Intelligence reports and incident data from the first half of 2026 confirm that state-aligned threat actors have substantially expanded ransomware operations into operational technology (OT) environments, targeting energy grids, manufacturing plants, and water utilities with tools and tactics previously confined to IT networks. The shift marks a strategic evolution in which disrupting physical processes - not merely encrypting data - has become the primary objective, according to multiple cybersecurity research organizations.
Background
The convergence of IT and OT networks has fundamentally enlarged the attack surface across critical infrastructure. Fewer than 10% of OT networks have adequate monitoring in place, and in 30% of incident response engagements, investigations began only after operational anomalies appeared rather than from proactive detection, according to Dragos's 2026 OT/ICS Cybersecurity Year in Review. Legacy control systems compound the problem: many PLCs (programmable logic controllers), SCADA systems, and industrial IoT devices were not designed for modern security controls, and in Europe, 80% of manufacturers continue to operate critical OT systems with known vulnerabilities, according to Check Point Research cited by Industrial Cyber.
The Waterfall Threat Report 2026 found that nation-state and hacktivist attacks on OT environments doubled in 2025 compared to 2024, with five of fourteen confirmed destructive attacks directly tied to Russia's invasion of Ukraine. The report also noted that distinguishing state-directed campaigns from hacktivist operations has grown increasingly difficult as the two categories converge in tactics and objectives.
Details
Dragos identified 119 ransomware groups attacking industrial organizations in 2025, a 49% rise from 80 groups in 2024, collectively affecting approximately 3,300 organizations; manufacturing accounted for over two-thirds of ransomware victims. In Q2 2025, North America recorded 355 industrial ransomware incidents - approximately 54% of global activity - while Europe reported 173 incidents, up from 135 in Q1, according to Dragos's quarterly analysis.
State actors are exploiting criminal infrastructure to obscure attribution. In March 2025, Qilin ransomware was adopted operationally by North Korea's state-sponsored threat actors, according to Dragos. Separately, Saltanat Mashirova, senior manager for OT cybersecurity at CPX, told Industrial Cyber that Iran-aligned cyber actors, including APT groups MuddyWater and APT33, have increasingly targeted critical infrastructure, with groups like DragonForce exfiltrating sensitive data from energy and medical device sectors by March 2026. "State-aligned actors have increasingly leveraged criminal groups, obscuring attribution and amplifying the impact of their attacks," Mashirova stated.
According to Poland's CERT-PL, a campaign attributed to the Russian-linked Dragonfly group targeted the Polish power grid on December 29, 2025, exploiting default credentials that had not been rotated on internet-exposed web interfaces. Team Cymru noted that the U.S. accounts for nearly half - 45.4% - of all ICS devices targeted by nation-state actors.
The ransomware-as-a-service (RaaS) model has accelerated OT intrusion capability. Qilin systematically exploited critical vulnerabilities in widely deployed Fortinet products through automated tooling, enabling rapid initial access and deep network penetration. Ransomware demands against industrial targets averaged $1.16 million in 2025, more than double the previous year's figure, per ENISA data cited by Industrial Cyber. Supply chain attacks in industrial environments nearly doubled, rising from 154 incidents in 2024 to 297 in 2025, according to Check Point Research.
In OT environments, ransomware targets availability rather than data alone. As IBM X-Force reported, among organizations surveyed for IBM's Cost of a Data Breach Report 2025, 15% experienced cybersecurity incidents that affected their OT environment, and of that group, nearly a quarter - 23% - reported that the incident resulted in damage to OT systems or equipment.
Outlook
Regulatory frameworks are being revised to match the threat's pace. In the United States, CIRCIA requires covered critical infrastructure entities to report covered cyber incidents within 72 hours and ransomware payments within 24 hours, with the final rule expected in May 2026. The EU's ENISA has called ransomware a prime threat to industrial operations and is coordinating vulnerability disclosure across member states. Waterfall Security projects ransomware attacks on OT-heavy industries will resume increasing in 2026-2027 after a statistical leveling in 2025.
Industry bodies and governments are pressing for standardized OT security baselines, mandatory asset inventories, and cyber-resilience testing protocols that do not interrupt critical processes. Security analysts now emphasize three technical imperatives for plant operators and utilities: achieving comprehensive OT asset visibility with real-time risk scoring, implementing risk-based network segmentation to confine lateral movement, and aligning incident response with cross-sector playbooks that integrate IT forensics with OT safety procedures.
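An added example, not code from the article or from any of the reports it cites: a Python risk-scoring pass over a constructed OT asset inventory, using the risk factors the reporting names (default credentials left unrotated on internet-exposed interfaces, known unpatched vulnerabilities, absent OT monitoring) to produce the kind of prioritized asset view the analysts describe. The weights, asset names and field layout are assumptions for illustration, not a published scoring standard.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

@dataclass
class OTAsset:
    name: str
    kind: str               # e.g. "PLC", "HMI", "SCADA server"
    internet_exposed: bool  # web/management interface reachable from the internet
    default_credentials: bool
    last_cred_rotation: date | None
    known_vulns: int        # count of known, unpatched vulnerabilities
    monitored: bool         # covered by OT network monitoring

# Weights below are an illustrative assumption, not a published standard.
def score_asset(asset: OTAsset, today: date) -> tuple[int, list[str]]:
    score, findings = 0, []
    if asset.default_credentials:
        score += 30
        findings.append("default credentials in use")
    if asset.internet_exposed:
        score += 25
        findings.append("interface reachable from the internet")
        if asset.default_credentials:
            # The combination the CERT-PL grid incident report describes
            score += 20
            findings.append("default credentials on internet-exposed interface")
    rot = asset.last_cred_rotation
    if rot is None or (today - rot).days > 365:
        score += 10
        findings.append("credentials not rotated in the last year")
    if asset.known_vulns:
        score += min(asset.known_vulns * 5, 20)
        findings.append(f"{asset.known_vulns} known unpatched vulnerabilities")
    if not asset.monitored:
        score += 10
        findings.append("no OT network monitoring")
    return min(score, 100), findings

def prioritize(assets: list[OTAsset], today: date) -> list[tuple[int, str, list[str]]]:
    """Rank assets highest risk first, for remediation and segmentation planning."""
    ranked = [(*score_asset(a, today), a.name) for a in assets]
    return sorted(((s, n, f) for s, f, n in ranked), key=lambda r: r[0], reverse=True)

# Constructed sample inventory (hypothetical devices, not real assets)
TODAY = date(2026, 3, 1)
INVENTORY = [
    OTAsset("PLC-LINE1", "PLC", False, True, None, 2, False),
    OTAsset("HMI-GRID-WEB", "HMI", True, True, date(2024, 1, 15), 0, True),
    OTAsset("SCADA-HIST", "SCADA server", False, False, date(2025, 12, 1), 1, True),
]

if __name__ == "__main__":
    for score, name, findings in prioritize(INVENTORY, TODAY):
        print(f"{score:3d} {name}: {'; '.join(findings) or 'no findings'}")
```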