The Rising Threat of OT Ransomware: A Wake-Up Call

Colonial Pipeline, operator of about 5,500 miles of pipeline carrying gasoline, diesel, jet fuel and other refined products from Texas to New Jersey, shut down pipeline operations in May 2021 in response to a ransomware attack on its IT network. The line was taken offline on May 7 and restarted on May 12, 2021.

The attack hit the IT side, not the control systems. Colonial halted the pipeline as a precaution, because it could not quickly rule out the infection spreading into OT and because the IT systems it needed to bill for product were down. The company paid a ransom of roughly $4.4 million and still faced days of recovery work while trying to keep essential functions running. Incidents like this can be disastrous for organizations with tight budgets and little specialized staff.

After Colonial, several other ransomware attacks on operating companies were reported in 2021, including the Steamship Authority (the Martha’s Vineyard ferry service), FUJIFILM, and JBS, one of the largest meat processors in the United States. In the first four months of 2024, companies including Omni Hotels and Thyssenkrupp suffered ransomware attacks, and UnitedHealth Group confirmed in April that it had paid a ransom, reported at $22 million, after the Change Healthcare breach in an attempt to protect patient data.


Today’s cyber threats are outpacing traditional security controls in both speed and sophistication. The ReliaQuest 2025 Annual Cyber-Threat Report found that attackers now move laterally just 48 minutes after initial access. More concerning, 60% of hands-on-keyboard intrusions use trusted business tools such as remote management software, which makes them hard to distinguish from legitimate administration.

Investing in the right OT security measures is essential to staying prepared and avoiding the financial consequences of a ransomware attack. In this post we cover what ransomware is, why it targets OT, what makes OT so susceptible, five steps to limit the impact, and a real-world success story.

What is Ransomware?

Ransomware is malicious software that an attacker deploys after gaining a foothold in the target network (through phishing, social engineering, stolen credentials, an exposed remote-access service, and so on). Once running, it traverses local drives and network shares, encrypting everything it can reach with keys that only the attacker can unlock. To get your files back, you are asked to pay a ‘ransom.’ The price of the decryption key ranges from hundreds to thousands, or even millions, of dollars, depending on the attacker and the victim.

Ransomware typically gets in through phishing emails, compromised software or weak network security (such as exposed remote access), then exploits unpatched vulnerabilities on the host it lands on. It scrambles data with strong encryption: usually a symmetric cipher such as AES for the file contents, with that symmetric key in turn wrapped under an RSA public key whose private half only the attacker holds. From the first host it spreads laterally, using file sharing (Server Message Block, SMB) and Remote Desktop Protocol (RDP) connections to reach and encrypt as many systems as possible. The result is data that is unreadable without a decryption key the attacker controls.

Losing access to these critical resources means significant downtime and damage to customer service, production, and revenue. To restore access, the attackers demand a ‘ransom.’ Keep in mind that paying does not guarantee a full recovery, and it marks your organization as a payer, which can invite further attacks.

Ransomware Attacks Are Up, With The Manufacturing Sector Still Under Siege

A ReliaQuest report covering Q4 2024 noted that ransomware activity surged in December, with the highest number of victims recorded in a single month. Average ransom payments rose from $199,000 in 2023 to $1,500,000 in 2024. The report also found that manufacturing was the most targeted sector. “Manufacturing companies are primary targets because of their economic importance, low tolerance for operational downtime, and higher willingness to pay ransoms,” the report states.

Why Ransomware Targets OT

Ransomware has its roots in the scam and extortion corners of the criminal world, but the same tooling can be aimed at large asset owners and organizations, or used to mask other, more damaging activity.

  • Ransomware monetizes the “availability” risk, and it is highly profitable against industrial organizations. Stealing personal information used to be lucrative, but prices for stolen data have fallen sharply as supply has grown. Criminals found a new model: they shifted from the “C” in the Confidentiality-Integrity-Availability triad to the “A.” Industrial organizations cannot operate without availability, so payment tends to be quick and large.

    Cyber insurance has greased the payment process, although that is changing as insurers rewrite their policies, as seen in AXA’s 2021 announcement that it would stop covering ransomware payments in France.

  • Even IT-only attacks can shut down OT operations. OT systems are usually highly susceptible to ransomware, so the first step in most incident response plans is to stop the spread by disconnecting OT from IT. OT systems can cost three to four times as much to restore as IT systems, and restoration can take much longer. Second, operations rarely depend on OT alone: IT systems such as billing or supply-chain software are now necessary to operate effectively, so losing key IT systems can force an OT shutdown as well, which is exactly what happened at Colonial Pipeline.


Why is OT so Susceptible to Ransomware?

  • Most ransomware exploits older vulnerabilities that were never patched. In OT we know there are huge numbers of vulnerable, unpatched systems.
  • Ransomware often gains initial access through network-facing weaknesses (for example, exposed Remote Desktop Protocol, RDP) but then spreads from endpoint to endpoint. Compensating controls, system hardening, vulnerability management and network isolation all play a critical role in limiting the impact and spread of an outbreak.
  • OT ransomware is often very effective because many organizations are not equipped to recognize an incident while it is in progress. Large fleets of legacy, unpatched assets are poorly monitored and supervised by a handful of staff whose job is not cybersecurity.
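The endpoint-to-endpoint spread described above leaves a fingerprint in Windows logon telemetry: one source authenticating to many hosts over RDP (logon type 10) or SMB/network logons (logon type 3) within minutes. The script below is an added example, not code from the original post or from Verve; the event records are constructed to look like Security event 4624 fields, and the window and threshold are assumptions to be tuned per site.

```python
"""Flag sources that fan out over RDP/SMB to many hosts in a short window.

Added example (not from the original post). The events below are
constructed Windows Security 4624 (successful logon) records; in practice
they come from a SIEM or Windows Event Forwarding collector.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Logon types that indicate a remote, network-borne session:
# 3 = network logon (SMB shares, PsExec, WMI), 10 = RemoteInteractive (RDP).
LATERAL_LOGON_TYPES = {3, 10}

# Constructed sample 4624 events: (timestamp, source IP, target host, logon type, account).
SAMPLE_EVENTS = [
    ("2024-04-02T02:10:05", "10.20.5.14", "ENG-WS-07", 10, "svc_backup"),
    ("2024-04-02T02:11:40", "10.20.5.14", "HIST-01", 3, "svc_backup"),
    ("2024-04-02T02:12:12", "10.20.5.14", "HMI-03", 3, "svc_backup"),
    ("2024-04-02T02:13:55", "10.20.5.14", "HMI-04", 10, "svc_backup"),
    ("2024-04-02T02:14:30", "10.20.5.14", "EWS-01", 3, "svc_backup"),
    ("2024-04-02T02:15:01", "10.20.5.14", "SCADA-01", 10, "svc_backup"),
    ("2024-04-02T02:20:00", "10.20.7.3", "HIST-01", 3, "jdoe"),      # normal: one share, one host
    ("2024-04-02T09:00:00", "10.20.7.3", "HMI-03", 10, "jdoe"),      # hours later, not a burst
    ("2024-04-02T02:30:00", "10.20.9.9", "EWS-01", 2, "operator"),   # console logon, ignored
]


def parse_event(raw):
    ts, src, target, logon_type, account = raw
    return {"ts": datetime.fromisoformat(ts), "src": src, "target": target,
            "type": int(logon_type), "account": account}


def detect_fan_out(events, window=timedelta(minutes=10), min_targets=4):
    """Return one alert per source IP that reaches >= min_targets distinct hosts
    over RDP/SMB within `window`. A sliding window per source keeps a slow,
    legitimate day of administration from being merged with a 10-minute burst."""
    by_src = defaultdict(list)
    for ev in map(parse_event, events):
        if ev["type"] in LATERAL_LOGON_TYPES:
            by_src[ev["src"]].append(ev)

    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            in_window = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            targets = {e["target"] for e in in_window}
            if len(targets) >= min_targets:
                alerts.append({
                    "src": src,
                    "first_seen": first["ts"].isoformat(),
                    "targets": sorted(targets),
                    "accounts": sorted({e["account"] for e in in_window}),
                })
                break  # one alert per source is enough to trigger isolation
    return alerts


if __name__ == "__main__":
    for a in detect_fan_out(SAMPLE_EVENTS):
        print(f"ALERT {a['src']} touched {len(a['targets'])} hosts from {a['first_seen']}: "
              f"{', '.join(a['targets'])} as {', '.join(a['accounts'])}")
```

In an OT network the baseline matters more than the threshold: an engineering workstation or backup server legitimately touches many HMIs, so maintain an allowlist of such sources (or a per-role threshold) and treat a new source, a service account used interactively, or activity at an unusual hour as the stronger signal. The alert should feed a playbook that isolates the source host, since the 48-minute breakout time cited earlier leaves little room for manual triage.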

The diagram below illustrates the typical path of ransomware entry into a facility: 

Infographic showing a typical ransomware scenario from IT to OT. The process starts with a malicious entity implanting ransomware via phishing, file introduction, or a malicious website, gaining access to the enterprise IT system. The ransomware exploits vulnerabilities on the receiving host and executes further malicious functions. It then traverses networks with weak access control lists (ACLs) and dual network interface card (NIC) machines to access operational technology (OT) or beyond. The lack of controls within OT sites allows the ransomware to spread across multiple business units, servers, and workstations, adding disruption. Finally, the lack of consistent, tested, offline, secure backups, and good configurations or software makes restoration a highly involved and lengthy process.
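The dual-NIC machines in that path are easy to find once an asset inventory exists: any host with interfaces in more than one zone is a potential bridge. The script below is an added example, not code from the original post or from Verve; the zone CIDRs and the inventory records are constructed, and in practice they would come from the site’s network design and the asset management platform.

```python
"""Find hosts whose interfaces straddle IT and OT address space.

Added example (not from the original post). ZONES and INVENTORY are
constructed; in practice the inventory comes from the asset management
platform and the zone CIDRs from the site's network design.
"""
import ipaddress

# Assumed address plan for one site; adjust to the real zone model.
ZONES = {
    "IT": [ipaddress.ip_network("10.1.0.0/16")],
    "OT-DMZ": [ipaddress.ip_network("10.2.0.0/24")],
    "OT": [ipaddress.ip_network("192.168.10.0/24"), ipaddress.ip_network("192.168.20.0/24")],
}

# Constructed inventory: one record per host with every interface address seen.
INVENTORY = [
    {"host": "HIST-01", "site": "Mill-07", "ips": ["10.2.0.15"]},
    {"host": "EWS-01", "site": "Mill-07", "ips": ["192.168.10.21", "10.1.44.9"]},      # second NIC into IT
    {"host": "HMI-03", "site": "Mill-07", "ips": ["192.168.10.31"]},
    {"host": "VENDOR-LT", "site": "Mill-07", "ips": ["192.168.20.77", "100.64.0.5"]},  # OT plus an unknown (cellular) address
    {"host": "FIN-SRV", "site": "HQ", "ips": ["10.1.3.3"]},
]


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for zone, nets in ZONES.items():
        if any(addr in net for net in nets):
            return zone
    return "UNKNOWN"   # not in any managed range: cellular, vendor hotspot, undocumented subnet


def find_zone_bridges(inventory):
    """Return a finding for every host with interfaces in more than one zone.
    A bridge that joins OT to IT or to an unknown network is rated high: it is
    exactly the path the infographic shows ransomware taking into the plant."""
    findings = []
    for host in inventory:
        zones = {zone_of(ip) for ip in host["ips"]}
        if len(zones) < 2:
            continue
        severity = "high" if "OT" in zones and zones & {"IT", "UNKNOWN"} else "medium"
        findings.append({"host": host["host"], "site": host["site"],
                         "zones": sorted(zones), "severity": severity})
    return findings


if __name__ == "__main__":
    for f in find_zone_bridges(INVENTORY):
        print(f"{f['severity'].upper():6} {f['site']}/{f['host']} bridges {' + '.join(f['zones'])}")
```

Run this against the inventory from step 1 of the roadmap below before any segmentation project starts: every bridge found is either a conduit that must be documented and firewalled or a NIC that should be pulled, and an address that falls in no known zone is usually a vendor laptop or cellular modem that bypasses every perimeter control.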

5 Ways to Limit the Impact of Ransomware in OT  

Given the current state of risk and the potential for a renewed acceleration in ransomware incidents in industrial environments, how should organizations respond?

1. Understand Your Operational and Safety Risks from a Ransomware Attack

To gather this picture, an organization needs to have three key pieces of information: 

  • First, an understanding of the operational criticality of different assets in the environment. For instance, you may have certain plants, mills, or facilities that are absolutely critical to the financial performance of the business. Others may be less financially critical independently but are key suppliers to those critical sites. A business understanding of site/facility criticality is the foundation. 
  • Second, a comprehensive view of the ransomware risk to the assets in those facilities. Verve typically does this through a “Technology Enabled Vulnerability Assessment”. This process provides a detailed picture of the software and hardware vulnerabilities, network protections, asset protections, patch status, and more within the OT environment. This 360-degree risk view provides clarity of the potential threats to the sites/facilities/plants. 
  • And third, the current state of response and recovery capabilities. A well-prepared organization can keep a ransomware event small. Robust, regularly tested backups, a rapid incident response plan, and alerts on canary files that catch an encryptor in its first minutes all limit the blast radius. Assessing these capabilities tells the organization how far an attack could reach and how quickly it could recover.
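A canary file alert of the kind mentioned in the third point is simple to build: seed decoy files on the shares that matter, record their hashes, and alarm when one disappears, is renamed, or is rewritten with high-entropy content. The script below is an added example, not code from the original post or from Verve; it uses only the Python standard library, and the file names, content and temporary directory are constructed for the demonstration.

```python
"""Seed canary files in a share and detect when ransomware touches them.

Added example (not from the original post). Uses only the standard library;
the directory and file names are constructed for the demo.
"""
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Names chosen to sort first and last in a directory listing, so a process
# walking the tree alphabetically hits a canary early. Extensions mimic the
# document types ransomware targets; real deployments pick names that look
# plausible for the share they sit in.
CANARY_NAMES = ["!_do_not_delete.docx", "aaa_invoices_2023.xlsx", "zzz_backup_notes.txt"]
CANARY_CONTENT = b"CANARY FILE - DO NOT EDIT\n" * 256   # low-entropy plain text


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext or compressed data, far lower for text."""
    if not data:
        return 0.0
    counts = Counter(data)
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts.values())


def seed_canaries(root: Path) -> dict:
    """Write the canaries and return {name: sha256} as the baseline to monitor against."""
    baseline = {}
    for name in CANARY_NAMES:
        (root / name).write_bytes(CANARY_CONTENT)
        baseline[name] = hashlib.sha256(CANARY_CONTENT).hexdigest()
    return baseline


def check_canaries(root: Path, baseline: dict) -> list:
    """Return (name, reason) for every canary that is gone, renamed or rewritten."""
    alerts = []
    for name, digest in baseline.items():
        path = root / name
        if not path.exists():
            # Most families rename on encryption (appending an extension) or delete originals.
            alerts.append((name, "missing_or_renamed"))
            continue
        data = path.read_bytes()
        if hashlib.sha256(data).hexdigest() != digest:
            reason = "modified_high_entropy" if shannon_entropy(data) > 7.0 else "modified"
            alerts.append((name, reason))
    return alerts


def demo() -> list:
    """Seed, verify clean, then simulate an encryptor touching two canaries."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        baseline = seed_canaries(root)
        assert check_canaries(root, baseline) == []
        (root / CANARY_NAMES[0]).write_bytes(os.urandom(len(CANARY_CONTENT)))   # encrypted in place
        (root / CANARY_NAMES[1]).rename(root / (CANARY_NAMES[1] + ".locked"))  # renamed on encryption
        return check_canaries(root, baseline)


if __name__ == "__main__":
    for name, reason in demo():
        print(f"CANARY TRIPPED: {name} ({reason})")
```

Poll the canaries every few seconds from a host that is not itself a likely first victim (or hook a file-system change notification on the file server), and wire a trip straight into the isolation step of the incident response plan. The entropy check separates a careless user who opened and saved the decoy from an encryptor, which is why the "modified" and "modified_high_entropy" reasons are kept distinct.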

2. Create a Site-Level Remediation and Protection Roadmap

Too often we have seen organizations jump into a certain initiative to try to reduce the risks from ransomware (and other potential OT attacks).  For instance, a frequent starting point is a comprehensive network segmentation effort to reduce connectivity between IT and OT, as well as segregation within the OT environment. While this step is part of a robust roadmap, it may not be the most impactful first step in the overall program, and it is insufficient as an isolated initiative.  

Understanding the risks, and sequencing initiatives properly, is key to making rapid, sustainable progress. Conducting an asset inventory before network segmentation builds a stronger foundation for protection and accelerates the segmentation work itself. Existing tools, such as threat detection software and network monitoring, deliver the most when they sit inside a strategic plan. Verve works with clients to create a “portfolio of initiatives” that build on one another. Balancing short-term protection with the development of a long-term security foundation is crucial for effective OT ransomware defense.

3. Accelerate the OT Security Roadmap Using the Site and Asset Prioritization from Step 1

One of the advantages of the assessment mentioned earlier is that the technology is already in place to be able to immediately remediate identified risks – from patching, to configuration hardening, to managing risky software, users, and accounts. Our assessment accelerates time to protection. 

Beyond accelerating those endpoint remediations, a range of additional protections and response capabilities will be necessary. One of the biggest challenges is choosing an execution plan that protects the most critical sites and assets without getting bogged down in those complex sites and never reaching the “medium” criticality sites at all.

Verve recommends what we call a “bi-focal” approach to the execution. On one lens, we would pursue a robust program deployment across the most critical sites. However, in parallel, we would encourage a broad and shallow approach to apply limited protections to all sites at an enterprise level while the deeper efforts are occurring on the critical sites. 

What this means in practicality is that the “gold” or most critical sites may need comprehensive network segmentation, new infrastructure, advanced anomaly and threat detection, backups, patching, user and access management. However, at the “silver” or “bronze” sites which individually may be less critical, but together make up a significant risk, you might apply prioritized vulnerability management and backups while waiting on a more comprehensive network segmentation effort. 

4. Maintain the Success You Have Achieved

In many cases, the implementation of a security program is a resource-intensive task, but it is critical that the organization plans for the maintenance of any improvements achieved during the program. In Verve’s experience, this includes two key elements: 

  • A centralized OT Security Management platform that aggregates visibility, prioritization, and ability to manage assets that can significantly reduce the cost and resource requirements of securing distributed OT assets. 
  • A resource plan that goes beyond the initial remediation program deployment to include ongoing support and maintenance of the controls put in place. 

One of our colleagues says “Security has a tendency to rot”. His message is that there are many reasons why security programs can fail:  

  • Network rules put in place initially get changed during maintenance windows  
  • Updated patches don’t get applied 
  • AV signature updates get delayed 
  • New assets are added but never inventoried 
  • Backups fail and are not remediated 
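Each of those failure modes is observable, so “rot” can be measured instead of discovered during the next incident: snapshot the controls at program close-out and diff the current state against that baseline on a schedule. The script below is an added example, not code from the original post or from Verve; the baseline and current snapshots are constructed, and the age thresholds are assumptions to be set per site.

```python
"""Detect security rot: diff a site's current state against its close-out baseline.

Added example (not from the original post). BASELINE and CURRENT are
constructed snapshots; in practice they would be exported from the firewall,
patch, antivirus, inventory and backup tools (or a central OT security
management platform) and compared on a schedule.
"""
from datetime import date

AS_OF = date(2024, 4, 5)   # constructed "today" for the demo

BASELINE = {
    "firewall_rules": {
        "permit tcp 10.1.0.0/16 -> 10.2.0.15/32 443",   # IT to historian in the DMZ
        "deny ip any -> 192.168.10.0/24",               # nothing else into OT
    },
    "inventory": {"HIST-01", "EWS-01", "HMI-03"},
}

CURRENT = {
    "firewall_rules": {
        "permit tcp 10.1.0.0/16 -> 10.2.0.15/32 443",
        "permit tcp any -> 192.168.10.0/24 3389",       # opened in a maintenance window, never removed
    },
    "inventory": {"HIST-01", "EWS-01", "HMI-03"},
    "observed_hosts": {"HIST-01", "EWS-01", "HMI-03", "VENDOR-LT"},   # from passive network monitoring
    "patches_approved": {"EWS-01": {"KB5034441", "KB5034765"}, "HMI-03": {"KB5034441"}},
    "patches_installed": {"EWS-01": {"KB5034441"}, "HMI-03": {"KB5034441"}},
    "av_signature_date": date(2024, 3, 1),
    "backups": {
        "HIST-01": {"last_success": date(2024, 3, 20), "last_status": "failed"},
        "EWS-01": {"last_success": date(2024, 4, 4), "last_status": "success"},
    },
}


def check_drift(baseline, current, as_of, max_sig_age_days=7, max_backup_age_days=2):
    """Return (control, severity, detail) for each way the controls have drifted from baseline."""
    findings = []

    # Network rules changed during maintenance windows
    for rule in baseline["firewall_rules"] - current["firewall_rules"]:
        findings.append(("firewall", "high", f"baseline rule missing: {rule}"))
    for rule in current["firewall_rules"] - baseline["firewall_rules"]:
        findings.append(("firewall", "medium", f"unreviewed rule present: {rule}"))

    # Approved patches that never got applied
    for host, approved in current["patches_approved"].items():
        missing = approved - current["patches_installed"].get(host, set())
        if missing:
            findings.append(("patching", "high", f"{host} missing {sorted(missing)}"))

    # AV signature updates delayed
    sig_age = (as_of - current["av_signature_date"]).days
    if sig_age > max_sig_age_days:
        findings.append(("antivirus", "medium", f"signatures {sig_age} days old"))

    # Assets seen on the network but never inventoried
    for host in sorted(current["observed_hosts"] - current["inventory"]):
        findings.append(("inventory", "medium", f"uninventoried host on network: {host}"))

    # Backups failing or aging out
    for host, b in current["backups"].items():
        age = (as_of - b["last_success"]).days
        if b["last_status"] != "success" or age > max_backup_age_days:
            findings.append(("backup", "high",
                             f"{host}: last status {b['last_status']}, last good copy {age} days ago"))

    return findings


if __name__ == "__main__":
    for control, severity, detail in check_drift(BASELINE, CURRENT, AS_OF):
        print(f"{severity.upper():6} {control:10} {detail}")
```

The value is in the comparison being automatic and owned: a drift report that nobody is assigned to close is just a second place for security to rot. Tie each control to the resource plan from the previous bullet so that a missing baseline firewall rule or a failed backup has a named owner and a due date.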

5. Organizational Commitment

This step is most critical in the maintenance period of the program. Security programs cannot get off the ground without the buy-in from executive leadership. Executive sponsorship ensures OT security aligns with broader business objectives, creating a sustainable foundation for your security initiatives.

We often see the challenges begin once the program is launched and the hard work of maintaining commitment starts. Team members return to their day jobs, new priorities arise, budgets get reallocated, and many other obstacles take precedence. This is where operational leaders must step forward as security champions, consistently reinforce the importance of security practices, and ensure team accountability through regular security training.

It is key that organizational commitment is more than a one-time effort. The best way to accomplish this is by aligning balanced scorecards with OT security as a focal element. This approach creates a culture of security where protection becomes everyone’s responsibility, not just the security team’s.

For IT/OT Security Managers, success hinges on the ongoing maintenance and support of implemented security controls. Comprehensive documentation of security processes, incident response plans, and system configurations is essential for continuity and effective knowledge transfer as teams evolve.

Success Story: Global Paper Production Safeguards 30 Mills

One of the largest global paper and packaging companies fell victim to a ransomware attack. It needed to remediate vulnerabilities across 30 mills and 300 box plants while minimizing downtime and disruption. We helped it develop a comprehensive OT network segmentation strategy to strengthen cybersecurity and lower the risk of future attacks, which involved:

  • A thorough assessment of existing operations
  • Bespoke network segmentation for each site
  • Extensive training for proper maintenance and alignment
  • Resource management through Verve, a Rockwell Automation company
  • Sourcing local and international equipment to address supply chain disruptions

With our help, the global paper and packaging leader recovered from the ransomware attack and built a robust defense against future threats.
