Ramnit Malware Infections Spike in OT as Evidence Suggests ICS Shift
Industrial giant Honeywell on Wednesday published its 2025 Cybersecurity Threat Report, which shows that ransomware and other malware attacks have surged in the industrial sector.
Honeywell’s report shows — based on OSINT and industry sources — that there has been a significant increase in ransomware attacks on industrial organizations. While these attacks did not necessarily impact operational technology (OT) systems, more than half of the 55 cybersecurity incidents reported to the SEC in 2024 did affect OT.
However, the most interesting findings in Honeywell’s latest report are based on data collected by the company’s own industrial cybersecurity products, which monitor networks for attacks, scan USB drives for malware, and provide threat and risk intelligence.
The company’s SMX USB scanning solution checked over 31 million files in Q4 2024 and Q1 2025, blocking nearly 5,000 files and detecting more than 1,800 unique threats, including 124 that were not previously seen.
The most commonly detected malware families, which accounted for 42% of detections, were Win32.Worm.Ramnit, Trojan.scar/shyape, Trojan.lokibot/stealer, and Win32.Worm.Sohanad.
The one that stands out the most is Ramnit, a piece of Windows malware that has been around for many years and which has several variants. There are Ramnit worms and viruses that spread through USB flash drives, as well as trojans that give attackers control of the victim’s PC and enable them to steal sensitive information such as banking data and credentials.
Honeywell saw a whopping 3,000% increase in Ramnit infections in the fourth quarter of 2024, compared to the second quarter of the same year.
“W32.Rmnit is primarily a banking trojan used to steal account credentials; however, given its saturated presence in Honeywell industrial customers’ ecosystems, it can likely be assumed it has been repurposed to extract control system credentials,” Honeywell explained.
Paul Smith, director of Honeywell OT Cybersecurity Engineering and author of the report, told SecurityWeek that the assumption of a shift towards industrial control system (ICS) credentials is based on the fact that the company detected no Ramnit infections in Q1 2024, but it soon became the threat with the highest number of detections.
“We have discovered and blocked thousands of tools, trojans, spyware, ransomware, crypto lockers, and many iterations and variants of nasty files that creep into organizations either by absentminded employees, pentesters, red teamers, blue teamers, and yes even nation state level threat actors,” Smith said.
“With the current trend and Ramnit being the leader for the last three quarters, one has to wonder if this is a directed attack or simply an efficient credential extraction tool that is easily distributed,” Smith explained.
The expert pointed out that many ICS products run on Windows devices, so it would not be surprising if such a piece of malware, which leverages living-off-the-land (LOL) binaries to carry out malicious activities, were the weapon of choice for threat actors looking for control system credentials, considering that the targeted systems are likely already hosting the required LOL tools.
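The point above, that malware on Windows-based ICS hosts can lean on LOL binaries already present on the system, is one a defender can turn into a detection. The following script is an added example, not code from the article or from Honeywell: it runs over a small set of constructed process-creation events (the CSV columns, the shortlist of LOL binaries, and the assumption that drive letters D: and above are removable media are all assumptions made for the example) and flags LOL binaries launched from, or pointed at, removable media.

```python
"""Flag living-off-the-land binaries launched from removable media.

Added example for illustration. The event format (UtcTime, Image,
ParentImage, CommandLine), the LOLBIN shortlist and the removable-drive
convention are assumptions, not anything taken from the report.
"""
import csv
import io
import re

# Windows binaries that are commonly abused as LOL tools on engineering
# workstations. Hypothetical shortlist for the example, not a full catalogue.
LOLBINS = {
    "powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
}

# Assumption for this example: D: and higher are removable drives on the host.
REMOVABLE_PARENT = re.compile(r"^[D-Z]:\\", re.IGNORECASE)
REMOVABLE_ARG = re.compile(r"\b[D-Z]:\\", re.IGNORECASE)

# Constructed sample events (not real telemetry). Row 2 runs a script from a
# USB drive, row 3 has a parent process living on the USB drive itself.
SAMPLE_EVENTS = r"""UtcTime,Image,ParentImage,CommandLine
2025-01-10 08:01:12,C:\Windows\System32\cmd.exe,C:\Windows\explorer.exe,cmd.exe /c dir
2025-01-10 08:02:33,C:\Windows\System32\wscript.exe,C:\Windows\explorer.exe,wscript.exe E:\docs\invoice.vbs
2025-01-10 08:03:05,C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,E:\setup.exe,powershell.exe -File E:\run.ps1
2025-01-10 08:04:40,C:\Windows\System32\notepad.exe,C:\Windows\explorer.exe,notepad.exe E:\readme.txt
"""


def parse_events(text):
    """Parse the CSV event export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text.strip())))


def is_suspicious(event):
    """True when a LOL binary is launched by, or operates on, removable media."""
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    if image not in LOLBINS:
        return False  # ordinary application; outside this rule's scope
    parent_on_usb = bool(REMOVABLE_PARENT.match(event["ParentImage"]))
    arg_on_usb = bool(REMOVABLE_ARG.search(event["CommandLine"]))
    return parent_on_usb or arg_on_usb


def find_alerts(text):
    """Return the events that the rule flags, in log order."""
    return [e for e in parse_events(text) if is_suspicious(e)]


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print(f"{alert['UtcTime']}  {alert['Image']}  <- {alert['ParentImage']}")
        print(f"    {alert['CommandLine']}")
```

On the constructed sample the rule flags the wscript.exe launch of a script on E: and the powershell.exe launch whose parent lives on E:, and ignores both the benign cmd.exe run and notepad.exe, which is not on the LOL shortlist. In a real deployment the drive-letter heuristic should be replaced with the host's actual removable-volume list, and the LOLBIN set tuned to the engineering software in use.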