OT Ransomware in 2025: How to Strengthen Security

Explore our comprehensive guide on OT ransomware threats, why OT is vulnerable, and five key steps to strengthen security in 2025.


The Rising Threat of OT Ransomware: A Wake-Up Call

Colonial Pipeline, the owner of 5,500 miles of pipeline carrying natural gas, gasoline, and diesel from Texas to New Jersey, shut down its operations in response to what it said was a ransomware attack targeting its IT network between May 6 and May 12, 2021.

While the attack was originally intended for the IT network, it exposed operational systems and exploited their vulnerabilities, resulting in a $4.4 million ransom. The incident required extensive recovery efforts while trying to maintain essential functions. Attacks like these can be disastrous for organizations with tight budgets and limited specialized staff.

After the Colonial incident, several other major ransomware attacks on operating entities have been reported, including Martha’s Vineyard Ferry Service, FUJIFILM, and the JBS meat company, which supplies 40% of all the US meat supply. In the past year, major companies like Omni Hotels and Thyssenkrupp have experienced ransomware attacks, and United Health Care publicly confirmed a $22 million ransom payout in April of 2024, in an attempt to protect patient data after a breach.

Today’s cyber threats are outpacing traditional security controls with unprecedented speed and sophistication. The ReliaQuest 2025 Annual CyberThreat Report noted that attackers achieve lateral movement only 48 minutes after initial access. Most concerning, 60% of hands-on-keyboard intrusions now use trusted business tools like remote management, making detection more difficult.

Investing in the proper OT security measures is imperative to staying prepared and helping to avoid the financial consequences of a ransomware attack. In this post, we’re diving into how your organization can remain vigilant to the rise of ransomware attacks by covering what ransomware is, why it targets OT, factors that make OT susceptible, five steps to limit the impact, and a real-world success story.


What is Ransomware?

Ransomware is a form of malicious software in which a threat actor finds a way (phishing, social engineering, etc.) to invade the target network. Their ‘software’ then runs around the network, traversing network shares and local drives, encrypting everything it finds with a key only the hacker knows. If you want to unlock your files, you have to pay a ‘ransom.’ The costs to get the key and decrypt files can range from hundreds to thousands or even millions of dollars, depending on the specifics of the attacker and victim.

Ransomware exploits system vulnerabilities through phishing emails, compromised software, or weak network security. It scrambles data by using strong encryption algorithms, such as AES or RSA. The ransomware moves across the network over protocols such as Server Message Block (SMB) and remote desktop services to encrypt as many files as possible. The encryption process renders the data unreadable without a unique decryption key held by the attacker.

A lack of access to these critical resources can result in significant downtime and impact customer service, production, and overall revenue. To regain access, threat actors demand a ‘ransom.’ Keep in mind, the ransom doesn’t even guarantee a full recovery and can encourage further attacks.

Ransomware Attacks Are Up, With the Manufacturing Sector Still Under Siege

A Q4 2024 report by ReliaQuest highlighted that ransomware activity experienced a surge in December, with the highest number of victims recorded in a single month. Average ransom payments rose from $199,000 in 2023 to $1,500,000 in 2024. The report also confirms that manufacturing was the most common target sector for ransomware attacks. “Manufacturing companies are primary targets because of their economic importance, low tolerance for operational downtime, and higher willingness to pay ransoms,” the report states.

Why Ransomware Targets OT

Ransomware has roots in the scam and extortion criminal world, but by nature, it can also be used to target larger asset owners and organizations or to mask other activities that might be more devious.

  • Ransomware takes advantage of “availability” risks and is highly profitable in industrial organizations. The business of cyber theft of personal information used to be quite profitable, but prices for that information have fallen dramatically as supply has increased. But cybercriminals have found new models for attacks. They have shifted from the “C” in the Confidentiality-Integrity-Availability triad, to the “A”. Industrial organizations require availability to operate, so the payment is usually quick and large.
  • With current policies in place, the payment process is greased by the presence of insurance. However, this has been changing recently as insurers start to modify policies going forward, as seen in AXA’s 2021 announcement that they would stop coverage for ransomware payments in France.
  • Even IT attacks can shut down OT operations, for two reasons. First, OT systems are usually highly susceptible to ransomware, so the first step in any incident response plan is to stop the spread by disconnecting OT systems. OT systems may be 3-4 times as costly to restore as IT systems, and may take much longer. Second, in many cases, operations do not rely solely on OT systems, but also on IT systems such as billing or supply chain software that are now necessary to operate effectively. Thus, shutting down key IT systems can essentially require an OT shutdown as well.

Why is OT so Susceptible to Ransomware?

  • Most ransomware takes advantage of older vulnerabilities that have been left unpatched. In OT, we know that there are a huge number of vulnerable and unpatched systems.
  • Ransomware often exploits network–based insecurities to gain access (for example, through Remote Desktop Protocol, or RDP) but spreads from endpoint to endpoint. Compensating controls, system hardening, vulnerability management and other techniques such as network isolation, all play a critical role in reducing the impact and spread of a virus attack.
  • OT Ransomware is often very effective because many organizations are insufficiently equipped to recognize (avoid) potential incidents. Large numbers of legacy, unpatched assets are often poorly monitored and supervised by a handful of non-cybersecurity personnel, which can lead to potential issues.

The following diagram illustrates the typical path of ransomware entry into a facility:

Typical path of ransomware entry into facility
1. Malicious entity implants ransomware using phishing, file introduction, or malicious website, and gains access to enterprise IT system
2. Ransomware exploits vulnerabilities on the receiving host and then executes further malicious functionality
3. Ransomware utilizes poor containment by traversing networks with weak ACLs and dual-NIC machines, and is able to access OT or beyond
4. Lack of controls within OT sites (or enterprise) allows ransomware to spread across multiple business units, servers, workstations - further adding disruption
5. Lack of consistent, tested, offline, secure backups, and lack of known good configurations or software means restoration is a highly involved and lengthy process
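
Step 3 of the path above, poor containment through weak ACLs and dual-NIC machines, can be checked from an asset inventory and a firewall rule export. The Python below is an added example, not code from Rockwell Automation or Verve; the zone map, host list, rule format and function names are constructed assumptions, and the check does not evaluate rule order or shadowing.

```python
import ipaddress

# Constructed zone map (assumption): replace with the site's real addressing plan.
ZONES = {
    "IT": [ipaddress.ip_network("10.10.0.0/16")],
    "DMZ": [ipaddress.ip_network("10.50.0.0/24")],
    "OT": [ipaddress.ip_network("192.168.100.0/24"),
           ipaddress.ip_network("192.168.101.0/24")],
}
# The two services the article names as entry and spread paths.
RISKY_PORTS = {445: "SMB", 3389: "RDP"}

# Constructed sample inventory: host name -> addresses of all its interfaces.
HOSTS = {
    "eng-ws-01": ["10.10.4.21", "192.168.100.15"],
    "historian-01": ["10.50.0.10"],
    "hmi-03": ["192.168.101.7"],
}
# Constructed sample rule export.
RULES = [
    {"src": "10.10.0.0/16", "dst": "10.50.0.0/24", "port": 443, "action": "permit"},
    {"src": "10.10.4.0/24", "dst": "192.168.100.0/24", "port": 3389, "action": "permit"},
    {"src": "0.0.0.0/0", "dst": "0.0.0.0/0", "port": "any", "action": "permit"},
    {"src": "10.10.0.0/16", "dst": "192.168.101.0/24", "port": 445, "action": "deny"},
]


def zone_of(addr):
    """Map one IP address to its zone name, or UNKNOWN if no zone contains it."""
    ip = ipaddress.ip_address(addr)
    for zone, nets in ZONES.items():
        if any(ip in net for net in nets):
            return zone
    return "UNKNOWN"


def dual_homed(hosts):
    """Return hosts with interfaces in both IT and OT, which bypass the firewall."""
    bridging = {}
    for name, addrs in hosts.items():
        zones = {zone_of(a) for a in addrs}
        if {"IT", "OT"} <= zones:
            bridging[name] = sorted(zones)
    return bridging


def weak_acl_rules(rules):
    """Return (rule index, reason) for permit rules that open IT -> OT too widely."""
    findings = []
    for index, rule in enumerate(rules):
        if rule["action"] != "permit":
            continue
        src = ipaddress.ip_network(rule["src"])
        dst = ipaddress.ip_network(rule["dst"])
        from_it = any(src.overlaps(net) for net in ZONES["IT"])
        to_ot = any(dst.overlaps(net) for net in ZONES["OT"])
        if not (from_it and to_ot):
            continue
        if rule["port"] == "any":
            findings.append((index, "any port IT->OT"))
        elif rule["port"] in RISKY_PORTS:
            findings.append((index, RISKY_PORTS[rule["port"]] + " IT->OT"))
    return findings


if __name__ == "__main__":
    print("Dual-homed hosts:", dual_homed(HOSTS))
    print("Weak ACL rules:", weak_acl_rules(RULES))
```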

5 Ways to Limit the Impact of Ransomware in OT

Given the current state of risk and the potential for a renewed acceleration in ransomware incidents in industrial environments, how should organizations respond?

1. Understand Your Operational and Safety Risks from a Ransomware Attack

To gather this picture, an organization needs to have three key pieces of information:

  • First, an understanding of the operational criticality of different assets in the environment. For instance, you may have certain plants, mills, or facilities that are absolutely critical to the financial performance of the business. Others may be less financially critical independently but are key suppliers to those critical sites. A business understanding of site/facility criticality is the foundation.
  • Second, a comprehensive view of the ransomware risk to the assets in those facilities. Verve® typically does this through a “Technology Enabled Vulnerability Assessment”. This process provides a detailed picture of the software and hardware vulnerabilities, network protections, asset protections, patch status, and more within the OT environment. This 360° risk view provides clarity of the potential threats to the sites/facilities/plants.
  • And third, the current status of recovery and response capabilities. The extent of any ransomware event can be reduced by a well-prepared organization. Robust and updated backups, a rapid incident response plan, and alerts on canary files to catch ransomware in its early stages, can all provide limiting factors. By assessing these response and recovery capabilities, the organization can determine the potential extent of an attack’s impact and mitigate effects.
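
The canary-file alerting mentioned in the third point can be implemented as a baseline-and-compare check. The Python below is an added example, not code from Rockwell Automation or Verve; the file names, the entropy threshold and the simulated tampering are constructed assumptions.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: encrypted content approaches 8.0, plain text sits much lower."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((n / total) * math.log2(n / total) for n in Counter(data).values())


def snapshot(paths):
    """Record a SHA-256 baseline for each canary while the system is known good."""
    baseline = {}
    for path in paths:
        with open(path, "rb") as fh:
            baseline[path] = hashlib.sha256(fh.read()).hexdigest()
    return baseline


def check_canaries(baseline, entropy_threshold=7.0):
    """Return (path, reason) alerts for canaries that vanished or changed."""
    alerts = []
    for path, digest in baseline.items():
        if not os.path.exists(path):
            # Ransomware commonly renames files when it appends its own extension.
            alerts.append((path, "missing_or_renamed"))
            continue
        with open(path, "rb") as fh:
            data = fh.read()
        if hashlib.sha256(data).hexdigest() != digest:
            high = shannon_entropy(data) >= entropy_threshold
            alerts.append((path, "high_entropy_rewrite" if high else "modified"))
    return alerts


def demo():
    """Constructed scenario: three canary files, two of them tampered with."""
    with tempfile.TemporaryDirectory() as folder:
        paths = []
        for name in ("AAA_recipes.csv", "AAA_hmi_backup.txt", "zzz_shift_report.txt"):
            path = os.path.join(folder, name)
            with open(path, "w") as fh:
                fh.write("canary file - do not edit\n" * 50)
            paths.append(path)
        baseline = snapshot(paths)
        # Simulated tampering (constructed): random bytes stand in for encrypted data.
        with open(paths[0], "wb") as fh:
            fh.write(os.urandom(4096))
        os.rename(paths[1], paths[1] + ".locked")
        alerts = check_canaries(baseline)
        return sorted((os.path.basename(p), reason) for p, reason in alerts)


if __name__ == "__main__":
    for name, reason in demo():
        print(f"ALERT {name}: {reason}")
```

In production the check would run on a short interval against canaries placed in the shares and directories that matter most, with alerts routed to whoever can isolate the host.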

2. Create a Site-Level Remediation and Protection Roadmap

Too often we have seen organizations jump into a certain initiative to try to reduce the risks from ransomware (and other potential OT attacks). For instance, a frequent starting point is a comprehensive network segmentation effort to reduce connectivity between IT and OT, as well as partitioning within the OT environment. While this step is part of a robust roadmap, it may not be the most impactful first step in the overall program, and it is insufficient as an isolated initiative.

Understanding risks, but also a proper sequence of initiatives, is key to making rapid, sustainable progress. Conducting an asset inventory before network segmentation builds a stronger foundation for protection from attacks, and accelerates the segmentation efforts. Leveraging existing tools, like threat detection software and network monitoring, works best within a strategic plan. Verve works with clients to create a “portfolio of initiatives” that build on one another. Balancing short-term protection within the development of a long-term security foundation is crucial for effective OT ransomware defense.

3. Accelerate the OT Security Roadmap Using the Site and Asset Prioritization from #1 Above

One of the advantages of the assessment mentioned earlier is that the technology is already in place to be able to promptly remediate identified risks – from patching, to configuration hardening, to managing risky software, users, and accounts. Our assessment helps accelerate time to protection.

Beyond accelerating those endpoint detections, there will be a range of additional protections and response capabilities necessary. One of the biggest challenges is determining the appropriate execution plan to protect the most critical sites and assets, while not getting bogged down on these complex sites and never getting breadth of protection to the “medium” criticality sites.

Verve recommends what we call a “bi-focal” approach to the execution. Through one lens, we would pursue a robust program deployment across the most critical sites. However, in parallel, we would encourage a broad and shallow approach to apply limited protections to all sites at an enterprise level while the deeper efforts are occurring on the critical sites.

What this means in practice is that the “gold” or most critical sites may need comprehensive network segmentation, new infrastructure, advanced anomaly and threat detection, backups, patching, user and access management. However, at the “silver” or “bronze” sites that individually may be less critical, but together make up a significant risk, you might apply prioritized vulnerability management and backups while waiting on a more comprehensive network segmentation effort.

4. Maintain the Success You Have Achieved

In many cases, the implementation of a security program is a resource-intensive task, but it is critical that the organization plans for the maintenance of any improvements achieved during the program. In Verve’s experience, this includes two key elements:

  • A centralized OT Security Management platform that aggregates visibility, prioritization, and the ability to manage assets, which can significantly reduce the cost and resource requirements of securing distributed OT assets.
  • A resource plan that goes beyond the initial remediation program deployment to include ongoing support and maintenance of the controls put in place.

One of our colleagues says, “Security has a tendency to rot.” His message is that there are many reasons why security programs can fail:

  • Network rules put in place initially get changed during maintenance windows
  • Updated patches don’t get applied
  • AV signature updates get delayed
  • New assets are added but never inventoried
  • Backups fail and are not remediated
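
Each of the five failure modes listed above can be turned into a recurring check against data most sites already collect. The Python below is an added example, not code from Rockwell Automation or Verve; the thresholds, record layout, host names and rule strings are constructed assumptions.

```python
from datetime import date

# Assumed policy thresholds (hypothetical): set these from your own standards.
MAX_PATCH_AGE_DAYS = 90
MAX_AV_SIG_AGE_DAYS = 7
MAX_BACKUP_AGE_DAYS = 7

# Constructed sample data for one site.
TODAY = date(2025, 3, 26)
INVENTORY = {
    "plc-gw-01": {"last_patched": date(2024, 11, 1), "av_signatures": date(2025, 3, 24)},
    "hmi-03": {"last_patched": date(2025, 2, 15), "av_signatures": date(2025, 3, 1)},
}
OBSERVED_HOSTS = ["plc-gw-01", "hmi-03", "eng-laptop-17"]
APPROVED_RULES = ["permit 10.50.0.10 -> 192.168.100.0/24 tcp/44818",
                  "deny any -> 192.168.100.0/24"]
CURRENT_RULES = APPROVED_RULES + ["permit any -> 192.168.100.0/24 tcp/3389"]
BACKUPS = {"plc-gw-01": {"status": "failed", "finished": date(2025, 3, 25)}}


def audit_rot(today, inventory, observed_hosts, approved_rules, current_rules, backups):
    """Return (check, subject, detail) findings, one check per failure mode."""
    findings = []

    # Network rules changed since the approved baseline.
    for rule in sorted(set(current_rules) - set(approved_rules)):
        findings.append(("firewall_drift", rule, "rule not in approved baseline"))
    for rule in sorted(set(approved_rules) - set(current_rules)):
        findings.append(("firewall_drift", rule, "approved rule missing"))

    # Patches not applied, AV signature updates delayed.
    for host, rec in sorted(inventory.items()):
        patch_age = (today - rec["last_patched"]).days
        if patch_age > MAX_PATCH_AGE_DAYS:
            findings.append(("patch_stale", host, f"{patch_age} days since last patch"))
        sig_age = (today - rec["av_signatures"]).days
        if sig_age > MAX_AV_SIG_AGE_DAYS:
            findings.append(("av_stale", host, f"{sig_age} days since signature update"))

    # New assets seen on the network but never inventoried.
    for host in sorted(set(observed_hosts) - set(inventory)):
        findings.append(("not_inventoried", host, "seen on network, absent from inventory"))

    # Backups that never ran, failed, or went stale.
    for host in sorted(inventory):
        job = backups.get(host)
        if job is None:
            findings.append(("backup_missing", host, "no backup job recorded"))
        elif job["status"] != "ok":
            findings.append(("backup_failed", host, f"last job status: {job['status']}"))
        elif (today - job["finished"]).days > MAX_BACKUP_AGE_DAYS:
            findings.append(("backup_stale", host, "last good backup too old"))
    return findings


def demo():
    """Run the audit over the constructed sample data above."""
    return audit_rot(TODAY, INVENTORY, OBSERVED_HOSTS,
                     APPROVED_RULES, CURRENT_RULES, BACKUPS)


if __name__ == "__main__":
    for check, subject, detail in demo():
        print(f"{check:16} {subject}: {detail}")
```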

5. Organizational Commitment

This step is most critical in the maintenance period of the program. Security programs cannot get off the ground without the buy-in from executive leadership. Executive sponsorship verifies that OT security aligns with broader business objectives, creating a sustainable foundation for your security initiatives.

We often see many challenges occur once the program is launched and the hard work of maintaining commitment begins. Team members return to their day jobs, new priorities arise, budgets are reallocated, and many other obstacles can take precedence. This is where operational leaders must step forward as security champions, consistently reinforce the importance of security practices, and maintain team accountability through regular security training.

It is key that organizational commitment is more than a one-time effort. The best way to accomplish this is by aligning balanced scorecards with OT security as a focal element. This approach creates a culture of security where protection becomes everyone's responsibility, not just the security team's.

For IT/OT Security Managers, success hinges on the ongoing maintenance and support of implemented security controls. Comprehensive documentation of security processes, incident response plans, and system configurations is essential for continuity and effective knowledge transfer as teams evolve.

Success Story: Global Paper Production Safeguards 30 Mills

One of the largest global paper and packaging companies fell victim to a ransomware attack. They needed to secure vulnerabilities within 30 mills and 300 box plants while minimizing downtime and disruption. We helped them develop a comprehensive OT network segmentation strategy to strengthen cybersecurity and lower the risk of future attacks, which involved:

  • A thorough assessment of existing operations
  • Bespoke network segmentation for each site
  • Extensive training for proper maintenance and alignment
  • Resource management through Verve, a Rockwell Automation company
  • Sourcing local and international equipment to address supply chain disruptions

With our help, the global paper and packaging leader recovered from the ransomware attack and developed a robust defense against future threats.

Defend your critical infrastructure against targeted and non-targeted ransomware threats with wide-ranging protection.

Published March 26, 2025

Topics: Build Resilience Cybersecurity
