Honeywell reports massive surge in ransomware attacks targeting industrial operators

June 6, 2025
Findings included a 3,000% spike in the use of one trojan designed to steal credentials from industrial operators.

In a growing wave of sophisticated cyber threats against the industrial sector, ransomware attacks jumped by 46% from Q4 2024 to Q1 2025, according to Honeywell's new 2025 Cybersecurity Threat Report. The research also found that both malware and ransomware increased significantly in this period and included a 3,000% spike in the use of one trojan designed to steal credentials from industrial operators. 

“Industrial operations across critical sectors like energy and manufacturing must avoid unplanned downtime as much as possible—which is precisely why they are such attractive ransomware targets,” said Paul Smith, director of Honeywell Operational Technology (OT) Cybersecurity Engineering, who authored the report. “These attackers are evolving fast, leveraging ransomware-as-a-service kits to compromise the industrial operations that keep our economy moving.” 

The Cybersecurity and Infrastructure Security Agency (CISA) in the United States defines incidents as substantial if they enable unauthorized access leading to significant operational downtime or impairments. Industry reports show that unplanned downtime, caused by cybersecurity attacks and other issues like equipment failure, costs Fortune 500 companies approximately $1.5 trillion annually, representing 11% of their revenue.

To develop the report, Honeywell researchers analyzed more than 250 billion logs, 79 million files, and 4,600 incident events that were blocked across the company’s global install base, finding:

  • Ransomware still on the rise: 2,472 potential ransomware attacks were documented in the first quarter of 2025, which represents 40% of the annual total from 2024.

  • Trojans exploiting industrial access: A dangerous trojan targeting OT systems—W32.Worm.Ramnit—accounted for 37% of files blocked by Honeywell’s Secure Media Exchange (SMX). This finding points to a 3,000% spike in the trojan compared to the previous quarter.

  • USB-based threats persist: 1,826 unique USB threats were detected via SMX in Q1 2025, with 124 never-before-seen threats—indicating a persistent risk via external media and USB devices. This built on a 33% increase in USB malware detections in 2023, following a 700% year-over-year surge in 2022.

The report expanded its analysis to include threats delivered through additional plug-in hardware—known as Human Interface Device (HID)—including mice, charging cords for mobile devices, laptops, and other peripherals often used when updating or patching software for on-premise systems.

“With increasingly significant threats and updated SEC reporting regulations requiring the disclosure of material cybersecurity incidents, industrial operators must act decisively to mitigate costly unplanned downtime and risks, including those linked to safety,” Smith said. “Leveraging Zero Trust architecture and AI for security analysis can speed detection and enable smarter decision-making and proactive defense in an increasingly complex digital landscape.”

To learn more and download the full report, visit Honeywell's website.