Back to Intelligence

ICS Ransomware Surge: Detecting and Containing Encryption-Based Attacks on Industrial Control Systems

SA
Security Arsenal Team
April 19, 2026
6 min read

Introduction

The Dragos annual report has dropped a stark warning for the industrial sector: we are witnessing a significant rise in encryption-based cyber incidents targeting operational technology (OT). This isn't just about data exfiltration anymore; adversaries are actively engaging in operational disruption by encrypting critical assets. For defenders, the urgency has shifted from "if" to "when." The integrity of industrial environments—power grids, water treatment plants, and manufacturing lines—is at stake. We need to pivot our defensive posture immediately to detect the precursors of encryption and ensure business continuity.

Technical Analysis

The Dragos intelligence highlights a shift in adversary behavior within OT environments. While traditional IT ransomware focuses on data encryption for extortion, the surge in industrial incidents focuses on the availability of safety-critical processes.

  • Affected Platforms: Primarily Windows-based Engineering Workstations, Human-Machine Interfaces (HMIs), and Historians running on legacy or unpatched Windows Server versions.
  • Threat Vector: Initial access typically follows lateral movement from the IT network, exploiting weak remote access protocols (RDP, VPN) or phishing to gain a foothold in the OT demilitarized zone (DMZ).
  • Attack Mechanics: Once inside the OT network, adversaries conduct reconnaissance to identify high-value targets. The "encryption-based" attack involves deploying ransomware payloads that encrypt flat-file databases used by Historians or configuration files for PLCs, rather than just office documents.
  • Exploitation Status: Active exploitation is confirmed. The report notes that these are not theoretical proofs of concept but active engagements causing operational downtime. While no specific 0-day CVE is mentioned for the encryption mechanism itself, the delivery often relies on leveraging legacy authentication protocols (NTLM v1) or unpatched vulnerabilities in RDP services.

Detection & Response

Defending against encryption attacks in OT requires a balance between sensitivity and availability. We cannot deploy noisy EDR agents that might jitter a legacy PLC controller. Therefore, our detection must focus on process anomalies and network lateral movement indicative of pre-encryption staging.

SIGMA Rules

YAML
---
title: Potential OT Ransomware Preparation - Shadow Copy Deletion
id: 8a4b2c1d-5e6f-4a7b-8c9d-0e1f2a3b4c5d
status: experimental
description: Detects deletion of volume shadow copies, a common precursor to ransomware encryption to prevent recovery, executed on common OT Windows hosts.
references:
  - https://attack.mitre.org/techniques/T1490/
author: Security Arsenal
date: 2025/04/09
tags:
  - attack.impact
  - attack.t1490
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\vssadmin.exe'
      - '\wbadmin.exe'
    CommandLine|contains:
      - 'delete shadows'
      - 'delete backup'
  filter_ot:
    ParentImage|contains:
      - '\View.exe'
      - '\Ignition'
      - '\FactoryTalk'
  condition: selection and not filter_ot
falsepositives:
  - Legitimate system maintenance by administrators
level: high
---
title: Suspicious PowerShell Execution on Engineering Workstations
id: 9b5c3d2e-6f7a-5b8c-9d0e-1f2a3b4c5d6e
status: experimental
description: Detects base64 encoded PowerShell execution or suspicious spawning from engineering software, often used for lateral movement in OT attacks.
references:
  - https://attack.mitre.org/techniques/T1059/001/
author: Security Arsenal
date: 2025/04/09
tags:
  - attack.execution
  - attack.t1059.001
logsource:
  category: process_creation
  product: windows
detection:
  selection_img:
    Image|endswith:
      - '\powershell.exe'
      - '\pwsh.exe'
  selection_cli:
    CommandLine|contains:
      - ' -enc '
      - ' -encodedcommand '
      - 'FromBase64String'
  filter_legit:
    ParentImage|contains:
      - '\ServiceUI.exe'
      - '\mms.exe'
  condition: selection_img and selection_cli and not filter_legit
falsepositives:
  - Legitimate software deployment scripts
level: medium

KQL (Microsoft Sentinel / Defender)

This hunt query looks for patterns of mass file modification or access to command-line utilities often used in encryption scripts (e.g., cipher.exe, icacls.exe) originating from non-administrative users or unusual paths on the OT network.

KQL — Microsoft Sentinel / Defender
// Hunt for ransomware precursor activity on OT endpoints
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("cipher.exe", "icacls.exe", "vssadmin.exe", "wbadmin.exe", "bitsadmin.exe")
| where InitiatingProcessFileName !in~ ("services.exe", "svchost.exe", "mmc.exe")
| extend FullPath = FolderPath + "\" + FileName
| where ProcessCommandLine contains " /w" or ProcessCommandLine contains " /delete" or ProcessCommandLine contains " /deny"
| project Timestamp, DeviceName, InitiatingProcessFileName, FileName, ProcessCommandLine, AccountName
| sort by Timestamp desc

Velociraptor VQL

This artifact hunts for executables running from temporary or user directories on systems that are typically locked down in an industrial environment (e.g., Engineering Workstations). This is a common tactic for payload delivery before encryption.

