{
	"id": "260516a1-f7a1-4716-a4a8-8ccdb0e2ebc4",
	"created_at": "2026-04-06T00:07:46.59396Z",
	"updated_at": "2026-04-10T03:24:30.238043Z",
	"deleted_at": null,
	"sha1_hash": "7413e56e0ea4271fdfd7f68ba83c4d747f7c5080",
	"title": "Implications of IT Ransomware for ICS Environments",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 52479,
	"plain_text": "Implications of IT Ransomware for ICS Environments\r\nBy Dragos, Inc.\r\nPublished: 2019-04-10 · Archived: 2026-04-05 18:02:31 UTC\r\nICS environments require reliable, available, and sound processes to ensure continued, safe production.\r\nRansomware – malware that encrypts vital data and disrupts operations – directly impacts these goals, yet\r\nhistorically ICS networks were free of such software. The only example of “ICS targeting ransomware” is a proof-of-concept (or hoax, depending on perspective) from April 2017, never observed “in-the-wild.” Yet since that\r\ntime, ICS asset owners and operators faced several waves of ransomware (or disruptive malware masquerading as\r\nransomware) migrating from enterprise IT to ICS environments: WannaCry; NotPetya; and BadRabbit. In each of\r\nthese cases, self-propagating (“wormable”) malware initially infected IT networks, but through either exploit\r\n(particularly the SMBv1-targeting MS17-010 vulnerability) or dynamic credential capture-and-reuse, spread to\r\nindustrial networks producing significant impacts.\r\nThese “inadvertent” and relatively untargeted events (in many cases, actual victims were far removed from initial,\r\nintended targets based on unforeseen connectivity between organizations) continue to impact many environments.\r\nRecently, these untargeted, self-spreading events were eclipsed by more focused, targeted attacks on IT resources\r\nfor ICS-operating organizations. Starting with Ryuk in 2018 and proceeding to LockerGoga in 2019, events\r\ntransitioned from self-spreading, untargeted propagation to more directed, deliberate movement through victim\r\nenvironments. In these cases, adversaries leveraged long-term, persistent access to victim environments to enable\r\nprivilege and access, using either first-stage or “loader” malware (Ryuk) or compromised legitimate services\r\n(LockerGoga) to propagate infections. 
More concerning still for ICS environments is an evolution in targeting:\r\nfrom Ryuk events targeting municipal utilities (although not spreading to actual production environments) to\r\ndeliberate targeting of manufacturing environments in the case of LockerGoga.\r\nWhile ransomware increasingly impacts ICS operations, asset owners and defenders must still understand that\r\nsuch malware remains IT-focused in nature and operations. For the wormable variants from 2017, this IT-centric\r\nnature is obvious, but more-recent activity such as LockerGoga blurs this distinction due to the impacts of such\r\nknown events and their seemingly narrow focus on manufacturing-related organizations. Yet many commercial\r\nresponses stress the “OT focus” of LockerGoga (and recent ransomware campaigns more generally), while also\r\npromising the ability to “detect LockerGoga” or whatever is the current ransomware “flavor of the moment.” This\r\nsecond point is especially interesting and amusing, as nearly all victims will certainly detect ransomware, as it\r\nalmost always delivers its “impact” (encrypting files on the victim machine) shortly after infection – thus no entity\r\nreally needs a special tool to detect such software. Prevention is of course another matter entirely, yet here IT-centric solutions (such as resource-intensive Endpoint Detection and Response, or EDR, products or antivirus\r\nrunning in aggressive fashion against unknown or suspicious files) are either inappropriate for ICS operations or\r\nintroduce additional risk (through inadvertent clean-up or quarantine of a legitimate file, for example).\r\nThus, although media and security researchers expended much effort analyzing WannaCry, Ryuk, LockerGoga,\r\nand other ransomware types, from an ICS security perspective the keys to defending these networks are far\r\nhttps://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/\r\nPage 1 of 3\n\nremoved from the ransomware itself. 
Rather, ICS owners and operators must focus on two enabling steps for\r\nopportunistic, ICS-impacting ransomware infections: targeting the mechanisms by which such malware enters the\r\nindustrial environment; and identifying the attack surface industrial operations expose to infection through IT-centric systems supporting physical processes. Dragos previously addressed these concepts in our initial\r\npresentation on WannaCry in 2017, but given continued, and in some ways increasing, attention to the subject of\r\nransomware’s impact on ICS operations, such items are reexamined within this article.\r\nFirst, when viewed through the lens of the ICS Cyber Kill Chain, ransomware represents a final effect for Stage 1\r\n(IT-focused) operation. Focusing on ransomware detection – whether in ICS or IT environments – essentially\r\nmeans defenders cede much space and initiative to adversaries in executing attacks. Based on this perspective,\r\nransomware defense depends less on final-stage mitigation (although recovery planning is vital for the inevitable\r\nsuccessful attack), but rather on mid-stage detection and mitigation to prevent final effects on target. While\r\nunderstanding the “how” behind a specific piece of ransomware may be academically interesting, such analysis\r\nprovides little operational value for defense. Instead, defensive resources are better spent identifying the\r\nmechanism through which an adversary can either propagate malware throughout the victim network (wormable\r\ninfections) or interactively ensure widespread, targeted infection (LockerGoga).\r\nToward this end, the first step in defending industrial environments from ransomware (or related) infections is not\r\nto ensure something like antivirus definitions are up-to-date, but rather to understand just what features of the ICS\r\nenvironment make it potentially vulnerable to infection. 
