When security researchers talk about a “new normal,” they usually mean a bad situation that has stabilized at an unacceptably high level. That’s precisely the right description for manufacturing ransomware in Q1 2026.
The quarterly threat intelligence data is in. More than 800 ransomware victims have been recorded across all sectors in the first quarter of 2026. Attack volumes held steady both quarter-over-quarter and year-over-year — which sounds like a plateau, but isn’t good news. It means the elevated attack rates that alarmed security teams in 2024 and 2025 are not a temporary spike. They are the baseline.
Manufacturing remains the hardest-hit sector — five consecutive years at the top of ransomware target lists. And the tactics have shifted in ways that make the threat harder to respond to: attackers are increasingly abandoning encryption in favor of data theft and extortion, reducing their operational complexity while maintaining their leverage.
This follows the picture we painted in our March report on 89 manufacturing ransomware attacks in 30 days. The Q1 data confirms that surge was not an anomaly — it was the trend settling into a permanent elevated state.
The Four Groups Running Industrial Targeting
Four ransomware operations dominate the industrial and manufacturing targeting landscape in Q1 2026. Understanding their distinct characteristics is relevant to how defenders should prioritize and prepare.
RansomHub — The Fastest Growing Operation
RansomHub has emerged as the dominant ransomware-as-a-service platform following the disruptions of LockBit and BlackCat/ALPHV in 2024. It has attracted significant affiliate talent displaced from those operations, and its industrial targeting has been aggressive.
RansomHub’s distinctive characteristic is its affiliate-favorable revenue model — affiliates retain 90% of ransom payments, significantly higher than traditional RaaS platforms. This creates strong incentives for sophisticated affiliates to join the platform, which means RansomHub campaigns are often conducted by threat actors with significant operational experience.
For manufacturing targets, RansomHub affiliates have demonstrated capability in:
- Initial access through internet-exposed remote services (VPN appliances, RDP, Citrix)
- Lateral movement from IT networks to OT-adjacent systems
- Data exfiltration prior to encryption, using cloud storage services for staging
- Targeting backup systems and business continuity infrastructure to maximize leverage
Manufacturing has been one of RansomHub’s top three target sectors throughout Q1.
SafePay — High Activity, Low Profile
SafePay has operated at very high activity levels in Q1 2026 while maintaining a relatively low public profile compared to RansomHub or LockBit. This is intentional: the group deliberately avoids high-profile targets that attract law enforcement attention, preferring mid-market manufacturers and industrial suppliers.
SafePay’s operational focus on mid-market industrial companies (typically $50M-$500M in annual revenue) reflects a calculated risk calculus: these organizations have sufficient revenue to pay meaningful ransoms but often lack the security maturity and dedicated resources of enterprise targets. They’re large enough to hurt, small enough not to attract immediate federal response.
The group’s ransom demands are typically calibrated to the target’s apparent ability to pay — security researchers note that SafePay conducts financial research on victims before issuing demands, setting initial demands at levels designed to appear painful but negotiable.
Akira — Windows and Linux, Globally Active
Akira is one of the more technically capable operations in the current landscape, with consistent targeting of manufacturing companies across North America and Europe. Its cross-platform capability — targeting both Windows and Linux environments — is particularly relevant for industrial settings where engineering workstations (Windows) and historian/SCADA servers (often Linux) coexist.
Akira has been linked to several significant manufacturing incidents in Q1 2026, with particular focus on automotive supply chain companies and precision manufacturing. The group has demonstrated patience in victim environments — average dwell time before encryption has been measured at 10-21 days, during which data exfiltration occurs before any visible disruption.
Akira’s ransom demands for manufacturing targets have ranged from several hundred thousand dollars to multiple millions, depending on company size and the sensitivity of data accessed. The group has a documented history of publishing victim data on its leak site when ransoms are not paid.
Qilin — International Operations, ICS Focus
Qilin is internationally active and has shown specific focus on industrial control systems — going beyond the typical ransomware playbook of attacking IT systems and hoping for OT impact. The group has demonstrated willingness to target ICS environments directly, which represents an escalation in capability compared to most ransomware operators.
For manufacturing security teams, Qilin’s ICS targeting capability is the most concerning element. Most ransomware operators disrupt manufacturing operations indirectly — by encrypting the IT systems that support production scheduling, ERP, and supply chain management. Qilin has in some cases disrupted production systems more directly, by targeting historian systems, process control servers, and in at least one documented case, engineering workstations with direct PLC programming access.
Qilin has been confirmed in incidents affecting companies in the UK, Germany, Netherlands, and the United States in Q1 2026, with manufacturing consistently among its top targeted sectors.
The Structural Shift: From Encryption to Data Extortion
The most significant tactical evolution in Q1 2026 ransomware is the accelerating shift from encryption-based attacks to data theft and extortion-only operations.
Traditional ransomware worked like this: breach the organization, spread through the environment, encrypt files, demand payment for the decryption key. This approach has always had operational complexity for attackers — developing reliable encryption that doesn’t trigger EDR, staging and deploying encryption tools, managing decryption key infrastructure, providing actual decryption when victims pay.
The data extortion model is simpler: breach the organization, exfiltrate sensitive data, threaten to publish it unless paid. No encryption deployment needed. No decryption key infrastructure. The leverage is reputational and regulatory — the threat of data exposure, customer notification obligations, regulatory fines, and competitor intelligence exposure.
Why this shift is happening:
EDR and endpoint security have gotten better at detecting encryption. Modern endpoint detection and response tools identify the behavioral signatures of ransomware encryption — rapid file modification, shadow copy deletion, specific process trees — with high reliability. Data exfiltration is significantly harder to detect, particularly when it’s conducted slowly and uses legitimate cloud services (OneDrive, Google Drive, Mega) for staging.
The regulatory environment has increased the cost of data exposure. GDPR, CCPA, and sector-specific regulations have increased the financial and reputational cost of data breaches. This increases the leverage available to attackers who hold exfiltrated data — the threat of triggering regulatory notification and fines adds financial pressure on top of the operational pressure.
Manufacturing data has specific competitive value. Unlike consumer data breaches that expose credit card numbers or passwords, manufacturing data exfiltration can expose intellectual property — product designs, manufacturing processes, supplier contracts, customer pricing, R&D roadmaps. This data has specific value to competitors, which creates additional dimensions of leverage for attackers.
For manufacturing security teams, this shift has practical implications:
Traditional ransomware defense focused heavily on backup integrity — if you can restore from clean backups, encryption doesn’t have to mean paying. Data extortion attacks this assumption directly: even with perfect backups, if your sensitive data has been exfiltrated, you have a problem that backups don’t solve.
This means that data loss prevention, exfiltration detection, and data classification — capabilities that have historically been compliance-focused — become directly relevant to ransomware defense.
Why Manufacturing Stays at the Top of the Target List
Five consecutive years of manufacturing being ransomware’s top target is not coincidence. It reflects structural characteristics of the sector that create persistent attractive conditions for attackers.
Operational urgency creates payment pressure. Manufacturing production downtime is expensive — typically measured in thousands to tens of thousands of dollars per hour for continuous process manufacturers. This urgency creates pressure to pay ransoms quickly rather than endure lengthy recovery. Attackers calibrate demands to the cost of downtime.
The IT/OT convergence has expanded the attack surface without commensurate security investment. As manufacturing has connected operational technology to enterprise IT networks for efficiency, remote monitoring, and supply chain integration, the network boundary that once physically separated production systems from internet-reachable infrastructure has eroded. But security investment has not kept pace with the connectivity expansion.
Legacy systems and extended patching cycles. Industrial equipment has long operational lifespans and patching cycles that are constrained by production schedules, vendor support limitations, and regulatory considerations. The result is manufacturing networks containing Windows systems that are years behind on security patches — exactly the conditions that ransomware operators rely on for initial access and lateral movement.
Supplier and vendor access creates lateral entry points. Manufacturing operations typically involve extensive third-party connectivity — equipment vendors, maintenance contractors, logistics partners, engineering firms. Each external connection is a potential initial access vector, and managing the security of third-party access is a persistent challenge.
Insufficient OT-specific security visibility. Many manufacturing organizations have invested in IT security monitoring but have limited visibility into their OT networks. Attackers who move from IT to OT-adjacent systems may operate undetected for extended periods.
The Q1 Numbers in Context
The 800+ victim figure for Q1 2026 requires context to be useful:
This number reflects confirmed victims — organizations whose data appears on ransomware group leak sites, whose incidents are disclosed publicly, or whose incidents are documented through threat intelligence feeds. The actual number of ransomware incidents is substantially higher; many organizations pay ransoms quietly without public disclosure.
Manufacturing’s position within those 800+ victims reflects its sustained status as the second-highest targeted sector (behind technology, ahead of healthcare and finance). The absolute numbers have not declined year-over-year, meaning the sector is not becoming safer despite increased security awareness and investment.
Geographic distribution shows North American manufacturing companies as the most frequently targeted, followed by European manufacturers (particularly UK, Germany, and France), with increasing attention to Asia-Pacific manufacturing as threat actors expand their geographic targeting.
Company size distribution has shifted toward mid-market targets — $100M-$1B revenue — as large enterprise organizations have improved their security postures and law enforcement attention has focused on headline-grabbing large-company attacks. Mid-market manufacturers often have the revenue for meaningful ransoms but lack enterprise-scale security programs.
What Industrial Security Teams Should Prioritize
Given the Q1 data and the tactical shift toward data extortion, manufacturing security teams should focus on several specific improvements:
1. Exfiltration detection capability. If your security monitoring is primarily focused on detecting malware and encryption behavior, you have a detection gap for the fastest-growing attack technique. Implement data loss prevention tooling, monitor for large-volume transfers to cloud storage services, and establish baselines for normal data flow patterns so anomalies are detectable.
2. Third-party access management. Audit every external connection in your environment. Vendor remote access should be time-limited, authenticated with MFA, logged comprehensively, and scoped to specific systems. Persistent always-on vendor connections are among the most common initial access vectors in manufacturing ransomware incidents.
3. IT/OT segmentation validation. If you believe your OT network is segmented from your IT network, validate that segmentation. Penetration testing that specifically attempts IT-to-OT lateral movement is the most reliable way to verify your segmentation controls are effective. Many organizations believe they are segmented when they are not.
4. Data classification and access controls. Identify your highest-value data — product designs, manufacturing processes, customer contracts, supplier agreements — and implement access controls proportional to the sensitivity. Data that only three people need to access should not be accessible to three hundred.
5. Incident response planning for data extortion scenarios. Traditional ransomware incident response focuses on recovery — restore from backups, rebuild systems, resume operations. Data extortion incidents require a different response: legal counsel involvement, regulatory notification assessment, customer and partner communication, and negotiation considerations. Ensure your IR plan covers this scenario explicitly.
6. Backup architecture review. While backups don’t solve data extortion, they remain essential for operational recovery. Verify that your backups are isolated from your primary network (so ransomware encryption doesn’t reach them), tested for recoverability, and retained for a period long enough to recover from incidents with long dwell times.
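As an added example (not code from the article or any of its cited sources), the following Python sketches the baselining check that item 1 describes: it sums each host's bytes sent to the cloud storage services the article names (OneDrive, Google Drive, Mega) from constructed proxy log lines, then flags both a single-day burst and a slow multi-day drip that never exceeds a per-day threshold. The hostnames, log format, day ranges and thresholds are assumptions for illustration.

```python
from collections import defaultdict
from statistics import median
# Constructed sample proxy log (day host destination bytes_sent); not real data.
SAMPLE_LOG = """\
2026-03-02 eng-ws-07 onedrive.live.com 1000000
2026-03-03 eng-ws-07 onedrive.live.com 1200000
2026-03-04 eng-ws-07 onedrive.live.com 1100000
2026-03-09 eng-ws-07 onedrive.live.com 1100000
2026-03-10 eng-ws-07 mega.nz 60000000
2026-03-11 eng-ws-07 onedrive.live.com 1000000
2026-03-02 hist-srv-02 drive.google.com 2000000
2026-03-03 hist-srv-02 drive.google.com 2100000
2026-03-04 hist-srv-02 drive.google.com 1900000
2026-03-09 hist-srv-02 drive.google.com 7000000
2026-03-10 hist-srv-02 drive.google.com 7500000
2026-03-11 hist-srv-02 drive.google.com 8000000
2026-03-02 fin-lt-03 onedrive.live.com 500000
2026-03-03 fin-lt-03 onedrive.live.com 500000
2026-03-04 fin-lt-03 onedrive.live.com 500000
2026-03-09 fin-lt-03 onedrive.live.com 400000
2026-03-10 fin-lt-03 onedrive.live.com 600000
2026-03-11 fin-lt-03 onedrive.live.com 500000
"""
# Staging services the article names; in practice feed this from your proxy's URL categories.
CLOUD_STORAGE = {"onedrive.live.com", "drive.google.com", "mega.nz"}
BASELINE_DAYS = ["2026-03-02", "2026-03-03", "2026-03-04"]  # assumed "normal" period
WINDOW_DAYS = ["2026-03-09", "2026-03-10", "2026-03-11"]    # period under review

def cloud_bytes_per_day(log_text):
    """Sum bytes sent per host per day, counting cloud-storage destinations only."""
    totals = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        day, host, dest, sent = line.split()
        if dest in CLOUD_STORAGE:
            totals[host][day] += int(sent)
    return totals

def flag_exfil(totals, burst_factor=5.0, drip_factor=3.0, floor_bytes=100_000):
    """Return {host: reason}: 'burst' if one window day exceeds burst_factor x the baseline
    median; 'drip' if the window total exceeds drip_factor x the baseline prediction."""
    alerts = {}
    for host, by_day in totals.items():
        # floor_bytes stops a host with no history from having a zero baseline
        base = max(median(by_day.get(d, 0) for d in BASELINE_DAYS), floor_bytes)
        window = [by_day.get(d, 0) for d in WINDOW_DAYS]
        if max(window) > burst_factor * base:
            alerts[host] = "burst"
        elif sum(window) > drip_factor * base * len(WINDOW_DAYS):
            alerts[host] = "drip"
    return alerts
```

The drip rule is the one that matters for the slow, legitimate-service exfiltration the article describes: hist-srv-02 never crosses the per-day burst threshold, but its window total is well above what its baseline predicts.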
The Outlook
Q1 2026 data suggests that manufacturing’s ransomware crisis is not going to resolve through market dynamics or attacker fatigue. The economics remain favorable for attackers: the return on investment for manufacturing ransomware remains high, the attack techniques are well-established and commoditized, and the defensive landscape is improving but not yet closing the gap.
The groups operating today — RansomHub, SafePay, Akira, Qilin — will be joined by new entrants and successor operations as law enforcement disrupts individual actors. The underlying economic model is resilient.
For manufacturing security leaders, the Q1 data is a case for continued, sustained investment — not a crisis to respond to reactively, but a structural condition to defend against strategically. The “new normal” at 800 victims per quarter is the environment in which manufacturing cybersecurity decisions are being made.
The organizations that treat this as a permanent operating condition — building defenses proportional to a sustained elevated threat — will be better positioned than those waiting for the threat to recede on its own.
Data in this article draws on Industrial Cyber, BlackFog State of Ransomware 2026, Viking Cloud ransomware statistics, Equilibrium Risk Manufacturing Security Digest (April 2026), and threat intelligence from Dragos and Claroty. Victim counts reflect compiled data from multiple threat intelligence sources and should be understood as lower bounds on actual incident volumes.