India Becomes APAC’s Ransomware Epicentre: What the Manufacturing Surge Means for Every Business
April 2026
A new report from Check Point Software has landed with a stark finding: India is now the Asia-Pacific epicentre of ransomware activity, with the manufacturing sector absorbing the heaviest blow. According to the Manufacturing Threat Landscape 2025 report, 65% of affected Indian organisations paid ransom demands last year, with average payouts reaching $1.35 million. Globally, attacks on manufacturers jumped 56% year-on-year, from 937 incidents in 2024 to 1,466 in 2025.
This is not a distant problem. Industrial manufacturing organisations in India faced up to 2,786 cyberattacks per week over the last six months alone. The numbers reflect a clear strategic shift: attackers have identified India’s manufacturing base as a high-value, under-defended target — and they are systematically exploiting it.
Why Manufacturing Is So Attractive to Attackers
The vulnerability of the sector comes down to three structural weaknesses that have been present for years but are now being weaponised at scale.
Legacy OT infrastructure is the first problem. Manufacturing environments run on Programmable Logic Controllers, SCADA systems, and industrial IoT devices that were engineered decades before modern cybersecurity frameworks existed. Many of these cannot be patched or updated without halting production — which means known vulnerabilities stay open for months or years. Attackers know this and have built specific toolkits designed for these environments.
Supply chain complexity is the second. Modern manufacturing involves dozens of vendors, logistics partners, ERP systems, and SaaS platforms. Each connection is a potential entry point. In 2025, supply chain attacks nearly doubled — rising from 154 incidents in 2024 to 297 — with threat actors increasingly compromising smaller vendors or managed service providers to gain access to larger industrial targets downstream.
Ransomware-as-a-Service (RaaS) maturation is the third. Criminal groups no longer need deep technical expertise to execute a sophisticated attack. Affiliate-based RaaS models allow groups to scale operations rapidly, reuse proven toolkits, and localise campaigns by industry and geography. Groups like Akira, Qilin, and Play are specifically targeting manufacturing and logistics, combining data exfiltration with encryption to maximise both disruption and extortion leverage.
The Attack Path Into Manufacturing Networks
Ransomware accounted for 890 manufacturing incidents globally, but the methods of initial access are diversifying. Exploited vulnerabilities — particularly in legacy systems and internet-facing applications — account for 32% of incidents. AI-enabled, highly personalised phishing campaigns represent 23%. Compromised credentials, widely available on dark web marketplaces, and supply chain exploitation through remote access are growing rapidly.
Attack strategies have also evolved beyond simple encryption. Data exfiltration, extortion-only models (where no files are encrypted but the attacker threatens to publish stolen sensitive data), and direct operational disruption are now standard playbook entries. Backups restore encrypted files, but they do nothing about data that has already been stolen, so a manufacturing company that believes its backup strategy protects it from ransomware is operating with an outdated threat model.
What Manufacturing Businesses Need to Do Now
The security shifts the sector needs are not exotic. They are structural and achievable.
- Visibility across IT and OT environments. Most manufacturers have reasonable visibility into their office IT networks but near-zero visibility into the operational technology running their plant floor. Real-time monitoring must extend across both.
- Zero Trust architecture. Every connection — internal or external, user or machine — should be validated. Least-privilege access and network segmentation are the minimum baseline.
- Vendor risk management. Third-party access, SaaS integrations, and managed service providers are primary attack vectors. Every vendor relationship represents an implicit trust that attackers will test.
- Incident response planning. Knowing what to do in the first 15 minutes of a confirmed breach — who gets called, what gets isolated, what gets preserved — is the difference between a contained incident and a catastrophic one. Most manufacturing SMEs have no documented playbook.
The broader picture from the Check Point data is that manufacturing is now targeted by both financially motivated ransomware groups and geopolitically aligned actors. India’s growing position as a global manufacturing hub makes it a strategic target, not just an economic one. Security for the sector needs to reflect that reality.