Cybersecurity | 10 min read

Ransomware in OT environments - risks, detection and response strategy

OT-specific ransomware risks - IT-OT attack vectors, industrial process impact, detection and response strategy for critical infrastructure.

Józef Sulwiński
Tags: ransomware, OT security, incident response, ICS

Ransomware in IT environments encrypts data and demands a ransom. Ransomware in OT environments can halt production, disrupt energy supply, or create unsafe conditions in an industrial process. The difference is not one of degree - it is one of kind. The consequences of a ransomware attack on industrial infrastructure extend far beyond downtime cost and ransom - they affect human safety, supply continuity, and physical process stability.

In 2024, Dragos reported that 70% of ransomware incidents affecting OT operations originated in the IT network and spread to OT due to insufficient segmentation. This means that for most industrial organizations, defending OT against ransomware begins with securing the IT-OT boundary. At the same time, the number of ransomware groups targeting the industrial sector grew by 50% year over year - not because they developed OT-specific malware, but because they discovered how high the ransoms organizations are willing to pay when production is down.

Why OT is particularly vulnerable to ransomware

Systems that cannot be easily patched

PLCs, DCS systems, HMI operator stations - many of them run on unsupported operating systems (Windows XP, Windows 7, Windows Server 2008). Security updates are unavailable, and even if they were, they require validation with the control system vendor and a maintenance window that may occur once per quarter or once a year during a planned shutdown.

The problem runs deeper than the operating system itself. SCADA and DCS software often requires a specific Windows version with specific patch levels. An OS update can cause incompatibility with control software - and production downtime from a failed update is just as costly as a ransomware attack.

Flat segmentation or none at all

In many plants, the OT network is a single large segment in which engineering workstations, historian servers, HMIs, and PLCs communicate freely. Ransomware that gains access to any point in such a network spreads to every device with a vulnerable operating system. Intermediate systems that connect to both IT and OT - historians, SCADA servers, jump hosts - are particularly exposed.

Limited monitoring

OT networks are rarely covered by SIEM/EDR-class monitoring. The lack of visibility means attackers can operate in the OT network for weeks or months without detection. In IT networks, the average intruder dwell time has dropped to roughly two weeks; in OT networks, it is frequently 90 days or more.

Infrequent backups

Backups of PLC configurations, SCADA projects, and control system settings are often not performed regularly. If these are encrypted, recovery may require weeks of engineering work, assuming anyone remembers the exact configuration. Many organizations discover backup gaps only during an incident.

Pressure for production continuity

Industrial organizations operate under enormous continuity pressure. An hour of downtime at a refinery, smelter, or pharmaceutical plant costs hundreds of thousands to millions of dollars. This pressure makes organizations willing to pay ransoms, making the OT sector an attractive target for ransomware groups.

Attack vectors - how ransomware reaches OT

Vector | Description | Frequency | Time to OT impact
IT-to-OT lateral movement | Phishing in IT, pivot to OT via lack of segmentation | Most common (70%) | Hours to days
Remote access VPN | Stolen credentials to VPN without MFA | Common | Hours
Supply chain | Infected update from control system vendor | Increasing | Days to weeks
USB/removable media | USB drive with malware carried into OT network | Less frequent but effective | Minutes
Direct internet exposure | OT systems exposed to the internet (misconfiguration) | Less common | Minutes

Reference cases

The Colonial Pipeline case (2021) illustrates the most common scenario: the DarkSide ransomware attack hit IT systems, but the organization chose to shut down OT operations out of concern about spreading. Result: a five-day fuel supply disruption on the US East Coast. A 4.4 million dollar ransom was paid, but indirect losses were many times greater.

The Norsk Hydro case (2019): LockerGoga ransomware encrypted both IT and OT systems simultaneously. The aluminum manufacturer switched to manual control for several weeks. Costs: over 70 million dollars. The organization publicly refused to pay the ransom and restored systems from backups - but the process took months.

The JBS case (2021): REvil attack on the world’s largest meat producer. Production in Australia, Canada, and the US halted. An 11 million dollar ransom was paid within days - pressure on food supply chain continuity left no room for lengthy restoration.

WARNING

The decision to shut down OT in response to an IT incident (as with Colonial Pipeline) can be as destructive as the attack itself. Organizations that have not pre-analyzed IT-OT isolation procedures make this decision under time pressure without fully understanding the consequences. Prepare decision trees in advance.

OT systems particularly vulnerable to ransomware

Not all elements of the OT environment are equally susceptible. Ransomware primarily targets systems running Windows:

  • Historian servers - store process data, often Windows Server, connected to both IT and OT
  • SCADA servers - manage communication with field devices
  • HMI stations - operator interface, typically Windows 7/10
  • Engineering workstations - used for PLC programming, often with internet access
  • MES systems - link production planning to automation, the IT-OT middle layer

PLCs and RTUs with dedicated firmware (non-Windows) are not directly encrypted by ransomware, but can lose connectivity to an encrypted SCADA server, leading to failsafe mode operation or process shutdown.

Detecting ransomware in OT environments

Early indicators (pre-encryption)

Most ransomware attacks have a reconnaissance and lateral movement phase lasting hours to weeks before encryption begins. Detecting these phases provides time to respond:

  • Unusual network traffic - port scanning, LDAP queries, network share access from atypical sources
  • Administrative tool usage - PsExec, PowerShell remoting, WMI from stations that do not normally use them
  • Active Directory changes - new account creation, addition to privileged groups
  • Security disabling - Windows Defender service stopped, logging disabled, group policy modifications
  • Data exfiltration - unusual outbound data volume (double extortion)
  • Shadow copy deletion - vssadmin delete shadows is one of the last steps before encryption

OT-specific indicators

  • New connections - an engineering workstation connects to a PLC it has never communicated with before
  • OT traffic anomalies - unusual write commands to controllers
  • Configuration changes - PLC program modification outside a planned maintenance window
  • Increased network traffic - data exfiltration before encryption
  • Communication with unknown addresses - traffic from the OT network to external addresses (C2)

Tools

OT-specific monitoring (Claroty, Nozomi Networks, Dragos Platform, Tenable.ot) complements traditional SIEM/EDR with visibility into industrial protocols. Correlating alerts from both domains (IT and OT) significantly reduces detection time.

TIP

Configure alerts for any communication attempts from the OT network to the internet. In a properly configured environment, such traffic should not exist. Every such attempt is a strong signal that something is wrong - whether a misconfiguration or malicious software activity.
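The indicator lists above and the tip about OT-to-internet traffic describe what to look for but not how a correlation rule applies them. The following Python is an added example written for this article, not code from SEQRED or from any monitoring product. It runs the early (pre-encryption) indicators and the OT-specific indicators over constructed flow records and process-creation events. The baseline conversation set, host addresses, the set of hosts allowed to write to controllers, the Modbus write function codes, and the command-line patterns are all assumptions chosen for illustration; a real deployment would take the baseline from the OT monitoring tool's asset inventory.

```python
import ipaddress
import re
from dataclasses import dataclass

# --- Constructed baseline and policy (assumptions, not from the article) ---
# Conversations seen during a quiet baseline period, keyed by
# (source IP, destination IP, protocol).
BASELINE_CONVERSATIONS = {
    ("10.20.1.10", "10.20.5.1", "modbus"),   # EWS-01   -> PLC-LINE1
    ("10.20.1.10", "10.20.5.2", "modbus"),   # EWS-01   -> PLC-LINE2
    ("10.20.2.20", "10.20.5.1", "modbus"),   # SCADA-01 -> PLC-LINE1
    ("10.20.2.20", "10.20.5.2", "modbus"),   # SCADA-01 -> PLC-LINE2
}
# Hosts that legitimately write to controllers (engineering station, SCADA server).
WRITE_CAPABLE_HOSTS = {"10.20.1.10", "10.20.2.20"}
# Modbus function codes that change controller state (5, 6, 15, 16).
MODBUS_WRITE_FCS = {5, 6, 15, 16}
# Address space the plant uses internally; anything else counts as "external".
# Checked explicitly rather than via ipaddress.is_private, which also treats
# documentation ranges such as 203.0.113.0/24 as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Command-line patterns matching the early (pre-encryption) indicators.
PRE_ENCRYPTION_PATTERNS = [
    ("shadow copy deletion", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("remote admin tool (PsExec)", re.compile(r"psexec(64)?(\.exe)?", re.I)),
    ("PowerShell remoting", re.compile(r"Enter-PSSession|Invoke-Command", re.I)),
    ("Defender service stopped", re.compile(r"(sc(\.exe)?\s+stop|Stop-Service)\s+WinDefend", re.I)),
]


@dataclass(frozen=True)
class Alert:
    severity: str
    host: str
    reason: str


def is_external(ip: str) -> bool:
    """True when the address lies outside the plant's internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def check_flow(flow: dict) -> list:
    """Apply the OT-specific indicators to one network flow record."""
    alerts = []
    src, dst, proto = flow["src"], flow["dst"], flow["proto"]
    if is_external(dst):  # the tip: OT-to-internet traffic should not exist
        alerts.append(Alert("high", src, f"OT host contacted external address {dst} (possible C2/exfiltration)"))
    if proto == "modbus":
        if (src, dst, proto) not in BASELINE_CONVERSATIONS:  # new conversation with a controller
            alerts.append(Alert("medium", src, f"new conversation with controller {dst} not in baseline"))
        if flow.get("fc") in MODBUS_WRITE_FCS and src not in WRITE_CAPABLE_HOSTS:  # unusual write
            alerts.append(Alert("high", src, f"write function code {flow['fc']} to {dst} from a non-engineering host"))
    return alerts


def check_process_event(event: dict) -> list:
    """Match a process-creation command line against the pre-encryption indicators."""
    for label, pattern in PRE_ENCRYPTION_PATTERNS:
        if pattern.search(event["cmdline"]):
            return [Alert("high", event["host"], f"{label}: {event['cmdline']}")]
    return []


def scan(flows, events) -> list:
    """Correlate IT-side process events and OT-side flows into one alert list."""
    alerts = []
    for flow in flows:
        alerts.extend(check_flow(flow))
    for event in events:
        alerts.extend(check_process_event(event))
    return alerts


# --- Constructed sample telemetry ---
SAMPLE_FLOWS = [
    {"src": "10.20.1.10", "dst": "10.20.5.1", "proto": "modbus", "fc": 3},       # EWS read: in baseline
    {"src": "10.20.1.10", "dst": "10.20.5.1", "proto": "modbus", "fc": 16},      # EWS write: allowed host
    {"src": "10.20.3.30", "dst": "10.20.5.2", "proto": "modbus", "fc": 16},      # HMI-03 writes to a PLC it never used
    {"src": "10.20.2.20", "dst": "203.0.113.7", "proto": "tcp", "dport": 443},   # SCADA server to the internet
]
SAMPLE_EVENTS = [
    {"host": "HIST-01", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "EWS-01", "cmdline": "C:\\Program Files\\Vendor\\Studio.exe project.ap"},
    {"host": "JUMP-01", "cmdline": "PsExec64.exe \\\\HMI-02 cmd.exe"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_FLOWS, SAMPLE_EVENTS):
        print(f"[{alert.severity.upper()}] {alert.host}: {alert.reason}")
```

Run against the sample data, the HMI-03 flow raises two alerts (new conversation and a write from a host that should not write), the SCADA-to-internet flow one, and two of the three process events one each; the legitimate engineering reads and writes stay silent because the baseline and the write allowlist model normal plant behaviour rather than a generic threshold.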

Ransomware response strategy for OT

Phase 1: Identification and containment

Critical decision: Should the OT network be isolated from IT?

Isolation prevents spreading but can also cut access to systems needed for safe process management (e.g., a historian providing data to the operator). Every organization should have this decision analyzed in advance, with a clear decision tree considering:

  • Can the process safely continue without IT connectivity?
  • Do safety systems (SIS) operate autonomously?
  • Can operators manage the process in manual mode?
  • How long can the process run in degraded mode?

OT containment checklist:

  • Disconnect VPN and remote access to the OT network
  • Disconnect IT-OT links at the firewall (not physically, unless necessary)
  • Maintain internal OT connections if the process must continue
  • Do not restart PLCs - they may lose RAM-resident configuration
  • Preserve evidence (logs, memory copies, disk images) before they are overwritten
  • Notify the OT team and process engineers
  • Initiate regulator communication procedure (if critical infrastructure)
  • Do not communicate with the attacker without legal and IR expert consultation

Phase 2: Scope assessment

Determine which systems have been encrypted and which may have been compromised but not yet encrypted:

  • IT systems: servers, workstations, Active Directory, backup
  • Intermediate systems: historian, jump host, SCADA server, MES
  • OT systems: HMI, engineering workstations, PLCs

For PLCs, check configuration integrity - compare current logic with backup. If you have no backup, engage process engineers to verify correct operation. Also verify that safety system (SIS) logic has not been modified.

Phase 3: Eradication and recovery

The recovery sequence in an OT environment differs from IT:

  1. First: safety systems (SIS) - verify they are functioning correctly
  2. Next: PLCs and DCS - confirm control logic integrity
  3. Then: HMIs and operator stations - restore from a clean image
  4. After that: intermediate systems (historian, SCADA server) - restore from backup
  5. Finally: restore controlled IT-OT connectivity after confirming IT is clean

Each step requires verification before moving to the next. Rushing recovery can lead to reinfection.
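Phase 2 asks for a comparison of current PLC logic against backup, and Phase 3 orders recovery by tier with verification before each step. The following Python is an added example for this article, not SEQRED's or any vendor's tooling: it builds an offline baseline manifest of SHA-256 hashes from exports taken at the last maintenance window, classifies exports collected during the incident as unchanged, modified, missing, or unexpected, and turns the findings into a queue ordered by the recovery sequence (SIS first). The file names, tiers, and the byte strings standing in for PLC, SIS, HMI, and SCADA exports are constructed assumptions.

```python
import hashlib
from dataclasses import dataclass

# Recovery order from the Phase 3 sequence: lower tier is verified first.
TIER_SIS, TIER_CONTROL, TIER_HMI, TIER_INTERMEDIATE = 1, 2, 3, 4


@dataclass(frozen=True)
class Artifact:
    name: str     # hypothetical export file name
    tier: int     # recovery tier of the system the export belongs to
    sha256: str   # hash recorded at the last planned maintenance window


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(exports: dict) -> dict:
    """Offline baseline: export name -> Artifact. Built while the plant is known-good."""
    return {name: Artifact(name, tier, sha256_hex(data)) for name, (tier, data) in exports.items()}


def compare(manifest: dict, current: dict) -> dict:
    """Classify each baseline artifact against a fresh export taken during the incident."""
    report = {"unchanged": [], "modified": [], "missing": [], "unexpected": []}
    for name, artifact in sorted(manifest.items(), key=lambda kv: (kv[1].tier, kv[0])):
        if name not in current:
            report["missing"].append(name)       # e.g. the station was encrypted and cannot export
        elif sha256_hex(current[name]) != artifact.sha256:
            report["modified"].append(name)      # logic differs from the maintenance-window copy
        else:
            report["unchanged"].append(name)
    report["unexpected"] = sorted(set(current) - set(manifest))  # files with no baseline at all
    return report


def recovery_queue(manifest: dict, report: dict) -> list:
    """Findings that need engineering action, ordered by recovery tier (SIS first)."""
    queue = [(manifest[name].tier, name, status)
             for status in ("modified", "missing") for name in report[status]]
    return sorted(queue)


def tier_verified(manifest: dict, report: dict, tier: int) -> bool:
    """Gate between recovery steps: True only if no artifact of this tier is modified or missing."""
    return not any(t == tier for t, _, _ in recovery_queue(manifest, report))


# Constructed sample exports (tier, bytes); real exports are PLC projects, SIS logic, HMI projects.
BASELINE_EXPORTS = {
    "SIS-01_logic.bin":      (TIER_SIS,          b"SIS logic v7: trip on PT-101 > 42 bar"),
    "PLC-LINE1_program.bin": (TIER_CONTROL,      b"LINE1 ladder rev 12"),
    "PLC-LINE2_program.bin": (TIER_CONTROL,      b"LINE2 ladder rev 9"),
    "HMI-02_project.zip":    (TIER_HMI,          b"HMI-02 screens rev 3"),
    "SCADA-01_config.xml":   (TIER_INTERMEDIATE, b"<scada tags=1200/>"),
}
MANIFEST = build_manifest(BASELINE_EXPORTS)

# Constructed exports collected during the incident.
CURRENT_EXPORTS = {
    "SIS-01_logic.bin":          b"SIS logic v7: trip on PT-101 > 42 bar",  # unchanged
    "PLC-LINE1_program.bin":     b"LINE1 ladder rev 12 (edited)",            # modified outside a maintenance window
    "PLC-LINE2_program.bin":     b"LINE2 ladder rev 9",                      # unchanged
    # HMI-02_project.zip is absent: the station was encrypted and could not export
    "SCADA-01_config.xml":       b"<scada tags=1200/>",                      # unchanged
    "PLC-LINE1_program_new.bin": b"LINE1 ladder rev 13?",                    # unexpected extra file
}

if __name__ == "__main__":
    report = compare(MANIFEST, CURRENT_EXPORTS)
    for tier, name, status in recovery_queue(MANIFEST, report):
        print(f"tier {tier}: {name} is {status}")
    print("SIS tier verified:", tier_verified(MANIFEST, report, TIER_SIS))
```

With the sample data the SIS tier passes its gate, so recovery can move to the controllers, where PLC-LINE1's logic differs from the baseline and must be reviewed by process engineers before the HMI tier (whose export is missing) is restored from a clean image. The manifest only has value if it was captured offline and before the incident, which is the "regular, offline, tested" backup requirement from the prevention list.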

Phase 4: Lessons learned

Every ransomware incident should conclude with a formal post-mortem analysis. Questions to answer:

  • How did the attacker gain initial access? (phishing, VPN, supply chain?)
  • Why did segmentation not prevent spreading to OT?
  • Did monitoring detect the reconnaissance phase? If not, why?
  • How long did recovery take? What caused delays?
  • Were backups complete and current?
  • Did IR procedures work as planned? What needs adjustment?
  • Was crisis communication (internal and external) effective?

Prevention - key mechanisms

The most effective defense against OT ransomware is preventing entry and limiting spread:

  1. IT-OT segmentation with a dedicated DMZ zone - the fundamental mechanism limiting lateral movement
  2. MFA on all access points to the OT network - VPN, jump host, engineering workstations
  3. Controller configuration backup - regular, offline, tested. Covers PLC logic, SCADA configuration, network settings
  4. OT network monitoring - tools specific to industrial protocols, correlated with IT SIEM
  5. HMI/engineering workstation hardening - application whitelisting, USB disabled, privilege restrictions
  6. Ransomware prevention best practices applied consistently across IT and OT
  7. Tabletop exercises - regular ransomware scenario simulations involving IT, OT, and executive teams
  8. Vulnerability management - where patching is possible, prioritize systems at the IT-OT boundary
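Item 1 in the list, IT-OT segmentation with a dedicated DMZ, is only as good as the firewall rules that implement it, and the exception rule that allows a direct IT-to-OT hop or OT-to-internet traffic is exactly the path in the attack vector table. The following Python is an added example for this article (not SEQRED's code and not tied to any firewall product) that audits a rule set against a three-zone model: every allow rule is mapped to the zones its source and destination touch, and any zone pair other than IT-to-DMZ and DMZ-to-OT (in either direction, plus traffic inside a zone) is reported. The zone address ranges and the sample rules are constructed assumptions; the audit evaluates each allow rule on its own and does not model rule ordering or shadowing.

```python
import ipaddress
from dataclasses import dataclass
from itertools import product

# Constructed zone model (assumption): IT, IT/OT DMZ, OT.
ZONES = {
    "IT":  ipaddress.ip_network("10.10.0.0/16"),
    "DMZ": ipaddress.ip_network("10.15.0.0/24"),
    "OT":  ipaddress.ip_network("10.20.0.0/16"),
}
# With a DMZ, traffic crosses the IT-OT boundary in two hops; no direct IT<->OT
# pair and no pair involving anything outside the three zones ("EXTERNAL").
PERMITTED_PAIRS = {
    ("IT", "IT"), ("DMZ", "DMZ"), ("OT", "OT"),
    ("IT", "DMZ"), ("DMZ", "IT"),
    ("DMZ", "OT"), ("OT", "DMZ"),
}


@dataclass(frozen=True)
class Rule:
    rule_id: str
    action: str   # "allow" or "deny"
    src: str      # CIDR
    dst: str      # CIDR
    dport: str    # service port or "any", recorded for the report only


@dataclass(frozen=True)
class Finding:
    rule_id: str
    bad_pairs: tuple  # zone pairs the rule permits that the model forbids


def zones_touched(cidr: str) -> set:
    """Zones a CIDR overlaps; adds EXTERNAL if it is not fully inside one zone."""
    net = ipaddress.ip_network(cidr)
    touched = {name for name, zone in ZONES.items() if net.overlaps(zone)}
    if not any(net.subnet_of(zone) for zone in ZONES.values()):
        touched.add("EXTERNAL")  # covers 0.0.0.0/0, public ranges, and over-broad supernets
    return touched


def audit(rules: list) -> list:
    """Report every allow rule that permits a zone pair outside the DMZ pattern."""
    findings = []
    for rule in rules:
        if rule.action != "allow":
            continue
        bad = sorted(
            (s, d) for s, d in product(zones_touched(rule.src), zones_touched(rule.dst))
            if (s, d) not in PERMITTED_PAIRS
        )
        if bad:
            findings.append(Finding(rule.rule_id, tuple(bad)))
    return findings


# Constructed sample rule set.
SAMPLE_RULES = [
    Rule("R1", "allow", "10.10.0.0/16", "10.15.0.0/24", "443"),   # IT -> DMZ historian replica: fine
    Rule("R2", "allow", "10.15.0.0/24", "10.20.2.0/24", "502"),   # DMZ -> OT SCADA subnet: fine
    Rule("R3", "allow", "10.10.5.0/24", "10.20.1.0/24", "3389"),  # IT admins straight to OT engineering VLAN
    Rule("R4", "allow", "10.20.0.0/16", "0.0.0.0/0", "443"),      # "vendor updates": OT to anywhere
    Rule("R5", "deny",  "0.0.0.0/0",    "0.0.0.0/0", "any"),      # default deny, ignored by the audit
    Rule("R6", "allow", "0.0.0.0/0",    "10.20.0.0/16", "502"),   # Modbus into OT from any source
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES):
        pairs = ", ".join(f"{s}->{d}" for s, d in finding.bad_pairs)
        print(f"{finding.rule_id}: permits forbidden zone pairs {pairs}")
```

R3 is the classic "temporary" remote-administration shortcut, R4 is the OT-to-internet path the detection tip says should not exist, and R6 exposes controllers to every network including the internet; R1 and R2 pass because they follow the two-hop pattern through the DMZ. Running such a check whenever the rule base changes catches the exception before an incident does.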

Prevention priority table

Mechanism | Effectiveness | Implementation cost | Implementation time
IT-OT segmentation (DMZ) | Very high | Medium-high | 2-4 months
MFA on remote access | Very high | Low | 2-4 weeks
OT configuration backup | High | Low | 2-4 weeks
OT network monitoring | High | Medium-high | 2-4 months
Application whitelisting | Medium-high | Medium | 1-3 months
Tabletop exercises | Medium | Low | 1-2 days per exercise

Summary

Ransomware in OT environments is not an IT problem transplanted to a different context - it is a threat with fundamentally different consequences. Response requires understanding the physical process, IT and OT team collaboration, and procedures that balance cybersecurity with process safety. Organizations that prepare for this scenario in advance - building segmentation, deploying monitoring, testing procedures - respond faster and with smaller losses.

SEQRED helps industrial organizations build ransomware resilience - from designing IT-OT segmentation to creating response plans and conducting simulation exercises.
