{
	"id": "2ab9a1ff-42b3-4ee0-a45d-6e7a3e3e0f7d",
	"created_at": "2026-04-06T00:13:14.362374Z",
	"updated_at": "2026-04-10T03:36:11.045705Z",
	"deleted_at": null,
	"sha1_hash": "ae2ada40c7dde0f50cf9d976286d46b1ff16d676",
	"title": "Ransomware Against the Machine: How Adversaries are Learning to Disrupt Industrial Production by Targeting IT and OT | Mandiant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1269813,
	"plain_text": "Ransomware Against the Machine: How Adversaries are Learning\r\nto Disrupt Industrial Production by Targeting IT and OT |\r\nMandiant\r\nBy Mandiant\r\nPublished: 2020-02-24 · Archived: 2026-04-05 15:44:12 UTC\r\nWritten by: Daniel Kapellmann Zafra, Keith Lunden, Nathan Brubaker, Jeremy Kennelly\r\nSince at least 2017, there has been a significant increase in public disclosures of ransomware incidents impacting\r\nindustrial production and critical infrastructure organizations. Well-known ransomware families like WannaCry,\r\nLockerGoga, MegaCortex, Ryuk, Maze, and now SNAKEHOSE (a.k.a. Snake / Ekans), have cost victims across a\r\nvariety of industry verticals many millions of dollars in ransom and collateral costs. These incidents have also\r\nresulted in significant disruptions and delays to the physical processes that enable organizations to produce and\r\ndeliver goods and services.\r\nWhile lots of information has been shared about the victims and immediate impacts of industrial sector\r\nransomware distribution operations, the public discourse continues to miss the big picture. As financial crime\r\nactors have evolved their tactics from opportunistic to post-compromise ransomware deployment, we have\r\nobserved an increase in adversaries’ internal reconnaissance that enables them to target systems that are vital to\r\nsupport the chain of production. As a result, ransomware infections—either affecting critical assets in corporate\r\nnetworks or reaching computers in OT networks—often result in the same outcome: insufficient or late supply of\r\nend products or services.\r\nTruly understanding the unique nuances of industrial sector ransomware distribution operations requires a\r\ncombination of skillsets and visibility across both IT and OT systems. 
Using examples derived from our\r\nconsulting engagements and threat research, we will explain how the shift to post-compromise ransomware\r\noperations is fueling adversaries’ ability to disrupt industrial operations.\r\nIndustrial Sector Ransomware Distribution Poses Increasing Risk as Actors Move to Post-Compromise\r\nDeployment\r\nThe traditional approach to ransomware attacks predominantly relies on a “shotgun” methodology that consists of\r\nindiscriminate campaigns spreading malware to encrypt files and data from a variety of victims. Actors following\r\nthis model will extort victims for an average of $500 to $1,000 USD and hope to receive payments from as many\r\nindividuals as possible. While early ransomware campaigns adopting this approach were often considered out of\r\nscope for OT security, recent campaigns targeting entire industrial and critical infrastructure organizations have\r\nmoved toward adopting a more operationally complex post-compromise approach.\r\nhttps://www.fireeye.com/blog/threat-research/2020/02/ransomware-against-machine-learning-to-disrupt-industrial-production.html\r\nPage 1 of 6\n\nIn post-compromise ransomware incidents, a threat actor may still often rely on broadly distributed malware to\r\nobtain their initial access to a victim environment, but once on a network they will focus on gaining privileged\r\naccess so they can explore the target networks and identify critical systems before deploying the ransomware. This\r\napproach also makes it possible for the attacker to disable security processes that would normally be enough to\r\ndetect known ransomware indicators or behaviors. Actors cast wider nets that may impact critical systems, which\r\nexpand the scale and effectiveness of their end-stage operations by inflicting maximum pain on the victim. 