VQL — Velociraptor
-- Hunt for suspicious execution paths on OT assets
SELECT Pid, Name, CommandLine, Exe, Username, CreateTime
FROM pslist()
WHERE Exe =~ 'C:\\Users\\.*\\AppData\\Local\\Temp\\.*'
   OR Exe =~ 'C:\\ProgramData\\.*\\'
   OR Exe =~ 'C:\\Windows\\Temp\\.*'
   AND Name NOT IN ("chrome.exe", "firefox.exe", "iexplore.exe", "msedge.exe")

Remediation Script (PowerShell)

Use this script to audit and harden OT Windows hosts against common ransomware vectors. Note: Test thoroughly in a non-production OT lab before deployment.

PowerShell
# OT Hardening Audit & Remediation Script
# Usage: .\OT-Hardening.ps1 -AuditMode $false

param(
    [bool]$AuditMode = $true
)

Write-Host "[+] Starting OT Host Hardening Audit/Remediation..." -ForegroundColor Cyan

# 1. Disable RDP if not strictly required (Common Vector)
$RDPStatus = (Get-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name "fDenyTSConnections").fDenyTSConnections
if ($RDPStatus -eq 0) {
    Write-Host "[!] RDP is ENABLED. Critical Risk." -ForegroundColor Red
    if (-not $AuditMode) {
        Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name "fDenyTSConnections" -Value 1
        Write-Host "[+] RDP Disabled." -ForegroundColor Green
    }
} else {
    Write-Host "[+] RDP is Disabled." -ForegroundColor Green
}

# 2. Audit SMBv1 (WannaCry vector)
$SMB1 = Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol
if ($SMB1.EnableSMB1Protocol -eq $true) {
    Write-Host "[!] SMBv1 is ENABLED. Critical Risk." -ForegroundColor Red
    if (-not $AuditMode) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        Write-Host "[+] SMBv1 Disabled." -ForegroundColor Green
    }
} else {
    Write-Host "[+] SMBv1 is Disabled." -ForegroundColor Green
}

# 3. Check for unusual services (Persistence mechanism)
Write-Host "[*] Checking for services running from Temp directories..."
$SuspiciousServices = Get-WmiObject Win32_Service | Where-Object { $_.PathName -like '*Temp*' -or $_.PathName -like '*AppData*' }
if ($SuspiciousServices) {
    Write-Host "[!] Found suspicious services:" -ForegroundColor Red
    $SuspiciousServices | Select-Object Name, PathName, StartMode
} else {
    Write-Host "[+] No suspicious services found." -ForegroundColor Green
}

Write-Host "[*] Script Complete. Review Audit findings." -ForegroundColor Cyan

Remediation

To address the rise in encryption-based attacks highlighted by Dragos, immediate remediation steps must be taken:

  1. Network Segmentation (Purdue Model Enforcement): Ensure strict segmentation between the IT network and the OT network. Verify that the Industrial DMZ (IDMZ) is actively filtering traffic, allowing only necessary protocols (e.g., OPC-UA, Modbus) and blocking all SMB/RPC traffic.

  2. Disable Inbound Remote Desktop: The primary vector for OT ransomware remains compromised remote access. Disable RDP (TCP 3389) on all HMIs, Historians, and Engineering Workstations. If remote access is required, enforce MFA and utilize a secure, monitored jump host with Privileged Access Management (PAM).

  3. Application Allowlisting: Implement deterministic allowlisting (e.g., Microsoft AppLocker) on OT endpoints. In an encryption attack scenario, the malware must execute to encrypt files. If the binary is not signed by the ICS vendor (e.g., Rockwell, Siemens, Schneider), it must not run.

  4. Offline Backups: Ensure that Historians and configuration files are backed up to offline or immutable storage. Ransomware will actively seek out network shares to encrypt backups.

  5. Vendor Advisory Reference: Review the CISA Insights: Ransomware Prevention Best Practices and the specific recommendations in the latest Dragos Year in Review report.

Related Resources

Security Arsenal Incident Response Services AlertMonitor Platform Book a SOC Assessment incident-response Intel Hub

incident-responseransomwarebreach-responseforensicsdfiricsot-securitydragos

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action
ICS Ransomware Surge: Detecting and Containing Encryption-Based Attacks on Industrial Control Systems | Security Arsenal | Security Arsenal