, commodity malware, and well-known strains. Unique/Custom TTPs and Commodity Malware lead, highlighting both tailored approaches and the use of readily available tools.
Winnti and NukeSped RAT stand out for their focus on long-term infiltration and data theft, aligning with espionage goals. Other tools, such as Cobalt Strike, Coinminer, and Korplug, demonstrate attackers’ versatility in exploiting systems for both financial gain and operational disruption.
In the past 12 months, CYFIRMA has identified 637 verified manufacturing industry ransomware victims. This accounts for 12.21% of the overall total of 5,219 ransomware victims during the same period.
The industry recorded a mild increase of 4.26% in recorded victims from the previous year. And ranked 3rd place for combined victims in both years as well as retained 3rd place in both respective years, underlying the continued and sustained risk.
The manufacturing industry shows sustained numbers of victims across all four quarters. A notable dip occurred during the 3rd quarter, however, was followed by an uptick during the 4th quarter.
Monthly activity closely follows the scaled-down global trendline. The only minor divergence was during August when the industry contrary to the global trend recorded a minor dip. October and November recorded significant growth and imply an uptick into 2025.
In total, 69 out of 97 gangs recorded victims in the manufacturing industry, with a 71% participation rate.
A breakdown of the top 30 gangs’ monthly activity provides insights into which gangs were active each month.
LockBit3 led ransomware activity with 74 victims, peaking in February (17 victims) and May (20 victims). Play followed with 59 victims, spiking in September (12 victims) and October (9 victims). RansomHub (44 victims) was most active in August, October, and November, while Akira (42 victims) peaked in July and November.
8Base (34 victims) focused on early-year campaigns, while Hunters (27 victims) maintained steady activity. Toufan published 25 victims in December and disappeared. Blackbasta (24 victims) and Cactus (23 victims) showed moderate but steady operations, with occasional peaks.
Dragonforce, Medusa, and Meow (18-19 victims each) focused on mid-to-late-year activity. Smaller groups like Incransom, Bianlian, Blacksuit, and Qilin (14-15 victims each) had scattered campaigns. Emerging actors like Fog (10 victims) and Cicada3301 (9 victims) were sporadically active, mostly late in the year.
LockBit3 and Play drove sustained activity, while others like RansomHub and Akira showed concentrated spikes.
Analyzing the top 35 active gangs, LockBit3 leads in activity within the manufacturing sector, with 74 victims (12.35%), showing a strong focus on this industry. Play follows closely, with 59 victims (16.03%), reflecting substantial targeting. RansomHub (44 victims, 9.26%) and Akira (42 victims, 14.95%) also show notable activity and focus in this sector. These gangs collectively dominate ransomware activity in manufacturing.
Several gangs exhibit a strong focus on the manufacturing sector:
Some gangs show disproportionately high percentages due to low victim counts:
The USA accounts for 63.1% of ransomware victims in the Manufacturing industry in 2024. The next most affected countries are Canada with 36 victims, Germany with 32, the UK with 26, and Italy with 23.
A total of 61 countries reported victims, with 26 of them having only one victim each.
Risk Level Indicator: High
APT Campaigns
The manufacturing sector recorded a high 47% incidence rate across observed APT campaigns, driven by a mix of espionage and financially motivated attacks. Groups like Lazarus and FIN7 target resources for financial gain, while nation-state actors such as MISSION2025, Mustang Panda, and Stone Panda focus on intellectual property theft and technological advancements. Emerging threats from less-defined groups highlight the growing global appeal of targeting this sector.
Actors: Lazarus, FIN7, Stone Panda, Mustang Panda, Cozy Bear, Transparent Tribe.
Geographic Focus: U.S., Japan, U.K.; Asia-Pacific nations (India, South Korea, Taiwan); emerging markets like Indonesia, and Philippines.
Targets: Web applications, operating systems, and core infrastructure.
Malware: Winnti, NukeSped RAT, Cobalt Strike, Coinminer, Korplug.