As a\r\nresult, they are better positioned to negotiate and can often demand much higher ransoms—which are commonly\r\ncommensurate with the victims’ perceived ability to pay and the value of the ransomed assets themselves. For\r\nmore information, including technical detail, on similar activity, see our recent blog posts on FIN6 and\r\nTEMP.MixMaster.\r\nFigure 1: Comparison of indiscriminate vs. post-compromise ransomware approaches\r\nHistorical incidents involving the opportunistic deployment of ransomware have often been limited to impacting\r\nindividual computers, which occasionally included OT intermediary systems that were either internet-accessible,\r\npoorly segmented, or exposed to infected portable media. In 2017, we also observed campaigns such as NotPetya\r\nand BadRabbit, where wiper malware with worm-like capabilities was released to disrupt organizations while\r\nmasquerading as ransomware. While these types of campaigns pose a threat to industrial production, the adoption\r\nof post-compromise deployment presents three major twists in the plot.\r\nAs threat actors tailor their attacks to target specific industries or organizations, companies with high-availability requirements (e.g., public utilities, hospitals, and industrial manufacturing) and perceived\r\nabilities to pay ransoms (e.g., higher revenue companies) become prime targets. 
This represents an\r\nexpansion of financial crime actors’ targeting of industries that process directly marketable information\r\n(e.g., credit card numbers or customer data) to include the monetization of production environments.\r\nAs threat actors perform internal reconnaissance and move laterally across target networks before\r\ndeploying ransomware, they are now better positioned to cast wide nets that impact the target’s most\r\ncritical assets and negotiate from a privileged position.\r\nMost importantly, many of the tactics, techniques, and procedures (TTPs) often used by financial actors in\r\nthe past resemble those employed by high-skilled actors across the initial and middle stages of the attack\r\nlifecycle of past OT security incidents. Therefore, financial crime actors are likely capable of pivoting to\r\nand deploying ransomware in OT intermediary systems to further disrupt operations.\r\nOrganized Financial Crime Actors Have Demonstrated an Ability to Disrupt OT Assets\r\nAn actor’s capability to obtain financial benefits from post-compromise ransomware deployment depends on\r\nmany factors, one of which is the ability to disrupt systems that are the most relevant to the core mission of the\r\nvictim organizations. As a result, we can expect mature actors to gradually broaden their selection from only IT\r\nand business processes to also include OT assets monitoring and controlling physical processes. This is apparent in\r\nransomware families such as SNAKEHOSE, which was designed to execute its payload only after stopping a\r\nseries of processes that included some industrial software from vendors such as General Electric and Honeywell.\r\nAt first glance, the SNAKEHOSE kill list appeared to be specifically tailored to OT environments due to the\r\nrelatively small number of processes (yet high number of OT-related processes) identified with automated tools\r\nfor initial triage. 
However, after manually extracting the list from the function that was terminating the processes,\r\nwe determined that the kill list utilized by SNAKEHOSE actually targets over 1,000 processes.\r\nIn fact, we have observed very similar process kill lists deployed alongside samples from other ransomware\r\nfamilies, including LockerGoga, MegaCortex, and Maze. Not surprisingly, all of these code families have been\r\nassociated with high-profile incidents impacting industrial organizations for the past two years. The earliest kill\r\nlist containing OT processes we identified was a batch script deployed alongside LockerGoga in January 2019.\r\nThe list is very similar to those used later in MegaCortex incidents, albeit with notable exceptions, such as an\r\napparent typo on an OT-related process that is not present in our SNAKEHOSE or MegaCortex samples:\r\n“proficyclient.exe4”. The absence of this typo in the SNAKEHOSE and MegaCortex samples could indicate that\r\none of these malware authors identified and corrected the error when initially copying the OT-processes from the\r\nLockerGoga list, or that the LockerGoga author failed to properly incorporate the processes from some theoretical\r\ncommon source of origin, such as a dark web post.\r\nFigure 2: ‘proficyclient.exe’ spelling in kill lists deployed with LockerGoga (left) and SNAKEHOSE (right)\r\nRegardless of which ransomware family first employed the OT-related processes in a kill list or where the\r\nmalware authors acquired the list, the seeming ubiquity of this list across malware families suggests that the list\r\nitself is more noteworthy than any individual malware family that has implemented it. 
