119 Ransomware Groups. 3,300 Industrial Organizations. The Shift Is Complete.
On February 17, 2026, Dragos published its ninth annual OT/ICS Cybersecurity Year in Review. The numbers confirmed what industrial CISOs have suspected for two years: OT is no longer a secondary target. It is the primary one.
Dragos tracked 119 ransomware groups impacting more than 3,300 industrial organizations in 2025 – a 49% increase from 80 groups in 2024. Manufacturing accounted for more than two-thirds of observed victims. Dragos Incident Response observed significant operational disruption in all OT ransomware cases responded to in 2025. Not some. All.
Three new OT-focused threat groups emerged in 2025: SYLVANITE (initial access broker handing footholds to VOLTZITE/Volt Typhoon for deeper OT intrusions), PYROXENE (deployed destructive wiper malware against critical infrastructure during the June 2025 Iran-Israel escalation), and AZURITE (operational overlaps with Flax Typhoon, sustained operations across the US, Europe, and Asia-Pacific). The total number of tracked OT threat groups reached 26, with 11 active in 2025 alone.
The adversary ecosystem has matured. Specialized groups establish access; more capable groups exploit it for OT effects. As Dragos CEO Robert Lee stated: “Adversaries are mapping how control systems work, understanding where commands originate, how they propagate, and where physical effects can be induced.”
For CISOs responsible for industrial environments, this article breaks down the specific attack patterns documented in 2025, explains why traditional IT security controls miss them, identifies the architectural gap that enables every OT ransomware incident, and maps the connectivity controls that close that gap.
The Attack Pattern That Defined OT Ransomware in 2025
The Dragos 2026 report documented a consistent attack pattern across all OT ransomware incidents responded to in 2025. This pattern does not require ICS-specific malware, OT protocol exploitation, or specialized industrial knowledge. It uses standard IT protocols against the infrastructure that OT depends on.
Step 1 – Initial Access via Remote Access Infrastructure
Ransomware affiliates authenticated into VPN portals, firewall interfaces, or vendor tunnels using credentials harvested from commodity infostealers or purchased from Initial Access Brokers (IABs). Claroty corroborated: 82% of verified OT intrusions used internet-facing remote access as the initial vector.
The entry point is not the OT network. It is the internet-facing remote access appliance that every industrial organization operates – the Citrix NetScaler, the Fortinet VPN, the Ivanti Pulse Secure, or the vendor-specific tunnel. Every one of these appliances has been the subject of critical CVEs in 2024–2025.
Step 2 – Lateral Movement via Standard IT Protocols
Once inside the enterprise network, attackers leveraged RDP, SMB/PsExec, WinRM, WMI, and SSH to move laterally toward OT boundary systems. No OT-specific tools. No industrial protocol exploitation. Standard Windows administration protocols – the same tools that IT administrators and OT vendors use every day.
The lateral movement path follows the connectivity that OT operations require: the Historian server that connects to both enterprise IT and OT PLCs, the engineering workstation with both email access and PLC programming capability, the patch distribution server in the IDMZ, and the vendor remote access gateway that bridges the boundary.
Step 3 – The VMware Pivot: Encrypting the Virtualization Layer
This is the step that most industrial CISOs underestimate. The ransomware did not target PLCs. It did not target HMIs. It targeted VMware ESXi hypervisors and OT-support servers hosting SCADA, HMI, Historian, and engineering workloads.
When the virtualization infrastructure is encrypted, operators lose visibility and control even though physical equipment remains functional. The turbine still spins. The valve is still positioned. But the operator cannot see the process, cannot issue commands, and cannot verify that the physical system is operating within safe parameters.
The operational impact is identical to attacking the OT system directly – but the attack surface is a standard VMware server on the IT/OT boundary, reachable through standard IT protocols, with standard IT credentials.
Step 4 – The Misclassification That Hides the True Impact
Dragos documented a systemic misclassification problem: when Windows servers, VMware hypervisors, or engineering workstations hosting SCADA/HMI software are impacted, organizations or incident responders without OT context call these “IT incidents.” This mislabeling understates the operational risk, mis-prioritizes mitigations, and distorts legal and regulatory reporting.
Insurance actuarial data cited by Dragos suggests this misclassification represents tens of billions of dollars annually in understated OT impact. 30% of Dragos incident response cases in 2025 began with operational staff reporting abnormal behavior – not with alerts or confirmed detection. The telemetry required to determine whether cyber activity was involved had never been collected.
Robert Lee summarized: “Industrial organizations significantly underestimate the reach of ransomware into OT environments because they think it’s ‘just IT.’”
The Numbers That Define the 2025 OT Threat Landscape
Metric | 2024 | 2025 | Change | Source |
Ransomware groups targeting industrial orgs | 80 | 119 | +49% | Dragos 2026 |
Industrial organizations impacted | ~2,200 | 3,300 | +50% | Dragos 2026 |
OT-focused threat groups tracked | 23 | 26 | +3 new groups | Dragos 2026 |
Active threat groups in year | 9 | 11 | +22% | Dragos 2026 |
OT intrusions via internet-facing remote access | – | 82% | – | Claroty |
Avg detection time (industry-wide) | – | 42 days | – | Dragos 2026 |
Avg detection time (comprehensive OT visibility) | – | 5 days | – | Dragos 2026 |
IR cases starting from operational staff reports | – | 30% | – | Dragos 2026 |
OT networks with comprehensive visibility | – | <10% | – | Dragos 2026 |
Ransomware in system-intrusion breaches | – | 75% | – | Verizon 2025 |
The 42-day vs. 5-day detection gap is the most consequential number in the report. Organizations with comprehensive OT visibility contained incidents in 5 days. The industry average was 42 days. That is not a marginal improvement – it is an 88% reduction in dwell time. And fewer than 10% of OT networks have the visibility to achieve it.
Why Traditional IT Security Controls Miss OT Ransomware
CISOs who have deployed EDR, SIEM, firewalls, and VPN MFA reasonably ask: if we have these controls, why does OT ransomware still succeed? The answer is architectural. IT security controls protect IT assets. OT ransomware targets the boundary between IT and OT – the space where IT controls end and OT controls have not yet begun.
Gap 1: VPN Provides Network Access, Not Application Access
A VPN authenticates a user and grants network-level access. Once “on the network,” the user – or the attacker with the user’s credentials – can reach any system the network configuration permits. There is no per-application authorization, no per-session MFA, and no continuous verification. The VPN trusts the network, and the network trusts the session.
Zero Trust replaces this with application-level access: each session authorized individually, each application accessed directly without network-level reachability, each session verified continuously. The lateral movement path that defines every 2025 OT ransomware incident – VPN → RDP → SMB → VMware – is architecturally eliminated because the attacker never gets network-level access.
A detailed analysis of microsegmentation vs. VLAN segmentation for OT documents why VLANs alone fail to prevent this lateral movement and what architectural alternatives close the gap.
Gap 2: No Content Inspection on IT-to-OT File Transfers
Firmware updates, configuration backups, Historian data, and engineering project files cross between IT and OT networks over SMB file shares – with no content inspection, no CDR scanning, and no per-operation policy enforcement. Ransomware executables, malicious scripts, and weaponized configuration files use the same SMB path as legitimate operations.
Standard SMB provides no mechanism to distinguish a legitimate firmware file from a ransomware payload. Content Disarm and Reconstruction (CDR) addresses this by rebuilding files from scratch, stripping anything that should not be present. This is not antivirus scanning for known signatures – it is structural analysis that eliminates unknown threats.
Gap 3: No Session Recording on OT-Boundary Connections
When Dragos says that 30% of their IR cases began with operational staff reporting abnormal behavior – not with alerts – the implication is clear. The connections between IT and OT boundary systems were not being recorded. The privileged sessions to engineering workstations, Historian servers, and VMware hosts had no video recording, no keystroke logging, and no file transfer attribution.
Without session recording, post-incident investigation is reconstruction from fragments – firewall logs that show a connection but not what happened during it, AD logs that show authentication but not what was accessed after it. Session recording transforms investigation from guesswork to replay.
Gap 4: Engineering Workstations Are the Unprotected Bridge
The engineering workstation is the highest-value target in OT because it sits in both worlds: it has PLC programming capability and IT access (email, web browsing, file sharing). Dragos identified engineering workstations as primary targets for data exfiltration – attackers sought CAD drawings, alarm configurations, PLC programs, and system architecture documents.
Most organizations protect engineering workstations with the same controls as general IT endpoints: EDR, domain authentication, VLAN membership. But the engineering workstation’s access to PLCs, HMIs, and safety systems makes it a fundamentally different risk profile. Microsegmentation that isolates the engineering workstation from other devices in the same Purdue zone – including other engineering workstations – contains a compromise that VLAN segmentation cannot.
Gap 5: The IDMZ Is a Target, Not a Buffer
The Industrial Demilitarized Zone was designed as a buffer between IT and OT. In practice, it contains the Historian relay, the patch distribution server, the access gateway, and the remote access landing zone – exactly the systems attackers target first. Dragos documented that most OT incidents do not begin in OT networks; adversaries gain access through infrastructure that sits between enterprise and operational environments.
A three-layer approach to securing IT-to-OT connectivity addresses the IDMZ as a controlled boundary rather than a collection of servers that happen to exist between IT and OT.
The Five Architectural Controls That Stop OT Ransomware
Each gap identified above has a corresponding architectural control. Together, these five controls address the complete OT ransomware attack chain documented by Dragos in 2025.
Control 1: Zero Inbound Ports on OT Network Boundaries
The initial access vector in 82% of OT intrusions is internet-facing remote access. Eliminating internet-facing ports eliminates the initial access vector. Reverse Access architecture inverts the connection: the internal component initiates an encrypted outbound connection to a gateway. No ports are opened inbound. The OT network boundary is architecturally invisible from the internet.
There is nothing to scan. Nothing to find. Nothing to exploit. The attack chain fails at Step 1.
Control 2: Application-Level Access Instead of Network-Level VPN
Replace VPN with per-application Zero Trust access. A user authorized for RDP to a specific engineering workstation cannot reach the VMware host, the Historian server, or any other system on the network. If the user’s credentials are compromised, the attacker’s access is limited to the specific application session – not the network. The RDP → SMB → VMware lateral movement chain fails at Step 2.
Control 3: CDR-Scanned File Transfer Between IT and OT
Every file crossing between IT and OT passes through Content Disarm and Reconstruction. CDR does not scan for known malware – it rebuilds files from scratch, eliminating active content, embedded scripts, exploit structures, and anything that does not conform to the expected file structure. Legitimate firmware files pass through intact. Ransomware payloads are stripped.
Control 4: Per-Session MFA with Identity-Based Policy
Every session – RDP to SCADA workstations, SSH to engineering servers, vendor access to OT systems, file transfers between zones – requires fresh MFA verification against verified identity. Compromised credentials without the MFA token are useless. Compromised MFA without authorization policy match is useless. The authentication model assumes breach and verifies every request.
Control 5: Integrated Session Recording with SIEM Export
Every interactive session is recorded – video, keystrokes, file transfers – with identity attribution and device attribution. The audit trail exports to the enterprise SIEM in real time. The 30% of incidents that begin with operational staff noticing abnormal behavior now have forensic evidence from the moment of compromise – not from the moment of detection days later.
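The access model described in Gap 1 and in Controls 2, 4 and 5 (one grant per identity, application and target host; fresh MFA for every session; every decision exported to the SIEM) can be shown as a small policy decision point. The following is an added example written for this article, not truePass Gravity's code or API; the grant table, the five-minute MFA freshness window, the device posture tags and the event format are all assumptions made for illustration.

```python
"""Per-application, per-session access decisions with fresh MFA and a SIEM-ready audit trail.

Added example, not truePass Gravity's code. It assumes a grant table that names an
identity, one application protocol and one target host (no network-wide grants),
an MFA freshness window that every new session must satisfy, and a device posture
check; every decision is written as a JSON event the way a SIEM export would carry it.
"""
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, List, Optional, Tuple

@dataclass(frozen=True)
class Grant:
    identity: str
    application: str                   # "rdp", "ssh", "smb", ...
    target: str                        # one host; there is no "any host on the VLAN"
    required_posture: FrozenSet[str]   # device tags that must be present

@dataclass(frozen=True)
class SessionRequest:
    identity: str
    application: str
    target: str
    device_posture: FrozenSet[str]
    mfa_verified_at: Optional[datetime]  # when MFA completed for THIS session; None = not done
    requested_at: datetime

# Constructed policy: an engineer may RDP to one engineering workstation; a vendor may SSH to the historian.
POLICY: List[Grant] = [
    Grant("alice@plant", "rdp", "eng-ws-01", frozenset({"managed", "edr"})),
    Grant("vendor-bob", "ssh", "historian-01", frozenset({"managed"})),
]
MFA_MAX_AGE = timedelta(minutes=5)   # assumption: MFA older than this does not carry into a new session
AUDIT_LOG: List[dict] = []

def decide(req: SessionRequest) -> Tuple[bool, str]:
    """Allow only when identity + application + target match a grant, posture is met and MFA is fresh.
    Denials record why, so the SIEM sees an attempted lateral move even when the credentials were valid."""
    grant = next((g for g in POLICY if (g.identity, g.application, g.target)
                  == (req.identity, req.application, req.target)), None)
    if grant is None:
        reason = "no grant for this application/target"
    elif not grant.required_posture <= req.device_posture:
        reason = "device posture missing " + ",".join(sorted(grant.required_posture - req.device_posture))
    elif req.mfa_verified_at is None or req.requested_at - req.mfa_verified_at > MFA_MAX_AGE:
        reason = "fresh per-session MFA required"
    else:
        reason = "allowed"
    allowed = reason == "allowed"
    AUDIT_LOG.append({
        "ts": req.requested_at.isoformat(),
        "identity": req.identity, "application": req.application, "target": req.target,
        "device_posture": sorted(req.device_posture),
        "decision": "allow" if allowed else "deny", "reason": reason,
    })
    return allowed, reason

def export_siem_events() -> str:
    """Newline-delimited JSON, one event per decision (the form most SIEM collectors ingest)."""
    return "\n".join(json.dumps(e, sort_keys=True) for e in AUDIT_LOG)

def demo() -> List[Tuple[bool, str]]:
    """Six constructed requests: one legitimate session and five ways the same credentials get stopped."""
    now = datetime(2026, 2, 17, 9, 0, tzinfo=timezone.utc)   # constructed timestamp
    posture = frozenset({"managed", "edr"})
    fresh = now - timedelta(minutes=1)
    return [
        decide(SessionRequest("alice@plant", "rdp", "eng-ws-01", posture, fresh, now)),    # legitimate session
        decide(SessionRequest("alice@plant", "rdp", "esxi-ot-01", posture, fresh, now)),   # valid creds+MFA, other host
        decide(SessionRequest("alice@plant", "smb", "eng-ws-01", posture, fresh, now)),    # same host, protocol not granted
        decide(SessionRequest("alice@plant", "rdp", "eng-ws-01", posture, None, now)),     # credentials only, no MFA
        decide(SessionRequest("alice@plant", "rdp", "eng-ws-01", posture, now - timedelta(hours=1), now)),  # stale MFA
        decide(SessionRequest("vendor-bob", "ssh", "historian-01", frozenset(), fresh, now)),  # unmanaged vendor laptop
    ]

if __name__ == "__main__":
    for allowed, reason in demo():
        print("allow" if allowed else "deny ", reason)
    print(export_siem_events())
```

The second request is the one that matters for the VPN-to-VMware chain: the credentials and the MFA are both valid, yet the session is refused because no grant names that host, and the denial lands in the SIEM as an event rather than vanishing as a routine VPN connection.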
Organizations implementing the Zero Trust approach to the Purdue Model apply these controls at the specific Purdue level boundaries where Dragos documented the most frequent attack crossover – particularly the Level 3–4 transition where IT protocols cross into OT networks.
How truePass Gravity Addresses the Dragos 2026 Attack Pattern
The attack pattern documented by Dragos – VPN credentials → lateral movement via RDP/SMB → VMware encryption → OT shutdown – requires a platform that addresses all five controls from a single architecture. Separate products for each control create integration gaps, separate audit trails, and the vendor sprawl that Dragos identified as a contributing factor to the 42-day detection average.
truePass Gravity provides all five controls through its three-layer architecture:
Layer 1 – Reverse Access (Zero Inbound Ports). Patented technology eliminates the internet-facing VPN appliance that 82% of OT intrusions exploit. The internal Access Controller initiates outbound connections. The OT boundary has no listening services, no open ports, and no scannable attack surface. Step 1 of the Dragos attack chain is architecturally eliminated.
Layer 2 – Heimdall SMB Proxy with CDR. Every file crossing between IT and OT passes through Content Disarm and Reconstruction. Identity-based access with MFA at the SMB layer. Per-operation policy enforcement (create, modify, view, delete) per user, per device, per file type. Ransomware cannot propagate via SMB writes because every write operation is policy-evaluated and every file is CDR-scanned.
Layer 3 – Zero Trust Application Access with Session Recording. Per-session RDP, SSH, HTTP, and TCP access with MFA, device posture verification, and integrated video + keystroke recording. Application-level isolation prevents lateral movement. Session recording provides the forensic evidence that transforms the 42-day detection average into the 5-day containment that Dragos documented for organizations with comprehensive visibility.
The three layers together map directly to the Dragos attack chain:
Dragos Attack Step | What Happens | truePass Gravity Control | Result |
Step 1 – VPN credential exploitation | Attacker authenticates to internet-facing appliance | Layer 1: Reverse Access – no internet-facing appliance exists | Attack fails at initial access |
Step 2 – Lateral movement via RDP/SMB | Attacker uses RDP and SMB to traverse network | Layer 3: Application-level access – no network reachability | Lateral movement eliminated |
Step 3 – VMware encryption | Attacker encrypts virtualization infrastructure | Layer 2+3: CDR blocks malicious files; per-application access blocks VMware reachability | Encryption payload cannot reach target |
Step 4 – Misclassification | Incident classified as “IT only” | Layer 3: Session recording provides OT-attributed forensic evidence | Correct classification from hour one |
For organizations applying identity-based segmentation across OT environments, the containment extends beyond access control to per-device isolation – each engineering workstation, each HMI, each Historian server operates in its own security zone. A compromise of any single device is contained to that device. The VLAN-wide exposure that enables the Dragos attack chain is architecturally eliminated.
What Industrial CISOs Should Do in Response to the Dragos 2026 Report
The Dragos report is not a forecast. It is a field report documenting what already happened. The 119 ransomware groups are already operating. The 3,300 impacted organizations were already impacted. The attack pattern is already documented and repeatable.
Priority 1: Map Your IT-to-OT Lateral Movement Paths
Identify every connection path between IT and OT networks. The Historian server, the engineering workstations, the patch distribution server, the vendor remote access gateway, the VMware infrastructure hosting OT applications. Each is a lateral movement path documented in the Dragos report.
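Mapping these paths is a graph problem: assets carry a Purdue level, permitted flows come from firewall rules or ACL exports, and the question is which chains of flows let a session that starts in enterprise IT reach supervisory control. The script below is an added example, not from the article or the Dragos report; the hostnames, levels and flows are constructed to resemble the IDMZ, Historian, engineering workstation and ESXi bridges described above. The "hypervisor" pseudo-protocol marks a VM hosted on an ESXi host, so that encrypting the host counts as reaching the VM.

```python
"""Map IT-to-OT lateral movement paths from an asset and flow inventory.

Added example (not from the article or the Dragos report): assets carry a
Purdue level and permitted flows come from a firewall/ACL export; the tool
enumerates every path by which a session starting in enterprise IT can
reach supervisory control or below, and ranks the bridging assets that the
paths share. All hostnames, levels and flows below are constructed.
"""
from typing import Dict, List, Tuple

# Constructed inventory: asset -> Purdue level
# 4 = enterprise IT, 3.5 = IDMZ, 3 = site operations, 2 = supervisory control, 1 = basic control
ASSETS: Dict[str, float] = {
    "vpn-portal": 4, "corp-workstation": 4,
    "idmz-patch-server": 3.5, "idmz-historian-relay": 3.5, "vendor-access-gw": 3.5,
    "eng-workstation": 3, "historian": 3, "esxi-ot-host": 3,
    "scada-server": 2, "hmi": 2, "plc-line1": 1,
}

# Constructed permitted flows (source, destination, protocol), e.g. from firewall rules.
# "hypervisor" marks a VM hosted on an ESXi host: encrypting the host takes the VM down.
FLOWS: List[Tuple[str, str, str]] = [
    ("vpn-portal", "corp-workstation", "RDP"),
    ("vpn-portal", "vendor-access-gw", "RDP"),
    ("corp-workstation", "idmz-patch-server", "SMB"),
    ("corp-workstation", "idmz-historian-relay", "HTTPS"),
    ("idmz-patch-server", "eng-workstation", "SMB"),
    ("idmz-historian-relay", "historian", "SQL"),
    ("vendor-access-gw", "eng-workstation", "RDP"),
    ("vendor-access-gw", "esxi-ot-host", "SSH"),
    ("eng-workstation", "scada-server", "RDP"),
    ("eng-workstation", "plc-line1", "EtherNet/IP"),
    ("historian", "scada-server", "OPC-UA"),
    ("esxi-ot-host", "scada-server", "hypervisor"),
    ("esxi-ot-host", "hmi", "hypervisor"),
    ("scada-server", "plc-line1", "Modbus"),
]

Path = Tuple[List[str], List[str]]   # (assets visited, protocol used on each hop)

def build_graph(flows: List[Tuple[str, str, str]]) -> Dict[str, List[Tuple[str, str]]]:
    graph: Dict[str, List[Tuple[str, str]]] = {}
    for src, dst, proto in flows:
        graph.setdefault(src, []).append((dst, proto))
    return graph

def find_crossing_paths(assets: Dict[str, float], flows, start_level: float = 4.0,
                        target_level: float = 2.0, max_hops: int = 6) -> List[Path]:
    """Every simple path from an asset at start_level or above to one at target_level or below.
    A path stops at the first asset at or below target_level: reaching it is the finding."""
    graph = build_graph(flows)
    found: List[Path] = []
    for start in sorted(a for a, lvl in assets.items() if lvl >= start_level):
        stack = [(start, [start], [])]
        while stack:
            node, path, protos = stack.pop()
            if len(path) > 1 and assets[node] <= target_level:
                found.append((path, protos))
                continue
            if len(protos) >= max_hops:
                continue
            for nxt, proto in graph.get(node, []):
                if nxt not in path:            # simple paths only, no cycles
                    stack.append((nxt, path + [nxt], protos + [proto]))
    return found

def bridging_assets(paths: List[Path]) -> List[Tuple[str, int]]:
    """Intermediate assets ranked by how many crossing paths run through them.
    These are the chokepoints where per-application access and session recording pay off most."""
    counts: Dict[str, int] = {}
    for path, _ in paths:
        for asset in path[1:-1]:
            counts[asset] = counts.get(asset, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))

def render(path: Path) -> str:
    assets, protos = path
    return assets[0] + "".join(f" -({p})-> {a}" for a, p in zip(assets[1:], protos))

if __name__ == "__main__":
    paths = find_crossing_paths(ASSETS, FLOWS)
    print(f"{len(paths)} IT-to-OT crossing paths")
    for p in paths:
        print("  " + render(p))
    print("bridging assets:", bridging_assets(paths))
```

On the constructed inventory the engineering workstation sits on more crossing paths than any other asset, which is the programmatic form of the point made in Gap 4: it is the bridge, and it deserves controls that general IT endpoints do not get. Feeding a real flow export in place of the constructed list is the only change needed to run this against an actual site.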
Priority 2: Inventory Internet-Facing OT Boundary Infrastructure
Every VPN concentrator, remote desktop gateway, and web application on the OT network boundary is a potential initial access point – the same infrastructure that 82% of OT intrusions exploited in 2025. Document it. Assess it. Plan to eliminate it or isolate it.
Organizations evaluating the broader ransomware defense strategy with microsegmentation for government and critical infrastructure can apply the same containment principles to industrial OT environments.
Priority 3: Deploy Per-Session MFA on Every OT Access Path
Not VPN-level MFA. Per-session MFA on every RDP session to SCADA workstations, every SSH session to engineering servers, every vendor connection, and every file transfer between zones. Coalition’s 2024 data confirmed that 82% of denied insurance claims lacked MFA – and most lacked MFA specifically on the OT access paths that the Dragos attack chain exploits.
Priority 4: Implement CDR on IT-to-OT File Transfers
Every file crossing the IT/OT boundary should pass through Content Disarm and Reconstruction. Firmware updates, configuration files, engineering project files, and Historian data – all of them. Standard SMB with no content inspection is the file-based propagation path that ransomware uses.
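Gap 2, Control 3 and this priority all rest on the same idea: instead of asking whether a file matches a known signature, parse it into a structure and emit a fresh file from that structure alone. The script below is an added example written for this article, not the article's, truePass Gravity's or any CDR vendor's code. It rebuilds XML engineering configuration and CSV Historian exports, recurses into ZIP project archives, and treats opaque firmware images the only way reconstruction can (an assumption made here: a pinned vendor hash, since a binary blob has no structure to rebuild from). The file names, contents, and the allowlist of transfer types are all constructed.

```python
"""Content Disarm and Reconstruction (CDR) for files crossing the IT/OT boundary.

Added example, not the article's or any vendor's code. Each file is identified by
content, parsed into a structure and re-emitted from that structure alone; what the
parser cannot account for never reaches the OT side. Opaque firmware images cannot
be rebuilt, so here (an assumption) they pass only when they match a pinned vendor
hash. File names, contents and the allowlist are constructed."""
import csv, hashlib, io, posixpath, re, zipfile
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Dict, List, Optional

FIRMWARE_IMAGE = b"\x7fFIRMWARE-V2\x00" + bytes(range(16))           # constructed "vendor" image
PINNED_FIRMWARE_SHA256 = {hashlib.sha256(FIRMWARE_IMAGE).hexdigest()}  # would come from the vendor
NUMBER = re.compile(r"[+-]?\d+(\.\d+)?([eE][+-]?\d+)?")              # Historian values like -12.5

@dataclass
class CdrResult:
    kind: str
    data: Optional[bytes]                              # rebuilt bytes, or None when blocked
    stripped: List[str] = field(default_factory=list)  # what was removed or blocked, and why

def rebuild_xml(name: str, data: bytes) -> CdrResult:
    """Re-serialise from the parsed tree: comments, PIs and anything unparsed do not survive."""
    if b"<!DOCTYPE" in data or b"<!ENTITY" in data:
        return CdrResult("xml", None, [f"{name}: DOCTYPE/ENTITY declarations not permitted"])
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return CdrResult("xml", None, [f"{name}: not well-formed XML ({exc})"])
    return CdrResult("xml", ET.tostring(root, encoding="utf-8", xml_declaration=True))

def rebuild_csv(name: str, data: bytes) -> CdrResult:
    """Re-write every row through the CSV writer; neutralise formula cells, keep negative numbers."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return CdrResult("csv", None, [f"{name}: not UTF-8 text"])
    stripped, out = [], io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    for row_no, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        clean = []
        for cell in row:
            if cell.startswith(("=", "@")) or (cell[:1] in ("+", "-") and not NUMBER.fullmatch(cell)):
                stripped.append(f"{name}: row {row_no} formula-like cell neutralised")
                cell = "'" + cell          # a spreadsheet shows this as text instead of evaluating it
            clean.append(cell)
        writer.writerow(clean)
    return CdrResult("csv", out.getvalue().encode("utf-8"), stripped)

def rebuild_zip(name: str, data: bytes) -> CdrResult:
    """Build a fresh archive holding only members that themselves survive CDR."""
    try:
        src = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return CdrResult("zip", None, [f"{name}: not a readable archive"])
    stripped, buf = [], io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.is_dir():
                continue
            member = posixpath.normpath(info.filename)
            if member.startswith("..") or posixpath.isabs(info.filename):
                stripped.append(f"{name}!{info.filename}: path traversal rejected")
                continue
            inner = cdr(f"{name}!{member}", src.read(info))   # recurse: members get the same treatment
            stripped.extend(inner.stripped)
            if inner.data is not None:
                dst.writestr(member, inner.data)
    return CdrResult("zip", buf.getvalue(), stripped)

def cdr(name: str, data: bytes) -> CdrResult:
    """Dispatch on declared type, but let content win: an MZ header is an executable whatever it is called."""
    ext = posixpath.splitext(name)[1].lower()
    if data[:2] == b"MZ":
        return CdrResult("pe", None, [f"{name}: executable (MZ header) regardless of extension"])
    if ext == ".zip":
        return rebuild_zip(name, data)
    if ext in (".xml", ".csv"):
        return (rebuild_xml if ext == ".xml" else rebuild_csv)(name, data)
    if ext == ".bin":                      # opaque firmware: hash pinning instead of reconstruction
        digest = hashlib.sha256(data).hexdigest()
        if digest in PINNED_FIRMWARE_SHA256:
            return CdrResult("firmware", data)
        return CdrResult("firmware", None, [f"{name}: sha256 {digest[:16]} not in pinned vendor list"])
    return CdrResult("unknown", None, [f"{name}: type '{ext or 'none'}' not on the transfer allowlist"])

def build_sample_project() -> bytes:
    """Constructed engineering project archive mixing legitimate content with things CDR must stop."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("config/plc-line1.xml", b'<?xml version="1.0"?><project><!-- hidden -->'
                   b'<plc name="line1"><tag>Speed</tag></plc></project>')
        z.writestr("export/historian.csv", "tag,value\nSpeed,-12.5\nNote,=SUM(A1:A9)\n")
        z.writestr("tools/update.exe", b"MZ\x90\x00" + bytes(16))
        z.writestr("firmware/line1.bin", FIRMWARE_IMAGE)
    return buf.getvalue()

def members(archive: bytes) -> Dict[str, bytes]:
    """Member name -> bytes of a rebuilt archive, for inspecting what CDR let through."""
    with zipfile.ZipFile(io.BytesIO(archive)) as z:
        return {n: z.read(n) for n in z.namelist()}

def process_sample() -> CdrResult:
    return cdr("project.zip", build_sample_project())
```

Run on the constructed project, the rebuilt archive keeps the PLC configuration (minus the XML comment, which the tree never held), the Historian export (with the formula cell neutralised but the negative reading intact) and the pinned firmware image, while the executable member is dropped and named in the `stripped` list. That list is what should flow to the SIEM: a blocked member is evidence of an attempted transfer, not just a filtered file.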
Priority 5: Establish Session Recording on OT Boundary Systems
Dragos documented that 30% of IR cases began with operational staff noticing abnormal behavior – not with security alerts. Session recording on every connection to OT boundary systems provides the forensic evidence that transforms reactive investigation into proactive containment.
Industrial organizations exploring how to implement these controls through a unified microsegmentation approach can evaluate the specific per-device isolation architecture that contains the lateral movement Dragos documented.
Frequently Asked Questions
Did any OT ransomware in 2025 use ICS-specific malware?
No. Dragos Incident Response observed that the operational impact stemmed not from ICS-specific malware but from the encryption or corruption of the virtualization infrastructure on which OT depends. Attackers used standard IT protocols – RDP, SMB/PsExec, WinRM, WMI, SSH – to reach VMware ESXi hypervisors and OT-support servers. The attack tools were commodity IT tools. The impact was OT operational disruption.
What is the VMware ESXi pivot and why does it matter for OT?
Ransomware groups target VMware ESXi hypervisors that host SCADA, HMI, Historian, and engineering workloads. When the hypervisor is encrypted, every virtual machine it hosts becomes inaccessible – even though the physical OT equipment remains functional. Operators lose visibility and control. The physical process continues unmonitored. This is why Dragos emphasizes that ransomware’s reach into OT is systematically underestimated: the VMware host is technically an IT server, but its function is OT-critical.
What are SYLVANITE, PYROXENE, and AZURITE?
These are three new OT-focused threat groups identified by Dragos in 2025. SYLVANITE operates as an initial access broker, exploiting vulnerabilities in Ivanti, F5, SAP, and ConnectWise products, then handing established footholds to VOLTZITE (linked to Volt Typhoon) for deeper OT intrusions. PYROXENE deployed destructive wiper malware against critical infrastructure during the June 2025 Iran-Israel escalation. AZURITE showed operational overlaps with Flax Typhoon and conducted sustained operations across the US, Europe, and Asia-Pacific. The division of labor – access brokers feeding capability groups – is now the dominant adversary model for OT.
Why is the 42-day vs. 5-day detection gap so important?
Organizations with comprehensive OT visibility detected and contained ransomware incidents in an average of 5 days. The industry-wide average was 42 days. That 37-day difference represents the window during which ransomware can propagate, exfiltrate data, encrypt infrastructure, and cause operational disruption. Fewer than 10% of OT networks have the comprehensive visibility required to achieve the 5-day benchmark. Closing this gap requires not just monitoring tools but architectural controls – per-session recording, unified audit trails, and SIEM integration that provides real-time correlation across IT and OT boundaries.
How does ransomware misclassification affect industrial organizations?
When ransomware encrypts a Windows server hosting SCADA software, incident responders without OT context may classify it as an IT incident. This misclassification understates the operational impact, delays OT-specific recovery procedures (which require verifying control system configurations, safety system integrity, and process parameter validity before restart), and distorts insurance claims, regulatory reporting, and risk assessments. Dragos and insurance actuarial data suggest this misclassification represents tens of billions of dollars annually in understated OT impact.
What should industrial CISOs prioritize first?
Based on the Dragos 2026 findings, the highest-impact first step is eliminating internet-facing remote access infrastructure on OT boundaries – the vector that 82% of OT intrusions exploit. Replace VPN with Zero Trust Application Access that provides zero inbound ports, per-session MFA, and session recording. This single architectural change addresses Steps 1 and 2 of the documented attack chain. CDR for file transfers (Step 3 prevention) and microsegmentation (containment) follow as second and third priorities.
Conclusion
The Dragos 2026 OT Cybersecurity Report documented a threat landscape that industrial CISOs can no longer treat as emerging. 119 ransomware groups. 3,300 impacted organizations. 49% year-over-year increase. Operational disruption in every OT ransomware case Dragos responded to. Three new threat groups mapping control loops and positioning for physical effects.
The attack pattern is documented, repeatable, and uses standard IT protocols: stolen VPN credentials → RDP/SMB lateral movement → VMware encryption → OT shutdown. No ICS-specific malware required. The gap is architectural – the space between IT security controls and OT operational systems where lateral movement happens unchallenged.
Five architectural controls close this gap: zero inbound ports on OT boundaries, application-level access instead of network-level VPN, CDR-scanned file transfers between IT and OT, per-session MFA on every OT access path, and integrated session recording with SIEM export. These are not aspirational recommendations. They are the specific controls that map to the specific attack steps that defined OT ransomware in 2025.
The 42-day detection average exists because fewer than 10% of OT networks have comprehensive visibility. The 5-day containment benchmark proves that architectural controls work. The gap between 42 and 5 is the gap between reactive investigation after operational disruption and proactive containment before physical impact.
119 groups are operating. The attack pattern is known. The controls are available. The question for industrial CISOs is not whether to deploy them – the Dragos data settled that question. The question is which quarter deployment begins.