Ransomware
Manufacturing accounted for 637 ransomware victims (12.21% of the global total), showing a 4.26% increase year-over-year and ranking as the 3rd most targeted sector. Sustained activity across the year included a Q3 dip followed by significant growth in Q4, particularly in October and November, signaling a potential upward trend into 2025.
Victim Trends: Stable activity; spikes in October and November.
Key Actors: LockBit 3, Toufan (27% of its victims in manufacturing), Akira, 8Base, Cactus.
Geography: The U.S. accounted for 63% of victims; activity recorded in 61 countries.
Insight: Manufacturing remains a top target due to its critical role in global supply chains and technological innovation.
Ranking: Manufacturing ranked 3rd globally for ransomware targeting.
Over the past 12 months, automotive organizations recorded victims in 1 of the 34 Advanced Persistent Threat (APT) campaigns observed – an incidence rate of 3%.
These victims spanned 2 segments within the automotive industry as per below:
The single observed campaign came from financially motivated cybercriminals. Due to overlapping TTPs, we have murky attribution to all three TA505, FIN11, and FIN7, which are known for their focus on data theft, ransomware, and financial extortion.
The low presence of only profit-driven actors represents a significant departure from the previously prominent state-sponsored cyber activities associated with China. This shift suggests that China has aimed its cyber capabilities towards different objectives.
The geographic distribution of APT activity in the automotive industry highlights a global reach, with incidents spread across countries like the United States, Japan, and the United Kingdom, reflecting their prominence in automotive innovation and production.
Activity in South Korea, Vietnam, and Indonesia underscores the importance of the Asia-Pacific region as a growing hub for automotive manufacturing.
The automotive industry’s sole targeted technology is web applications, highlighting their critical role in modern automotive operations and their vulnerability as internet-facing systems.
The automotive industry was targeted with unique/custom TTPs, reflecting a tailored approach by attackers to exploit specific vulnerabilities.
This highlights the industry’s exposure to sophisticated and highly targeted threats.
In the past 12 months, CYFIRMA has identified 99 verified automotive industry ransomware victims. This accounts for 1.90% of the overall total of 5,219 ransomware victims during the same period.
The industry recorded a significant decrease of -10.81% in recorded victims from the previous year. And ranked last at 14th place for combined victims in both years. Even though it dropped down from 13th to 14th during 2024 as the least frequent victim. It is important to note the relatively narrow scope of just automotive industry.
The automotive industry had a calm first quarter of the year, unfortunately, the rest of the year picked up the numbers. Especially in the second and fourth quarters.
Monthly activity only roughly follows the scaled-down global trendline. January and February we significantly calmer months, offset by above average months of March and April. Another dip came in September, but the year ended with a year high, signaling elevated risk into 2025.
In total, 35 out of 97 gangs recorded victims in the automotive industry, with a 36% participation rate.
A breakdown of the top 30 gangs’ monthly activity provides insights into which gangs were active each month.
Play led ransomware activity, targeting 13 victims, with peaks in March, May, and October. RansomHub followed with 11 victims, primarily active in August and November. 8Base and LockBit3 each accounted for 7 victims, with 8Base peaking in February and March.
Akira targeted 6 victims, with notable activity in July and November. Cactus and Medusa (4 victims each) were active sporadically, with Cactus peaking early in the year and Medusa showing scattered campaigns. Smaller groups like Blackbasta, Hunters, and Incransom targeted 3 victims each, with activity concentrated in specific months such as April, September, and November.
Emerging actors like Lynx, Raworld, and Spacebears (3 victims each) demonstrated isolated campaigns, while groups such as Blacksuit, Dragonforce, and Qilin (2 victims each) had limited activity. Minor actors like Safepay, Abyss, and Kairos targeted only 1 or 2 victims, with their campaigns appearing late in the year.
Overall, activity was dominated by Play and RansomHub, with smaller and emerging groups contributing sporadically to a fragmented threat landscape.
