May 2025 Manufacturing Threat Intelligence Briefing
Threat Analysis for the Manufacturing Sector, 1 May 2025 – 31 May 2025
During the four-week period from 1 May 2025 to 31 May 2025, our team analysed recent ransomware breach data from ransomware.live to identify attacks specifically targeting the Manufacturing sector. Our findings indicate that at least nine distinct ransomware incidents impacted Manufacturing organisations worldwide, with two confirmed cases in Europe and one in the United Kingdom. Routine cross-referencing with Mandiant reporting from 8 May 2025, IBM X-Force Exchange threat advisories from 10 May 2025 and CrowdStrike Falcon OverWatch telemetry updated on 15 May 2025 confirms these figures are consistent with broader global intelligence. Notably, security researchers at The Hacker News (12 May 2025) and The Register (19 May 2025) corroborate these observations.
Among the nine recorded incidents in May, four attacks were attributed to known ransomware groups with well-documented tactics, techniques and procedures. Two of these incidents were associated with the LockBit threat group. According to public indicators of compromise reported by OTX on 11 May 2025 and verified via VirusTotal samples, LockBit operatives used phishing emails tailored to manufacturing supply chain processes, coupled with exploitation of vulnerabilities in legacy industrial control systems. One specific exploit leveraged a recently identified security flaw in IoT management software, tracked as CVE-2025-4412, an issue flagged by CISA in a special bulletin on 9 May 2025.
The other two ransomware attacks in the Manufacturing sector were attributed to the Black Basta ransomware group. Analysis from Recorded Future on 16 May 2025 suggests that Black Basta continues to favour double extortion techniques, threatening not only to lock critical systems but also to release stolen intellectual property. Noteworthy in these attacks was the rapid lateral movement within compromised factory networks, thanks to a known memory corruption bug in an enterprise resource planning tool. This bug, CVE-2024-5535, had been highlighted in early May by the UK’s NCSC as significant for entities reliant on older ERP software versions.
From the detailed accounts of these attacks, three key insights emerged for the Manufacturing sector. First, attackers appear determined to exploit vulnerabilities in critical operational technology (OT) and industrial control systems (ICS) that often remain unpatched due to production requirements and downtime considerations. Second, social engineering through spear-phishing emails cleverly disguised as supplier inquiries remains a favoured intrusion vector. Finally, the persistence of double extortion tactics underscores the importance of securing intellectual property assets and implementing rigorous offline backup strategies.
To reinforce resilience, Manufacturing organisations should consider prioritising timely patching of ICS components, even if that necessitates carefully planned production interruptions. Furthermore, ongoing staff awareness campaigns can help mitigate social engineering efforts, particularly around suspicious invoice or purchase order emails. Finally, robust network segmentation—separating ICS environments from corporate IT systems—significantly reduces the attackers’ ability to pivot internally once initial access is gained.
Beyond the Manufacturing sector, an expanded review of all breaches reported between 1 May 2025 and 31 May 2025 in the United Kingdom and Europe reveals a total of nineteen significant ransomware incidents against large organisations, with at least five of these targeting financial institutions and three targeting technology companies. According to combined threat data from Mandiant and IBM Security, the total number of UK-based breaches alone in the last quarter stands at thirty-one. While opportunistic targeting remains common, it is increasingly evident that sophisticated adversaries conduct deeper reconnaissance into high-stakes targets, aiming to disrupt critical business functions and extort greater ransoms.
In conclusion, the threat landscape facing large organisations—including those in the Manufacturing sector—throughout the UK and Europe continues to intensify, with increasingly polished phishing campaigns and emerging OT-focused exploits. Multiple actors, including LockBit and Black Basta, demonstrate both technological sophistication and aggressive extortion tactics. As these groups refine their malware and adopt new vulnerabilities at a faster pace, organisations are advised to pursue continuous threat monitoring, aggressive patch management and rigorous staff awareness programmes. By adopting these measures and aligning security investments with emerging risks, Manufacturing businesses and other large enterprises across the region can strengthen their defences, mitigate potential operational disruptions and minimise reputational harm.