In a growing wave of sophisticated cyber threats against the industrial sector, ransomware attacks jumped by 46 percent from Q4 2024 to Q1 2025, according to Honeywell’s new 2025 Cybersecurity Threat Report. The research also found that both malware and ransomware increased significantly in this period and included a 3,000 percent spike in the use of one trojan designed to steal credentials from industrial operators.
Paul Smith, director of Honeywell Operational Technology (OT) Cybersecurity Engineering, who authored the report, states, “These attackers are evolving fast, leveraging ransomware-as-a-service kits to compromise the industrial operations that keep our economy moving.”
The Cybersecurity and Infrastructure Security Agency (CISA) in the United States defines incidents as substantial if they enable unauthorized access leading to significant operational downtime or impairments. Industry reports show that unplanned downtime, caused by cybersecurity attacks and other issues like equipment failure, cost Fortune 500 companies approximately $1.5 trillion annually, representing 11 percent of their revenue.
To develop the report, Honeywell researchers analyzed more than 250 billion logs, 79 million files and 4,600 incident events that were blocked across the company’s global install base, finding:
- Ransomware is still on the rise: 2,472 potential ransomware attacks were documented in the first quarter of 2025, which represent 40 percent of the annual total from 2024.
- Trojans are exploiting industrial access: A dangerous trojan targeting OT systems – W32.Worm.Ramnit – accounted for 37 percent of files blocked by Honeywell’s Secure Media Exchange (SMX). This finding points to a 3,000 percent spike in the trojan compared to the previous quarter.
- USB-based threats persist: 1,826 unique USB threats were detected via SMX in Q1 2025, with 124 never-before-seen threats – indicating a persistent risk via external media and USB devices. This built on a 33 percent increase in USB malware detections in 2023, following a 700 percent year-over-year surge in 2022.
The report expanded its analysis to include threats delivered through additional plug-in hardware – known as Human Interface Device (HID) – including mice, charging cords for mobile devices, laptops and other peripherals often used when updating or patching software for on-premise systems.
“With increasingly significant threats and updated SEC reporting regulations requiring the disclosure of material cybersecurity incidents, industrial operators must act decisively to mitigate costly unplanned downtime and risks, including those linked to safety,” Smith said. “Leveraging Zero Trust architecture and AI for security analysis can speed detection and enable smarter decision making and proactive defense in an increasingly complex digital landscape.”
To learn more and download the full report, visit this website.