Ransomware Targets Industrial OT Systems, NCC Group Finds

NCC Group analysis found industrial organizations experienced 2,073 ransomware attacks in the 12 months to March 2026, representing 30% of all recorded attacks in that period.

Manufacturers of capital goods recorded 1,192 attacks; within that group, machinery firms were targeted 442 times and construction and engineering companies 394 times.

The firm reported industrial organizations were the most targeted sector in every month of the year. The analysis highlights a shift in attacker focus from traditional IT systems to operational technology, or OT, which controls industrial processes, infrastructure and machinery.

NCC Group noted many companies continue to prioritize IT security while underestimating OT exposure. Ray Robinson, NCC Group’s OT director, warned that “when OT systems are disrupted, the impact goes far beyond data loss – production can halt, essential services can be disrupted, and in some cases, lives can be put at risk.”

Regulators are pressing organizations to treat OT similarly to IT for resilience and compliance. In the UK, the Network and Information Systems Regulations require operators of essential services to adopt proportionate technical and organizational measures covering both IT and OT. The EU Cybersecurity Act and sector-specific guidance address OT governance, incident reporting, resilience and supply-chain security.

Katarina Sommer, NCC Group’s global head of government affairs and analyst relations, noted regulators are increasingly clear that OT falls within cyber resilience obligations and warned that firms focusing compliance only on IT face operational, regulatory and safety consequences.

The UK National Cyber Security Centre, together with counterparts in the United States, Australia, Canada and Europe, published procurement guidance asking OT owners and operators to verify that products support security and safety logging, include strong authentication controls, protect data, ship configured securely by default, and are backed by vendor vulnerability management processes. Jonathon Ellison, NCSC director of national resilience and future technology, urged critical infrastructure operators to ensure security is integrated into the systems they use.

The 2026 Annual Threat Assessment from the US Office of the Director of National Intelligence warned that China, Russia, Iran and North Korea will continue to target OT to collect intelligence, create options for disruption and to obtain funds. The report listed recent targets including Jaguar Land Rover, water and wastewater systems in the United States, electrical subsystems and the Ukrainian power grid, and estimated North Korean-linked groups likely stole about $2 billion in cryptocurrency in 2025.

NCC Group’s report recommends companies include OT in risk assessments and compliance frameworks, strengthen procurement standards and prepare incident response plans specifically for OT-related attacks.