Looking at all 35 active gangs, Play is the most active gang in the automotive sector, with 13 victims (3.53%), suggesting moderate activity but no specific focus on this industry. RansomHub follows with 11 victims (2.32%), reflecting similar trends of moderate activity across industries. LockBit3 and 8Base each have 7 victims (1.17% and 4.40%, respectively), with 8Base showing a slightly stronger focus.
Several gangs demonstrate notable focus within the automotive sector, albeit with varying victim counts:
Certain gangs show disproportionately high percentages due to very low victim counts:
The USA accounts for 43.4% of ransomware victims in the Automotive industry in 2024. The next most affected countries are the UK with 9 victims, Australia with 7, Germany with 6, and Canada with 5.
A total of 20 countries reported victims, with 6 of them having only one victim each.
Risk Level Indicator: Low/Moderate
APT Campaigns
The automotive sector had a low 3% incidence rate across observed APT campaigns, driven solely by financially motivated groups such as TA505, FIN11, and FIN7, targeting data theft, ransomware, and extortion. Notably, Chinese state-sponsored activity, previously prominent in this sector, has significantly declined.
Actors: TA505, FIN11, FIN7.
Geographic Focus: The U.S., Japan, U.K.; emerging hubs in South Korea, Vietnam, and Indonesia.
Targets: Solely web applications, reflecting their vulnerability as critical internet-facing systems.
Tactics: Custom TTPs tailored to exploit specific vulnerabilities.
Ransomware
The automotive industry accounted for 99 ransomware victims (1.90% of global total), marking a -10.81% year-over-year decrease and ranking as the least targeted sector. Activity was calm in Q1 but increased in Q2 and Q4, with a year-high in December indicating potential elevated risk into 2025.
Victim Trends: Steady increase after Q1; peaks in March, April, and December.
Key Actors: Play (most active), 8Base, Lynx (5.0% share), Raworld (6.7%), Spacebears (8.1%).
Geography: U.S. accounted for 43% of victims; activity recorded in 20 countries.
Insight: The lack of a concentrated focus by ransomware groups reflects the sector’s lower priority compared to others.
Ranking: Automotive industry ranked 14th as the least frequent target of ransomware.
Over the past 12 months, materials organizations recorded victims across 2 of the 34 Advanced Persistent Threat (APT) campaigns observed – an incidence rate of 6%.
These victims spanned multiple segments within the materials industry as per below:
The materials industry faces threats from a mix of nation-state and financially motivated actors. Cozy Bear and Fancy Bear (Russia) focus on espionage, likely targeting sensitive data and intellectual property related to critical materials. Meanwhile, TA505 represents profit-driven motives, targeting the sector for financial extortion and data theft.
MISSION2025 (China) emphasizes geopolitical interests, aiming to exploit technological advancements and trade secrets. This combination of threats underscores the materials industry’s strategic importance in both economic and geopolitical contexts.
The materials industry faces geographically diverse targeting, with a strong focus on Asia-Pacific nations like South Korea, Vietnam, Japan, Taiwan, and India, reflecting the region’s role as a hub for critical material production and innovation.
The United States also features prominently, underscoring its strategic importance in the global supply chain.
Other countries, including the Philippines, United Kingdom, and Saudi Arabia, illustrate the expanding reach of attacks, targeting both established and emerging players in the materials sector.
The materials industry’s targeted technology is web applications, emphasizing their vulnerability as internet-facing systems essential for operations. This highlights the critical need for securing these interfaces to prevent exploitation and protect sensitive industry data.
The materials industry is targeted by a mix of custom and well-known malware. Winnti is notable for its long-term infiltration and data theft capabilities, commonly used in espionage operations. Unique/Custom TTPs highlight attackers’ tailored approaches to exploiting specific vulnerabilities. MiniDuke, known for its espionage focus, further underscores the strategic importance of the materials sector to nation-state actors.
In the past 12 months, CYFIRMA has identified 223 verified materials industry ransomware victims. This accounts for 4.27% of the overall total of 5,219 ransomware victims during the same period.
