A new report from Honeywell reveals a significant escalation in cyber threats facing the industrial sector, with ransomware attacks surging by 46% from Q4 2024 to Q1 2025. The company’s 2025 Cybersecurity Threat Report indicates a widespread increase in both malware and ransomware activity, notably including a 3,000% spike in a specific trojan designed to steal credentials from industrial operators.
The allure of industrial targets for cybercriminals is clear, as explained by Paul Smith, director of Honeywell Operational Technology (OT) Cybersecurity Engineering and author of the report, “Industrial operations across critical sectors like energy and manufacturing must avoid unplanned downtime as much as possible – which is precisely why they are such attractive ransomware targets.” He further emphasized the agility of attackers, stating, “These attackers are evolving fast, leveraging ransomware-as-a-service kits to compromise the industrial operations that keep our economy moving.”
The urgency of these threats is underscored by definitions from the Cybersecurity and Infrastructure Security Agency (CISA) in the United States, which classifies incidents as “substantial” if they lead to unauthorized access causing significant operational downtime or impairment. Industry analyses corroborate the severe financial impact, showing that unplanned downtime—whether from cyberattacks or equipment failure—costs Fortune 500 companies approximately $1.5 trillion annually, representing a substantial 11% of their revenue.
To compile these critical findings, Honeywell’s researchers undertook an extensive analysis, reviewing over 250 billion logs, 79 million files, and blocking 4,600 incident events across the company’s global installed base. Their detailed examination yielded several concerning trends:
- Ransomware’s Relentless Ascent: The first quarter of 2025 alone saw 2,472 potential ransomware attacks, already accounting for 40% of the entire annual total recorded in 2024, signaling a rapid acceleration of this threat.
- Trojan Exploitation Targeting OT: A particularly dangerous trojan, identified as W32.Worm.Ramnit, was responsible for 37% of files blocked by Honeywell’s Secure Media Exchange (SMX). This figure represents an alarming 3,000% increase in this specific trojan compared to the preceding quarter, indicating a concerted effort to exploit industrial access.
- Persistent USB-Based Risks: Despite awareness campaigns, external media continues to pose a significant threat. Honeywell’s SMX detected 1,826 unique USB threats in Q1 2025, with 124 of these being entirely new and previously unseen. This follows a 33% increase in USB malware detections in 2023 and an astounding 700% year-over-year surge in 2022, highlighting the enduring vulnerability posed by removable devices.
The scope of the report’s analysis also expanded to include threats introduced via other plug-in hardware, known as Human Interface Devices (HIDs). This encompasses commonly used items such as mice, mobile device charging cords, laptops, and various other peripherals, which are frequently connected to on-premise systems for software updates or patching, creating additional vectors for potential compromise.
In light of these escalating risks and evolving regulatory landscapes—such as new SEC reporting regulations requiring the disclosure of material cybersecurity incidents—industrial operators face increasing pressure to enhance their defenses. As Smith concluded, “Leveraging Zero Trust architecture and AI for security analysis can speed detection and enable smarter decision making and proactive defense in an increasingly complex digital landscape.” His recommendation underscores the need for decisive action and advanced security strategies to mitigate costly operational downtime and safety-related risks in the industrial environment.
