Ransomware in Indian manufacturing: inside the 34% surge
Twelve incidents analysed — initial access vectors, dwell times, and the controls that failed. With a hardening checklist mapped to CERT-In advisories.
1 June 2026 · 18 min read · Dataspace Research
Across the twelve manufacturing incidents Dataspace responded to or analysed in the past year, one pattern repeats: the attack did not begin at the plant. It began at an internet-facing service the IT team had stopped thinking about — a VPN concentrator two patches behind, a vendor-support portal with shared credentials, an RDP jump box that predated the current CISO.
Initial access: the unglamorous perimeter
Nine of twelve incidents started with exposed remote-access infrastructure or credential reuse; only one involved a genuine zero-day. Median dwell time before encryption was 11 days — enough time for detection, if telemetry from the IT/OT boundary had reached anyone who could act on it.
Why manufacturing pays
Attackers price downtime in crores per shift, and they know the sector's recovery posture: flat networks between corporate IT and the shop floor, backups reachable from the same domain, and insurance policies that make negotiation rational. Segmentation — not endpoint tooling — was the control whose absence most reliably predicted a plant stoppage.
The checklist
The full report includes a 22-point hardening checklist mapped to CERT-In advisories: remote-access inventory and MFA, IT/OT segmentation verification, offline backup drills, and the six detection rules that would have caught eleven of the twelve intrusions during dwell time. Request the full PDF via the contact page.
This research comes from real engagements.
The consultants who wrote it run the assessments and the platform behind it. Bring us the question your board is asking.
