Industrial ransomware is experiencing a double whammy. Attackers aren’t only launching more attacks; they’re also staying undetected for longer. In this article, David Montoya, Presales Director at Paessler GmbH, explains how businesses can close the ransomware detection window more quickly.
A report in February found that ransomware attacks against operational technology (OT) and industrial control systems (ICS) are up 50% year-on-year. And, even more concerning, the average dwell time between infection and attack is 42 days. This means attackers have more than a month inside production environments to inflict maximum damage.
This is a numbers game for attackers and, unfortunately, the numbers are growing in their favor. Ransomware actors know that downtime is expensive for industrial operators, with some of the world’s largest companies losing about 10% of their annual revenue to unplanned production pauses. More time inside networks means more opportunities to encrypt systems and a higher chance of payout.
We need to nip this threat in the bud. Industrial operators want to adopt emerging technologies like artificial intelligence, machine learning, and distributed technologies. But these solutions will only multiply the attack surface if foundational visibility isn’t in place. Before layering in new tools, let’s explore how teams can actually see what’s happening across their environments and, more importantly, how they can close the ransomware detection window more quickly.
More Than a Month in the Network Dark
More than 40 days is a long time for an attacker to be inside your network. And the longer the gap between infection and detection, the worse the outcome for industrial operators. Ransomware attackers make the most of their time by mapping the environment, identifying backups, and determining which type of encryption attack will most disrupt production. As a result, attackers aren’t just encrypting one system but, potentially, the whole production system.
Interestingly, attackers can now potentially hold production up without direct access to industrial equipment. Many organizations today run critical OT software – SCADA systems, historian databases, and HMIs – as virtual machines on shared IT infrastructure. Attackers realize they don’t need to reach a PLC or field device but can instead encrypt the virtualization layer that hosts these systems. By doing so, operators lose visibility and control of the production floor just as effectively as a direct OT attack.
And the problems don’t stop there. The report found that in about three-quarters of cases, attackers gained access through remote access infrastructure using legitimate credentials. Further, nearly a third of the investigated attacks began with an operator reporting that something felt “off”. In other words, the alarm was raised on simple suspicion rather than on a detected intrusion, a ransom note, or any other provable data point. And in a majority of these cases, the telemetry needed to investigate had never been recorded.
Why Industrial Operators Are Prime Targets
These are industrial monitoring holes that only exacerbate other systemic issues. For starters, ransomware and cybersecurity haven’t been top priorities in the past because production took place on legacy machinery with specific protocols away from the network. There wasn’t much of a cybersecurity focus because air-gapping provided a physical barrier against would-be attackers.
However, as these systems connect to the wider ecosystem for big data and remote management, industrial protocols such as Modbus and Profinet become potential attack vectors. While both protocols have added security extensions over the past decade, these features remain rarely deployed in practice since legacy devices can’t support them and OT infrastructure upgrades are slow. The result is that most operational environments still run without authentication, encryption, or session integrity at the protocol level.
Further, as this machinery comes online, internal questions of ownership return to the fore. Historically, IT and OT teams have been rather neatly divided into network and production teams. The problem is that these traditional divisions are crumbling and attackers are taking advantage of the gap. IT is lost in translation trying to understand industrial protocols while OT is focused on keeping production running rather than monitoring behavior. In the middle, while teams are pointing fingers, hackers are more often finding their way inside.
And the tooling problem runs deeper. Even when teams want to monitor, their existing tools can’t do the job. OT stacks are built to track production metrics, not network behavior. IT monitoring tools go the other way, understanding network traffic but unable to interpret industrial protocols. We see two teams with separate tools, knowing full well there’s a target on their backs. And yet neither can adequately cover the full environment.
Closing the Detection Window on OT Ransomware
The state of industrial ransomware demands that operators respond in kind and redouble their detection and response efforts.
First, teams can’t defend what they can’t see, so network visibility is non-negotiable. Teams, wherever they sit across IT and OT, need to have a finger on the pulse and understand what’s happening and why at all times. Unified monitoring that spans both production and networking is the best way to ensure attackers don’t easily find space in between. Working from a single pane of glass that speaks both languages eliminates division and essentially makes teams twice as effective.
Then, armed with device-level insights over time, industrial teams can begin to understand “normal” behavior and quickly flag deviations. Anomaly detection is a step beyond threshold-based monitoring because it detects the abuse of legitimate credentials and other unusual activity as it occurs. Flagging issues like unexpected connections and traffic pattern changes immediately, rather than letting them slip under the radar for weeks, goes a long way toward moving beyond “gut feelings” and demonstrating threats with data.
Alerts like this also give teams the chance to respond in real time. I’ve seen this firsthand. An aerospace manufacturer noticed something amiss with its Modbus traffic and immediately investigated. The team found that a PLC had been incorrectly configured during standard maintenance earlier that day. By identifying the issue quickly and fixing it on the spot, the team avoided an estimated 24 hours of production downtime. Instant response, instant solution.
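The baseline-then-deviation approach described in the two paragraphs above, as an added example that is not code from the article or from Paessler’s products: it learns, from a week of constructed Modbus/TCP flow summaries, which hosts talk to each other, which Modbus function codes each pair uses and their normal packet rate, and then flags an unexpected connection, a new write from a known pair, and a traffic-rate change. The hosts, function codes and packet counts are constructed sample values, and the three-sigma rule with a 5% floor is an assumption chosen for illustration.

```python
"""Baseline-and-deviation check over constructed Modbus/TCP flow summaries."""
from collections import defaultdict
from statistics import mean, pstdev

# Record shape: (hour_bucket, src, dst, modbus_function_code, packets).
# Constructed learning window: an HMI (10.0.1.10) polling a PLC (10.0.2.20)
# with Read Holding Registers (0x03), one summary per hour for a week.
BASELINE = [(h, "10.0.1.10", "10.0.2.20", 0x03, 600 + (h % 5) * 4) for h in range(168)]

# Constructed observation window: normal polling plus three deviations.
OBSERVED = [
    (168, "10.0.1.10", "10.0.2.20", 0x03, 612),
    (169, "10.0.5.77", "10.0.2.20", 0x06, 3),     # unseen host writes a register
    (170, "10.0.1.10", "10.0.2.20", 0x10, 40),    # known pair, new function code
    (171, "10.0.1.10", "10.0.2.20", 0x03, 9000),  # read burst far above baseline
]

def build_baseline(records):
    """Learn, per talker pair, the function codes seen and packet-count stats."""
    codes, counts = defaultdict(set), defaultdict(list)
    for _, src, dst, fc, pkts in records:
        codes[(src, dst)].add(fc)
        counts[(src, dst)].append(pkts)
    stats = {pair: (mean(v), pstdev(v)) for pair, v in counts.items()}
    return codes, stats

def detect_deviations(baseline, records, k=3.0):
    """Return (hour, reason) for each record that deviates from the baseline."""
    codes, stats = baseline
    findings = []
    for hour, src, dst, fc, pkts in records:
        pair = (src, dst)
        if pair not in codes:
            findings.append((hour, f"new talker pair {src}->{dst} (fc 0x{fc:02x})"))
            continue
        if fc not in codes[pair]:
            findings.append((hour, f"new function code 0x{fc:02x} for {src}->{dst}"))
        mu, sigma = stats[pair]
        # Floor on sigma keeps a near-constant baseline from alerting on tiny jitter.
        if pkts > mu + k * max(sigma, 0.05 * mu):
            findings.append((hour, f"packet rate {pkts} far above baseline {mu:.0f} for {src}->{dst}"))
    return findings

if __name__ == "__main__":
    for hour, reason in detect_deviations(build_baseline(BASELINE), OBSERVED):
        print(f"hour {hour}: {reason}")
```

Hour 168 matches the learned behavior and produces no finding; the other three records each produce one, which is the kind of data-backed alert that replaces a “gut feeling”.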
Closing the detection window on ransomware is as much about future-proofing as it is production safeguarding and cyber resilience. Manufacturing is already the most attacked industry of the past 12 months. And the integration of more innovative technologies like AI and machine learning threatens to make a bad problem even worse. Every new capability is only as secure as the environment in which it runs. This is why the visibility foundations operators build today determine whether tomorrow’s threats are caught in hours or discovered several weeks too late.