Full Report
Ransomware attacks targeting the food and agriculture sector jumped by nearly 23% last year with five threat actors — Qilin, Akira, CL0P, Play and Lynx — accounting for nearly half of the attacks as a “more complex” environment threatens critical food lifelines, according to a new report from sector security experts. The Food and Ag…
Analysis Summary
# Incident Report: Annual Surge in Ransomware Targeting Food and Agriculture (2025)
## Executive Summary
The food and agriculture sector saw a 23% year-over-year rise in ransomware attacks in 2025, to 265 recorded incidents. Five groups (Qilin, Akira, CL0P, Play and Lynx) accounted for nearly half of them. The report describes a "strategic adaptation" by these actors: going after the underlying infrastructure (notably the virtualization layer) rather than only endpoints, and using generative AI to scale social engineering.
## Incident Details
- **Discovery Date:** Ongoing (Report released February 2026)
- **Incident Date:** January 1, 2025 – December 31, 2025
- **Affected Organization:** Multiple (Aggregated sector data)
- **Sector:** Food and Agriculture
- **Geography:** Primarily United States (Global implications)
## Timeline of Events
### Initial Access
- **Date/Time:** Throughout 2025
- **Vector:** Phishing, Social Engineering, and Exploitation of known vulnerabilities.
- **Details:** Increasing use of Generative and Agentic AI to refine social engineering lures and identify vulnerable infrastructure.
### Lateral Movement
- **Details:** Threat actors are observed moving from initial IT entry points to OT (Operational Technology) environments, targeting precision agriculture systems and control systems.
### Data Exfiltration/Impact
- **Details:** Double extortion remains the standard; sensitive corporate data and research security information are exfiltrated prior to encryption.
### Detection & Response
- **How it was discovered:** Analysis by the Food and Ag-ISAC and IT-ISAC via incident databases.
- **Response actions taken:** Intelligence sharing across the ISAC member base and legislative review by the House Homeland Subcommittee on Emergency Management and Technology.
## Attack Methodology
- **Initial Access:** Phishing (AI-enhanced), exploitation of edge infrastructure.
- **Persistence:** Not detailed in the report. The fragmentation into smaller, specialized affiliate groups that the report describes concerns how the ransomware ecosystem persists against law enforcement disruption, not host-level persistence.
- **Privilege Escalation:** Not explicitly detailed in the report; standard ransomware TTPs assumed.
- **Defense Evasion:** At the ecosystem level, splintering into smaller "boutique" groups that are harder to track and dismantle than large cartels; host-level evasion techniques are not detailed.
- **Credential Access:** Credential theft via AI-driven social engineering.
- **Discovery:** Scanning for underlying virtual machine infrastructure and precision ag controllers.
- **Lateral Movement:** Pivot from IT to agricultural control systems.
- **Collection:** Targeting of proprietary research and operational data.
- **Exfiltration:** Standard data theft to support extortion.
- **Impact:** Forced downtime of "critical food lifelines," DDoS attacks layered over ransomware, and mass-deletion of virtual machines.
## Impact Assessment
- **Financial:** Not quantified in the report; the sector's 23% rise is part of a broader surge in ransomware against critical infrastructure.
- **Data Breach:** Compromise of research data, business records, and precision agriculture telemetry.
- **Operational:** Disruption of trucking, banking, fertilizer distribution, and harvest activities.
- **Reputational:** Potential for "catastrophic" loss of public trust in food safety and supply chain stability.
## Indicators of Compromise
*Note: This is a sector-wide report and publishes no atomic IOCs (hashes, IPs, domains). The indicators below are categories to map onto current vendor and ISAC reporting for the five named groups.*
- **Network Indicators:** Traffic to command-and-control, exfiltration, and leak-site infrastructure attributed to CL0P, Akira, Qilin, Play, and Lynx.
- **File Indicators:** Ransom notes and encrypted-file extensions used by the "Big Five" variants (e.g., `.akira`, `.Clop`); extensions vary by variant and build, so treat them as examples, not signatures.
- **Behavioral Indicators:** Bulk deletion of virtual machines from the hypervisor or management plane; sustained DDoS traffic concurrent with encryption activity.
## Response Actions
- **Containment measures:** None at the incident level (aggregated data). The Food and Ag-ISAC and IT-ISAC circulated the "strategic adaptation" findings to members so they can adjust detection and controls.
- **Eradication steps:** Not applicable to a sector report; the report's equivalent is a call to secure precision agriculture controllers and research facilities before they are reached.
- **Recovery actions:** Not incident-specific; the report feeds legislative efforts to fund training and resources for agricultural cybersecurity.
## Lessons Learned
- **Key takeaways:** Threat actors are becoming more specialized; smaller groups are harder for authorities to dismantle than large operations.
- **What could have been done better:** Acknowledge that the sector is no longer just a "victim of opportunity" but is being strategically targeted (especially by CL0P).
## Recommendations
- **Harden Infrastructure:** Focus security on underlying virtualization layers to prevent mass VM destruction.
- **AI Awareness:** Implement advanced training for employees to detect AI-generated phishing and social engineering.
- **Hybrid Threat Defense:** Prepare for "multi-layered" attacks where DDoS and ransomware occur simultaneously.
- **Precision Ag Security:** Isolate and encrypt data pathways between precision agriculture sensors and corporate networks.
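As an added example, not code from the report or from either ISAC, the following Python turns the two behavioral indicators listed above (bulk VM deletion; DDoS traffic overlapping destruction or encryption activity) into detection logic over a constructed hypervisor audit log, which is the concrete form the "Harden Infrastructure" and "Hybrid Threat Defense" recommendations take on a SOC. The log line format, the principal and VM names, the five-deletions-in-ten-minutes threshold and the DDoS alert window are all assumptions made for this example; real hypervisor audit events (vCenter, Hyper-V, Proxmox) have their own schemas and would need their own parser.

```python
"""Added example: flag bulk VM destruction in a hypervisor audit log and
check whether the burst overlaps a DDoS mitigation window.

The log format, principals, thresholds and alert windows below are
constructed for this example and are not any vendor's real schema."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit lines: <ISO-8601 UTC> <principal> <action> <vm-name>.
# A backup service deleting two stale VMs hours apart is normal; one admin
# account destroying six production VMs in half a minute at 03:00 is not.
VM_AUDIT_LOG = """\
2025-06-14T02:10:05Z svc-backup VM_DESTROY old-test-01
2025-06-14T02:55:41Z admin.j VM_POWER_OFF erp-db-01
2025-06-14T03:01:02Z admin.j VM_DESTROY erp-db-01
2025-06-14T03:01:09Z admin.j VM_DESTROY erp-app-01
2025-06-14T03:01:15Z admin.j VM_DESTROY erp-app-02
2025-06-14T03:01:20Z admin.j VM_DESTROY scada-hist-01
2025-06-14T03:01:27Z admin.j VM_DESTROY file-srv-01
2025-06-14T03:01:33Z admin.j VM_DESTROY dc-02
2025-06-14T09:30:00Z svc-backup VM_DESTROY old-test-02
"""

# Constructed DDoS mitigation alerts: (start, end, description).
DDOS_ALERTS = [
    ("2025-06-14T02:50:00Z", "2025-06-14T03:40:00Z",
     "volumetric flood against public VPN gateway"),
]

# Assumed tuning: this many destroys by one principal within the window.
THRESHOLD = 5
WINDOW = timedelta(minutes=10)


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse_audit(text):
    """Return (timestamp, principal, action, target) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, principal, action, target = line.split()
        events.append((parse_ts(ts), principal, action, target))
    return sorted(events)


def detect_bulk_destroy(events, threshold=THRESHOLD, window=WINDOW):
    """Sliding-window count of VM_DESTROY events per principal.

    An alert opens when the count within `window` first reaches `threshold`
    and is extended (not re-raised) while the burst continues, so one burst
    yields one alert listing every VM it took out."""
    recent = defaultdict(deque)   # principal -> deque of (ts, target)
    open_alert = {}               # principal -> alert dict being extended
    alerts = []
    for ts, principal, action, target in events:
        if action != "VM_DESTROY":
            continue
        q = recent[principal]
        q.append((ts, target))
        while ts - q[0][0] > window:   # drop events older than the window
            q.popleft()
        if len(q) < threshold:
            continue
        cur = open_alert.get(principal)
        if cur is not None and ts - cur["last"] <= window:
            cur["last"] = ts
            cur["targets"].append(target)
        else:
            cur = {"principal": principal, "first": q[0][0], "last": ts,
                   "targets": [t for _, t in q]}
            open_alert[principal] = cur
            alerts.append(cur)
    return alerts


def overlapping_ddos(alert, ddos_alerts=DDOS_ALERTS):
    """Description of a DDoS window overlapping the destruction burst, else None."""
    for start, end, desc in ddos_alerts:
        if alert["first"] <= parse_ts(end) and alert["last"] >= parse_ts(start):
            return desc
    return None


def run(log=VM_AUDIT_LOG):
    """Detect bursts and annotate each with any concurrent DDoS activity."""
    findings = []
    for a in detect_bulk_destroy(parse_audit(log)):
        findings.append({**a, "concurrent_ddos": overlapping_ddos(a)})
    return findings


if __name__ == "__main__":
    for f in run():
        print(f"{f['principal']}: destroyed {len(f['targets'])} VMs between "
              f"{f['first']:%H:%M:%S} and {f['last']:%H:%M:%S}Z; "
              f"concurrent DDoS: {f['concurrent_ddos'] or 'none'}")
```

Deletion through the management API is only one path: an operator with shell access to the hypervisor can encrypt or remove disk files on the datastore directly, which an audit-log check like this never sees, so pair it with file-change monitoring on the datastores and restrict who can reach the hypervisor management interface at all. Tune the threshold against a baseline of legitimate bulk operations (decommissioning, CI tear-downs) and allow-list those service accounts explicitly rather than raising the threshold for everyone.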