Chaos Ransomware: 36 Victims in March, and Your OT Sector Is Next
- Apr 10
In March 2026, the Chaos ransomware group claimed 36 new victims on its leak site. On its own, a raw statistic. But the target list shows a clear trend that should alert every industrial CISO: construction, manufacturing and business services account for the bulk of the attacks. If you operate in one of these sectors, your name is statistically already on the list of next targets.
Why manufacturing OT has become the favorite playground
Four structural factors explain this targeting:
• Hybrid IT/OT attack surface: less monitored than pure IT, more gray zones.
• Minimal downtime tolerance: immediate financial impact → higher willingness to pay.
• Equipment heterogeneity (PLC, SCADA, industrial sensors) with long patching cycles.
• Poorly secured IT/OT convergence: a compromised office workstation becomes a door to the production network.
The diagnosis in 3 questions to ask yourself
1. Which of your sector peers (same industry, same country) have been victims in the last 90 days?
2. Which MITRE ATT&CK TTPs were observed in these attacks, and which target your tech stack?
3. Which external assets in your perimeter match these TTPs?
If you can't answer these 3 questions in less than 10 minutes, you are in reactive mode, not anticipatory mode.
Victimology: your best early warning signal
Victimology — the systematic analysis of who gets attacked, by whom, how, and why — has become one of the most powerful risk indicators for anticipating your own exposure. Concretely: if Chaos targets 12 American manufacturers with a particular TTP in March, and you are a Canadian manufacturer with the same tech stack, you have a window of a few weeks before being targeted in turn. This window is your action window.
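The three diagnostic questions above, worked through as an added example (not code from the original post or from any vendor product). The claim records, actor names, hostnames, peer-country set and the mapping of assets to ATT&CK techniques are all constructed assumptions.

```python
from collections import Counter, namedtuple
from datetime import date, timedelta

Claim = namedtuple("Claim", "actor industry country claimed ttps")
# Constructed sample claims (not real leak-site data); actor names are placeholders.
# T1133 External Remote Services, T1078 Valid Accounts, T1190 Exploit
# Public-Facing Application, T1566 Phishing, T1486 Data Encrypted for Impact.
CLAIMS = [
    Claim("group-a", "manufacturing", "US", date(2026, 3, 28), {"T1133", "T1078", "T1486"}),
    Claim("group-a", "manufacturing", "US", date(2026, 3, 5), {"T1133", "T1486"}),
    Claim("group-b", "manufacturing", "CA", date(2026, 2, 1), {"T1190", "T1486"}),
    Claim("group-a", "construction", "US", date(2026, 3, 20), {"T1566", "T1486"}),
    Claim("group-b", "manufacturing", "DE", date(2026, 3, 15), {"T1190", "T1486"}),
    Claim("group-c", "manufacturing", "US", date(2025, 12, 1), {"T1566", "T1486"}),
]
# Assumed own profile and external assets, each tagged with the ATT&CK
# techniques it would expose (hypothetical hostnames).
PROFILE = {"industry": "manufacturing", "countries": {"US", "CA"}}
ASSETS = {"vpn.example.com": {"T1133", "T1078"}, "hmi-gw.example.com": {"T1190"},
          "mail.example.com": {"T1566"}}

def peer_victims(claims, profile, today, days):
    """Question 1: peers (same industry, peer countries) claimed in the window."""
    cutoff = today - timedelta(days=days)
    return [c for c in claims
            if c.industry == profile["industry"]
            and c.country in profile["countries"]
            and cutoff <= c.claimed <= today]

def ttp_frequency(victims):
    """Question 2: number of peer incidents in which each technique was seen."""
    return Counter(t for v in victims for t in v.ttps)

def exposed_assets(assets, ttp_counts):
    """Question 3: rank assets by peer incidents using a technique they expose."""
    ranked = []
    for name, ttps in assets.items():
        hits = sorted(t for t in ttps if ttp_counts[t] > 0)
        if hits:
            ranked.append((sum(ttp_counts[t] for t in hits), name, hits))
    return sorted(ranked, key=lambda r: (-r[0], r[1]))

if __name__ == "__main__":
    today = date(2026, 4, 10)  # constructed "as of" date
    for days in (30, 60, 90):
        print(days, "days:", len(peer_victims(CLAIMS, PROFILE, today, days)), "peer victims")
    peers = peer_victims(CLAIMS, PROFILE, today, 90)
    print(exposed_assets(ASSETS, ttp_frequency(peers)))
```

Assets whose techniques appear in no peer incident (the mail gateway here) drop out of the ranking, which is what turns the victim list into a remediation order.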
How FortaRisks makes victimology actionable
Our CTI module continuously ingests and correlates:
• Public claims from ransomware groups (Chaos, Akira, BlackBasta, LockBit, RansomHub…)
• MITRE ATT&CK TTPs observed in each attack
• The industry, size, and geography of each victim
On your dashboard, you see in real time the victimology filtered on your profile:
• How many organizations in your industry + your country have been victims in the last 30 / 60 / 90 days
• Which actors are active on your target profile
• Which TTPs they use, and which match your known weaknesses
• Which remediation priority this implies this week
Coupled with our EASM's native OT/ICS scanner (15+ industrial ports monitored in read-only mode: Modbus, S7, BACnet, DNP3, OPC UA, EtherNet/IP, IEC-104…), you see both the threat and your specific exposure. No more annual questionnaire, no more skimmed Mandiant PDF. A correlated and actionable view.
Conclusion
36 Chaos victims in March is not a statistic. It's a signal. The next manufacturing CISO who falls can no longer say "we did not know we were targeted". The information is there, public. The question is: do you see it, or are you waiting for the ransomware?
→ See your sector's victimology in the FortaRisks console. Request a demo: https://www.fortarisks.com/en/contactez-nous