
Top 10 ransomware targets by industry

In any given year, certain industries seem to make more attractive targets for ransomware groups. But no single sector shoulders all -- or even most -- of the risk.

Manufacturing remained ransomware operators' most-targeted sector heading into 2026, according to analysis by threat researchers at cybersecurity services provider NordStellar. Other top targets by industry include IT firms, professional services providers and construction companies.

Note, however, that -- as for-profit businesses -- ransomware gangs constantly adapt to shifting market conditions, victimizing any organizations they see as both relatively vulnerable and likely to pay. With that caveat in mind, what follows are the 10 industries that ransomware operators most frequently targeted in 2025, according to NordStellar's research.

1. Manufacturing

NordStellar found nearly one in five attacks in 2025 targeted a manufacturing company, with 1,156 ransomware incidents in this sector -- a 32% year-over-year increase.

A recent ransomware attack on Jaguar Land Rover brought the luxury automaker's manufacturing activities to a halt for more than a month. U.K. experts have called it the most financially damaging cyberattack in national history, costing the British economy $2.5 billion.

2. Information technology

The IT sector currently ranks second, accounting for 8.7% of ransomware incidents. In July 2025, for example, technology firm Ingram Micro suffered a ransomware attack that disrupted normal operations for several days. The SafePay ransomware group claimed responsibility.

In a high-profile incident in 2021, the REvil gang targeted Taiwan-based PC manufacturer Acer and demanded one of the largest ransoms on record -- $50 million. Whether the company paid the ransom is unknown.

3. Professional, scientific and technical services

Professional, scientific and technical services providers were also frequently in ransomware operators' crosshairs in recent months, making up 8.2% of attacks.

In August 2025, ransomware disrupted operations at Inotiv, a pharmaceutical and biotechnology services firm. The Qilin ransomware gang claimed responsibility for the incident, in which attackers stole the personal data of roughly 9,500 people.

4. Construction and property

NordStellar researchers found 7.4% of ransomware attacks in 2025 targeted organizations in the construction and property sector.

In early 2024, ransomware operators hit mortgage lender LoanDepot, stealing the sensitive personal information of 16.6 million customers. The company later said that it incurred more than $41 million in attack-related expenses in the first half of that year.

5. Healthcare

Medical providers' high-stakes work and widespread security vulnerabilities make them a perennial target of cybercriminals. In 2025, 5.7% of ransomware attacks targeted healthcare organizations, NordStellar researchers found.

Ransomware incidents in this sector can be deadly. An attack on a hospital in Düsseldorf, Germany, once forced healthcare workers to send a patient with a life-threatening condition to another hospital 20 miles away. The patient died, although prosecutors later concluded the attack and subsequent delay did not play a role. Regardless, research strongly suggests ransomware attacks have already contributed to unnecessary deaths.

6. Financial services

One in 20 ransomware attacks in 2025 targeted the financial services industry. A major ransomware attack on this sector could have widespread, catastrophic effects on the economy and society at large. New York's Department of Financial Services has warned it could trigger "the next great financial crisis" by crippling key organizations and eroding consumer confidence.

In 2019, the REvil ransomware gang hit foreign exchange bureau Travelex, disrupting operations in dozens of countries and leaving banks and travelers without access to funds for more than a week. The incident, along with the COVID-19 pandemic, left the company in dire financial straits, resulting in 1,300 job cuts and insolvency administration proceedings.

7. Transportation, logistics, supply chain and storage

Ransomware incidents in the transportation, logistics, supply chain and storage sectors accounted for 4.9% of attacks last year. Cybercriminals have long viewed organizations in the logistics sector as attractive ransomware targets. Almost a decade ago, for example, a still-infamous NotPetya attack cost Danish shipping giant Maersk up to $300 million in lost revenue.

8. Legal

The legal services sector was also among the 10 most targeted industries in recent months, accounting for 4.7% of all attacks, according to the NordStellar report. Major law firms are attractive ransomware targets, as many possess highly sensitive data and are likely to have financial resources to pay large ransom demands. Criminals might also victimize smaller legal firms with outdated or lackluster cybersecurity programs that make their networks relatively easy to access.

In February 2021, major law firm Campbell Conroy & O'Neil said ransomware operators had accessed and encrypted system data that included sensitive personal information such as Social Security numbers and financial information. The trial attorneys have represented numerous Fortune 500 companies, including Boeing, FedEx, Home Depot and Johnson & Johnson.

The previous year, a ransomware attack hit prominent entertainment firm Grubman Shire Meiselas & Sacks, which has represented celebrity clients such as Lady Gaga and Madonna.

9. Retail

The retail sector also accounted for 4.7% of attacks in 2025, tying with legal. Sophos researchers found that exploited vulnerabilities have been the most common root cause of ransomware attacks in this sector for the past three years.

Several major British retailers sustained high-profile ransomware attacks in 2025, including Marks & Spencer. The incident resulted in stolen customer data and caused online and in-store operational disruptions, with the retail giant later estimating costs of up to $402 million.

10. Education

According to NordStellar, educational organizations were targets in 3.6% of ransomware attacks. In positive news, Sophos researchers found that median ransom demands and payments in this sector both fell sharply in 2025. And while roughly half of education victims made ransom payments, the proportion of the initial demands paid also fell year over year.

In 2022, 157-year-old Lincoln College became the first American college to attribute its permanent closure in part to a ransomware attack. The school also pointed to the COVID-19 pandemic as a contributing factor. More recent targets include Texas Tech University's Health Sciences Centers, the Colorado Department of Higher Education and Bunker Hill Community College in Boston.

Other industries

The total number of ransomware attacks is on the rise, with NordStellar researchers finding evidence on the dark web of 9,251 incidents in 2025 -- up 45% over the previous year. Organizations from industries not mentioned above were targets in 27.8% of these attacks, underscoring an important core truth: No company, regardless of size or sector, is immune.

Alissa Irei is senior site editor of Informa TechTarget's SearchSecurity site.
