Analysis and Protection Research of Ransomware in Industrial Control Systems

Analysis and Protection Research of Ransomware in Industrial Control Systems

The article “Analysis and Protection Research of Ransomware in Industrial Control Systems” authored by Professor Sui Tianju and others from Dalian University of Technology was published in the second issue of the 2025 journal “Digital Transformation”. The full text is shared as follows:

Analysis and Protection Research of Ransomware in Industrial Control Systems

Analysis and Protection Research of Ransomware in Industrial Control Systems

Analysis and Protection Research of Ransomware in Industrial Control Systems

Analysis and Protection Research of Ransomware in Industrial Control Systems

Mo Xiaolei 1 Miao Yong 1 Tong Yong 2 Tong Zhiming 2 Sui Tianju 1

(1. Dalian University of Technology, Dalian 116000;

2. Antiy Technology Group Co., Ltd., Beijing 100000)

Industry is the lifeblood of a country’s economy and a reflection of its comprehensive national strength. Currently, China is in a critical period of transforming from “Made in China” to “Intelligent Manufacturing in China”. As the core of the industrial system, Industrial Control Systems (ICS) are widely used in fields such as electricity, aerospace, water conservancy, and wind power, with over 60% of critical facilities using ICS systems for automated operations. Industrial control systems can be divided into two conceptual domains: Information Technology (IT) and Operational Technology (OT), which are an organic combination of the two. The IT side consists of software, servers, and databases that operate during system runtime, while the OT side includes programmable logic controllers (PLC), data acquisition and supervisory control systems (SCADA), and data transmission units, among other lower-level and dedicated devices. In recent years, with the development of industrial Ethernet and wireless interconnection technology, ICS systems have gradually transitioned from a closed and isolated state to an open and interconnected one. The market share of traditional ICS systems, which rely on independent networks, proprietary hardware, and software control protocols, is shrinking, replaced by new ICS systems that use Ethernet and various network communication protocols, such as Modbus, IEC-104, and PROFINET. However, as openness increases, various network security issues have emerged, with ransomware being a representative of network attacks on control systems. According to data from the National Industrial Information Security Situation Awareness Platform, in 2021, the number of low-protection networked devices nationwide was nearly 7 million, with IoT and industrial control system devices accounting for over 80%.

In 2023, the following representative ransomware attacks targeting ICS systems occurred.

(1) The municipal water supply company Aguas do Porto in Portugal was attacked by the well-known ransomware group LockBit, affecting some of its services. LockBit sent the victim’s information to a Tor website (an anonymous site using onion routing) and threatened to leak stolen data.

(2) The portal and customer support system of Dragos, a global unicorn company in industrial control security, were attacked by a ransomware virus. Dragos is the only unicorn in the field of industrial control security, focusing on the security protection of control systems in the natural gas, chemical, and mining industries.

(3) Swiss automation giant ABB was attacked by Black Basta ransomware, affecting its Windows Active Directory and impacting hundreds of devices, which affected project progress and factory operations to varying degrees.

According to a report by Rockwell, titled “Analysis of Over 100 Cybersecurity Incidents in ICS Systems,” attacks on industrial control systems are mainly concentrated in the energy sector (39%), with the most attacked devices being SCADA (53%) and PLC (22%).

The ransomware, regarded as the “root of all evil” in ICS systems, originated in 1989 when Joseph L. Popp, a Ph.D. in evolutionary biology from Harvard University, distributed over 20,000 infected files at the Fifth World AIDS Conference, including the earliest ransomware, the AIDS Trojan. In 2006, the Archives Trojan emerged as the first virus to use the RSA (a type of asymmetric encryption algorithm) for encryption. The emergence of Crypto Locker in 2013 marked the birth of modern ransomware. Crypto Locker used email to distribute its payload, encrypting and decrypting victim files using public and private keys, and demanded that victims pay a ransom in virtual currency. These pioneering techniques have been frequently adopted by subsequent ransomware. In 2017, WannaCry broke out, affecting at least 300,000 users in 150 countries and regions, causing losses of $8 billion, and ransomware officially entered the public eye.

