{
	"id": "d67d4f57-ab71-4d3d-bd76-969f36ecbe39",
	"created_at": "2026-04-06T00:07:28.483449Z",
	"updated_at": "2026-04-10T13:12:15.453806Z",
	"deleted_at": null,
	"sha1_hash": "7790f5d9e177406b37049e1a9b36b1dfeafc996b",
	"title": "The Impact of Modern Ransomware on Manufacturing Networks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1529350,
	"plain_text": "The Impact of Modern Ransomware on Manufacturing Networks\r\nBy Trend Micro\r\nPublished: 2020-12-01 · Archived: 2026-04-05 23:43:49 UTC\r\nRansomware has disrupted the manufacturing industry significantly in 2020. These attacks have caused substantial production losses and fragmented operations. In a disturbing trend during the third quarter of the year, attackers appeared to be singling out manufacturing organizations as a victim of choice for their ransomware operations. Data from the Trend Micro™ Smart Protection Network™ shows how ransomware threat actors have affected different industries.\r\nFigure 1. Industries affected by ransomware in Q3 of 2020 (data from Smart Protection Network)\r\nManufacturing facilities use large physical machines — assembly lines, furnaces, motors, and the like — but technological advances and the trend toward Industry 4.0 have also brought computers into production and operations systems. These industrial machines are controlled or monitored by computers, and those computers are in turn connected to other computers and networks in order to exchange data.\r\nFigure 1 illustrates the architecture of an industrial control system (ICS).\r\nhttps://www.trendmicro.com/en_us/research/20/l/the-impact-of-modern-ransomware-on-manufacturing-networks.html\r\nPage 1 of 7\n\nLevel 0 is where the large pieces of hardware are. These are the machines that normally come to mind when one thinks of a factory or a power plant.\r\nHowever, controlling and monitoring these machines requires the computers on Level 2. 
The human-machine interface (HMI) and supervisory control and data acquisition (SCADA) computers give operators visibility into and control over the industrial machines, while the engineering workstation holds the blueprints, design documents, robot code, programs, and configurations needed to create the final product.\r\nIn many cases, Level 3 hosts a centralized file server containing the design files and product documents shared between engineering workstations, as well as the historian, a historical database of equipment data, performance metrics, and product quality records.\r\nWhat happens if a ransomware attack is able to penetrate the computers on Levels 2 and 3?\r\nLoss of View and Loss of Control\r\nModern ransomware is not designed to shut down or cripple infected machines. The last ransomware that effectively decommissioned infected computers was Petya and its NotPetya variant, which were active in 2016 and 2017. The ransomware families that came after it are more careful in their file encryption, purposely excluding system files and executables, as these are needed for the computer to boot and operate. Everything else is encrypted. This means there would be no abrupt shutdown on the factory floor if ransomware were to hit any of the control and monitoring computers in the operational technology (OT) network.\r\nFigure 2. An example of an HMI\r\nHowever, an HMI that looks like the image above would not be able to load, and would display errors, after the ransomware hits.\r\nFigure 3. Errors that an HMI could experience due to ransomware\r\nAs a graphical interface, an HMI is extremely reliant on image files. 
Every button, value, logo, pipe, and piece of equipment represented in the HMI has a corresponding image file somewhere in the HMI software’s directory. In addition, the configurations that hold values, mappings, logic, thresholds, and lexicons are stored in text files alongside the image files. In one ransomware incident that affected an HMI, we found that 88% of the encrypted files were JPEG, BMP, or GIF files — the images the HMI uses to render its interface. If all of these files are encrypted, recovering the affected system does not end with a reinstallation of the ICS software: the custom HMI or SCADA interface has to be restored as well.\r\nNote that ransomware does not need to target the ICS software’s processes directly in order to incapacitate the ICS. By encrypting the files that the HMI, SCADA, or engineering workstation (EWS) depends on, ransomware can render the system useless, resulting in a Loss of View and Loss of Control scenario for the operator and, ultimately, Loss of Productivity and Revenue for the factory.\r\nTheft of Operational Information\r\nNetworked file sharing is practically a necessity in manufacturing environments. On the operational side, engineers and designers use it not only to share the design and engineering documents they are working on but also as a repository for reference files, guidelines, parts lists, tooling, and workflow. On the business side, managers and staff use network shares to store information about vendors, suppliers, purchase orders, invoices, and the like. 
A dedicated supply chain management (SCM) and/or product life cycle management (PLM) system, with its associated databases, may even be found on Level 4 or 5.\r\nAlthough a ransomware attack that hits these file repositories and databases would not necessarily disrupt the production line, it would hamper business operations, supply chain management, and product engineering and design. Unfortunately, those are only the short-term consequences. Modern ransomware operations also involve data theft, which leaves a permanent impact.\r\nIn a trend started by the Maze ransomware, it is now almost standard practice for ransomware groups to steal data from their victims, using off-the-shelf file backup tools to do the job. Initially, the purpose was to increase the likelihood of payment, since the threat of a data leak adds the lever of blackmail. However, data from ransomware victims is also being leaked to or sold in the underground. This is particularly damaging for manufacturers, since design and engineering documents can contain intellectual property, and vendor and supplier information can contain confidential supply chain data such as pricing and order details.\r\nManufacturing companies should plan for these possibilities in case they ever face a ransomware incident. Once production and business operations are restored, an assessment of the stolen data needs to be done. Afterward, organizations should ask themselves a painful question: if the data is leaked or sold, what would the repercussions be for production, business relationships, and customers? The answers guide an organization’s post-mortem actions and enable a more effective response strategy.
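The two findings above (an HMI crippled because the images and text configurations it renders from were encrypted while executables were left intact, and a file share whose contents must be assessed for theft) are what an incident responder has to quantify on the first day. The script below is an added example written for this page, not Trend Micro’s tooling: it walks a directory snapshot, decides which files were encrypted (by an appended extension, or by byte entropy for families that do not rename files), reports the share of encrypted files that were HMI images, lists the executables the ransomware skipped, and separately inventories the file types whose theft would matter. The extension classes, the .locked suffix, the sensitivity mapping and the directory snapshot are all constructed assumptions.

```python
import hashlib
import math
from collections import Counter

# Extension classes used for triage. Which system and executable types a given
# family skips varies; this list is an assumption for the example.
IMAGE_EXTS = {'.jpg', '.jpeg', '.bmp', '.gif', '.png'}
SKIPPED_EXTS = {'.exe', '.dll', '.sys'}
# Categories for the stolen-data assessment (assumed mapping of extension to concern).
SENSITIVE_EXTS = {
    '.dwg': 'design IP', '.step': 'design IP', '.l5x': 'PLC program',
    '.xlsx': 'supplier/pricing data', '.pdf': 'purchase orders and invoices',
}
RANSOM_EXT = '.locked'   # hypothetical extension appended by the ransomware
ENTROPY_THRESHOLD = 7.5  # bits per byte; ciphertext sits close to 8.0


def shannon_entropy(data):
    # Bits of entropy per byte of the empirical byte distribution.
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def original_ext(name, ransom_ext=RANSOM_EXT):
    # Strip an appended ransom extension, then return the file's own extension.
    base = name[:-len(ransom_ext)] if name.endswith(ransom_ext) else name
    return '.' + base.rsplit('.', 1)[-1].lower() if '.' in base else ''


def triage(listing, ransom_ext=RANSOM_EXT, threshold=ENTROPY_THRESHOLD):
    # listing: mapping of path -> file bytes. A file counts as encrypted if it
    # carries the ransom extension or its content is high-entropy (families
    # that do not rename files still leave ciphertext behind).
    encrypted, intact_executables = [], []
    for path, data in listing.items():
        name = path.rsplit('/', 1)[-1]
        ext = original_ext(name, ransom_ext)
        if name.endswith(ransom_ext) or shannon_entropy(data) >= threshold:
            encrypted.append(ext)
        elif ext in SKIPPED_EXTS:
            intact_executables.append(path)
    by_ext = Counter(encrypted)
    images = sum(n for e, n in by_ext.items() if e in IMAGE_EXTS)
    return {
        'encrypted': len(encrypted),
        'by_ext': dict(by_ext),
        'image_share': images / len(encrypted) if encrypted else 0.0,
        'intact_executables': intact_executables,
    }


def exposure_report(listing, ransom_ext=RANSOM_EXT):
    # Files whose theft matters, whether or not they were also encrypted:
    # this is the list the post-incident stolen-data assessment must cover.
    report = {}
    for path in listing:
        ext = original_ext(path.rsplit('/', 1)[-1], ransom_ext)
        if ext in SENSITIVE_EXTS:
            report.setdefault(SENSITIVE_EXTS[ext], []).append(path)
    return report


def pseudo_random(seed, n):
    # Deterministic high-entropy bytes standing in for ciphertext (sample data only).
    out, block = bytearray(), seed.encode()
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def build_sample():
    # Constructed snapshot of an HMI directory and a Level 3 file share after an incident.
    listing = {}
    for img in ('btn_start.bmp', 'btn_stop.bmp', 'logo.jpg', 'pump.gif', 'valve.gif'):
        listing['hmi/img/' + img + RANSOM_EXT] = pseudo_random(img, 4096)
    listing['hmi/img/tank.jpg'] = pseudo_random('tank', 4096)        # encrypted, not renamed
    listing['hmi/cfg/tags.csv' + RANSOM_EXT] = pseudo_random('tags', 4096)
    listing['hmi/cfg/alarms.ini' + RANSOM_EXT] = pseudo_random('alarms', 4096)
    listing['hmi/bin/Runtime.exe'] = b'MZ' + bytes(4094)              # skipped by the ransomware
    listing['hmi/bin/viewer.dll'] = b'MZ' + bytes(4094)
    listing['share/design/bracket.dwg' + RANSOM_EXT] = pseudo_random('dwg', 4096)
    listing['share/procurement/q3_prices.xlsx' + RANSOM_EXT] = pseudo_random('xlsx', 4096)
    listing['share/procurement/PO-1042.pdf'] = b'%PDF-1.4 sample ' * 256  # intact plaintext
    return listing


SAMPLE_LISTING = build_sample()

if __name__ == '__main__':
    result = triage(SAMPLE_LISTING)
    print('encrypted files:', result['encrypted'], 'by type:', result['by_ext'])
    print('image share of encrypted files: %.0f%%' % (100 * result['image_share']))
    print('executables left intact:', result['intact_executables'])
    for category, paths in exposure_report(SAMPLE_LISTING).items():
        print(category + ':', paths)
```

On the constructed snapshot, 6 of the 10 encrypted files are HMI images and both executables are untouched, which is the pattern the article describes: the runtime still starts, but has nothing to draw. Against a real system, replace build_sample with a walk over the mounted disk image and tune the entropy threshold down for families that only encrypt the first part of each file.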
\r\nPost-Intrusion Ransomware\r\nOver the years, there has been a dramatic decrease in ransomware arriving as email attachments or being installed through malicious websites (see Figure 4). Judging by the news headlines, however, one might think that the amount of ransomware in circulation has not decreased at all.\r\nFigure 4. Ransomware detected by Trend Micro as email attachments (email) or in malicious websites (web) over the years\r\nThe reason is that in the past few years, ransomware actors have become more selective in their targets. They have moved away from mass-distributed ransomware spam campaigns and adopted a narrower approach called “big-game hunting.” Ransomware actors are no longer concerned with infecting household desktops (small game) and are instead interested in medium-to-large enterprises (big game), on the assumption that big-game hunting yields larger payouts per infection.\r\nBig-game hunting is more complicated and takes more time to observe, track, and stalk the prey. This is why most ransomware families affecting big industries such as manufacturing are called “post-intrusion ransomware”: the attackers have already gained access to the network through other means before installing the ransomware.\r\nFigure 5. The distribution of different ransomware families affecting manufacturing networks in Q3 of 2020\r\nMost of the ransomware families affecting manufacturing during Q3 of 2020 are known to be post-intrusion ransomware. 
Sodinokibi, the ransomware that affected the most manufacturing networks during Q3, has been installed after attackers exploit vulnerable Oracle WebLogic servers. GandCrab has been installed after attackers exploit vulnerable public-facing MySQL servers. The ransomware Ryuk is installed by attackers who have already gained a foothold in networks through the Emotet malware. Attackers installing Sodinokibi, MedusaLocker, Crysis, and a host of other ransomware families are known to abuse weak RDP credentials.\r\nMore importantly, this shows that a ransomware incident is not a single event. Rather, it is the manifestation of several security problems that let attackers gain access to a network, move laterally, and identify key assets to ransom.\r\nBoth the recent data on the manufacturing industry and the pattern of ransomware in ICS environments suggest that there are holes in the demilitarized zone (DMZ) and in network segmentation. These gaps allow a compromise of the IT network to traverse into the OT network. Another possible issue is remote access connections directly into the OT network that are weakly protected or unaccounted for. True recovery therefore does not end when the ransomware incident is mitigated and production and operations resume. It ends when the security weaknesses that enabled the ransomware infection in the first place are finally addressed.\r\nSecuring Manufacturing Networks\r\nAs we have seen in the past few years, manufacturing networks are as easy to compromise as networks in any other industry. Even with specialized equipment, software, and protocols, and with network segmentation in place, attackers are routinely able to ransom ICS environments.\r\nStandard security best practices and solutions should work, but they should be deployed in a manner that is sensitive to the production environment. 
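The segmentation and remote-access gaps described above (IT hosts reaching Level 2 and 3 systems without passing the DMZ, RDP into OT from anything but a sanctioned jump host, and OT hosts talking to the internet, which is also how stolen data leaves) can be checked offline from the flow records that a firewall or NetFlow collector already exports, with no latency cost to the production network. The script below is an added example written for this page, not Trend Micro’s code. The zone plan, the jump host address, the port list and the flow records are constructed assumptions; a real audit would load them from the site’s network design and its own exports.

```python
import ipaddress
from collections import Counter

# Assumed Purdue-style zone plan for one site. Addresses, zone names and the
# jump host are constructed for the example.
ZONES = {
    'enterprise':  [ipaddress.ip_network('10.0.0.0/16')],    # Levels 4-5: corporate IT
    'dmz':         [ipaddress.ip_network('10.50.0.0/24')],   # Level 3.5: jump hosts, relays
    'site_ops':    [ipaddress.ip_network('10.100.0.0/24')],  # Level 3: historian, file server
    'supervisory': [ipaddress.ip_network('10.101.0.0/24')],  # Level 2: HMI, SCADA, EWS
}
OT_ZONES = {'site_ops', 'supervisory'}
# The only hosts allowed to open interactive remote sessions into OT.
JUMP_HOSTS = {ipaddress.ip_address('10.50.0.10')}
REMOTE_ACCESS_PORTS = {3389: 'RDP', 22: 'SSH', 5900: 'VNC'}


def zone_of(ip):
    # Map an address to its zone; anything outside the plan is treated as external.
    addr = ipaddress.ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in net for net in nets):
            return name
    return 'external'


def audit_flow(flow):
    # Returns the policy violations a single accepted flow represents.
    src, dst = zone_of(flow['src']), zone_of(flow['dst'])
    service = REMOTE_ACCESS_PORTS.get(flow['dport'])
    findings = []
    if dst in OT_ZONES and src in ('enterprise', 'external'):
        findings.append('IT/external host reaching OT without passing the DMZ')
    if dst in OT_ZONES and service and ipaddress.ip_address(flow['src']) not in JUMP_HOSTS:
        findings.append('unsanctioned ' + service + ' session into OT')
    if src in OT_ZONES and dst == 'external':
        findings.append('OT host talking to the internet')
    return findings


def audit(flows):
    # Returns (list of (finding, flow) pairs, Counter of finding types).
    results = [(f, flow) for flow in flows for f in audit_flow(flow)]
    return results, Counter(f for f, _ in results)


# Constructed flow records (accepted connections, as a firewall or NetFlow export lists them).
SAMPLE_FLOWS = [
    {'src': '10.0.4.21',   'dst': '10.101.0.5',   'dport': 3389},  # IT workstation RDP to HMI
    {'src': '10.50.0.10',  'dst': '10.101.0.5',   'dport': 3389},  # jump host RDP to HMI: allowed
    {'src': '10.100.0.20', 'dst': '10.50.0.20',   'dport': 445},   # historian to DMZ relay: allowed
    {'src': '203.0.113.7', 'dst': '10.100.0.30',  'dport': 3389},  # internet RDP to file server
    {'src': '10.101.0.8',  'dst': '198.51.100.9', 'dport': 443},   # EWS uploading to the internet
    {'src': '10.0.4.21',   'dst': '10.50.0.10',   'dport': 3389},  # IT workstation to jump host: allowed
]

if __name__ == '__main__':
    findings, summary = audit(SAMPLE_FLOWS)
    for finding, flow in findings:
        print(flow['src'], '->', flow['dst'] + ':' + str(flow['dport']), '|', finding)
    print(dict(summary))
```

On the constructed records the audit raises five findings from three flows, and passes the jump-host path and the historian-to-DMZ traffic untouched. Each finding is a segmentation or remote-access weakness of the kind the article says enables the IT-to-OT traversal, and closing them is the part of recovery that the article says actually ends the incident.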
Aside from the standard capabilities of security solutions, the additional requirements that security officers in the manufacturing industry should look at when evaluating security solutions are:\r\nLow latency. Solutions should avoid interfering with time-sensitive production processes.\r\nAwareness of the OT protocols in the field. Security products should properly identify and monitor traffic to and from ICS systems.\r\nIntegrated monitoring and detection across IT and OT networks. Security strategies need products that can work together and share data between network segments, which increases ease of use and simplifies monitoring and response.\r\nIn a short period, ransomware actors have learned how to target and navigate manufacturing networks. It is therefore necessary to integrate secure solutions and implement security best practices in critical industries.\r\nRead more about Trend Micro’s security solutions for manufacturing and smart factories.\r\nSource: https://www.trendmicro.com/en_us/research/20/l/the-impact-of-modern-ransomware-on-manufacturing-networks.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/20/l/the-impact-of-modern-ransomware-on-manufacturing-networks.html"
	],
	"report_names": [
		"the-impact-of-modern-ransomware-on-manufacturing-networks.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434048,
	"ts_updated_at": 1775826735,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7790f5d9e177406b37049e1a9b36b1dfeafc996b.pdf",
		"text": "https://archive.orkl.eu/7790f5d9e177406b37049e1a9b36b1dfeafc996b.txt",
		"img": "https://archive.orkl.eu/7790f5d9e177406b37049e1a9b36b1dfeafc996b.jpg"
	}
}