While the OT processes\r\nidentified in these lists may simply represent the coincidental output of automated process collection from target\r\nenvironments and not a targeted effort to impact OT, the existence of this list provides financial crime actors\r\nopportunities to disrupt OT systems. Furthermore, we expect that as financially motivated threat actors continue to\r\nimpact industrial sector organizations, become more familiar with OT, and identify dependencies across IT and\r\nOT systems, they will develop capabilities—and potentially intent—to disrupt other systems and environments\r\nrunning industrial software products and technology.\r\nRansomware Deployments in Both IT and OT Systems Have Impacted Industrial Production\r\nAs a result of adversaries’ post-compromise strategy and increased awareness of industrial sector targets,\r\nransomware incidents have effectively impacted industrial production regardless of whether the malware was\r\ndeployed in IT or OT. Ransomware incidents encrypting data from servers and computers in corporate networks\r\nhave resulted in direct or indirect disruptions to physical production processes overseen by OT networks. This has\r\ncaused insufficient or late supply of end products or services, representing long-term financial losses in the form\r\nof missed business opportunities, costs for incident response, regulatory fines, reputational damage, and\r\nsometimes even paid ransoms. In certain sectors, such as utilities and public services, high availability is also\r\ncritical to societal well-being.\r\nThe best-known example of ransomware impacting industrial production due to an IT network infection is Norsk\r\nHydro’s incident from March 2019, where disruptions to Business Process Management Systems (BPMS) forced\r\nmultiple sites to shut down automation operations. 
Among other collateral damage, the ransomware interrupted\r\ncommunication between IT systems that are commonly used to manage resources across the production chain.\r\nInterruptions to these flows of information, containing for example product inventories, forced employees to\r\nidentify manual alternatives to handle more than 6,500 stock-keeping units and 4,000 shelves. FireEye Mandiant\r\nhas responded to at least one similar case where TrickBot was used to deploy Ryuk ransomware at an oil rig\r\nmanufacturer. While the infection happened only on corporate networks, the biggest business impact was caused\r\nby disruptions of Oracle ERP software driving the company temporarily offline and negatively affecting\r\nproduction.\r\nRansomware may result in similar outcomes when it reaches IT-based assets in OT networks, for example human-machine interfaces (HMIs), supervisory control and data acquisition (SCADA) software, and engineering\r\nworkstations. Most of this equipment relies on commodity software and standard operating systems that are\r\nvulnerable to a variety of IT threats. Mandiant Intelligence is aware of at least one incident in which an industrial\r\nfacility suffered a plant shutdown due to a large-scale ransomware attack, based on sensitive sources. The facility's\r\nnetwork was improperly segmented, which allowed the malware to propagate from the corporate network into the\r\nOT network, where it encrypted servers, HMIs, workstations, and backups. The facility had to reach out to\r\nmultiple vendors to retrieve backups, many of which were decades old, which delayed complete restoration of\r\nproduction.\r\nAs recently as February 2020, the Cybersecurity and Infrastructure Security Agency (CISA) released Alert AA20-049A\r\ndescribing how a post-compromise ransomware incident had affected control and communication assets on\r\nthe OT network of a natural gas compression facility. 
Impacts to HMIs, data historians, and polling servers\r\nresulted in loss of availability and loss of view for human operators. This prompted an intentional shutdown of\r\noperations that lasted two days.\r\nMitigating the Effects of Ransomware Requires Defenses Across IT and OT\r\nThreat actors deploying ransomware have made rapid advances both in terms of effectiveness and as a criminal\r\nbusiness model, imposing high operational costs on victims. We encourage all organizations to evaluate their\r\nsafety and industrial risks related to ransomware attacks. Note that these recommendations will also help to build\r\nresilience in the face of other threats to business operations (e.g., cryptomining malware infections). While every\r\ncase will differ, we highlight the following recommendations.\r\nFor custom services and actionable intelligence in both IT and OT, contact FireEye Mandiant Consulting,\r\nManaged Defense, and Threat Intelligence.\r\nConduct tabletop and/or controlled red team exercises to assess the current security posture and ability of\r\nyour organization to respond to the ransomware threat. Simulate attack scenarios (mainly in non-production environments) to understand how the incident response team can (or cannot) detect, analyze,\r\nand recover from such an attack. Revisit recovery requirements based on the exercise results. In general,\r\nrepeatedly practicing various threat scenarios will improve awareness and ability to respond to real\r\nincidents.\r\nReview operations, business processes, and workflows to identify assets that are critical to maintaining\r\ncontinuous industrial operations. Whenever possible, introduce redundancy for critical assets with low\r\ntolerance to downtime. 