After nearly 40 years of evolution and development, researchers have conducted extensive analyses of its attack principles and mechanisms. The generalized stages of ransomware can be summarized as: initial distribution, virus implantation, system attack, file encryption, and user extortion. The virus first spreads to victims through email, unknown links, remote desktop protocol (RDP), and other means; once the victim opens the email or link, the virus automatically executes its program and injects its payload into the victim’s host through Trojans or computer vulnerabilities, during which numerous exploit kits (EK) may operate; after the virus is released and executed, it gains control of the host and may perform lateral movement attacks on other hosts within the internal network, then searches for files and disk information, sending them to the C&C (Command and Control) server to communicate with hackers for subsequent encryption operations, encrypting victim files using AES, RSA, and other encryption algorithms and appending extensions; after encryption, the virus typically generates a ransom note on the desktop, demanding that victims pay the ransom using Bitcoin, Monero, or other virtual currencies, with the ransom increasing over time. Some viruses also threaten to publicly disclose information, implementing double extortion.

This article studies ransomware attacks on ICS systems, briefly introducing the principles and attack events of ransomware, and then focuses on the analysis and discussion of ransomware classification, characteristics, and detection methods, aiming to provide a reference for the network security protection of industrial enterprises.

1. Classification of Ransomware

Ransomware executes different attack strategies after invading the victim’s host to achieve different attack objectives, either by encrypting victim file information, rendering it inaccessible, or isolating devices from users, preventing victims from normal operation. In recent years, ransomware attacks have shown an increasing and diversifying trend. Based on the functionality of ransomware, it can be classified into file encryption types, device locking types, system encryption types, and server encryption types; based on the type of system invaded by ransomware, it can be classified into Windows system viruses, Linux system viruses, VMware ESXi system viruses, and Android system viruses; based on whether it involves double extortion, it can be classified into double extortion, where attackers threaten to publish sensitive information of victims, and non-double extortion; based on whether it employs ransomware as a service (RaaS), it can be classified into viruses that provide customized ransomware services and charge a commission and those that do not use RaaS.

(1) Classification by Functionality

File encryption viruses: These viruses encrypt files using various algorithms after entering the victim’s system, specifically targeting key files related to industrial business, such as data, images, audio, video, compressed files, folders, and databases. Currently, most file encryption ransomware employs a combination of AES and RSA, encrypting victim files with the AES algorithm and using the RSA algorithm to encrypt the AES key, allowing attackers to retain the RSA private key, thereby completely isolating the file decryption key from the victim. Due to the characteristics of AES and RSA, which can only be broken through brute force, existing computing power cannot feasibly crack them in a short time, leaving victims with no choice but to pay the ransom. File encryption viruses are the predominant type of ransomware today. Typical file encryption viruses include Play, Lockbit3.0, etc., which operate similarly, encrypting files, deleting shadow backups, controlling system processes, and setting auto-start items based on black and white lists to determine which files to encrypt and which not to.

Device locking viruses: These viruses lock devices, preventing victims from normal usage. In ICS systems, such viruses may target the IT side for attacks, locking screens and displaying ransom information, rendering the host unusable; or they may target the OT side, exploiting vulnerabilities and weak passwords of control devices, gaining control over key ICS devices like PLC and SCADA, thus preventing them from functioning normally. Ultimately, victims can only pay the ransom to unlock the devices. EnkripsiPC is a device locking virus that locks the victim’s screen by creating entries in the Windows registry to maintain persistence, automatically starting each time the computer boots, making it unavoidable. Similar viruses include NBB, Nibiru, etc. LogicLocker is a device locking virus targeting industrial PLC systems, scanning for vulnerable devices within the ICS through API interfaces, breaking through security mechanisms via infection and bypassing methods to modify PLC code and lock devices, primarily targeting power plants or water treatment facilities.

System encryption viruses: These viruses encrypt system-level content, such as the master boot record and volume boot record of the system disk. The master boot record is a sector that must be read when accessing the hard disk after the computer starts. Ransomware encrypts the hard disk file allocation table and alters the computer’s master boot record to interrupt normal startup, such as the Petya virus. Another type of disk-level encryption virus like THT encrypts and unloads disks using legitimate disk encryption software BestCrypt Volume Encryption after gaining control of the host, thus achieving extortion.

Server encryption viruses: These viruses encrypt files on network servers. They typically exploit known vulnerabilities in content management systems to conduct RDP attacks on publicly accessible enterprise computer server ports, rendering all software and files connected to the server unable to open normally, such as mkp and master. In ICS systems, the IT layer servers are usually connected to multiple devices, with blurred boundaries between ICS networks and communication networks, lacking network isolation. Most viruses possess worm capabilities, allowing them to replicate and spread over the network, from the IT side server to the OT side production network and then to control devices, ultimately affecting all devices connected to the network and engaging in communications.

