Operational technology (OT) ransomware attacks have escalated to crisis levels in 2025. A recent FBI report revealed a 9% increase in ransomware attacks targeting U.S. infrastructure in 2024, with more than 1,300 complaints linked to critical sectors like energy, water, and transportation.
The numbers reflect a growing and dangerous trend of attackers shifting their focus from data-rich IT systems to mission-critical OT environments where the consequences of downtime can be catastrophic.
“Ransomware attacks are on the rise, and most discussion revolves around recovering from ransomware—either paying the ransom or hiring a recovery firm,” said Shane Fry, CTO at RunSafe Security. “Unfortunately, those approaches are just band-aids addressing the symptoms. The better approach is prevention. If an attacker can’t gain code execution on a system, they can’t run their ransomware in the first place.”
A prevention mindset is urgently needed to defend OT systems.
Ransomware’s OT Evolution
A report from Dragos found an 87% increase in ransomware attacks against industrial organizations over the past year and a 60% rise in ransomware groups affecting OT/ICS (operational technology/industrial control systems) in 2024.
OT networks were historically “air-gapped” or isolated, but the rise of Industrial IoT (IIoT) and convergence with IT systems has opened the floodgates to cyber threats. Legacy systems, outdated firmware, insecure protocols, and unpatched vulnerabilities make OT a soft target that attackers are paying more attention to.
Not only that, but the rise in attacks is likely attributable in part to changes in the geopolitical landscape. “With the changing geopolitical landscape and the changes in cyber priorities, it is no surprise to see an increase in attacks and reports of ransomware,” said Joe Saunders, Founder and CEO of RunSafe Security. “Attackers are testing the fault lines and seeking ransom payouts.”
Additionally, OT systems aren’t designed to be restored overnight like cloud servers and require manual resets, specialized hardware, and physical technician access. Downtime from an ICS/OT ransomware attack costs an average of $4.73 million per incident and results in public safety risks. Because of the costs and risk involved, OT organizations may be more inclined to pay a ransom to restore operations, and bad actors and threat groups are taking notice.
“We must implement straight solutions now to make critical infrastructure safe in an efficient way,” Joe said. “Otherwise, China and other adversaries will, at a time of their choosing, disrupt operations.”
Where OT Ransomware Attacks Originate
Ransomware doesn’t need to originate in OT to impact OT. If your supply chain includes IT/OT integration, third-party maintenance tools, or remote access services, your OT is exposed.
The SANS 2024 State of ICS/OT Cybersecurity report found that 20.3% of ICS/OT leaders reported supply chain compromise as the initial attack vector involved in OT/control systems incidents.
We can see this growth in a few notable ransomware incidents involving OT.
Kaseya Ransomware Attack (2021) – IT/OT Convergence Breach
In 2021, the REvil ransomware gang compromised Kaseya’s VSA remote management tool used by MSPs, which had clients across various sectors, including manufacturing and industrial facilities. It’s estimated that 200+ companies were compromised as a result. The attack is an example of how software supply chain attacks can create a domino effect for companies further down the chain, including how IT-focused supply chain tools can cascade into OT disruption through shared access.
The Colonial Pipeline Incident (2021) – Indirect OT Disruption via Ransomware
The Colonial Pipeline incident in 2021 is a good reminder to take ransomware seriously. DarkSide ransomware hit Colonial Pipeline’s IT systems. Although the OT environment wasn’t directly compromised, operations were proactively shut down due to uncertainty and risk. The incident revealed how ransomware can indirectly cripple OT via compromised IT systems that manage or monitor critical infrastructure.
Strategies for OT Ransomware Defense
The best defense against ransomware is a proactive approach that prevents attackers from ever gaining code execution on a system. Below are several measures to defend OT software.
- Network Segmentation: Isolate critical OT systems from IT networks to limit lateral movement.
- Strong Credential and Access Management: Enforce multi-factor authentication, rotate credentials, and use allowlist-based access controls.
- Regular, Offline Backups: Maintain encrypted, offline backups and test them regularly to ensure rapid recovery without paying ransoms.
- Incident Response Planning: Develop and rehearse OT-specific incident response plans, including procedures for isolation and recovery.
- Continuous Monitoring: Stay updated on indicators of compromise and integrate threat intelligence into monitoring practices.
- SBOMs and Supply Chain Security: Generating and maintaining a Software Bill of Materials (SBOM) enhances transparency, helps identify vulnerable components, and is rapidly becoming a regulatory requirement.
- OT-Specific EDR: Deploy endpoint detection and response solutions tailored for OT, minimizing operational impact while detecting malicious behaviors.
- Memory Safety and Software Hardening: Tools like RunSafe Security’s Protect proactively defend against memory-based vulnerabilities and zero-day exploits by hardening software at build time, reducing the risk of attackers gaining code execution.
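The SBOM item above says that a maintained bill of materials helps identify vulnerable components. The following added example (not RunSafe Security’s code and not from the original article) shows the mechanical part of that in Python: it parses a constructed CycloneDX-style SBOM fragment, compares each component’s version against a constructed advisory list with placeholder advisory IDs (not real CVEs), and reports which components fall inside an affected version range. The component names, versions, and advisories are all sample values chosen for illustration.

```python
"""Added example: flag SBOM components that fall inside an advisory's
affected version range. Sample SBOM and advisories are constructed."""
import json
import re

# Constructed CycloneDX 1.5-shaped SBOM fragment (sample data only).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "libmodbus", "version": "3.1.6",
     "purl": "pkg:generic/libmodbus@3.1.6"},
    {"type": "library", "name": "openssl", "version": "1.1.1k",
     "purl": "pkg:generic/openssl@1.1.1k"},
    {"type": "library", "name": "zlib", "version": "1.2.13",
     "purl": "pkg:generic/zlib@1.2.13"}
  ]
}
"""

# Constructed advisory feed with placeholder IDs; "introduced" is the first
# affected version and "fixed" is the first version that is no longer affected.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-0001", "package": "libmodbus",
     "introduced": "3.0.0", "fixed": "3.1.7"},
    {"id": "ADV-PLACEHOLDER-0002", "package": "zlib",
     "introduced": "1.2.0", "fixed": "1.2.12"},
]


def parse_version(version):
    """Turn '1.1.1k' into ((1,''), (1,''), (1,'k')) so tuples compare in
    dotted order with an alphabetic suffix as a tie-breaker."""
    parts = []
    for piece in version.split("."):
        match = re.fullmatch(r"(\d+)([A-Za-z]*)", piece)
        if not match:
            raise ValueError(f"unparseable version component: {version!r}")
        parts.append((int(match.group(1)), match.group(2)))
    return tuple(parts)


def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed (half-open range)."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def find_vulnerable_components(sbom_json, advisories):
    """Return one finding per (component, advisory) pair that matches."""
    sbom = json.loads(sbom_json)
    findings = []
    for comp in sbom.get("components", []):
        name, version = comp.get("name"), comp.get("version")
        if not name or not version:
            continue  # incomplete SBOM entry: nothing to compare against
        for adv in advisories:
            if adv["package"] != name:
                continue
            if is_affected(version, adv["introduced"], adv["fixed"]):
                findings.append({
                    "component": name,
                    "version": version,
                    "advisory": adv["id"],
                    "fixed_in": adv["fixed"],
                })
    return findings


if __name__ == "__main__":
    for f in find_vulnerable_components(SBOM_JSON, ADVISORIES):
        print(f"{f['component']} {f['version']}: {f['advisory']} "
              f"(fixed in {f['fixed_in']})")
```

In the sample data only libmodbus 3.1.6 lands inside an affected range; zlib 1.2.13 is at or past its fix version and openssl has no matching advisory. A production check would match on the full package URL rather than the bare name, since the same name can appear under several ecosystems, and would pull the advisory feed from a maintained source instead of an inline list.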
Prevention Is the Only Real Cure
The surge in ransomware attacks on OT environments is a wake-up call for critical infrastructure operators. Relying solely on reactive measures is no longer sufficient. As Shane Fry notes, preventing initial access and code execution is the most effective way to stop ransomware before it can cause harm.
By adopting proactive, OT-specific security measures, such as memory safety hardening, software supply chain transparency, and robust incident response, organizations can build resilience and protect the systems that keep our world running.
FAQs:
Why are ransomware attacks on OT environments increasing?
The convergence of IT and OT networks, reliance on legacy systems, and recent geopolitical tensions have made OT environments prime targets.
Are ransomware attacks against OT systems increasing?
Yes. In 2025, the FBI reported that ransomware attacks on US infrastructure rose 9% and that ransomware attacks on critical infrastructure accounted for almost half of all ransomware complaints received in 2024.
How do attackers typically infiltrate OT systems?
Through phishing, exploiting unpatched vulnerabilities, abusing trusted tools, and moving laterally from IT to OT networks.
What is the most effective ransomware protection for OT?
Proactive prevention, such as memory safety hardening, virtual patching, OT-specific EDR, and supply chain transparency, offers the best defense against modern ransomware threats.