The right amount and type of redundancy is unique for each organization and can\r\nbe determined through risk assessments and cost-benefit analyses. Note that such analyses cannot be\r\nconducted without involving business process owners and collaborating across IT and OT.\r\nLogically segregate primary and redundant assets either by a network-based or host-based firewall with\r\nsubsequent asset hardening (e.g., disabling services typically used by ransomware for its propagation, like\r\nSMB, RDP, and WMI). In addition to creating policies to disable unnecessary peer-to-peer and remote\r\nconnections, we recommend routine auditing of all systems that potentially host these services and\r\nprotocols. Note that such architecture is generally more resilient to security incidents.\r\nWhen establishing a rigorous back-up program, special attention should be paid to ensuring the security\r\n(integrity) of backups. Critical backups must be kept offline or, at minimum, on a segregated network.\r\nOptimize recovery plans in terms of recovery time objective. Introduce required alternative workflows\r\n(including manual) for the duration of recovery. This is especially critical for organizations with limited or\r\nno redundancy of critical assets. When recovering from backups, harden recovered assets and the entire\r\norganization's infrastructure to prevent recurring ransomware infection and propagation.\r\nEstablish clear ownership and management of OT perimeter protection devices to ensure emergency,\r\nenterprise-wide changes are possible. Effective network segmentation must be maintained during\r\ncontainment and active intrusions.\r\nHunt for adversary intrusion activity in intermediary systems, which we define as the networked\r\nworkstations and servers using standard operating systems and protocols. 
While these systems are further\r\naway from direct control of physical processes, there is a much higher likelihood of attacker presence.\r\nNote that every organization is different, with unique internal architectures and processes, stakeholder\r\nneeds, and customer expectations. Therefore, all recommendations should be carefully considered in the\r\ncontext of the individual infrastructures. For instance, proper network segmentation is highly advisable for\r\nmitigating the spread of ransomware. However, organizations with limited budgets may instead decide to\r\nleverage redundant asset diversification, host-based firewalls, and hardening as an alternative to\r\nsegregating with hardware firewalls.\r\nPosted in\r\nThreat Intelligence\r\nSecurity \u0026 Identity\r\nSource: https://www.fireeye.com/blog/threat-research/2020/02/ransomware-against-machine-learning-to-disrupt-industrial-production.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.fireeye.com/blog/threat-research/2020/02/ransomware-against-machine-learning-to-disrupt-industrial-production.html"
	],
	"report_names": [
		"ransomware-against-machine-learning-to-disrupt-industrial-production.html"
	],
	"threat_actors": [
		{
			"id": "12517c87-040a-4627-a3df-86ca95e5c13f",
			"created_at": "2022-10-25T16:07:23.61665Z",
			"updated_at": "2026-04-10T02:00:04.689Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"ATK 88",
				"Camouflage Tempest",
				"FIN6",
				"G0037",
				"Gold Franklin",
				"ITG08",
				"Skeleton Spider",
				"Storm-0538",
				"TAAL",
				"TAG-CR2",
				"White Giant"
			],
			"source_name": "ETDA:FIN6",
			"tools": [
				"AbaddonPOS",
				"Agentemis",
				"AmmyyRAT",
				"Anchor_DNS",
				"BlackPOS",
				"CmdSQL",
				"Cobalt Strike",
				"CobaltStrike",
				"FlawedAmmyy",
				"FrameworkPOS",
				"Grateful POS",
				"JSPSPY",
				"Kaptoxa",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LockerGoga",
				"MMon",
				"Magecart",
				"Meterpreter",
				"Mimikatz",
				"More_eggs",
				"NeverQuest",
				"POSWDS",
				"Reedum",
				"Ryuk",
				"SCRAPMINT",
				"SONE",
				"SpicyOmelette",
				"StealerOne",
				"Taurus Loader Stealer Module",
				"Terra Loader",
				"TerraStealer",
				"Vawtrak",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"cobeacon",