(2) Classification by System Invasion

Windows system viruses: These viruses attack Windows systems, achieving initial intrusion through various vulnerabilities in Windows systems, using the system’s built-in RDP and Windows Management Instrumentation (WMI) to access and control operating systems, applications, and device information. The Windows system is the preferred target for ransomware intrusion. According to data from the security assessment organization AV-Test, attacks targeting Windows systems account for about 95% of all attacks, which is 36 times more than the second most targeted Linux system, and most viruses attacking Linux, VMware ESXi, and other systems also have variants targeting Windows systems.

Linux system viruses: Due to the open-source, free, customizable, and well-isolated characteristics of Linux systems, they are widely used in embedded systems, making Linux ransomware one of the key focuses of ICS system security protection. Unlike the diverse virus distribution strategies of Windows systems, Linux system viruses typically distribute payloads through RDP and vulnerability attacks, gaining legitimate credentials from public services. After invading the system, Linux viruses exploit vulnerabilities to elevate privileges and gain root access on the victim’s host to encrypt more victim files. Unlike Windows system viruses, Linux ransomware primarily targets web and cloud servers, with typical Linux ransomware like Sodinokibi exploiting outdated VPN devices or weak RDP passwords to invade systems, using Salsa20 and RSA-2048 algorithms to encrypt files within the victim’s network and extort them. Other Linux ransomware includes Erebus, QNAPCrypt, KillDisk, etc.

VMware ESXi system viruses: Due to the higher resource processing efficiency of VMware ESXi virtual machines, enterprises use ESXi to store data and host critical applications. These viruses specifically encrypt VMware ESXi virtual machines, deploying payloads by exploiting known vulnerabilities and executing them manually, gaining full administrative privileges or access credentials to the virtual machine monitor. Once inside the virtual machine, the virus moves laterally within the network to seek more victims, killing system processes and shutting down the virtual machine before encryption. ESXi system viruses encrypt files with specific extensions, including .vmdk, .vmem, .vswp, etc., while other encryption algorithms and ransom strategies are similar to those of Windows ransomware. Cheerscrypt, ESXiArgs, and fcker.py are typical ransomware targeting VMware ESXi systems. Currently, common ransomware does not limit itself to attacking a single system but develops various targeted variants, such as LockBit and Play, which have variants for Windows, Linux, and ESXi systems.

Android system viruses: These viruses target Android smart devices, which allow users to download open-source applications through third-party platforms, enabling Android ransomware to launch attacks disguised as legitimate software. In addition to encrypting files, these viruses also perform the following operations based on the characteristics of Android system devices: first, locking the device’s desktop screen; second, using Trojans to steal critical data, such as Anubis, which obtains sensitive information through phishing pages and can block user information and remotely control the device; third, using unauthorized permissions, such as displaying on top of other applications using SYSTEM_ALERT_WINDOW; fourth, resetting the device PIN to prevent victims from accessing the device, such as Lockerpin. Similarly, CovidLock obtains full control of the device using BIND_DEVICE_ADMIN.

(3) Other Classifications

Based on whether it involves double extortion, viruses can be classified into double extortion, where attackers threaten to publish sensitive information of victims, and non-double extortion. Double extortion emerged in 2019, referring to the practice of encrypting victims’ files for ransom while also publicly disclosing victims’ sensitive information to exert pressure and demand higher ransoms. If victims do not pay the ransom within a specified time, hackers will sell and disclose this sensitive information. Victims are often well-known companies, which are more likely to pay the ransom due to operational and reputational concerns compared to single ransom methods. Maze was the first virus to adopt double extortion, with victims including LG, a large electronics manufacturer in South Korea, and Xerox, an American company. Both refused Maze’s ransom demands, leading to the public disclosure of firmware source code for several LG products and customer service data for Xerox.

Based on whether it employs ransomware as a service (RaaS), viruses can be divided into those that provide customized ransomware services and charge a commission and those that do not use RaaS. RaaS is a new type of commercial operation model where ransomware developers are responsible for developing and maintaining software tools and facilities. Subscribers who lack development capabilities can directly use the ransomware for extortion by paying a rental fee. This model has significantly propelled the evolution of ransomware from a singular, simplistic approach to a modularized, industrialized one.

