Navigating the 2025 Food and Agriculture Sector Ransomware Landscape
- Kaitlyn Palatucci
- Feb 18
Updated: Feb 20
In food and agriculture, "just-in-time" delivery is the pulse of the industry. The Food and Ag-ISAC’s 2025 Ransomware Report sheds light on how this complex, interconnected supply chain is being attacked by ransomware actors.
The Food and Ag-ISAC, in partnership with the IT-ISAC, has been tracking the evolution of these ransomware threats since 2020. Our database now holds over 15,000 recorded incidents, providing a clear picture of the current threat landscape. The following is an overview of key takeaways from our 2025 Food and Agriculture Ransomware Report.
An Overview of Ransomware in the Food and Agriculture Sector
Last year showed a marked escalation in ransomware activity overall. We tracked 6,377 incidents across all sectors, an 82% increase over the 3,508 tracked in 2024.
In the food and agriculture sector specifically, we recorded 265 attacks. This accounts for 4.2% of total recorded ransomware incidents. Because of the sector's interconnected supply chains, there is always the concern that a single disruption to a supplier can ripple across the entire sector, causing significant spoilage and economic losses. Fortunately, the sector continues to show resilience in the face of these attacks.
The Food and Agriculture Industry’s Top Ransomware Threat Actors
Ransomware groups tend to be opportunistic in their attacks. They scan for any open door, regardless of industry. However, our 2025 data shows that ransomware group CL0P has a notable preference for the sector, with 9.3% of their total attacks hitting food and agriculture companies.
The top five ransomware groups for the sector in 2025 were the following:
- Qilin: The dominant force in 2025, using Rust-based tools for cross-platform speed.
- Akira: Rapidly ascending by targeting IT service infrastructure.
- CL0P: Known for mass-exploiting zero-day vulnerabilities in file transfer platforms.
- Play: A closed cell known for high operational security.
- Lynx: An active group specializing in double-extortion.
Exploited Vulnerabilities in 2025
2025 saw the rapid exploitation of critical software flaws. High-impact vulnerabilities in platforms like Citrix NetScaler, Fortinet, Ivanti, and Microsoft SharePoint allowed attackers to bypass authentication and execute code before patches could be applied.
Of particular note was the GoAnywhere MFT vulnerability (CVE-2025-10035), which received a CVSS score of 10.0, highlighting the extreme risk to managed file transfer systems.
Predictions for Ransomware in 2026
Our research points to four major trends that will define the food and agriculture ransomware landscape in the coming year:
Fragmentation of Groups: The big brands of ransomware are being replaced by smaller, more agile cells. These groups have shorter lifespans, making them harder for law enforcement to track and sanction.
The Return of DDoS: Attackers are layering distributed denial-of-service (DDoS) attacks on top of data breaches. Even if you can restore from backups, a DDoS attack can keep your customer portals and logistics APIs offline, forcing you back to the negotiating table.
"Under the Visor" Attacks: Expect continued focus on hypervisors (like VMware ESXi) and SaaS providers. By hitting the underlying infrastructure, one attack can take down hundreds of victim networks simultaneously.
AI-Powered Social Engineering: 2026 will see the rise of AI and deepfakes. Hyper-realistic voice and video clones of CEOs or IT Directors are now being used to bypass multi-factor authentication (MFA) via urgent, fake phone calls.
As these threats become more sophisticated, defenses must evolve.
Organizations should prepare for multi-vector attacks, continue to implement Zero Trust identity, and review, exercise and update incident response plans. Food and agriculture companies, like all critical infrastructure sector companies, face a complex threat environment. By actively engaging with industry peers and consuming actionable threat intelligence, companies can make informed decisions on how to best protect their enterprise.
Want to dive deeper into the data? Grab your copy of our public ransomware report for the sector today here.