Ransomware targeting manufacturing has shifted from opportunistic to deliberate. Recent campaigns show attackers conducting extended reconnaissance, weaponizing OT-adjacent systems, and exfiltrating production data before encrypting. The financial and safety stakes make your facility a high-value target.
Over the past eighteen months, we have observed LockBit, BlackCat, and a new group calling themselves "Cascade" specifically targeting food processing, metals, and automotive suppliers. These are not spray-and-pray campaigns. Attackers establish presence in IT networks for weeks, sometimes months, before pivoting toward control systems.
How Attackers Establish a Foothold
Initial access typically arrives via spear-phishing to procurement or engineering staff, or through unpatched edge devices exposed to the internet. Once inside, attackers move laterally using legitimate credentials harvested from development environments. They map your network, identify supervisory systems, and understand your production criticality.
The goal is leverage. Attackers know that encrypted production lines cost far more per hour than encrypted IT systems. They encrypt OT networks last—sometimes not at all—because the threat alone is negotiating leverage.
Detection Signals You Should Be Monitoring
- Unusual inter-network traffic: Sustained flows between IT and OT zones outside maintenance windows, especially to unusual ports.
- Credential usage anomalies: Engineering accounts logging in from unfamiliar geographies or at odd hours.
- Executable staging: Hands-on-keyboard activity moving known ransomware utilities to shared drives or temporary paths.
- Deletion volume: Large-scale deletion of shadow copies or backups, which indicates preparation for encryption.
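As an added illustration, not part of the original article, the following Python sketch applies three of the signals above (IT-to-OT flows, credential anomalies, shadow-copy deletion volume) to a handful of constructed telemetry records. The zone names, maintenance window, expected OT ports, working hours and deletion threshold are hypothetical site policy values chosen for the example, not figures from the article.

```python
from datetime import datetime

# Constructed sample telemetry (flow, authentication and host events normalised
# into one record shape with an ISO 8601 timestamp). Not real data.
EVENTS = [
    {"kind": "flow", "ts": "2024-03-12T02:14:00", "src_zone": "IT", "dst_zone": "OT", "dst_port": 4444},
    {"kind": "flow", "ts": "2024-03-12T14:05:00", "src_zone": "IT", "dst_zone": "OT", "dst_port": 502},
    {"kind": "auth", "ts": "2024-03-12T03:30:00", "user": "eng.svc", "geo": "RO"},
    {"kind": "auth", "ts": "2024-03-12T09:00:00", "user": "eng.svc", "geo": "US"},
    {"kind": "host", "ts": "2024-03-12T03:45:00", "host": "fs01", "action": "shadow_copy_delete", "count": 40},
]

# Hypothetical site policy: when IT->OT traffic is expected, which OT ports are
# normal, where and when engineering accounts normally log in, and how many
# shadow-copy deletions in one event count as preparation for encryption.
MAINT_WINDOW = (13, 16)            # hours of day, [start, end)
EXPECTED_OT_PORTS = {502, 44818}   # e.g. Modbus/TCP, EtherNet/IP (assumed baseline)
EXPECTED_GEO = {"eng.svc": {"US"}}
WORK_HOURS = (7, 19)
SHADOW_DELETE_THRESHOLD = 10


def detect(events):
    """Return (rule_name, timestamp) pairs for events matching a signal."""
    alerts = []
    for e in events:
        hour = datetime.fromisoformat(e["ts"]).hour
        if e["kind"] == "flow" and (e["src_zone"], e["dst_zone"]) == ("IT", "OT"):
            # IT->OT traffic outside the maintenance window, or to an unusual port
            outside_window = not (MAINT_WINDOW[0] <= hour < MAINT_WINDOW[1])
            odd_port = e["dst_port"] not in EXPECTED_OT_PORTS
            if outside_window or odd_port:
                alerts.append(("it_ot_flow_anomaly", e["ts"]))
        elif e["kind"] == "auth":
            # Engineering account seen from an unfamiliar region or at odd hours
            odd_geo = e["geo"] not in EXPECTED_GEO.get(e["user"], set())
            odd_hour = not (WORK_HOURS[0] <= hour < WORK_HOURS[1])
            if odd_geo or odd_hour:
                alerts.append(("credential_anomaly", e["ts"]))
        elif e["kind"] == "host" and e["action"] == "shadow_copy_delete":
            # Large-scale shadow-copy deletion precedes encryption
            if e["count"] >= SHADOW_DELETE_THRESHOLD:
                alerts.append(("mass_shadow_copy_deletion", e["ts"]))
    return alerts


if __name__ == "__main__":
    for rule, ts in detect(EVENTS):
        print(f"{ts}  {rule}")
```

In production these baselines would come from asset inventory and historical traffic rather than constants, but the structure of each check is the same.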
Your Immediate Response Priority
If you suspect ransomware presence, isolate suspect systems from both IT and OT networks immediately. Do not wait for confirmation. Assume data exfiltration has occurred. Contact law enforcement and your cyber insurance carrier before negotiating with the threat actors. Many manufacturers have recovered data via FBI coordination without paying the ransom.
The difference between a contained incident and a production halt comes down to early detection and isolation speed. If you'd like to discuss ransomware readiness or detection tuning for your facility, reach out.
This article was written by the Cascadia OT Security practice, which advises Pacific Northwest data centers and manufacturers on industrial cybersecurity. For engagement inquiries, reach our practice team.