According to Dragos data, in the second quarter of 2024, there were 312 attacks targeting industrial enterprises involving 29 organizations. Although the ransomware reported during this period did not specifically target the OT processes of ICS systems, attacks were concentrated on the IT side, but due to communication network disruptions, the OT side was also affected. This article statistically classifies the 20 ransomware with the highest attack frequency during this period, as shown in Table 1.

Table 1: Ransomware with High Attack Frequencies in Q2 2024 and Their Classification

Analysis and Protection Research of Ransomware in Industrial Control Systems

2. Characteristics of Ransomware Targeting ICS Systems

(1) Strong Targeting, High Destructiveness

Ransomware attacks targeting ICS systems often affect large industrial enterprises or service sectors with substantial data assets. Compared to traditional ransomware attacks targeting individual victims and non-industrial IT systems, ransomware attacks on ICS systems exhibit strong specificity. During the distribution phase, traditional IT ransomware primarily spreads through untargeted phishing emails, while ICS system viruses utilize customized vulnerability tools to distribute payloads. Moreover, traditional ransomware targets documents, photos, and other data files, demanding ransom for their decryption; ICS system viruses not only encrypt files but also lock devices like PLCs and RTUs in the system or conduct logical bomb attacks to halt their operation. Given that ICS systems are closely related to production manufacturing, equipment and personnel safety, and public services, the destruction caused by ransomware targeting ICS systems is more severe, leading to production halts, irreversible damage to equipment, and disruption of public services such as water and electricity supply. Data from Dragos indicates that in Q2 2024, major victims included internet service provider Frontier Communications (operational disruption) and the Gijón Bioenergy Plant (SCADA encryption and leakage, disruption of waste and energy management processes).

(2) Complex Encryption Algorithms, Difficult System Recovery

Ransomware targeting ICS systems employs increasingly complex encryption algorithms to pursue encryption speed and quality, generally categorized into symmetric and asymmetric encryption algorithms. Symmetric encryption algorithms use the same key for both encryption and decryption, with advantages including low computational load, fast speed, and good adaptability, but the downside is the risk of unilateral key leakage. AES, 3DES, and RC4 are typical symmetric encryption algorithms, with AES being the most widely used. AES is an encryption standard adopted by the U.S. government in 2002, with key lengths of 128, 192, and 256 bits. If a 256-bit key is used, the number of possible combinations is 2265. Even using the world’s fastest supercomputer, Frontier, with a peak computing power of 1.206EFlop/s, it would take 2.629×1051 years to compute, thus AES is considered unbreakable by brute force.As for asymmetric encryption algorithms, they use different keys for encryption and decryption, divided into public and private keys, with the public key for encryption and the private key for decryption. Their advantages include high security and easy management, while the downside is high computational load. Common asymmetric encryption algorithms include RSA and ECC. The principle of RSA involves multiplying large prime numbers, which is relatively easy, but reverse factoring is extremely difficult. Given the constraints of computational resources and technical barriers, RSA, like AES, is currently unbreakable.In addition, other encryption algorithms include:Hash algorithms, also known as hash functions, are one-way functions that accept input messages and output digests, ensuring that different files produce different outputs for identification, with common hashes including MD5 and SHA;Base64 encoding, which is a way of encoding bytes, converting plaintext into base64 encoding for encryption purposes.To make encrypted files difficult to recover, ransomware not only employs a combination of symmetric and asymmetric encryption algorithms but also uses three or more encryption algorithms in combination. Well-designed viruses may include integrated encryption modules that can switch encryption algorithms based on object and process characteristics, linking to various encryption libraries such as Crypto++, MbedTLS, and libntri to select appropriate encryption algorithms for the attack.

(3) Broad Attack Paths, Diverse Attack Methods

Ransomware targeting ICS systems not only conducts traditional encryption attacks on communication and control networks but also attacks on field devices, including PLCs, RTUs, SCADAs, etc., locking devices to halt their operation or conducting physical attacks, such as logical attacks that damage facilities or modify parameters to deceive maintenance personnel. Additionally, ransomware may target communication protocols used in ICS systems, such as Modbus, PROFINET, and ZigBee, launching data injection and DoS attacks by exploiting the different security mechanisms of Modbus in terms of data integrity and availability, or conducting related flooding attacks by exploiting the lack of request quantity restrictions in ZigBee networks.