“Breaking research” on a specific strain of ransomware is\r\nunhelpful at best and breeds a false sense of accomplishment at worst when adopting a realistic view of ICS\r\nsecurity. Instead, the mechanisms through which an IT-based infection would propagate to ICS are most important\r\nfor defense. With WannaCry, SMB links required for migrating historian data to business intelligence systems\r\nprovided the IT-ICS link – in many cases allowing MS17-010-targeting exploits to migrate into control system\r\nenvironments; for LockerGoga, federated Active Directory installations appear to be the most-likely reason for\r\nICS network impacts. In both cases, connectivity designed to either facilitate or improve the efficiency of normal\r\nbusiness practice was weaponized, resulting in disruptive impact in environments otherwise reasonably isolated\r\nfrom enterprise IT.\r\nDefenders must identify links between IT and ICS in advance to grasp the true threat landscape facing their\r\nprocesses and industrial operations. Organizations may do an excellent job in securing interactive links between\r\nnetworks (e.g., enforcing jump hosts or multi-factor authentication [MFA] for remote ICS network access), yet\r\nfeature other operational links (to business intelligence systems, vendor licensing or remote update servers, remote\r\ndiagnostics and maintenance services, or similar items) that provide adversaries with a potential ingress route to\r\nsensitive networks. Identifying these connections, then either eliminating them where possible or hardening them\r\nto the greatest extent allowed provides ICS asset owners and operators with their best, most robust options for\r\nmitigating such attacks. 
For example, it may be necessary to export process data via historians to business\r\nintelligence systems residing in enterprise IT – yet such a link need not be bidirectional and can certainly be\r\nmonitored for and potentially limited to forbid the movement of executable code along this path.\r\nIn addition to preventing opportunistic ICS attacks through intelligent, secure architecture and design,\r\norganizations must also prepare for breach. In this sense, ICS asset owners must understand that a potentially\r\ndisruptive infection remains a possibility even after the best, most robust controls are applied to networks. From\r\nthis residual risk, organizations must plan for response (to reduce the scope or impact of an intrusion) and\r\nrecovery (to restore operations to a known, safe state as quickly as possible). Norsk Hydro’s response to a\r\nLockerGoga infection in March 2019, captured in company-released video, provides an example of what an\r\norganization must commit to – in terms of operational pain and contingencies – to ensure continued production in\r\nthe event of a widespread disruptive network intrusion reaching or impacting ICS operations.\r\nThrough these mechanisms, ICS operations can protect themselves from inadvertent or propagating infection\r\nevents that take advantage of IT-ICS links to produce ICS-relevant impacts. Reacting to truly ICS-targeted\r\nransomware may represent another problem entirely, as a sufficiently motivated (and well-resourced) adversary\r\ncould pursue operations designed specifically to inflict the greatest amount of pain on industrial operations:\r\nmanipulating firmware, encrypting project files, and eliminating access to HMIs and EWs. 
Yet no such operations\r\nexist at this time, and given the level of effort required (and likely law enforcement interest in response) such\r\noperations seem unrealistic for the near future. Instead, organizations must prepare for the migration of IT-centric\r\nmalware to increasingly IT-enabled ICS environments, and learn to mitigate and prepare appropriately.\r\nUnfortunately, uninformed parties will proclaim that increased IT-ICS convergence means that the extension of IT-centric security solutions will suffice to head off this threat. Yet the operational and functional differences between\r\nIT and ICS networks (including Windows-based systems in ICS that would appear to resemble enterprise IT\r\ndeployments) mean that such solutions may present a mirage of defense at best and be counter-productive at\r\nworst. As noted earlier in this article, ICS-focused systems, even those that superficially resemble enterprise\r\nWindows machines, face an entirely different set of constraints from the typical IT workstation. Vendor warranty\r\nrequirements, limited processing capability, uptime and throughput necessity, and older operating systems all work\r\nagainst simply deploying the latest EDR or related product or making typical hardening changes. Therefore, rather\r\nthan expect a direct port of IT security products and best-practices, ICS asset owners and operators must recognize\r\nthe constraints imposed by the operational requirements of their environment and adapt suitable solutions within\r\nthese boundaries.\r\nWhile ICS operators and defenders face unique challenges in protecting their networks in an increasingly\r\nconnected and interdependent networking environment, such tasks are far from impossible. 
Scoping the attack\r\nsurface in advance of events, hardening services where possible, and limiting exposure to business-critical\r\ncommunication pathways can all be combined to significantly reduce the likelihood or impact of opportunistic IT-focused but ICS-impacting events. Further actions, such as heightened network segmentation, traffic limitation,\r\nand building an ICS-centric business recovery and continuity plan for cyber-nexus events will further enable\r\norganizations to maintain operational resilience and make relatively quick recovery from events possible.\r\nUltimately, organizations must begin planning and taking action now in advance of potential malicious activity to\r\nensure robust, resilient, and defensible networks, while also realizing that IT-centric solutions and chasing the\r\n“next headline” in malware are insufficient to foster true defense.\r\nSource: https://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/"
	],
	"report_names": [
		"implications-of-it-ransomware-for-ics-environments"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434066,
	"ts_updated_at": 1775791470,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7413e56e0ea4271fdfd7f68ba83c4d747f7c5080.pdf",
		"text": "https://archive.orkl.eu/7413e56e0ea4271fdfd7f68ba83c4d747f7c5080.txt",
		"img": "https://archive.orkl.eu/7413e56e0ea4271fdfd7f68ba83c4d747f7c5080.jpg"
	}
}