Cyble Report 2025: Ransomware Attacks on Transport & Logistics Surge, Disrupt Global Supply Chains
2026-01-06
Cyble released its Transport & Logistics Threat Landscape Report 2025, revealing a sharp escalation in cyber threats targeting one of the most critical pillars of global commerce. The report documents a record 283 ransomware attacks against transport and logistics organizations—more than the combined total of attacks observed in 2023 and 2024—alongside major data breaches, destructive hacktivist campaigns, and a thriving underground market for compromised network access.
The comprehensive analysis highlights how cybercriminals increasingly exploit the sector’s low tolerance for downtime, operational technology dependencies, and globally interconnected supply chains to maximize disruption and financial gain.
“The transport and logistics sector has become a prime target for cybercriminals because operational disruption translates directly into economic and societal impact,” said Daksh Nakra, Senior Manager of Research and Intelligence at Cyble. “In 2025, we observed ransomware campaigns capable of crippling airlines, shipping firms, and ground logistics providers within hours, often by exploiting a single vulnerability across dozens of organizations.”
Ransomware Campaigns Reach Unprecedented Scale
Cyble researchers observed 283 ransomware victims across the transport and logistics sector in 2025, with attacks maintaining consistent volume throughout the year. A small group of highly active ransomware operations accounted for the majority of incidents.
Dominant Ransomware Groups:
● CL0P – 68 attacks (24% of total), executing large-scale, campaign-driven exploitation
● Qilin – 43 attacks (15%), maintaining sustained pressure throughout the year
● Akira – 29 attacks (10%)
● Play – 20 attacks (7%)
Together, these four groups were responsible for 57% of all ransomware activity targeting the sector, demonstrating the outsized impact of a limited number of sophisticated Ransomware-as-a-Service operations.
Land Transport Most Impacted, Public Infrastructure at Risk
Ransomware activity disproportionately impacted land-based operations, accounting for nearly three out of every four attacks, with logistics and freight services emerging as the most targeted sub-sector. Airlines, maritime shipping firms, trucking companies, rail operators, and even public transit authorities were affected, underscoring the systemic risk to both commercial and public infrastructure.
Major Data Breaches Expose Millions of Records
The report documents a fragmented but highly active data breach ecosystem, where both persistent threat actors and opportunistic sellers leaked or sold sensitive data throughout the year.
Notable incidents include:
● A breach affecting approximately 6 million Qantas customers, exposing personal information such as names, email addresses, and frequent flyer numbers
● An alleged logistics platform breach involving over 7 million user records offered for sale on underground forums
● Multiple courier and postal service data leaks across Europe and Asia, exposing customer PII and operational data
Government agencies, airlines, and supply chain firms were repeatedly targeted due to the high value of the data they process.
Underground Access Markets and Cyber-Enabled Cargo Theft
Cyble’s analysis identified a highly fragmented underground market for compromised network access, where dozens of actors sold VPN, firewall, and internal system access to transport and logistics organizations. These accesses often served as the initial foothold for ransomware deployment, espionage, or financially motivated attacks.
Emerging tactics also included cyber-enabled cargo theft, where attackers leveraged remote monitoring and management tools and weaknesses in GPS and operational technology systems to facilitate physical theft and operational sabotage.
Zero-Day Vulnerabilities Fuel Large-Scale Attacks
The report highlights extensive exploitation of critical zero-day and known exploited vulnerabilities, particularly in perimeter devices and enterprise software. A significant majority of vulnerabilities carried CVSS scores of 9.0 or higher, enabling unauthenticated remote code execution and rapid lateral movement within networks.
Vendors most frequently affected included Microsoft, Cisco, Fortinet, Apple, Ivanti, and Citrix, reflecting threat actors’ focus on widely deployed enterprise technologies.
Geopolitical Hacktivism Disrupts Aviation and Logistics
Hacktivist activity reached unprecedented levels in 2025, with over 40,000 data leak and dump posts impacting more than 44,000 unique domains globally. The transport and logistics sector was repeatedly targeted in campaigns driven by geopolitical conflicts, including a destructive cyberattack against a major Russian airline that resulted in flight cancellations and large-scale infrastructure damage.
Key Takeaways
● Ransomware attacks against transport and logistics organizations more than doubled, driven by campaign-style exploitation of shared vulnerabilities.
● Cyber incidents increasingly blurred the line between digital and physical risk, enabling operational disruption and cargo theft.
● A diverse mix of ransomware groups, access brokers, and hacktivists targeted the sector.
● Zero-day vulnerabilities in perimeter and enterprise technologies served as primary attack vectors.