In recent years, numerous new attack methods and tools have emerged, such as off-ground attacks and supply chain attacks. Off-ground attacks utilize the target victim’s own resources, such as scripts, software, and payloads, to launch attacks, representing a no-payload delivery attack that increases the difficulty of detection and defense by reducing attack traces. Supply chain attacks refer to infections from services or products provided by upstream suppliers, leading to ransomware invasions of downstream enterprises. Compared to isolated security attacks, supply chain attacks are larger in scale and have more severe impacts. In 2023, a supply chain attack on Progress Company’s MOVEit tool led to ransomware affecting three major industrial controller manufacturers, sweeping through 32 countries and over 2,000 enterprises. One point that cannot be overlooked regarding ransomware is that as attack methods and tools evolve, the techniques for virus reverse analysis and evasion have also improved, with common anti-analysis and evasion techniques including code obfuscation and packing, polymorphism and metamorphism, anti-virtualization, anti-debugging, and anti-API hooking, all of which pose challenges for the detection and defense of ICS system viruses.

3. Detection and Identification of Ransomware Attacks Targeting ICS Systems

The existing security mechanisms of ICS systems are reactive, but due to the heterogeneous nature of ICS systems and the continuous enhancement of ransomware reverse analysis and evasion techniques, many industrial enterprises are unaware of the potential hidden attacks within their systems. Their security devices and confidential data may have been invaded and leaked without their knowledge, thus raising the requirements for detection and identification methods for ransomware. Existing methods include: first, signature-based static detection, which extracts static parameter features of virus samples, such as keywords and suspicious function calls, to identify unique signatures that can mark the virus; second, behavior-based dynamic detection, which analyzes and identifies behavioral features of viruses during their runtime, utilizing behavioral features such as file types and malicious IP addresses. Both methods are passive and reactive in conducting attack detection, lacking comprehensive information about the attacks. Model-based attack identification methods can actively engage, knowing both self and enemy, effectively nipping virus attacks in the bud. Such methods include the Pain Pyramid, Diamond Model, Cyber Kill Chain, and ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) framework, among which the ATT&CK framework is the most widely applied and technically detailed.

(1) Signature-Based Detection

This method identifies ransomware by analyzing static features of the local ransomware program that can be obtained without execution, including keywords in the virus file, such as “ransomware” and “encrypt”; suspicious functions related to file encryption/decryption and process control; malicious domain names and IP addresses; and MD5 hashes. This detection method scans based on these static features to generate unique signatures and compares them with signatures in the database to identify the category of ransomware. The advantage of this method is its speed and efficiency; however, it requires prior capture of complete virus samples, and when samples employ code obfuscation techniques, it becomes difficult to obtain features, thus limiting its application scenarios and frequency compared to other methods.

(2) Behavior-Based Detection

Behavior-based detection refers to detecting the file, traffic, and other behavioral features during the virus program’s runtime to identify the type of ransomware. Behavior-based detection is typically conducted on honeypots or virtualized platforms, using detection tools to analyze the behavior of virus samples during execution and extract behavioral features, which are then classified using machine learning algorithms. Usable dynamic behavioral features include four categories. First, files: the type, extension, and content of files change before and after the virus runs; second, abnormal traffic: including analyzing data interactions between the system and external C&C, or detecting a large number of DNS queries generated by DGA (Domain Generation Algorithm); third, CPU resources: samples running will consume a large amount of CPU resources, analyzing average CPU utilization, RAM volume, and other indicators to determine whether an infection has occurred; fourth, API calls: for example, API functions like GetWindowDC that can capture information from windows. The difficulty of behavior-based detection lies in defining behaviors and the similarities and differences in feature extraction and identification.

(3) Attack Identification Based on ATT&CK Framework

ATT&CK is a security knowledge base proposed by MITRE that includes strategies, techniques, and procedures (TTP) for cyber attacks. The ATT&CK framework integrates existing APT (Advanced Persistent Threat) attack strategies and techniques, forming a common language and abstract knowledge base framework for describing hacker behaviors, observing real-world cyber attacks from the attacker’s perspective. The ATT&CK framework applicable to ICS systems emerged in 2020, summarizing and analyzing common industrial attacks based on the principles and characteristics of monitoring layers, field control layers, and physical layers of ICS, identifying 12 strategies and 94 tactics, including initial access, execution, persistence, privilege escalation, evasion, discovery, lateral movement, collection, command and control, suppression of response functions, damage to process control, and impact. The ICS ATT&CK matrix is shown in Figure 1.