				"grabnew"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f6f91e1c-9202-4497-bf22-9cd5ef477600",
			"created_at": "2023-01-06T13:46:38.86765Z",
			"updated_at": "2026-04-10T02:00:03.12735Z",
			"deleted_at": null,
			"main_name": "WIZARD SPIDER",
			"aliases": [
				"TEMP.MixMaster",
				"GOLD BLACKBURN",
				"DEV-0193",
				"UNC2053",
				"Pistachio Tempest",
				"DEV-0237",
				"Storm-0230",
				"FIN12",
				"Periwinkle Tempest",
				"Storm-0193",
				"Trickbot LLC"
			],
			"source_name": "MISPGALAXY:WIZARD SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ea7bfe06-7c23-481d-b8ba-eafa6cda3bc9",
			"created_at": "2022-10-25T15:50:23.317961Z",
			"updated_at": "2026-04-10T02:00:05.280403Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"FIN6",
				"Magecart Group 6",
				"ITG08",
				"Skeleton Spider",
				"TAAL",
				"Camouflage Tempest"
			],
			"source_name": "MITRE:FIN6",
			"tools": [
				"FlawedAmmyy",
				"GrimAgent",
				"FrameworkPOS",
				"More_eggs",
				"Cobalt Strike",
				"Windows Credential Editor",
				"AdFind",
				"PsExec",
				"LockerGoga",
				"Ryuk",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3acfb48-b04d-4d3d-88a8-836d7376fa2e",
			"created_at": "2024-06-19T02:03:08.052814Z",
			"updated_at": "2026-04-10T02:00:03.659971Z",
			"deleted_at": null,
			"main_name": "GOLD FRANKLIN",
			"aliases": [
				"FIN6 ",
				"ITG08 ",
				"MageCart Group 6 ",
				"Skeleton Spider ",
				"Storm-0538 ",
				"White Giant "
			],
			"source_name": "Secureworks:GOLD FRANKLIN",
			"tools": [
				"FrameWorkPOS",
				"Metasploit",
				"Meterpreter",
				"Mimikatz",
				"PowerSploit",
				"PowerUpSQL",
				"RemCom"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "63061658-5810-4f01-9620-7eada7e9ae2e",
			"created_at": "2022-10-25T15:50:23.752974Z",
			"updated_at": "2026-04-10T02:00:05.244531Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"Wizard Spider",
				"UNC1878",
				"TEMP.MixMaster",
				"Grim Spider",
				"FIN12",
				"GOLD BLACKBURN",
				"ITG23",
				"Periwinkle Tempest",
				"DEV-0193"
			],
			"source_name": "MITRE:Wizard Spider",
			"tools": [
				"TrickBot",
				"AdFind",
				"BITSAdmin",
				"Bazar",
				"LaZagne",
				"Nltest",
				"GrimAgent",
				"Dyre",
				"Ryuk",
				"Conti",
				"Emotet",
				"Rubeus",
				"Mimikatz",
				"Diavol",
				"PsExec",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "ee3363a4-e807-4f95-97d8-b603c31b9de1",
			"created_at": "2023-01-06T13:46:38.485884Z",
			"updated_at": "2026-04-10T02:00:02.99385Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"SKELETON SPIDER",
				"ITG08",
				"MageCart Group 6",
				"ATK88",
				"TA4557",
				"Storm-0538",
				"White Giant",
				"GOLD FRANKLIN",
				"G0037",
				"Camouflage Tempest"
			],
			"source_name": "MISPGALAXY:FIN6",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e6a21528-2999-4e2e-aaf4-8b6af14e17f3",
			"created_at": "2022-10-25T16:07:24.422115Z",
			"updated_at": "2026-04-10T02:00:04.983298Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"DEV-0193",
				"G0102",
				"Gold Blackburn",
				"Gold Ulrick",
				"Grim Spider",
				"ITG23",
				"Operation BazaFlix",
				"Periwinkle Tempest",
				"Storm-0230",
				"TEMP.MixMaster",
				"Wizard Spider"
			],
			"source_name": "ETDA:Wizard Spider",
			"tools": [
				"AdFind",
				"Agentemis",
				"Anchor_DNS",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"Conti",
				"Diavol",
				"Dyranges",
				"Dyre",
				"Dyreza",
				"Dyzap",
				"Gophe",
				"Invoke-SMBAutoBrute",
				"KEGTAP",
				"LaZagne",
				"LightBot",
				"PowerSploit",
				"PowerTrick",
				"PsExec",
				"Ryuk",
				"SessionGopher",
				"TSPY_TRICKLOAD",
				"Team9Backdoor",
				"The Trick",
				"TheTrick",
				"Totbrick",
				"TrickBot",
				"TrickLoader",
				"TrickMo",
				"Upatre",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434394,
	"ts_updated_at": 1775792171,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ae2ada40c7dde0f50cf9d976286d46b1ff16d676.pdf",
		"text": "https://archive.orkl.eu/ae2ada40c7dde0f50cf9d976286d46b1ff16d676.txt",
		"img": "https://archive.orkl.eu/ae2ada40c7dde0f50cf9d976286d46b1ff16d676.jpg"
	}
}