Check Point Report Shows 46% Surge in Ransomware Activity, with Qilin Group Leading Attacks on Industrial Sectors

Ransomware Attacks Surge by 46% as Threat Actors Target Construction and Manufacturing

INFORMATIONAL
October 15, 2025
October 17, 2025
4m read
Ransomware, Threat Intelligence

Executive Summary

A new threat intelligence report from Check Point Research reveals a concerning trend in the cyber threat landscape: while the overall average of weekly cyber attacks per organization saw a minor 4% decrease, ransomware-specific activity has surged by an alarming 46%. This suggests that threat actors are shifting from high-volume, low-impact attacks to more targeted, high-value ransomware operations. The report identifies the construction, business services, and industrial manufacturing sectors as the primary targets of this intensified focus. The Qilin ransomware-as-a-service (RaaS) group was noted as a particularly active player in this space.


Threat Overview

The analysis, based on victim postings to threat actor leak sites, shows a clear pivot in attacker strategy. Instead of broad, opportunistic attacks, criminal groups are concentrating their efforts on sectors perceived as vulnerable or more likely to pay a ransom. Note that leak-site data only captures victims the groups chose to publish; incidents that were settled quietly or never claimed are not counted, so the percentages below describe publicly claimed victims rather than all intrusions. The most impacted industries were:

  • Construction and Engineering: 11.4% of victims
  • Business Services: 11.0% of victims
  • Industrial Manufacturing: 10.1% of victims

Other heavily targeted sectors include financial services (9.4%) and healthcare (8.4%), demonstrating that while the focus may be shifting, traditional high-value targets remain at risk. The education sector, while not a top ransomware target, continues to be the most attacked industry overall, with an average of 4,175 weekly attacks per organization.

Technical Analysis

The report highlights the Qilin RaaS group as a major contributor to the surge, accounting for over 14% of publicly claimed victims. Qilin is an established operation known for its double-extortion tactics, where data is both encrypted (T1486 - Data Encrypted for Impact) and exfiltrated for potential leaking (T1041 - Exfiltration Over C2 Channel). The RaaS model allows the core Qilin developers to scale their operations by providing their malware and infrastructure to less-skilled affiliates in exchange for a share of the profits. This model is a key driver of the overall increase in ransomware incidents.

Impact Assessment

The surge in targeted ransomware attacks poses a severe business risk, especially for the construction and manufacturing sectors. These industries often rely on operational technology (OT) and just-in-time supply chains, making them highly susceptible to disruption. A successful ransomware attack can halt production lines, delay projects, and lead to significant financial losses. The focus on business services firms is also strategic, as compromising these companies can provide attackers with a pivot point into their various clients' networks, creating a supply chain attack scenario. The report underscores the need for all organizations, particularly those in the newly targeted sectors, to reassess their ransomware defenses.

IOCs

No specific IOCs were provided in this trend-focused report.

Detection & Response

  1. Industry-Specific Threat Intelligence: Organizations in targeted sectors must subscribe to and consume threat intelligence feeds relevant to their industry to understand the specific TTPs being used against their peers.
  2. Behavioral Monitoring: Deploy EDR solutions that focus on detecting ransomware behaviors (e.g., mass file encryption, shadow copy deletion) rather than relying solely on static signatures.
  3. Network Monitoring: Monitor for large, unexpected outbound data transfers, which could be an indicator of data exfiltration prior to encryption.
  4. D3FEND Techniques: Use D3-UDTA: User Data Transfer Analysis to detect the large-scale data exfiltration that precedes a double-extortion ransomware attack.
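
The following is an added example, not code from the original report or from Check Point: Python detection logic for the two behaviours named in item 2 (shadow copy deletion and mass file encryption), run over constructed Sysmon-style process-creation and file-rename events. Hostnames, PIDs, the event layout and the ".locked" extension are assumptions; Qilin affiliates use their own extensions, so match on rename rate rather than on a fixed suffix.

```python
"""Behavioural ransomware detection over constructed endpoint telemetry (added example)."""
import os
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command-line patterns for backup/recovery inhibition (ATT&CK T1490). The
# labels are ours; extend the list with whatever your EDR normalises.
INHIBIT_RECOVERY_PATTERNS = [
    (r"vssadmin(\.exe)?\s+delete\s+shadows", "vssadmin shadow copy deletion"),
    (r"wmic(\.exe)?\s+shadowcopy\s+delete", "wmic shadow copy deletion"),
    (r"bcdedit(\.exe)?\s+.*recoveryenabled\s+no", "boot recovery disabled"),
    (r"wbadmin(\.exe)?\s+delete\s+catalog", "backup catalog deletion"),
    (r"win32_shadowcopy.*\.delete\(\)", "WMI shadow copy deletion via PowerShell"),
]


def _make_sample_events():
    """Constructed events (not real telemetry). 'proc' = process creation,
    'rename' = a file rename attributed to the renaming process."""
    t0 = datetime(2025, 10, 15, 9, 0, 0)
    events = [
        {"ts": t0, "type": "proc", "host": "ENG-WS-07", "pid": 4120,
         "cmd": "vssadmin.exe delete shadows /all /quiet"},
        {"ts": t0 + timedelta(seconds=1), "type": "proc", "host": "ENG-WS-07", "pid": 4131,
         "cmd": "bcdedit.exe /set {default} recoveryenabled no"},
        {"ts": t0 + timedelta(seconds=2), "type": "proc", "host": "FIN-WS-02", "pid": 880,
         "cmd": "C:\\Windows\\System32\\notepad.exe report.txt"},
    ]
    # One process renaming 60 files to a placeholder '.locked' extension in 30 s.
    for i in range(60):
        events.append({"ts": t0 + timedelta(milliseconds=500 * i), "type": "rename",
                       "host": "ENG-WS-07", "pid": 4150,
                       "old": f"\\\\FS-01\\projects\\drawing_{i}.dwg",
                       "new": f"\\\\FS-01\\projects\\drawing_{i}.dwg.locked"})
    # Benign background: a user saving a handful of documents over an hour.
    for i in range(5):
        events.append({"ts": t0 + timedelta(minutes=10 * i), "type": "rename",
                       "host": "FIN-WS-02", "pid": 880,
                       "old": f"C:\\Users\\jd\\report_{i}.tmp",
                       "new": f"C:\\Users\\jd\\report_{i}.docx"})
    return events


SAMPLE_EVENTS = _make_sample_events()


def detect_inhibit_recovery(events):
    """Match process command lines against the T1490 patterns."""
    hits = []
    for e in events:
        if e["type"] != "proc":
            continue
        for pattern, label in INHIBIT_RECOVERY_PATTERNS:
            if re.search(pattern, e["cmd"], re.IGNORECASE):
                hits.append({"host": e["host"], "pid": e["pid"], "label": label})
                break
    return hits


def detect_mass_rename(events, threshold=50, window_s=60):
    """Flag a process that renames >= threshold files inside a sliding window.
    Reports the first window that trips for each (host, pid), with the set of
    new extensions so an analyst can see a uniform suffix being applied."""
    by_proc = defaultdict(list)
    for e in events:
        if e["type"] == "rename":
            by_proc[(e["host"], e["pid"])].append(e)
    alerts = []
    for (host, pid), evs in by_proc.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                exts = {os.path.splitext(e["new"])[1].lower() for e in evs[start:end + 1]}
                alerts.append({"host": host, "pid": pid, "count": end - start + 1,
                               "new_exts": sorted(exts)})
                break
    return alerts


if __name__ == "__main__":
    for hit in detect_inhibit_recovery(SAMPLE_EVENTS):
        print("INHIBIT RECOVERY", hit)
    for alert in detect_mass_rename(SAMPLE_EVENTS):
        print("MASS RENAME", alert)
```

On the constructed data the first rule fires twice on ENG-WS-07 (vssadmin and bcdedit) and the second rule fires once for PID 4150, which renamed 50 files within the 60-second window; the five saves on FIN-WS-02 stay below threshold. In production, tune the threshold per host role (file servers legitimately rename more than workstations) and corroborate with the rename source path, since backup agents and sync clients also rename in bulk.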

Mitigation

  1. Secure Backups: The most critical defense is a robust backup strategy following the 3-2-1 rule (three copies, on two different media, with one offsite), with at least one copy immutable or offline so that an attacker who has obtained domain-level access cannot delete or encrypt it. Test restores regularly; a backup that has never been restored is not a recovery plan.
  2. Patching and Vulnerability Management: Many ransomware attacks start by exploiting known vulnerabilities. A rigorous patching program is essential.
  3. Multi-Factor Authentication (MFA): Enforce MFA on all remote access points (VPN, RDP) and for all privileged accounts to prevent initial access via compromised credentials.
  4. User Awareness Training: Train employees to recognize and report phishing emails, which remain a primary initial access vector for ransomware.

Timeline of Events

October 15, 2025: This article was published

Article Updates

October 17, 2025

New report details 36% YoY ransomware surge in Q3 2025, with data exfiltration in 96% of attacks.

MITRE ATT&CK Mitigations

  • Maintaining secure backups, especially immutable and offline copies, is the most critical mitigation against the impact of ransomware.
  • Enforcing MFA on remote access services prevents attackers from gaining initial access using stolen credentials.
  • Promptly patching vulnerabilities in internet-facing systems is crucial for preventing ransomware infections.

D3FEND Defensive Countermeasures

With the rise of double-extortion ransomware like Qilin, detecting the data exfiltration phase is a critical opportunity for early response. Organizations, especially in targeted sectors like manufacturing and construction, should implement User Data Transfer Analysis. This involves using Data Loss Prevention (DLP) or network monitoring tools to baseline normal data flows and alert on anomalies. Specifically, configure alerts for large volumes of data being uploaded to public cloud storage services (e.g., Mega, Dropbox) or transferred via non-standard protocols from file servers or critical workstations. Detecting this stage allows security teams to intervene before the final encryption payload is deployed, potentially saving the organization from a catastrophic outage.
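
As an added example (not code from the report, and not a description of any vendor's DLP product), the following Python implements the baseline-and-alert logic described above over constructed egress logs: per-host daily outbound volume is baselined from fourteen days of history, and a day is flagged when it exceeds both a statistical threshold and an absolute floor, or when a sizeable transfer goes to a public file-sharing domain. Hostnames, byte counts, the fourteen-day window, the 500 MB floor and the domain list are assumptions.

```python
"""User Data Transfer Analysis (D3FEND D3-UDTA) over constructed egress logs (added example)."""
import statistics
from collections import defaultdict

MB = 1024 * 1024
# Public file-sharing services worth alerting on for bulk uploads. Illustrative
# list; tune it to what your organisation actually sanctions.
CLOUD_STORAGE_DOMAINS = {"mega.nz", "mega.io", "dropbox.com", "dropboxusercontent.com"}


def daily_totals(records):
    """Outbound bytes summed per (host, day)."""
    totals = defaultdict(int)
    for r in records:
        totals[(r["host"], r["day"])] += r["bytes_out"]
    return totals


def build_baseline(history):
    """Per-host mean and population std-dev of daily outbound volume."""
    per_host = defaultdict(list)
    for (host, _day), total in daily_totals(history).items():
        per_host[host].append(total)
    return {h: (statistics.mean(v), statistics.pstdev(v)) for h, v in per_host.items()}


def _is_cloud_storage(domain):
    d = domain.lower()
    return any(d == s or d.endswith("." + s) for s in CLOUD_STORAGE_DOMAINS)


def analyse_day(today, baseline, z=3.0, floor_bytes=500 * MB, upload_bytes=50 * MB):
    alerts = []
    # Rule 1: volume anomaly. Both a statistical threshold (mean + z*sd) and an
    # absolute floor, so a quiet workstation is not alerted for a 30 MB day.
    for (host, day), total in daily_totals(today).items():
        mean, sd = baseline.get(host, (0.0, 0.0))
        threshold = max(floor_bytes, mean + z * sd)
        if total > threshold:
            alerts.append({"host": host, "day": day, "bytes_out": total,
                           "reason": "volume", "threshold": int(threshold)})
    # Rule 2: any sizeable single transfer to a public file-sharing service.
    for r in today:
        if _is_cloud_storage(r["dst"]) and r["bytes_out"] >= upload_bytes:
            alerts.append({"host": r["host"], "day": r["day"], "bytes_out": r["bytes_out"],
                           "reason": f"upload to {r['dst'].lower()}"})
    return alerts


def _constructed_logs():
    """Fourteen days of history plus one day under analysis. All values are made
    up; 203.0.113.0/24 and example.com are reserved documentation ranges/names."""
    history = []
    for day in range(14):
        history.append({"host": "FS-01", "day": day, "dst": "backup.example.com",
                        "bytes_out": (190 + (day * 7) % 21) * MB})      # 190..204 MB/day
        history.append({"host": "ENG-WS-07", "day": day, "dst": "crm.example.com",
                        "bytes_out": (20 + day % 5) * MB})              # 20..24 MB/day
        history.append({"host": "HR-WS-03", "day": day, "dst": "mail.example.com",
                        "bytes_out": 30 * MB})
    today = [
        {"host": "FS-01", "day": 14, "dst": "203.0.113.10", "bytes_out": 4096 * MB},
        {"host": "ENG-WS-07", "day": 14, "dst": "mega.nz", "bytes_out": 900 * MB},
        {"host": "HR-WS-03", "day": 14, "dst": "files.example.com", "bytes_out": 50 * MB},
    ]
    return history, today


def run_example():
    history, today = _constructed_logs()
    return analyse_day(today, build_baseline(history))


if __name__ == "__main__":
    for a in run_example():
        print(a)
```

On the constructed data the file server FS-01 (normally about 200 MB/day) is flagged for 4 GB to an external address, and ENG-WS-07 is flagged twice: once for volume and once for the 900 MB upload to mega.nz. HR-WS-03 stays quiet. Baseline per host rather than per site, or a busy file server's normal traffic will mask a workstation's abnormal traffic.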

Regardless of the industry, the most effective preventative measure against the majority of ransomware attacks is the enforcement of Multi-Factor Authentication (MFA). Since many initial access vectors involve compromised credentials for remote services like VPNs and RDP, MFA acts as a powerful barrier. Even if a Qilin affiliate acquires an employee's password through phishing or other means, the second factor stands between them and the network. Prefer phishing-resistant factors (FIDO2/WebAuthn or certificate-based authentication) over push notifications and SMS codes, which adversary-in-the-middle phishing kits and push-fatigue attacks can defeat. This single control should be mandated for all remote access, cloud services, and privileged accounts. It is a foundational defense that significantly reduces the attack surface for ransomware groups.

For industrial manufacturing and construction firms, deploying decoy objects can be a highly effective detection strategy. This involves creating decoy files, folders, or even entire decoy OT/ICS systems (honeypots) on the network. These decoys should appear realistic but have no legitimate business function. Any interaction with them (a file being opened, a login attempt, a network scan) is a high-fidelity indicator of an attacker performing reconnaissance. Two practical points: file-access alerts require object access auditing or EDR file telemetry to be enabled on the hosting system, and the decoys must be excluded from legitimate scheduled jobs (backup agents, search indexing, vulnerability scanners, antivirus) so that routine activity does not trip the alert. This can provide the earliest possible warning that a ransomware operator like Qilin is inside the network, allowing the security team to respond before critical production systems are impacted.
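
As an added example (not code from the report), the following Python plants decoy files, records their hashes, and later reports any decoy that was modified, renamed or removed. A Shannon-entropy check on modified decoys distinguishes an in-place encryption (near 8 bits per byte) from an ordinary edit. The decoy names, the ".locked" suffix and the stand-in "encryptor" are assumptions constructed for the example; the stand-in is not Qilin's code and simply overwrites and renames files.

```python
"""Decoy file monitoring (D3FEND Decoy Object) with an encryption heuristic (added example)."""
import hashlib
import math
import os
import tempfile
from pathlib import Path

# Names chosen to look valuable to an intruder; they have no business use.
DECOY_NAMES = ["Q3_payroll_FINAL.xlsx", "plant2_PLC_backup.bak", "bid_estimate_2025.docx"]


def _sha256(data):
    return hashlib.sha256(data).hexdigest()


def shannon_entropy(data):
    """Bits per byte: ~8.0 for ciphertext or compressed data, well below for documents."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def plant_decoys(root):
    """Write the decoys and return a manifest {path: sha256} to check against later."""
    manifest = {}
    for name in DECOY_NAMES:
        p = Path(root) / name
        body = (f"DECOY {name}\n" + "lorem ipsum dolor sit amet " * 100).encode()
        p.write_bytes(body)
        manifest[str(p)] = _sha256(body)
    return manifest


def check_decoys(manifest, entropy_threshold=7.5):
    """Report any decoy that was modified, renamed or removed since planting."""
    findings = []
    for path, digest in manifest.items():
        p = Path(path)
        if not p.exists():
            renamed = sorted(p.parent.glob(p.name + ".*"))   # e.g. payroll.xlsx.<suffix>
            findings.append({"decoy": p.name, "event": "renamed" if renamed else "missing",
                             "new_name": renamed[0].name if renamed else None})
            continue
        data = p.read_bytes()
        if _sha256(data) != digest:
            ent = shannon_entropy(data)
            findings.append({"decoy": p.name, "event": "modified", "entropy": round(ent, 2),
                             "likely_encrypted": ent >= entropy_threshold})
    return findings


def _simulate_encryptor(root, ext=".locked"):
    """Constructed stand-in for a ransomware payload: overwrite one decoy in
    place, overwrite and rename another, leave the third untouched."""
    first = Path(root) / DECOY_NAMES[0]
    first.write_bytes(os.urandom(first.stat().st_size))
    second = Path(root) / DECOY_NAMES[1]
    second.write_bytes(os.urandom(second.stat().st_size))
    second.rename(second.with_name(second.name + ext))


def run_example():
    """Plant decoys in a scratch directory, confirm a clean check, run the
    stand-in encryptor, and return (findings_before, findings_after)."""
    with tempfile.TemporaryDirectory() as root:
        manifest = plant_decoys(root)
        before = check_decoys(manifest)
        _simulate_encryptor(root)
        return before, check_decoys(manifest)


if __name__ == "__main__":
    before, after = run_example()
    print("before:", before)
    for f in after:
        print("ALERT", f)
```

In production the manifest would be stored off-host and the check scheduled frequently (or driven by file-system audit events rather than polling), and the decoys placed where an intruder enumerating shares would find them first. The entropy heuristic is a corroborating signal only; any change to a decoy is already worth an alert.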

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

Ransomware, Threat Intelligence, Check Point, Qilin, Manufacturing, Construction