Analysis and Protection Research of Ransomware in Industrial Control Systems

Figure 1: ICS ATT&CK Framework

Utilizing ATT&CK allows for comprehensive feature analysis of the entire lifecycle of ransomware attacks on ICS systems. (1) Initial Access: The virus deploys payloads to the victim’s host;(2) Execution: Executes the code carried by the virus attachment, such as PowerShell and CMD;(3) Persistence: Maintains access and control permissions to the target host within the ICS environment;(4) Privilege Escalation: The virus obtains higher privileges at this stage, including system-level and administrative privileges;(5) Evasion: Utilizes certain system tools to evade antivirus software;(6) Discovery: Attackers gather information about the target network topology, discovering more servers and devices;(7) Lateral Movement: Moves between servers and devices to expand the infection scope;(8) Collection: Gathers more high-value data and asset information from victims;(9) Command and Control: Establishes network communication and remote interaction with the ICS system;(10) Suppression of Response Functions: Prevents victims from responding to ICS system or device failures, hazards, or unsafe conditions;(11) Damage to Process Control: The virus negatively affects the controlled processes by destroying control logic and manipulating response information;(12) Impact: The ICS system, data, or environment is controlled, interrupted, or destroyed.

For the 20 ransomware mentioned earlier, TTP statistics were conducted based on ATT&CK strategies and techniques, as shown in Figure 2. Frequently used techniques include “Exploitation of Public-Facing Applications” (T0819), “Phishing” (T0865), and “Scripting” (T0853). Specifically, an ICS system virus targeting Siemens S7 PLC (PLC-Blaster) has the following TTP attack profile as shown in Figure 3. PLC-Blaster first stops the user program being executed on the target, replicates itself into the target (T0858); subsequently maintains its original code on the target (T0821) and uses functional blocks to destroy TCP connections with other systems (T0834); PLC-Blaster replicates itself into each program organization unit on the device (T0889) to achieve persistence; scans for other Siemens device targets within the system (T0846), utilizing PLC communication and management API for lateral movement (T0843); ultimately executing DoS attacks (T0814) and manipulating any output from the PLC (T0835) for extortion.

Analysis and Protection Research of Ransomware in Industrial Control Systems

Figure 2: Strategies and Techniques Used by 20 Types of ICS Ransomware

Analysis and Protection Research of Ransomware in Industrial Control Systems

Figure 3: PLC-Blaster Attack Profile

Based on the above, it is evident that using the ATT&CK framework for identifying ransomware attacks on ICS systems allows for a comprehensive analysis of the attacks, effectively characterizing the attack chain, covering the entire lifecycle from virus identification to intrusion to implementation. This method of using abstract language to uniformly describe virus behaviors and characterize cyber attacks can analyze the features of the entire attack lifecycle, identifying the techniques and methods employed by attackers, which is not available in the aforementioned two types of attack detection methods. Among the four model-based methods, the Pain Pyramid is difficult to obtain high-value IOCs (Indicators of Compromise); the Diamond Model, while simple in appearance, has a complex modeling solution process; the Cyber Kill Chain model has asymmetric and uneven attack-defense dynamics. Although ATT&CK also faces issues of non-linear, grouped, or hierarchical matching of tactics and strategies, it is widely applied due to its excellent unified framework and detailed technical characterization.

4. Protection Against Ransomware in ICS Systems

(1) Current Protection Status

With the increasing openness of ICS system networks, the network security issues present in traditional IT systems are becoming increasingly prominent in ICS systems. Ransomware can launch attacks through the IT side enterprise networks, servers, OT side communication networks, and devices of ICS systems, making prevention difficult. Currently, ICS systems mainly face the following security issues: first, weak protection capabilities, with low-protection ICS system devices accounting for over 80%; second, insufficient isolation, leading to lateral movement of viruses and blurred IT/OT boundaries, resulting in inadequate boundary protection capabilities; third, numerous vulnerabilities, with difficulties in maintaining them after weighing economic and security factors; fourth, defects in industrial protocols, with data transmission lacking authentication, authorization, and encryption protections. These shortcomings make it difficult for ICS systems to withstand ransomware attacks.