The industry recorded a major increase of 43.87% in recorded victims from the previous year. And ranked at 11th place for victims in both years combined. The industry moved up from 11th to 10th place during 2024 as a tenth most frequent victim.
The materials industry experienced sustained activity in the first three quarters, with a minor dip during the second. However, in line with the global trend number of victims spiked in the fourth quarter.
Monthly activity only follows the scaled-down global trendline at the start and end of the year. In March and April, the industry recorded a dip in activity and diverged from the global trendline. In May activity picked up again and towards the end of the year caught up with the global trendline, which suggests higher activity at the start of 2025.
In total 54 out of 97 gangs recorded victims in the materials industry, 56% participation.
A breakdown of the top 30 gang’s monthly activity provides insights into which gangs were active each month.
LockBit3 dominated ransomware activity with 27 victims, peaking in February (8 victims). Play followed with 17 victims, with notable spikes in August and September. Akira targeted 15 victims, with activity concentrated in the latter half of the year, particularly in November (8 victims).
RansomHub recorded 13 victims, with steady activity from August through October. Medusa and Qilin each accounted for 11 victims, with Medusa peaking in May and October, while Qilin maintained consistent activity across multiple months. Bianlian and Hunters (10 victims each) focused their campaigns on August and October.
Smaller actors included 8Base (7 victims), Dragonforce, and Fog (6 each), with Dragonforce peaking in August and Fog active later in the year. Blackbasta and Rhysida targeted 5 victims each, with Rhysida showing late-year spikes in October and November. Sarcoma also reached 5 victims, with its activity exclusively in October and November.
Emerging groups such as Alphv, Cactus, and Meow (4 victims each) showed limited but sporadic operations. Minor actors like Cloak, Clop, and Incransom (3 victims each) contributed with isolated campaigns, primarily in mid-to-late months.
Overall, LockBit3 and Play led the ransomware landscape, while groups like Akira, RansomHub, and Medusa demonstrated seasonal peaks.
Analysis of the top 35 gangs, LockBit3 is the most active gang in the materials sector, with 27 victims (4.51%), followed by Play, with 17 victims (4.62%). Both demonstrate moderate activity but no specific focus on the materials industry. Akira (15 victims, 5.34%) and RansomHub (13 victims, 2.74%) also show some presence in this sector, though their focus appears distributed across multiple industries.
Several gangs exhibit significant focus within the materials sector:
Certain gangs show disproportionately high percentages due to low victim counts:
The USA accounts for 47.5% of ransomware victims in the Materials industry in 2024. The next most affected countries are Canada with 16 victims, France with 7, Spain with 7, and Italy with 5.
A total of 44 countries reported victims, with 20 of them having only one victim each.
Risk Level Indicator: Moderate
APT Campaigns
The materials sector experienced a low 6% incidence rate across observed APT campaigns, driven by nation-state and financially motivated actors. Cozy Bear and MISSION2025 target intellectual property and trade secrets, while TA505 focuses on financial extortion. The sector’s strategic importance to global supply chains and innovation makes it a key target for espionage and economic disruption.
Actors: Cozy Bear, Fancy Bear, MISSION2025, TA505.
Geographic Focus: U.S., South Korea, Vietnam, Japan, and India; emerging targets in the Philippines, U.K., and Saudi Arabia.
Targets: Web applications, reflecting their critical role in operations and vulnerability as internet-facing systems.
Malware: Winnti, MiniDuke; custom TTPs for tailored exploitation.
Ransomware
The materials industry accounted for 223 ransomware victims (4.27% of the global total), with a significant 43.87% year-over-year increase, ranking 10th among targeted sectors in 2024. Activity remained steady across most quarters, with a Q4 spike indicating higher risks moving into 2025.
Victim Trends: Stable across Q1-Q3; spikes in Q4.
Key Actors: LockBit 3 (27 victims, peak in February), Play (17 victims, peaks in August/September), Akira (15 victims, peak in November).
Geography: The U.S. accounted for 48% of victims; activity recorded in 44 countries.
Ranking: The materials industry ranked 10th as the tenth most frequent victim of ransomware.