Defensive-Playbook
By Lyrie Research Division — Senior Analyst Desk·5/1/2026

TL;DR

Every OT ransomware incident Dragos responded to in 2025 followed an identical four-step pattern: breach an internet-facing remote access appliance, move laterally via standard IT protocols (RDP/SMB/WMI), pivot to VMware ESXi hypervisors hosting SCADA/HMI/Historian workloads, and destroy the virtualization layer. No ICS-specific malware required. No industrial protocol exploitation. Standard IT attack tools — standard IT impact — catastrophic OT operational consequences. The Lotus Wiper campaign against Venezuelan energy infrastructure demonstrated the terminal evolution of this model: a pre-positioned, zero-recovery wiper that compresses defender response time to near zero. This piece maps the complete attack chain documented in the Dragos 2026 OT/ICS Year in Review, explains why IT security controls miss it at every stage, and delivers a concrete detection and response playbook for industrial defenders.


Background: The Numbers Are No Longer Ambiguous

On February 17, 2026, Dragos published its ninth annual OT/ICS Cybersecurity Year in Review. The headline figure — 119 ransomware groups impacting 3,300+ industrial organizations in 2025, a 49% increase year-over-year — could be dismissed as marketing hyperbole. The operational metric cannot: Dragos Incident Response observed significant operational disruption in all OT ransomware cases responded to in 2025. Not most. Not many. All.

Manufacturing accounted for more than two-thirds of victims. Three new OT-focused threat groups emerged in 2025 alone:

  • SYLVANITE — An initial access broker that weaponizes edge device vulnerabilities at speed and is built specifically to hand footholds to ICS-capable Stage 2 actors. Its primary hand-off partner is VOLTZITE (overlapping with Volt Typhoon), which then conducts deeper OT intrusions including control loop mapping.
  • PYROXENE — An IRGC-backed Iranian group that deployed destructive wiper malware against critical infrastructure during the June 2025 Iran-Israel escalation. PYROXENE operates at the geopolitical boundary between cybercrime and warfare.
  • AZURITE — Operationally overlapping with Flax Typhoon. Specializes in long-term data exfiltration and sustained surveillance of OT systems across the US, Europe, and Asia-Pacific. Not for immediate impact; for future leverage.

The total tracked OT threat group count reached 26, with 11 active in 2025. Adversaries have moved from opportunistic targeting of industrial organizations to a professional ecosystem with specialized roles: access brokers, lateral movement specialists, OT reconnaissance teams, and destruction-capable final-stage actors.

The convergence is real, the maturation is complete, and the playbook is documented. Now we need to build the counter-playbook.


The Attack Chain: Four Steps That Work Every Time

Step 1: Initial Access via Internet-Facing Remote Access Infrastructure

The entry point is never the PLC. It is never the HMI. It is the Citrix NetScaler, the Fortinet FortiGate, the Ivanti Pulse Secure, or the vendor-specific remote access gateway that every industrial organization operates for legitimate operational reasons.

Dragos found that 82% of verified OT intrusions in 2025 used internet-facing remote access as the initial vector (corroborated by Claroty). The credentials used came from one of three sources:

1. Commodity infostealers — Lumma, Vidar, Redline, and their derivatives sold on Telegram and dark-web markets for $10–$50 per log

2. Initial Access Broker (IAB) sales — SYLVANITE and similar groups sell pre-validated VPN/RDP footholds to ransomware affiliates within 24–72 hours of exploitation

3. Credential stuffing — Using enterprise credential dumps from unrelated breaches against VPN portals that lack MFA enforcement

The critical observation: every major remote access appliance used in industrial environments — Citrix NetScaler (CVE-2023-3519, CVE-2024-8963), Fortinet (CVE-2024-21762, CVE-2024-55591), Ivanti Connect Secure (CVE-2025-0282, CVE-2025-22457) — has had critical unauthenticated RCE or authentication bypass CVEs in the 24 months preceding this report. The vulnerability exposure is not a gap. It is a sustained attack surface maintained by operational necessity and patch lag.

Step 2: Lateral Movement via Standard IT Protocols

Once inside the enterprise network, attackers follow the connectivity that OT operations require. They do not need OT knowledge. They need to follow the pipes.

The lateral movement sequence documented across Dragos IR cases:

VPN/RDP entry → Enterprise IT workstation → 
Jump server / Bastion host → 
Historian server (dual-homed IT + OT) → 
Engineering workstation (email + PLC programming capability) → 
IDMZ patch distribution server → 
Vendor remote access gateway → 
VMware ESXi host

The tools used at each hop: RDP, SMB/PsExec, WinRM, WMI, SSH. These are the same tools that IT administrators use daily. They generate the same log types. They look identical in SIEM detections designed for IT environments. Which is why they work.

The average dwell time before detection in OT ransomware incidents is measured in weeks to months. In 30% of Dragos IR cases in 2025, the first indication of compromise came from operational staff reporting abnormal behavior — not from any security tool. The telemetry required to determine whether cyber activity was involved had never been collected.

Step 3: The VMware Pivot — The Step Industrial CISOs Underestimate

This is the decisive move, and it is invisible to most industrial security programs.

Ransomware groups in 2025 did not target PLCs. They did not need to understand Modbus, DNP3, or PROFINET. They targeted VMware ESXi hypervisors hosting the Windows VMs that run SCADA applications, HMI software, Historian databases, and engineering workstations.

The encryption sequence on ESXi:

1. Identify ESXi host via network scan (nmap or built-in Windows discovery)

2. Authenticate via ESXi management interface (credentials harvested from IT lateral movement)

3. Deploy ESXi locker — variants of Akira ESXi, Qilin ESXi, RansomHub ESXi encryptors — via SSH

4. Enumerate and power off all VMs: esxcli vm process kill --type=force --world-id=<id>

5. Encrypt all .vmdk, .vmx, .vmsn, .nvram files with AES-256

6. Drop ransom note in /vmfs/volumes/

When the hypervisor is encrypted, the operator cannot see the process, issue commands, or verify that physical systems are operating within safe parameters. The turbine keeps spinning. The valve holds its position. But the control room is blind, and the HMI is a black screen. The operational impact is identical to a direct attack on the physical control system.

The attack does not require any OT-specific knowledge. The ESXi host is a standard enterprise server, reachable via standard network protocols, with standard credentials. It sits in the IT/OT boundary zone because it has to — because OT operations depend on Windows-based SCADA and HMI software that runs on it.

Step 4: The Misclassification That Hides the True Damage

When engineering workstations, Historian servers, and VMware hypervisors are encrypted, incident responders without OT context classify the incident as "IT ransomware." This is not a semantic error. It is a systemic failure with three consequences:

1. Mitigation deprioritization — IT ransomware recovery focuses on restoring servers. OT ransomware recovery requires restoring operator visibility and the control plane before any physical system can be validated as safe.

2. Regulatory misreporting — Under NERC CIP, TSA Pipeline Security directives, and NIS2, OT cyber incidents have different reporting timelines and notification obligations. Misclassification means non-compliance.

3. Actuarial distortion — Dragos estimates misclassification represents tens of billions in understated OT impact annually. Insurance claims may be disputed or underpaid because the incident is categorized as IT rather than OT.


The Lotus Wiper Case: The Terminal Evolution

In late 2025 and early 2026, a previously undocumented destructive wiper designated Lotus Wiper was deployed against energy and utilities organizations in Venezuela. Lotus Wiper represents the next phase of the OT attack evolution: no ransomware, no negotiation, no recovery path.

Technical architecture:

  • Compiled September 2025, staged months before detonation on domain-joined hosts
  • Trigger mechanism: a single control file (OHSync.xml) placed in the NETLOGON share
  • Simultaneous execution across all domain-joined hosts when triggered — network-wide destruction in a single file write
  • Designed explicitly for legacy Windows environments common in OT: Windows 7, Server 2008, Server 2012
  • Execution sequence: destroys restore points → zeros physical drives → erases file system artifacts → disables network interfaces → locks out accounts

The 90-day lookback window: Lotus Wiper was pre-positioned for approximately three months before detonation. Standard IR lookback windows (14–30 days) would miss the staging entirely. The 90-day lookback is not a best practice suggestion. It is the minimum required to detect this class of threat.

MITRE ATT&CK ICS mapping:

  • T0879 Damage to Property — Physical operational impact through destruction of OT-supporting Windows infrastructure
  • T0803 Block Command Message — Loss of operator visibility achieved through HMI/SCADA VM destruction
  • T0835 Manipulate I/O Image — Indirectly, through historian and SCADA destruction removing the ground-truth process record

Attribution is unconfirmed in open reporting, but the campaign profile — months of prior domain access, environmental specificity, single-trigger simultaneous execution, state-strategic timing — is consistent with nation-state offensive cyber operations timed to a geopolitical objective.


IOCs / Indicators

Lotus Wiper campaign artifacts (TLP:WHITE):

  • Trigger file: OHSync.xml placed in \\<domain>\NETLOGON\
  • Compilation timestamp: September 2025 (exact date redacted in public reporting)
  • Target OS: Windows 7, Windows Server 2008 R2, Windows Server 2012 R2
  • Behavior: NTFS MFT zeroing, VSS deletion via vssadmin delete shadows /all, NIC disable via netsh interface set interface
  • File extension: No encryption extension — files zeroed in place
  • Persistence: None (single execution, designed to self-terminate post-destruction)

OT Ransomware Common IOCs (infrastructure patterns):

  • ESXi management interface accessed from non-management VLAN IP ranges
  • esxcli vm process kill in ESXi shell logs at unusual hours
  • Mass .vmdk extension rename activity in ESXi datastore logs
  • VPN authentication from ASN ranges associated with residential proxy providers (Bright Data, Oxylabs, IPRoyal)
  • Infostealer C2 domains: Lumma Stealer uses domain generation algorithms; pivot on short-lived .ru, .su, .pw TLDs
  • SYLVANITE IAB infrastructure: Proxyware exit nodes used for persistence callbacks; rotates every 48–72 hours

Lyrie Take: The Control Plane Is the Target

Here is what the Dragos data tells us when you strip the vendor language: adversaries have discovered that you do not need to know how a refinery works to shut it down. You just need to destroy the Windows servers that the refinery's operators depend on.

This is strategically rational and operationally devastating. OT environments adopted Windows-based SCADA and HMI software because Windows was the dominant enterprise operating system when these systems were deployed — often in the 1990s and 2000s. Those same legacy Windows systems, running on virtualization infrastructure that was added later to consolidate hardware, are now the chokepoint through which all physical control flows.

The adversary has figured this out. The defender community has been slower to internalize it.

The Lyrie angle: autonomous defense systems cannot afford to draw a hard line between IT and OT telemetry. The attack crosses that line. The defense must too. Detection models that treat ESXi management plane activity as "IT" and PLC polling as "OT" will miss every attack in the documented playbook. The correlation must happen across the IT/OT boundary in real time, not in a post-incident tabletop.

SYLVANITE represents a new kind of threat: an access broker that specifically targets the remote access infrastructure of industrial organizations and hands validated footholds to ICS-capable Stage 2 actors. This is supply chain logic applied to initial access. The primary target of SYLVANITE's customers is not data theft. It is operational disruption timed to geopolitical leverage.

Autonomous defense must be capable of detecting the SYLVANITE hand-off — the transition from commodity infostealer-sourced credential use to ICS-specific lateral movement behavior — and containing it before Stage 2 actors begin OT reconnaissance.


Defender Playbook

Priority 1: Harden the Initial Access Vector (Week 1)

  • Inventory every internet-facing remote access appliance. Citrix, Fortinet, Ivanti, Palo Alto GlobalProtect, Cisco ASA. Every one. If you do not know what is exposed, you cannot patch or monitor it.
  • Enforce MFA on all VPN and remote access portals without exception. Credential stuffing is not sophisticated. It works because MFA is not universal.
  • Patch critical CVEs in remote access appliances within 48 hours of public disclosure. SYLVANITE weaponizes edge device CVEs before patches are widely applied. The 48-hour window is not aspirational. It is the adversarial tempo.
  • Subscribe to credential breach monitoring. Services like Flare, SpyCloud, or Have I Been Pwned Enterprise will surface employee credentials before attackers use them. Alert on any match for accounts with VPN access.

Priority 2: Instrument the Lateral Movement Path (Weeks 2–3)

  • Enable enhanced logging on all Windows systems in the IT/OT boundary zone: Historian servers, engineering workstations, jump servers, IDMZ systems. Process creation (Sysmon Event ID 1), network connections (Event ID 3), PowerShell script block logging (Event ID 4104), service installation (Event ID 7045).
  • Create detection rules for the documented lateral movement sequence:
    - RDP authentication to Historian server from non-standard source IP
    - PsExec or WMIC execution on engineering workstation from remote session
    - SMB tree connect to \\<hostname>\IPC$ followed immediately by service installation
    - WinRM session from IT zone to IDMZ within 24 hours of VPN authentication from residential ASN
  • Deploy deception assets in the OT boundary zone: fake Historian servers, decoy engineering workstations, honeypot SCADA credentials. Lateral movement toward OT triggers these assets reliably; legitimate traffic does not.
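The four detection rules above, written out as a small correlation script over constructed Windows/Sysmon-style events. This is an added example and is not code from the article, from Dragos or from Lyrie. The host tags (HISTORIANS, ENG_WORKSTATIONS, IDMZ_HOSTS), the management network and the residential ASN label are assumptions standing in for a CMDB, a network model and an ASN reputation feed; the sample events are constructed to show one intrusion path beside benign administrator activity.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed asset inventory and intel (assumption: in practice these come
# from the CMDB / network model and an ASN reputation feed).
HISTORIANS = {"HIST01"}
ENG_WORKSTATIONS = {"EWS01"}
IDMZ_HOSTS = {"IDMZ-PATCH01"}
MGMT_NETS = [ip_network("10.10.50.0/24")]      # where RDP to a historian is expected from
RESIDENTIAL_ASNS = {"AS-RESIDENTIAL-EXAMPLE"}  # placeholder label, not a real ASN


@dataclass
class Event:
    ts: datetime
    kind: str          # logon | process | share | service | netconn | vpn
    host: str          # host that produced the event
    user: str
    src_ip: str = ""
    detail: str = ""   # logon type / image path / share / dest port / ASN label
    dst_host: str = ""
    session: str = ""  # "remote" or "console" for process events


def rdp_to_historian(events):
    """Rule 1: RDP logon (Windows 4624, logon type 10) to a historian from outside the management nets."""
    return [(e.ts, e.host, e.user, e.src_ip) for e in events
            if e.kind == "logon" and e.detail == "10" and e.host in HISTORIANS
            and not any(ip_address(e.src_ip) in n for n in MGMT_NETS)]


def remote_admin_tool_on_ews(events):
    """Rule 2: PsExec or WMIC started on an engineering workstation from a remote session (Sysmon 1)."""
    tools = ("psexec.exe", "psexesvc.exe", "wmic.exe")
    return [(e.ts, e.host, e.user, e.detail) for e in events
            if e.kind == "process" and e.host in ENG_WORKSTATIONS
            and e.detail.lower().endswith(tools) and e.session == "remote"]


def ipc_then_service_install(events, window=timedelta(seconds=60)):
    """Rule 3: IPC$ tree connect (5145) followed within `window` by a service install (7045) on the same host."""
    hits = []
    for s in (e for e in events if e.kind == "share" and e.detail.upper().endswith("IPC$")):
        for e in events:
            if e.kind == "service" and e.host == s.host and timedelta(0) <= e.ts - s.ts <= window:
                hits.append((s.ts, s.host, s.user, s.src_ip, e.detail))
    return hits


def winrm_after_residential_vpn(events, window=timedelta(hours=24)):
    """Rule 4: WinRM (5985/5986) from a non-IDMZ host into the IDMZ by a user whose VPN
    authentication came from a residential-proxy ASN within the previous `window`."""
    hits = []
    for v in (e for e in events if e.kind == "vpn" and e.detail in RESIDENTIAL_ASNS):
        for e in events:
            if (e.kind == "netconn" and e.detail in ("5985", "5986") and e.user == v.user
                    and e.host not in IDMZ_HOSTS and e.dst_host in IDMZ_HOSTS
                    and timedelta(0) <= e.ts - v.ts <= window):
                hits.append((e.ts, e.user, v.src_ip, e.host, e.dst_host))
    return hits


def run_all(events):
    return {
        "rdp_to_historian": rdp_to_historian(events),
        "remote_admin_tool_on_ews": remote_admin_tool_on_ews(events),
        "ipc_then_service_install": ipc_then_service_install(events),
        "winrm_after_residential_vpn": winrm_after_residential_vpn(events),
    }


# Constructed sample telemetry: one intrusion path plus benign admin activity.
T0 = datetime(2026, 3, 1, 2, 0, 0)
SAMPLE_EVENTS = [
    Event(T0, "vpn", "VPN-GW", "jdoe", src_ip="203.0.113.7", detail="AS-RESIDENTIAL-EXAMPLE"),
    Event(T0 + timedelta(minutes=5), "logon", "HIST01", "jdoe", src_ip="10.20.30.40", detail="10"),
    Event(T0 + timedelta(minutes=6), "logon", "HIST01", "opsadmin", src_ip="10.10.50.12", detail="10"),  # expected
    Event(T0 + timedelta(minutes=9), "process", "EWS01", "jdoe",
          detail=r"C:\Windows\System32\wbem\WMIC.exe", session="remote"),
    Event(T0 + timedelta(minutes=9), "process", "EWS01", "engineer",
          detail=r"C:\Windows\System32\wbem\WMIC.exe", session="console"),  # local use, ignored
    Event(T0 + timedelta(minutes=12), "share", "EWS01", "jdoe", src_ip="10.20.30.40", detail=r"\\*\IPC$"),
    Event(T0 + timedelta(minutes=12, seconds=20), "service", "EWS01", "jdoe", detail="PSEXESVC"),
    Event(T0 + timedelta(hours=3), "netconn", "EWS01", "jdoe", src_ip="10.20.30.40",
          detail="5985", dst_host="IDMZ-PATCH01"),
]

if __name__ == "__main__":
    for rule, hits in run_all(SAMPLE_EVENTS).items():
        print(f"{rule}: {len(hits)} hit(s)")
        for h in hits:
            print("   ", h)
```

Each rule fires exactly once on the constructed data and stays silent on the operator's expected RDP session and the local WMIC use, which is the property that matters: the individual tools are legitimate, so the rules key on where they are used from and what follows them, not on the tool itself. In a SIEM the same logic becomes four correlation searches keyed on host tags and the VPN ASN enrichment.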

Priority 3: Protect the VMware Control Plane (Weeks 3–4)

This is the most under-resourced control in industrial environments. The ESXi hypervisors hosting OT workloads are often managed without the same rigor as enterprise IT VMware infrastructure.

  • Isolate ESXi management interfaces to a dedicated management VLAN. Management UI (HTTPS/443) and SSH (22) should be reachable only from a bastion host or jump server with PAM controls. No lateral path from the enterprise IT zone directly to ESXi management.
  • Enable ESXi shell logging and ship logs to SIEM. ESXi logs are rarely collected. They are also the only record of encryptor deployment. Log path: /var/log/shell.log, /var/log/hostd.log.
  • Alert on: esxcli vm process kill, vmkfstools -c (datastore operations), SSH authentication to ESXi from non-management IP, chmod +x followed by executable write to /vmfs/volumes/.
  • Implement VMware vSphere Native Key Provider or external KMS for VM-level encryption. This does not prevent encryptors from overwriting VMDK files, but it prevents lateral decryption of already-encrypted VMs.
  • Test offline backup integrity for all OT workloads hosted on VMware every 30 days. Ransomware groups now routinely identify and destroy backup infrastructure before encryptor deployment. Immutable, air-gapped backups are the only resilience control that survives a VMware-layer attack.
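The ESXi alerting conditions above, applied to constructed shell and SSH log lines. This is an added example, not code from the article or from VMware/Broadcom. The line shape ("<ISO timestamp> <source>: <message>") is a simplification of what shell.log and the SSH auth log actually emit, so the regexes are an assumption to be adjusted against real samples; the management network is likewise an assumption.

```python
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumption: the management VLAN from which SSH to ESXi is expected.
MGMT_NETS = [ip_network("10.10.50.0/24")]

# Constructed log lines in the shape "<ISO timestamp> <source>: <message>".
# Real shell.log and sshd lines carry extra fields; the regexes below rely
# only on the parts shown here.
SAMPLE_LINES = [
    "2026-03-01T02:40:01Z sshd[1001]: Accepted keyboard-interactive/pam for root from 10.20.30.40 port 51000 ssh2",
    "2026-03-01T02:41:10Z shell[1002]: [root]: cp /tmp/svc /vmfs/volumes/datastore1/.svc",
    "2026-03-01T02:41:15Z shell[1002]: [root]: chmod +x /vmfs/volumes/datastore1/.svc",
    "2026-03-01T02:41:40Z shell[1002]: [root]: cp /tmp/cfg /vmfs/volumes/datastore1/.cfg",
    "2026-03-01T02:42:00Z shell[1002]: [root]: esxcli vm process list",
    "2026-03-01T02:42:05Z shell[1002]: [root]: esxcli vm process kill --type=force --world-id=2101234",
    "2026-03-01T02:43:00Z shell[1003]: [root]: vmkfstools -c 40G /vmfs/volumes/datastore1/new/new.vmdk",
    "2026-03-01T09:00:00Z sshd[1010]: Accepted publickey for admin from 10.10.50.12 port 52000 ssh2",
]

LINE_RE = re.compile(r"^(\S+)\s+(\S+?):\s+(.*)$")
SSH_RE = re.compile(r"Accepted \S+ for (\S+) from (\S+)")
SHELL_RE = re.compile(r"^\[(\w+)\]: (.*)$")
WRITE_CMDS = ("cp ", "mv ", "tee ", "wget ", "curl ", "cat ", "vi ")


def parse(line):
    """Split a line into (timestamp, source, message); None if it does not fit the shape."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group(2), m.group(3)


def analyze(lines, chmod_window=timedelta(seconds=300)):
    """Return the four alert classes named in Priority 3, each as a list of tuples."""
    alerts = {"ssh_from_non_mgmt": [], "vm_process_kill": [],
              "vmkfstools_create": [], "chmod_then_write": []}
    shell_cmds = []  # (ts, user, command) in log order
    for line in lines:
        parsed = parse(line)
        if not parsed:
            continue
        ts, source, msg = parsed
        if source.startswith("sshd"):
            m = SSH_RE.search(msg)
            if m and not any(ip_address(m.group(2)) in n for n in MGMT_NETS):
                alerts["ssh_from_non_mgmt"].append((ts, m.group(1), m.group(2)))
        elif source.startswith("shell"):
            m = SHELL_RE.match(msg)
            if m:
                shell_cmds.append((ts, m.group(1), m.group(2)))
    for ts, user, cmd in shell_cmds:
        if cmd.startswith("esxcli vm process kill"):
            alerts["vm_process_kill"].append((ts, user, cmd))
        if cmd.startswith("vmkfstools -c"):
            alerts["vmkfstools_create"].append((ts, user, cmd))
        if cmd.startswith("chmod +x"):
            # chmod +x followed within the window by a file write under /vmfs/volumes/
            for ts2, user2, cmd2 in shell_cmds:
                if (timedelta(0) < ts2 - ts <= chmod_window and "/vmfs/volumes/" in cmd2
                        and cmd2.startswith(WRITE_CMDS)):
                    alerts["chmod_then_write"].append((ts, user, cmd, ts2, cmd2))
                    break
    return alerts


if __name__ == "__main__":
    for name, hits in analyze(SAMPLE_LINES).items():
        print(f"{name}: {len(hits)}")
        for h in hits:
            print("   ", h)
```

On the constructed lines the script raises one alert of each class: the root SSH login from an address outside the management VLAN, the forced VM kill, the vmkfstools datastore operation, and the chmod +x followed by a write to the datastore. The admin login from the management VLAN and the harmless esxcli vm process list produce nothing. Note that the sample also shows the write landing before the chmod; a production rule should treat that order as equally suspicious, since the article's point is that any executable appearing under /vmfs/volumes/ outside a change window deserves a look.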

Priority 4: Detection Rules Specific to Lotus Wiper / Pre-positioned Wipers (Ongoing)

  • Monitor NETLOGON share for unexpected file creation. The NETLOGON share (\\<domain>\NETLOGON) is used for logon scripts. New .xml, .bat, .ps1, or .exe files created by non-administrator accounts are high-confidence indicators of pre-positioning. Alert immediately.
  • Detect VSS deletion chains: vssadmin delete shadows /all /quiet or PowerShell equivalents (Get-WmiObject Win32_ShadowCopy | Remove-WmiObject) are the first step in any wiper or ransomware payload. These commands have no legitimate operational purpose in production OT environments.
  • Extend IR lookback to 90 days minimum. Lotus Wiper was staged three months before detonation. Standard 14–30 day lookback windows produce false-clean verdicts. Configure SIEM retention and threat hunting queries to cover the full 90-day window.
  • Deploy Windows Defender Application Control (WDAC) or AppLocker on OT-adjacent Windows hosts. Engineering workstations and Historian servers have narrow legitimate software profiles. Block unsigned binaries by default.
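The NETLOGON monitoring, VSS deletion detection and 90-day lookback from this priority, combined into one hunting function over constructed Sysmon-style events (Event ID 11 file creation and Event ID 1 process creation). This is an added example, not code from the article or from the Lotus Wiper reporting it summarizes. The SCRIPT_PUBLISHERS set is an assumption standing in for the AD group that is actually allowed to publish logon scripts; the domain name, hosts and accounts are constructed. The hunt goes slightly beyond the article in also matching the local SYSVOL scripts path (which is what the NETLOGON share is served from on a domain controller) and the wmic shadowcopy delete variant.

```python
import re
from datetime import datetime, timedelta

# Assumption: accounts permitted to publish logon scripts (from AD group membership in practice).
SCRIPT_PUBLISHERS = {"CORP\\dcadmin"}

# NETLOGON is served from the SYSVOL scripts folder on a domain controller, so both the
# UNC form (\\<domain>\NETLOGON\...) and the local form are matched.
NETLOGON_RE = re.compile(r"(?i)\\NETLOGON\\|\\sysvol\\[^\\]+\\scripts\\")
STAGING_EXTS = (".xml", ".bat", ".ps1", ".exe")


def is_vss_deletion(cmdline):
    """True for the shadow-copy deletion patterns that precede wiper or ransomware payloads."""
    c = " ".join(cmdline.lower().split())
    return (("vssadmin" in c and "delete shadows" in c)
            or ("win32_shadowcopy" in c and ("remove-wmiobject" in c or "remove-ciminstance" in c))
            or ("wmic" in c and "shadowcopy delete" in c))   # common variant, not listed in the article


def hunt(events, now, lookback_days=90):
    """Scan events newer than `now - lookback_days` for NETLOGON staging and VSS deletion."""
    cutoff = now - timedelta(days=lookback_days)
    findings = {"netlogon_staging": [], "vss_deletion": []}
    for e in events:
        if e["ts"] < cutoff:
            continue
        if (e["event_id"] == 11 and NETLOGON_RE.search(e["path"])
                and e["path"].lower().endswith(STAGING_EXTS)):
            # A non-publisher account writing a script-type file to NETLOGON is the
            # high-confidence case; a publisher doing so still merits review.
            sev = "high" if e["user"] not in SCRIPT_PUBLISHERS else "medium"
            findings["netlogon_staging"].append((sev, e["ts"], e["host"], e["user"], e["path"]))
        elif e["event_id"] == 1 and is_vss_deletion(e["cmdline"]):
            findings["vss_deletion"].append((e["ts"], e["host"], e["user"], e["cmdline"]))
    return findings


# Constructed sample telemetry. The control-file creation sits 80 days back so that a
# 90-day hunt finds it and a 30-day hunt does not.
NOW = datetime(2026, 4, 1, 12, 0, 0)
SAMPLE_EVENTS = [
    {"ts": NOW - timedelta(days=80), "event_id": 11, "host": "DC01", "user": "CORP\\svc_backup",
     "path": r"C:\Windows\SYSVOL\sysvol\corp.example\scripts\OHSync.xml"},
    {"ts": NOW - timedelta(days=2), "event_id": 11, "host": "DC01", "user": "CORP\\dcadmin",
     "path": r"\\corp.example\NETLOGON\logon.bat"},
    {"ts": NOW - timedelta(days=2), "event_id": 11, "host": "DC01", "user": "CORP\\dcadmin",
     "path": r"\\corp.example\NETLOGON\readme.txt"},  # not a staging extension, ignored
    {"ts": NOW - timedelta(hours=1), "event_id": 1, "host": "EWS01", "user": "CORP\\jdoe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"ts": NOW - timedelta(hours=1), "event_id": 1, "host": "HIST01", "user": "CORP\\jdoe",
     "cmdline": 'powershell.exe -c "Get-WmiObject Win32_ShadowCopy | Remove-WmiObject"'},
    {"ts": NOW - timedelta(hours=1), "event_id": 1, "host": "HIST01", "user": "CORP\\backup",
     "cmdline": "vssadmin list shadows"},  # enumeration only, benign
]

if __name__ == "__main__":
    for days in (30, 90):
        f = hunt(SAMPLE_EVENTS, NOW, days)
        print(f"lookback {days}d: {len(f['netlogon_staging'])} NETLOGON finding(s), "
              f"{len(f['vss_deletion'])} VSS deletion(s)")
        for item in f["netlogon_staging"]:
            print("   ", item)
```

The two runs make the lookback argument concrete: the 30-day hunt reports only the administrator's logon.bat (medium severity) and returns a clean verdict on the control file, while the 90-day hunt surfaces the .xml written by a service account 80 days earlier as the high-severity finding. SIEM retention has to cover the full window for this to work; a rule that only runs over the last two weeks of hot storage cannot see a three-month staging period no matter how good its logic is.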

Priority 5: Incident Classification Discipline

  • Create an OT Incident Checklist that every IR team member must complete before classifying an incident as "IT only." Questions: Does any impacted system have connections to OT networks? Does any impacted system host SCADA, HMI, Historian, or engineering software? Does loss of the system affect operator visibility or control?
  • If yes to any: classify as OT incident, escalate to OT security team and plant operations immediately. Do not deprioritize because the physical equipment is still running. The VMware-layer attack pattern means equipment continues operating while operator control is lost.
  • Report under OT cyber incident frameworks (NERC CIP incident reporting, TSA SD-02D/SD-02E, NIS2 Article 23) even when the direct impact appears confined to IT systems.

Sources

1. Dragos. "2026 OT/ICS Cybersecurity Year in Review." Published February 17, 2026. dragos.com/blog/dragos-2026-ot-cybersecurity-year-in-review

2. TerraZone. "OT Is Now the Primary Ransomware Target: What the Dragos 2026 Report Means for Industrial CISOs." April 28, 2026. terrazone.io/ot-is-now/

3. PhishCloud. "Threat Bulletin: Lotus Wiper — Long-Dwell Destructive Wiper Against Venezuelan Energy Infrastructure." April 2026. phishcloud.com/threat-bulletin-lotus-wiper/

4. ReliaQuest. "Ransomware and Cyber Extortion in Q1 2026." April 27, 2026. reliaquest.com/blog/threat-spotlight-ransomware-and-cyber-extortion-in-q1-2026/

5. INE Security. "INE Highlights Escalating Cost of Ransomware Downtime in Industrial Environments." April 30, 2026. globenewswire.com/news-release/2026/04/30/3285316/

6. Dragos. "OT Threat Landscape 2026." dragos.com/blog/ot-threat-landscape-2026

7. ARC Advisory Group. "Dragos 2026 OT Cybersecurity Report Notes Disturbing Shifts." arcweb.com/blog/dragos-2026-ot-cybersecurity-report-notes-disturbing-shifts

8. MITRE ATT&CK for ICS. v19 — T0879 Damage to Property; T0803 Block Command Message; T0835 Manipulate I/O Image. attack.mitre.org/techniques/enterprise/ics/



Lyrie Verdict

Lyrie's autonomous defense layer flags this class of exposure the moment it surfaces — no signature update required.