
Trend Micro warns of ransomware targeting industrial control systems

Cybersecurity company Trend Micro is raising the alarm about ransomware attacks aimed at industrial facilities, which increase the risk of downtime and sensitive data theft.

According to the latest report from Trend Micro, Ryuk (20%), Nefilim (14.6%), Sodinokibi (13.5%), and LockBit (10.4%) variants accounted for more than half of ICS ransomware infections in 2020. The cybersecurity company also discovered that variants of Conficker are spreading on ICS endpoints running newer operating systems by brute-forcing admin shares.

“Industrial Control Systems are incredibly challenging to secure, leaving plenty of gaps in protection that threat actors are clearly exploiting with growing determination,” said Ryan Flores, senior manager for threat research at Trend Micro. “Given the US government is now treating ransomware attacks with the same gravity as terrorism, we hope our latest research will help industrial plant owners to prioritize and refocus their security efforts.”


Industrial Control Systems (ICS) are a crucial element of utility plants, factories and other facilities, where they are used to monitor and control industrial processes across IT-OT networks.

Dark Web

Ransomware can disrupt the operation of industrial systems, which could cause a domino effect on the supply chain and the economy. It could knock out operations for days and increase the risk of designs, programs, and other sensitive documents finding their way onto the Dark Web.

The report also found that threat actors are infecting ICS endpoints that run unpatched operating systems still vulnerable to EternalBlue in order to mine cryptocurrency. Legacy malware such as Autorun, Gamarue, and Palevo is still widespread in IT/OT networks, spreading via removable drives.

To mitigate any disruption, the Trend Micro report urged closer cooperation between IT security and OT teams to identify key systems and dependencies such as OS compatibility and up-time requirements, with a view to developing more effective security strategies.


The company also advises organizations to carry out basic patching and, where that is not possible, to consider network segmentation or virtual patching from vendors like Trend Micro. Applying the principle of least privilege to OT network admins and operators could also help mitigate any attack.

Organizations must tackle post-intrusion ransomware by mitigating the root causes of infection, using application control software and threat detection and response tools to sweep networks for IoCs. It is also advised to restrict network shares and enforce strong username/password combinations to prevent unauthorized access through credential brute forcing.

IT personnel should also use an IDS or IPS to baseline normal network behavior so that suspicious activity is easier to spot. It is also important to scan ICS endpoints in air-gapped environments using standalone tools.

Set up USB malware scanning kiosks to check the removable drives used to transfer data between air-gapped endpoints.