Traditional common methods for protecting ICS systems from viruses include backups, avoiding weak passwords, regular security training, closing unnecessary shared ports, and planning and clarifying response strategies and responsibilities. Literature suggests combining policies and procedures, controls and management, exposure analysis and reporting, and awareness and education for prevention; literature also suggests using WMI tools for comprehensive feature extraction, storage, and analysis for virus detection and isolation, which are feasible approaches.

(2) Protection Recommendations

Based on analyzing the functionality, characteristics, and detection methods of ransomware in ICS systems, this article proposes systematic protective strategies in response to the low protection, weak isolation, and multiple vulnerabilities of industrial control systems. (1) Enhance identity verification. Implement multi-factor authentication and strong password verification across all levels and endpoints of the ICS system, including external maintenance devices, internal servers, control devices, and edge gateways.(2) Implement boundary protection. Manage ICS by dividing it into different isolated zones, such as dividing it into five zones based on the Purdue control hierarchy model, then deploying firewalls and static routing, establishing security domains with unified trust levels and executing policies to minimize access to sensitive information and avoid widespread virus propagation.(3) Implement vulnerability management. Set maintenance periods and prioritize vulnerability maintenance based on asset priority, balancing production and security needs. Priority from high to low includes: Industrial firewalls, industrial switches, servers, engineering workstations, HMI servers.(4) Effective monitoring, including system status monitoring and key traffic monitoring. Monitor processes that start abnormally, patches, and key logs, establish black and white lists for IPs and domain names, and analyze sensitive traffic to ensure control over this critical information.(5) Take proactive measures for threat identification. This includes assessing potential vulnerabilities and threat vectors, constructing risk scenarios, simulating virus intrusions, and obtaining threat intelligence to ultimately nip the virus in the bud.

5. Conclusion

The network security of ICS systems is crucial for the normal operation of critical infrastructure, affecting not only the safety of relevant personnel but also the public services provided to residents. Among these, ransomware poses the most severe network security issue facing ICS systems. As the degree of ICS systems connecting to the Internet continues to increase, the boundaries between the IT and OT sides have become increasingly blurred and vulnerable, facilitating ransomware attacks. The complex and variable nature of ransomware can target all levels of ICS systems, including IT, PLC, SCADA, and communication protocols, raising higher and more comprehensive demands for ransomware detection and protection. The MITRE company’s ICS ATT&CK framework has good descriptive capabilities and a wide application range, applicable to the detection and identification of ransomware attacks throughout the entire lifecycle of ICS systems. Furthermore, ATT&CK can also be applied to virus threat hunting and cybersecurity management, integrating detection and protection, which is one of the future development trends. Literature combining the Diamond Model proposes the ICS Threat Hunting Framework (ICS-THF), which includes threat hunting triggers, threat hunting, and network threat intelligence. Literature also synthesizes various elements to propose a security management model that includes risk identification, defense strategies, and defense measures, fully illustrating that detection and protection are not separate. This article also analyzes the low protection, weak isolation, and multiple vulnerabilities present in ICS systems, proposing countermeasures for pre-validation and management, as well as post-monitoring and identification. Industrial control enterprises and related operational personnel need to enhance their operational and detection capabilities, advance their own network protection capacity building, and achieve integrated detection and management of ransomware in ICS systems.

Author Introduction

Mo Xiaolei, Dalian University of Technology, Master, research direction: Attack detection and identification of industrial control systems;

Miao Yong, Dalian University of Technology, Master, research direction: Information security in industrial internet;

Tong Yong, Antiy Technology Group Co., Ltd., Master, research direction: Network security, malicious code detection and analysis;

Tong Zhiming, Antiy Technology Group Co., Ltd., Senior Engineer, Bachelor, research direction: Network security, malicious code detection and analysis;

Sui Tianju (corresponding author), Dalian University of Technology, Professor, PhD supervisor, research direction: System security protection and fault diagnosis, industrial internet technology, and networked control systems, email: [email protected].

Digital Transformation》2025 subscription work has started, welcome to subscribe.

Editorial Department of Digital Transformation

Contact: Li Menglong Xu Xinyu

Phone: 13681051611 13146167216

Address: No. 35, Lugulu Road, Shijingshan District, Beijing

Postal Code: 100040

Leave a Comment