Ransomware Gangs Pivot to Critical Infrastructure After Crackdowns on Consumer Targets

Cybercriminal organizations that spent years targeting hospitals, schools, and small businesses with ransomware attacks have shifted their focus toward energy grids, water treatment systems, and transportation networks, according to a new threat intelligence report released Tuesday by the Halcyon Cybersecurity Research Group.

The report, which analyzed more than 3,400 confirmed ransomware incidents over an 18-month period, found that attacks on critical infrastructure increased by 67 percent year over year, while attacks on consumer-facing healthcare and education institutions declined by roughly a third during the same period.

Analysts attribute the shift in part to intensified law enforcement pressure on gangs targeting institutions that generate immediate public sympathy, as well as to legislative changes in several countries that imposed strict breach notification requirements on healthcare providers — making attacks on hospitals more legally complicated for affiliates operating in certain jurisdictions.

“Hospitals got loud. Every ransomware attack became a headline and a congressional hearing,” said Yusuf Adeyemi, senior threat intelligence analyst at the Halcyon group. “Critical infrastructure is quieter. Utilities do not hold press conferences. They negotiate in the dark.”

The shift carries compounding risks. Critical infrastructure operators are frequently bound by legacy industrial control systems that cannot be easily patched or replaced, creating durable vulnerabilities that sophisticated attackers can exploit repeatedly. Many of these systems were designed in an era before network connectivity was standard, and their integration into modern IT environments was carried out without the security architecture those integrations now require.

One incident detailed in the report involved an unnamed regional power cooperative that paid a substantial ransom after attackers encrypted operational technology systems controlling substation switching. Investigators found the intruders had maintained persistent access for more than four months before activating the payload, a timeline that suggests careful reconnaissance rather than opportunistic intrusion. The cooperative’s security team had no visibility into the operational technology network during that period, a gap that forensic analysts described as unfortunately common across the sector.

“This is not smash and grab anymore,” said Mirela Voss, a former national cybersecurity official now working in the private sector. “These groups are spending weeks mapping networks, identifying the exact systems that will cause the most disruption, and timing their moves for maximum leverage.”

The report also documents growing use of double and triple extortion tactics, in which attackers not only encrypt systems but exfiltrate sensitive operational data and threaten to share it with foreign intelligence services or release it publicly if ransoms are not paid. In the water sector, stolen operational data can include chemical dosing formulas and network topology maps — information that carries obvious security implications beyond the immediate ransom demand.

Governments have responded with a mix of indictments, sanctions, and seizure operations targeting ransomware infrastructure. Several high-profile disruptions have temporarily degraded the operational capacity of specific groups, but analysts say the distributed, affiliate-based structure of modern ransomware operations makes decisive disruption difficult. Taking down a gang’s administrative leadership rarely eliminates the technical infrastructure or the pool of operators who can reconstitute under a new brand within weeks.

The Halcyon report recommends that critical infrastructure operators accelerate network segmentation projects to isolate operational technology from information technology systems, implement zero-trust architectures, and participate more actively in government-run threat sharing programs that provide early warning of emerging attack patterns.
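The segmentation recommendation above is only useful if an operator can verify that the IT/OT boundary actually holds. The following Python script is an added example, not code from the Halcyon report or any named vendor: it audits flow records against a small allowlist so that any connection from the corporate IT zone into the operational technology zone that does not pass through an approved jump host on an approved port is reported as a segmentation violation. The zone address ranges, the allowlist, and the flow records are all constructed for the illustration; the ICS ports used in the sample (502 for Modbus/TCP, 44818 for EtherNet/IP) are real protocol defaults.

```python
"""Audit flow records for IT-to-OT traffic that violates a segmentation policy.

Added example (not from the Halcyon report). Zones, allowlist and sample
flows are constructed; adapt them to the real network before use.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed zone definitions (assumed addressing, not from the report).
ZONES = {
    "it_corporate": ip_network("10.10.0.0/16"),
    "dmz_jump": ip_network("10.20.5.0/24"),      # hardened jump hosts
    "ot_control": ip_network("192.168.100.0/24"),  # PLCs, HMIs, RTUs
}

# The only inbound paths into OT that policy permits:
# (source zone, destination zone, destination port). Everything else is a violation.
ALLOWED = {
    ("dmz_jump", "ot_control", 22),    # SSH from jump host
    ("dmz_jump", "ot_control", 3389),  # RDP from jump host
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dst_port: int
    proto: str


def zone_of(addr: str) -> str:
    """Map an address to its zone name, or 'unknown' if it matches no zone."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "unknown"


def parse_flow(line: str) -> Flow:
    """Parse one constructed record of the form src,dst,dst_port,proto."""
    src, dst, port, proto = line.strip().split(",")
    return Flow(src, dst, int(port), proto.lower())


def audit(lines) -> list:
    """Return (flow, src_zone, dst_zone) for every flow into OT not on the allowlist.

    Traffic that stays inside OT, or that never enters OT, is out of scope here.
    Sources in 'unknown' zones are deliberately not allowlisted, so they are flagged.
    """
    violations = []
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        flow = parse_flow(line)
        src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
        if dst_zone != "ot_control" or src_zone == "ot_control":
            continue
        if (src_zone, dst_zone, flow.dst_port) not in ALLOWED:
            violations.append((flow, src_zone, dst_zone))
    return violations


def offenders(violations) -> dict:
    """Count violations per source address, to prioritise follow-up."""
    counts: dict = {}
    for flow, _, _ in violations:
        counts[flow.src] = counts.get(flow.src, 0) + 1
    return counts


# Constructed sample flows: src,dst,dst_port,proto
SAMPLE_FLOWS = """\
# workstation talking Modbus straight to a PLC: violation
10.10.4.17,192.168.100.21,502,tcp
# jump host SSH into OT: permitted
10.20.5.3,192.168.100.21,22,tcp
# workstation talking EtherNet/IP to a PLC: violation
10.10.8.200,192.168.100.45,44818,tcp
# OT-internal traffic: out of scope
192.168.100.21,192.168.100.22,502,tcp
# IT-internal traffic: out of scope
10.10.4.17,10.10.9.1,445,tcp
"""

if __name__ == "__main__":
    found = audit(SAMPLE_FLOWS.splitlines())
    for flow, src_zone, dst_zone in found:
        print(f"VIOLATION {src_zone}->{dst_zone} "
              f"{flow.src} -> {flow.dst}:{flow.dst_port}/{flow.proto}")
    print("per-source counts:", offenders(found))
```

Run against exported flow logs from the boundary firewall or a network tap, the same check turns the report's dwell-time problem into a measurable signal: any IT-originated session reaching control-system ports outside the approved jump path is exactly the kind of reconnaissance traffic the cooperative described above had no visibility into.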

Regulators are watching closely. New minimum cybersecurity standards for critical infrastructure operators are under development in several countries, though industry groups have urged officials to ensure requirements are technically achievable given the age and complexity of many existing systems. Several operators have argued that rushed compliance mandates could divert resources from the targeted security improvements that would most effectively reduce actual risk. Cybersecurity officials have signaled they are open to phased implementation timelines for the most resource-constrained operators, provided those entities can demonstrate measurable progress against defined benchmarks.
