Ramnit Infections Surge in OT, Hinting at ICS Targeting

Honeywell Report Highlights Surge in Malware Threats to Industrial Systems 

Industrial giant Honeywell has released its 2025 Cybersecurity Threat Report, revealing a sharp rise in ransomware and malware attacks across the industrial sector. 

Drawing from open-source intelligence and industry data, the report confirms a notable increase in ransomware attacks on industrial organizations. Although not all of these attacks directly affected operational technology (OT) systems, more than half of the 55 cybersecurity incidents reported to the U.S. Securities and Exchange Commission in 2024 had an impact on OT environments. 

More compelling insights in the report come from Honeywell’s own cybersecurity tools, which monitor industrial networks, scan USB drives for threats, and provide real-time threat intelligence. These internal systems have offered a clearer view of the current threat landscape. 

According to Honeywell, its SMX USB scanning solution analyzed more than 31 million files between the fourth quarter of 2024 and the first quarter of 2025. The system blocked nearly 5,000 files and identified over 1,800 unique threats, including 124 that had never been seen before. 

Among the top malware families detected were Win32.Worm.Ramnit, Trojan.scar/shyape, Trojan.lokibot/stealer, and Win32.Worm.Sohanad. Together, these accounted for 42 percent of all malware detections. 

Ramnit stood out as the most significant threat. This long-established Windows malware family includes worms that spread through USB drives and trojans capable of granting attackers remote control over infected machines. These variants can steal sensitive data such as login credentials and banking information. 

Honeywell reported a staggering 3,000 percent increase in Ramnit detections in the fourth quarter of 2024 compared to the second quarter. 

“W32.Ramnit is primarily known as a banking trojan used to steal account credentials. However, due to its widespread presence in our customers’ environments, it is reasonable to assume it may now be targeting control system credentials,” Honeywell explained.

Paul Smith, Director of OT Cybersecurity Engineering at Honeywell and the report’s lead author, stated that this assumption is based on internal findings. The company recorded no Ramnit activity in the first quarter of 2024, yet it quickly became the most detected threat in subsequent months.

“We have identified and blocked thousands of malicious tools, including trojans, spyware, ransomware, and crypto lockers. These threats often enter organizations through careless employee actions, penetration testers, red and blue team exercises, and even advanced nation-state actors,” Smith said. 

He added that Ramnit’s consistent dominance in recent quarters raises questions about whether this is part of a targeted campaign or simply a widely used tool for extracting credentials. 

Smith also emphasized that many industrial control systems operate on Windows platforms. This makes them especially vulnerable to malware like Ramnit, which takes advantage of living-off-the-land binaries already present in the system. These tools allow attackers to conduct malicious actions without deploying additional code, making detection more difficult. 
