Ransomware Attacks Surge by 46% as Threat Actors Target Construction and Manufacturing

Check Point Report Shows 46% Surge in Ransomware Activity, with Qilin Group Leading Attacks on Industrial Sectors

Severity: Informational
Published: October 15, 2025
Updated: October 17, 2025
Topics: Ransomware, Threat Intelligence

Related Entities

  • Threat Actors: Qilin
  • Organizations: Check Point


Executive Summary

A new threat intelligence report from Check Point Research reveals a concerning trend in the cyber threat landscape: while the overall average of weekly cyber attacks per organization saw a minor 4% decrease, ransomware-specific activity has surged by an alarming 46%. This suggests that threat actors are shifting from high-volume, low-impact attacks to more targeted, high-value ransomware operations. The report identifies the construction, business services, and industrial manufacturing sectors as the primary targets of this intensified focus. The Qilin ransomware-as-a-service (RaaS) group was noted as a particularly active player in this space.


Threat Overview

The analysis, based on data from threat actor leak sites, shows a clear pivot in attacker strategy. Instead of broad, opportunistic attacks, criminal groups are concentrating their efforts on sectors perceived as vulnerable or more likely to pay a ransom. The most impacted industries were:

  • Construction and Engineering: 11.4% of victims
  • Business Services: 11.0% of victims
  • Industrial Manufacturing: 10.1% of victims

Other heavily targeted sectors include financial services (9.4%) and healthcare (8.4%), demonstrating that while the focus may be shifting, traditional high-value targets remain at risk. The education sector, while not a top ransomware target, continues to be the most attacked industry overall, with an average of 4,175 weekly attacks per organization.

Technical Analysis

The report highlights the Qilin RaaS group as a major contributor to the surge, accounting for over 14% of publicly claimed victims. Qilin is an established operation known for its double-extortion tactics, where data is both encrypted (T1486 - Data Encrypted for Impact) and exfiltrated for potential leaking (T1041 - Exfiltration Over C2 Channel). The RaaS model allows the core Qilin developers to scale their operations by providing their malware and infrastructure to less-skilled affiliates in exchange for a share of the profits. This model is a key driver of the overall increase in ransomware incidents.

Impact Assessment

The surge in targeted ransomware attacks poses a severe business risk, especially for the construction and manufacturing sectors. These industries often rely on operational technology (OT) and just-in-time supply chains, making them highly susceptible to disruption. A successful ransomware attack can halt production lines, delay projects, and lead to significant financial losses. The focus on business services firms is also strategic, as compromising these companies can provide attackers with a pivot point into their various clients' networks, creating a supply chain attack scenario. The report underscores the need for all organizations, particularly those in the newly targeted sectors, to reassess their ransomware defenses.

IOCs

No specific IOCs were provided in this trend-focused report.

Detection & Response

  1. Industry-Specific Threat Intelligence: Organizations in targeted sectors must subscribe to and consume threat intelligence feeds relevant to their industry to understand the specific TTPs being used against their peers.
  2. Behavioral Monitoring: Deploy EDR solutions that focus on detecting ransomware behaviors (e.g., mass file encryption, shadow copy deletion) rather than relying solely on static signatures.
  3. Network Monitoring: Monitor for large, unexpected outbound data transfers, which could be an indicator of data exfiltration prior to encryption.
  4. D3FEND Techniques: Use D3-UDTA: User Data Transfer Analysis to detect the large-scale data exfiltration that precedes a double-extortion ransomware attack.
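The following script is an added illustration of the "large, unexpected outbound data transfer" check in items 3 and 4 above (the D3FEND D3-UDTA idea of comparing a host's data transfers against its own history). It is not code from the Check Point report or from any vendor product. The per-flow records, hostnames, thresholds and the use of RFC 5737 documentation addresses as "external" destinations are all constructed for the example.

```python
"""Per-host outbound volume baseline: flag days whose egress to external
addresses is far above the host's own median, and list destinations the host
had never contacted before that day (the 'unexpected' part).

Added example; all data below is constructed, not taken from any report.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import median

# Assumed internal address space; anything else is treated as egress.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]

FACTOR = 5.0              # alert when a day exceeds 5x the host's median day
ABS_MIN = 1_000_000_000   # ...and is at least 1 GB, so small hosts do not alert on noise
MIN_HISTORY = 5           # days of history required before a baseline is trusted

# Constructed flow summaries: (day, source host, destination IP, bytes sent).
# This is the shape a NetFlow/IPFIX collector or firewall log export gives
# after aggregation. External IPs are RFC 5737 documentation addresses.
FLOWS = [
    # eng-ws-17: steady ~50 MB/day to one SaaS endpoint for a week...
    *[(f"2025-10-{d:02d}", "eng-ws-17", "192.0.2.10", 50_000_000) for d in range(6, 13)],
    ("2025-10-13", "eng-ws-17", "192.0.2.10", 48_000_000),
    # ...then a 9 GB burst to a destination it has never talked to (constructed)
    ("2025-10-13", "eng-ws-17", "198.51.100.7", 9_000_000_000),
    # erp-app-02: nightly ~2 GB offsite backup, a large but normal pattern
    *[(f"2025-10-{d:02d}", "erp-app-02", "203.0.113.40", 2_000_000_000) for d in range(6, 14)],
    # a 30 GB copy to an internal file server must not count as egress
    ("2025-10-13", "erp-app-02", "10.0.5.20", 30_000_000_000),
]


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def daily_egress(flows):
    """Sum bytes per (host, day) for flows whose destination is external."""
    totals = defaultdict(int)
    for day, host, dst, nbytes in flows:
        if not is_internal(dst):
            totals[(host, day)] += nbytes
    return totals


def analyse(flows):
    """Return one alert per (host, day) whose egress breaks the host's baseline."""
    totals = daily_egress(flows)

    # Day on which each external destination was first contacted by each host.
    first_seen = {}
    for day, host, dst, _ in sorted(flows):
        if not is_internal(dst):
            first_seen.setdefault((host, dst), day)

    by_host = defaultdict(dict)
    for (host, day), nbytes in totals.items():
        by_host[host][day] = nbytes

    alerts = []
    for host, days in by_host.items():
        ordered = sorted(days)
        for i, day in enumerate(ordered):
            history = [days[d] for d in ordered[:i]]   # strictly earlier days only
            if len(history) < MIN_HISTORY:
                continue
            baseline = median(history)   # median: robust to earlier one-off spikes
            today = days[day]
            if today >= ABS_MIN and today > FACTOR * baseline:
                new_dsts = sorted(dst for (h, dst), d in first_seen.items()
                                  if h == host and d == day)
                alerts.append({"host": host, "day": day, "bytes_out": today,
                               "baseline": baseline, "new_destinations": new_dsts})
    return alerts


if __name__ == "__main__":
    for a in analyse(FLOWS):
        print(f"{a['day']} {a['host']}: {a['bytes_out']/1e9:.2f} GB out "
              f"(baseline {a['baseline']/1e6:.0f} MB/day), "
              f"new destinations: {a['new_destinations'] or 'none'}")
```

On the constructed data only eng-ws-17 on 2025-10-13 alerts; erp-app-02's nightly 2 GB backup is large in absolute terms but sits on its own baseline, and its 30 GB internal copy is ignored. The two thresholds work together on purpose: the ratio catches a workstation that normally sends almost nothing, the absolute floor keeps a host that jumps from 1 MB to 10 MB from paging anyone. In practice the baseline window and both thresholds need tuning per environment, and the "new destination" list is what an analyst will look at first.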

Mitigation

  1. Secure Backups: The most critical defense is to maintain a robust backup strategy, following the 3-2-1 rule (three copies, on two different media, with one offsite and immutable).
  2. Patching and Vulnerability Management: Many ransomware attacks start by exploiting known vulnerabilities. A rigorous patching program is essential.
  3. Multi-Factor Authentication (MFA): Enforce MFA on all remote access points (VPN, RDP) and for all privileged accounts to prevent initial access via compromised credentials.
  4. User Awareness Training: Train employees to recognize and report phishing emails, which remain a primary initial access vector for ransomware.

Timeline of Events

October 15, 2025: This article was published

Article Updates

October 17, 2025

Severity increased

New report details 36% YoY ransomware surge in Q3 2025, with data exfiltration in 96% of attacks.

A BlackFog report for Q3 2025 reveals a 36% year-over-year increase in ransomware attacks, reaching record levels. Critically, data exfiltration is now a near-universal tactic, occurring in 96% of incidents, confirming the dominance of double-extortion. The Qilin group remains highly active. Healthcare was the most targeted public sector, while manufacturing was hardest hit in non-disclosed attacks. This update reinforces the escalating threat and the critical need for data exfiltration prevention, highlighting new mitigation strategies like DLP and network traffic analysis.


Article Author

Jason Gomes


• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Areas: Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags: Check Point, Construction, Manufacturing, Qilin, Ransomware, Threat Intelligence
