Ransomware and USB attacks are hammering OT systems
Ransomware, trojans, and malware delivered through USB devices are putting growing pressure on industrial systems, according to the Honeywell 2025 Cyber Threat Report, which draws on data from monitoring tools deployed across industrial sites around the world. The findings highlight persistent and serious risks to OT environments that keep critical infrastructure running.
Findings from the Honeywell Advanced Monitoring and Incident Response (AMIR) service
The numbers aren’t great
Researchers recorded a 46 percent increase in ransomware extortion cases in late 2024 and early 2025. The Cl0p ransomware group was especially active. In just the first quarter of 2025, Honeywell tracked 2,472 ransomware victims globally, adding to the 6,130 incidents recorded in 2024.
USB-related threats are rising too. One out of every four incidents handled by Honeywell’s response team involved a USB plug-and-play event, typically someone plugging in a drive that carries malware into the system. W32.Ramnit, a file-infecting worm that later picked up credential-stealing banking trojan capabilities, showed up in industrial networks with a 3,000 percent increase in detections.
Even older malware like Win32.Worm.Sohanad and vulnerabilities dating back over a decade are still being used, simply because they still work.
“Legacy risks are finding success in the industrial cybersecurity industry due to the nature of the space. In the industrial world, equipment was designed to last 30 to 40 years. This practice was in place from mechanical through pneumatics and on into the digital transformation era. However, on the enterprise IT side, shelf life is 3 – 5 years, with rapid innovation and technological advancements. Vulnerabilities are a common, everyday occurrence. The rate at which industrials innovate has not kept in lockstep, and because of this, threat actors can easily repurpose known exploits and easily target industrial customers, knowing that these facilities and equipment are 10 to 20 years old and patching schedules are typically subpar,” Paul Smith, director of Honeywell OT Cybersecurity Engineering, told Help Net Security.
What’s getting hit?
More than half of the cybersecurity incidents self-reported to the U.S. SEC in 2024 involved OT systems directly. Energy, transportation, and manufacturing sectors were among the hardest hit. Water utilities were especially vulnerable.
In Japan, a cyberattack on an airline delayed more than 40 flights and affected baggage handling. In Pittsburgh, a ransomware attack disrupted payment systems for public transit riders. Agriculture and food production also saw a sharp increase in attacks. Honeywell described the growth as exponential, a worrying sign for supply chain resilience.
What CISOs can do
The researchers offer a long list of practical recommendations, but the key themes are simple. Know your environment. Segment your networks. Monitor what crosses the boundary in and out of the OT network. Scan removable media before it is plugged in. Use MFA. Back up your data and test recovery regularly. Keep software updated. Track your assets. Apply standards like NIST SP 800-82 or IEC 62443.
The report emphasizes that even basic controls can go a long way. For USB threats in particular, the researchers recommend physical scanning kiosks that check removable media before it enters the building. Their Secure Media Exchange (SMX) kiosks scanned more than 31 million files during the report period and blocked nearly 5,000 threats, including almost 700 instances of the Ramnit worm.
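To make the "scan removable media" recommendation and the kiosk idea above concrete, here is an added example of the policy checks a removable-media scanning station might apply to a mounted volume. It is not Honeywell's SMX code and is not taken from the report; the file names, file contents and the "known-bad" hash set are all constructed for the demonstration. The point it shows is that a hash blocklist on its own is not enough for worms like Ramnit: structural checks (an autorun.inf, a double extension such as invoice.pdf.exe, or a file whose contents start with the "MZ" executable header regardless of its name) catch samples the hash feed has never seen.

```python
"""Removable-media policy scan: an added example of the checks a USB kiosk
might run. Not Honeywell's SMX; all sample files and hashes are constructed."""
from __future__ import annotations

import hashlib
import os
import tempfile
from pathlib import Path

# Constructed stand-in for a payload; a real kiosk would load hashes from a
# threat-intel feed. This byte string is NOT real malware.
SAMPLE_PAYLOAD = b"MZ\x90\x00 constructed stand-in for a PE file, not real malware"

# File types that should never ride into an OT network on a thumb drive.
BLOCKED_SUFFIXES = {".exe", ".dll", ".scr", ".lnk", ".vbs", ".js",
                    ".ps1", ".bat", ".cmd", ".hta"}
# autorun.inf is the classic propagation vector used by USB worms.
BLOCKED_NAMES = {"autorun.inf"}


def sha256_file(path: Path) -> str:
    """Stream the file so large volumes do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def is_pe(path: Path) -> bool:
    """Windows executables (EXE, DLL, SCR) start with the 'MZ' DOS stub,
    whatever the file happens to be named."""
    with path.open("rb") as f:
        return f.read(2) == b"MZ"


def classify(path: Path, bad_hashes: set[str]) -> list[str]:
    """Return the list of policy findings for one file (empty if clean)."""
    findings: list[str] = []
    if path.name.lower() in BLOCKED_NAMES:
        findings.append("autorun")
    suffixes = [s.lower() for s in path.suffixes]
    if suffixes and suffixes[-1] in BLOCKED_SUFFIXES:
        findings.append("blocked-extension")
        # e.g. invoice.pdf.exe: a decoy document extension before the real one
        if len(suffixes) >= 2 and suffixes[-2][1:].isalpha():
            findings.append("double-extension")
    if is_pe(path):
        findings.append("pe-header")
    if sha256_file(path) in bad_hashes:
        findings.append("known-bad-hash")
    return findings


def scan_volume(root: Path, bad_hashes: set[str]) -> dict[str, list[str]]:
    """Walk a mounted volume; map each flagged file (POSIX-style relative
    path) to its findings. Clean files are omitted."""
    report: dict[str, list[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            findings = classify(p, bad_hashes)
            if findings:
                report[p.relative_to(root).as_posix()] = findings
    return report


def build_sample_volume(root: Path) -> set[str]:
    """Populate a directory with constructed files standing in for a USB
    stick, and return the constructed known-bad hash set."""
    (root / "docs").mkdir()
    (root / "docs" / "report.pdf").write_bytes(b"%PDF-1.4\n%constructed benign document\n")
    (root / "autorun.inf").write_text("[autorun]\nopen=setup.exe\n")
    (root / "setup.exe").write_bytes(SAMPLE_PAYLOAD)
    (root / "docs" / "invoice.pdf.exe").write_bytes(b"not a PE, but the name is a classic lure")
    # Same executable renamed to look like a text file: hash no longer
    # matches the feed, but the MZ header still gives it away.
    (root / "notes.txt").write_bytes(SAMPLE_PAYLOAD + b" renamed")
    return {hashlib.sha256(SAMPLE_PAYLOAD).hexdigest()}


def demo() -> dict[str, list[str]]:
    """Build the constructed volume in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        return scan_volume(root, build_sample_volume(root))


if __name__ == "__main__":
    for rel, why in sorted(demo().items()):
        print(f"{rel}: {', '.join(why)}")
```

In a real deployment the hash set would be refreshed from a feed, the walk would run against the mount point of the inserted drive, and a non-empty report would block the drive from being released onto the plant floor. Note that `notes.txt` is flagged even though its hash is unknown; that is the case a hash-only scanner misses.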
The bottom line
The report wraps up by pointing out something most security teams already know: every company is going to face an attack sooner or later. The real question is whether you’re ready for it. That means having the right tools, the right people, and a plan that works when things go sideways.
Old threats are still slipping through, which shows there’s still work to do on the basics. As the report says, “It’s never too late to start.”