UII UPDATE 383 | JULY 2025

Intelligence Update

Ransomware incidents on OT equipment surge

Uptime Intelligence has highlighted the growing number of high-profile ransomware incidents involving data center owners, operators and third-party vendors in recent reports (see Seven fallacies of data center cybersecurity and Cybersecurity and the cost of human error). Despite the rise in reported incidents, many operators and industrial facilities continue to use outdated security systems and practices, leaving them vulnerable to internal and external threats.

In the first quarter of 2025, Honeywell (the US supplier of control systems) discovered 2,472 new ransomware incidents on industrial control (ICS/OT) systems — a steep 46% increase from the previous quarter. Ransomware accounted for 39% of all threats (see The 2025 Honeywell Cyber Threat Report, June 2025; Table 1 and Table 2). While ransomware incidents are increasing across IT generally, most of those incidents are not associated with OT/control systems.

Another report from cybersecurity software supplier Claroty found that 50% of 270 industrial organizations have known exploitable vulnerabilities (KEVs) linked to ransomware (see State of CPS security 2025: OT exposures, February 2025). Ransomware was detected in 7% (approximately 6,000) of all devices, with one-third (approximately 2,000) of devices insecurely connected to the internet. KEVs represent significant risks because they are vulnerabilities that have either been exploited or are under active exploitation.

Malware checks

The data in Table 1 and Table 2 below is taken from a Honeywell survey based on telemetry data from its Secure Media Exchange (SMX) system. SMX checks for malware and blocks corrupt files transferring from a compromised removable media device, such as USB drives, mice, charging cords and laptops, into ICS/OT systems.

SMX is deployed on-premises at industrial sites. Personnel are required to scan their devices before entering the facility, and when visitors or employees check out, SMX rechecks the device and logs any anomalies.

Table 1 Cyber-physical threats, incidents, and unique incidents using Honeywell SMX [table not reproduced in this text]

Table 2 provides a more granular view of the most common types of threats identified and blocked, as well as their most common attack routes into the ICS/OT system.

Table 2 Most common ICS/OT threats involving removable devices [table not reproduced in this text]

The key findings from the Honeywell report include the following:

  • USB / external media vector threats are increasing. USB plug-and-play attacks accounted for 25% of the top 10 cyber incidents between Q4 2024 and Q1 2025. This figure is an increase of 33% from 2023 and 700% from 2022.
  • In Q1 2025, there were 2,472 potential ransomware attacks documented. This figure is 40% of the total number reported in 2024 (6,130). However, 1,929 ransomware threats were identified between Q4 2024 and Q1 2025; only 42% of these threats were blocked.
  • There were 124 “never-before-seen” threats and 107 unique incidents (11% of total unique incidents). Because these incidents are unique/never-before-seen, they are unlikely to be identified in the Cybersecurity and Infrastructure Security Agency’s (CISA’s) catalog of common vulnerabilities and exposures (CVEs) and KEVs.
  • More than half of the threats (52%) related to Windows (Win32) vulnerabilities. Incidents caused by the Win32.Worm.Ramnit trojan increased by 3,000% from the previous quarter, primarily targeting the banking sector. Win32 is the Windows application programming interface; malware built against it can exploit old and unprotected versions of Windows, which are often used in control systems and can be too old to patch.

Legacy systems and removable devices

The recent Honeywell and Claroty reports highlight two critical issues that Uptime and other security specialists have consistently emphasized. Firstly, many data center facilities continue to use outdated computer hardware and legacy Windows operating systems for ICS/OT interfaces, such as SCADA, programmable logic controllers or building management systems. These systems are often embedded and may escape IT inventory checks.

Secondly, many operators assume that if they are not connected to the internet, their systems remain securely air-gapped. However, USB devices and mobile devices such as laptops are widely used to download and upload information and to transfer files for data-related queries. Engineers and third-party contractors commonly use removable devices when performing on-site system updates and maintenance. Table 3 shows the prevalence of, and risk associated with, the different approaches to updating software and firmware.

Table 3 Prevalence and risks with software/firmware update approaches [table not reproduced in this text]

Defense approach

At a minimum, OT systems should be up-to-date, properly patched, and network-protected, both within and outside the data center, to guard against all threats, including those introduced via removable media. The following steps can significantly enhance the security of existing ICS/OT systems:

  • Retire and replace all outdated IT equipment and software that is unpatched and unsupported.
  • Ensure all IT and network equipment supporting OT runs the latest operating system versions, with firmware and patches kept up to date.
  • Eliminate weak authentication methods for OT devices, such as passwords and default settings. Enforce multi-factor authentication and user-based access controls.
  • Eliminate, where possible, the use of removable devices for updates and system data transfers.
  • Test all removable devices before and after connection to any networked device.
  • Ensure that all third-party contractors comply with these requirements.
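The check-in/check-out recheck described for SMX, and the "test removable devices before and after connection" step above, reduced to their core idea as an added example (not Honeywell's code or anything from the report): snapshot the files on a removable drive at entry, rehash at exit, and log what was added, modified or removed, plus anything matching a deny list of file types. The drive contents, the deny list and all paths are constructed for the demonstration; a real deployment would add antivirus scanning and write the anomalies to a central log.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumed site policy (not SMX's rules): file types that should not appear on a
# drive that only carries configuration data or vendor update packages.
SUSPECT_NAMES = {"autorun.inf"}
SUSPECT_SUFFIXES = {".exe", ".dll", ".scr", ".lnk", ".vbs", ".js", ".bat", ".ps1"}


def build_manifest(root):
    """Snapshot a mounted drive: relative path -> SHA-256 of the file contents."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def suspect_files(manifest):
    """Paths in a manifest whose name or extension is on the policy deny list."""
    return sorted(rel for rel in manifest
                  if Path(rel).name.lower() in SUSPECT_NAMES
                  or Path(rel).suffix.lower() in SUSPECT_SUFFIXES)


def compare_manifests(checkin, checkout):
    """Anomalies between the check-in and check-out snapshots of the same drive."""
    anomalies = []
    for rel in checkout:
        if rel not in checkin:
            anomalies.append(("added", rel))
        elif checkin[rel] != checkout[rel]:
            anomalies.append(("modified", rel))
    anomalies += [("removed", rel) for rel in checkin if rel not in checkout]
    return sorted(anomalies)


def demo():
    """Constructed scenario: a contractor's drive is checked in, used on site, checked out."""
    with tempfile.TemporaryDirectory() as drive:
        d = Path(drive)
        (d / "plc").mkdir()
        (d / "plc" / "firmware_v2.bin").write_bytes(b"\x00constructed-firmware-image")
        (d / "readme.txt").write_text("vendor notes")
        checkin = build_manifest(d)
        # Simulated on-site changes: two new files appear and the firmware file is altered.
        (d / "autorun.inf").write_text("[autorun]")
        (d / "update.exe").write_bytes(b"MZ-constructed-sample")
        (d / "plc" / "firmware_v2.bin").write_bytes(b"\x00tampered")
        checkout = build_manifest(d)
        return compare_manifests(checkin, checkout), suspect_files(checkout)


if __name__ == "__main__":
    for kind, path in demo()[0]:
        print(f"{kind:9s} {path}")
```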

Conclusions

Effective data center cybersecurity is complex and requires constant diligence. Some data center operators are concerned that adding new security layers onto critical equipment, or into management operations, could impact their ability to respond to events or emergencies.

This may be a valid argument, but it can no longer be a reason for inaction. The steady rise in ransomware and never-before-seen incidents highlights the need for more proactive defense strategies to prevent threats from breaching the data center.

Other related reports published by Uptime Institute include:
Seven fallacies of data center cybersecurity
Cybersecurity and the cost of human error

About the Author

John O'Brien

John is Uptime Institute’s Senior Research Analyst for Cloud and Software Automation. As a technology industry analyst for over two decades, John has been analyzing the impact of cloud migration, modernization and optimization for the past decade. John covers hybrid and multi-cloud infrastructure, sustainability, and emerging AIOps, DataOps and FinOps practices.
