Ransomware remains a critical and escalating threat to organizations globally, significantly impacting operational technology (OT) environments and critical infrastructure. The frequency and sophistication of ransomware attacks continue to grow, and new variants are introduced regularly. The latest Dragos Knowledge Pack includes specialized and high-fidelity threat detection capabilities, based on up-to-date adversary research, to defend against ransomware attacks impacting OT.
What Are Knowledge Packs?
Knowledge Packs are the mechanism Dragos uses to continuously deliver essential cybersecurity content directly to the Platform. They contain codified threat intelligence and expert guidance from Dragos’s operational technology (OT) security professionals.
As OT threats evolve rapidly, Knowledge Packs ensure the Dragos Platform remains current and effective. Weekly updates deliver the latest indicators of compromise (IOCs), vulnerabilities, threat detections, protocol dissections, incident response playbooks, and informative dashboards.
Immediate OT Threat Landscape: Ransomware
Recent threat intelligence research in the 2025 Dragos OT Cybersecurity Report highlights increasingly aggressive ransomware operations targeting industrial organizations and OT environments. In 2024, Dragos identified 1693 ransomware attacks targeting industrial organizations, nearly double the number of attacks in 2023.
Dragos tracked nearly 80 ransomware groups in 2024, a 60 percent increase from the 50 groups observed in 2023. Collectively, these groups attacked an average of 34 industrial organizations per week during the first half of 2024, which more than doubled during the second half of the year. They have repeatedly demonstrated their capability to rapidly compromise systems, escalate privileges, move laterally, exfiltrate sensitive data, and deploy ransomware payloads, resulting in severe operational disruptions and financial losses.
The Knowledge Pack focuses specifically on these ransomware threats, offering urgent detection and response capabilities to neutralize and mitigate these advanced threats before significant damage occurs.
Critical Ransomware Detection Enhancements
Organizations today face an unprecedented and escalating risk from ransomware threats targeting operational technology (OT) and critical infrastructure. Cyber criminals continue to evolve their tactics, employing increasingly sophisticated and elusive methods to infiltrate environments, disrupt operations, and cause severe financial and operational impacts.
To counter this growing threat, the latest Dragos Knowledge Pack delivers advanced, continuously refined detection capabilities that empower defenders to identify malicious behaviors associated with ransomware attacks quickly. This Knowledge Pack significantly strengthens detection across various ransomware attack stages—including initial access, lateral movement, reconnaissance, and final payload deployment—allowing organizations to swiftly detect and disrupt malicious activities at their earliest possible stages.
At the heart of this Knowledge Pack is a detection methodology developed by the Dragos Intel Detection team to identify rapidly evolving ransomware attacks, particularly those executed programmatically using attacker-defined scripts. This approach introduces a composite detection mechanism built on more than 1500 atomic analytics that are assessed dynamically in real time.
When these atomic analytics detect suspicious activity, the composite detection evaluates them collectively, triggering an elevated severity alert—known as a “super-detection”—once predefined thresholds are reached. This method identifies subtle, seemingly benign activities characteristic of living-off-the-land attack techniques by applying a rigorous “preponderance of the evidence” approach. Crucially, stronger attack indicators are carefully factored into this evaluation, ensuring alerts accurately reflect the severity and urgency of the situation.
To empower security teams with actionable insights, each triggered composite analytic includes a detailed sequential narrative within its “What Happened” field. This feature provides analysts with clear, step-by-step visibility into the host’s activities, significantly enhancing their ability to understand the attack progression and respond quickly and effectively.
Leveraging Dragos’s industry-leading threat intelligence and extensive analysis of real-world ransomware intrusions, these detections pinpoint suspicious file transfers, anomalous remote access patterns, unauthorized enumeration and reconnaissance behaviors, and attempts at credential harvesting and misuse.
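To make the composite mechanism described above concrete, here is an added example (not Dragos's code or analytics): weighted atomic hits for one host are summed in chronological order, a "super-detection" fires once the total crosses a threshold, and the per-step narrative plays the role of the "What Happened" field. The analytic names, weights, threshold and host timelines are all constructed for this illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Hypothetical atomic analytics with evidence weights (constructed for this
# example, not Dragos's analytics). Low weights model living-off-the-land
# steps that look benign alone; the high weight is a strong indicator.
ATOMIC_ANALYTICS: Dict[str, int] = {
    "smb_file_transfer_to_admin_share": 2,
    "domain_admin_group_enumeration": 2,
    "remote_access_tool_outside_change_window": 3,
    "dns_query_to_cloud_storage_service": 2,
    "credential_dump_tool_execution": 6,
}
SUPER_DETECTION_THRESHOLD = 8  # constructed threshold

@dataclass
class HostEvidence:
    host: str
    hits: List[Tuple[str, str]] = field(default_factory=list)  # (timestamp, analytic)

def evaluate_host(evidence: HostEvidence) -> dict:
    """Score a host's atomic hits collectively and build a sequential narrative."""
    score, narrative = 0, []
    for ts, analytic in sorted(evidence.hits):  # chronological order
        weight = ATOMIC_ANALYTICS.get(analytic)
        if weight is None:
            continue  # unknown analytic names contribute no evidence
        score += weight
        narrative.append(f"{ts} {analytic} (+{weight}, running total {score})")
    if score >= SUPER_DETECTION_THRESHOLD:
        severity = "super-detection"
    elif score > 0:
        severity = "informational"
    else:
        severity = "none"
    return {"host": evidence.host, "score": score, "severity": severity,
            "what_happened": narrative}

# Constructed sample input: a routine remote-support session on one host and
# a chain of individually low-weight steps on another.
MAINTENANCE_HOST = HostEvidence("eng-ws-01", [
    ("2025-03-01T09:00:00Z", "remote_access_tool_outside_change_window"),
])
SUSPECT_HOST = HostEvidence("hmi-srv-02", [
    ("2025-03-01T02:10:00Z", "remote_access_tool_outside_change_window"),
    ("2025-03-01T02:14:00Z", "domain_admin_group_enumeration"),
    ("2025-03-01T02:21:00Z", "smb_file_transfer_to_admin_share"),
    ("2025-03-01T02:30:00Z", "dns_query_to_cloud_storage_service"),
])
```

Calling `evaluate_host(SUSPECT_HOST)` returns a score of 9 and severity "super-detection" even though no single step is alarming, while the lone remote-support hit on `MAINTENANCE_HOST` stays informational.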
This Knowledge Pack also includes precise detections and analytics to counter adversaries who use remote access tools such as AnyDesk and TeamViewer. Several ransomware groups employ these tools for persistence and command-and-control (C2). Used outside their expected operational patterns, they generate behavioral anomalies that stand out in well-monitored systems. The Knowledge Pack's rules detect the unusual patterns and signatures of legitimate remote tools misused in ransomware operations, giving defenders the visibility to act decisively at the earliest stages of an attack.
This proactive approach to ransomware detection significantly reduces response times, mitigates potential impacts, and enhances overall operational resilience, providing critical infrastructure organizations with the tools to stay ahead of the ransomware threat landscape.
Proactive Threat Hunting Capabilities
Dragos WorldView publishes a weekly analysis of the tactics and tools used by ransomware groups targeting industrial organizations, with guidance on reducing the risk of an attack. Recent threat intelligence shows a rise in ransomware operations that use standard tools and protocols for lateral movement and exfiltration. Detections of suspicious SMB file transfers, anomalous DNS queries to cloud storage services, and unauthorized remote desktop software activity provide early warnings and critical indicators of potential ransomware activity. Analytic rules targeting the post-compromise reconnaissance and lateral movement techniques employed by adversaries further shorten response times and narrow the window for adversary activity.
Integrated Incident Response Playbooks
Playbooks in each Dragos Knowledge Pack offer structured, actionable guidance explicitly tailored to operational technology (OT) environments. These playbooks outline clear response steps, recommended investigative procedures, containment strategies, and remediation actions for handling specific threats and vulnerabilities detected by the Platform. Designed to accelerate incident response, they equip security teams with concise instructions, context on threat behaviors, and recommended follow-up measures—enabling quicker containment, more informed decision-making, and a more effective overall cybersecurity response.
Expanded & Improved Asset Identification
Recognizing the diversity of OT ecosystems, the Knowledge Pack improves asset characterization accuracy across multiple vendor-specific platforms, including Cisco, Honeywell, Eaton, Phoenix Contact, and Rockwell Automation. By parsing and correlating the identification data carried in SNMP, LLDP, HTTP, and CDP traffic, Dragos provides insight into industrial asset details such as firmware versions, device types, and manufacturer specifics.
These enhanced characterization capabilities improve the speed and accuracy of asset discovery, allowing security teams to validate the legitimacy of network devices with confidence and to pinpoint unauthorized or potentially compromised assets quickly.
Enhanced Protocol Dissectors
The Knowledge Pack incorporates substantial improvements in protocol dissectors, notably for critical protocols such as SEL, S7comm, and ENIP/CIP. These updates extract detailed module and chassis information from connected devices, providing enriched asset visibility crucial for threat detection and asset management.
- The updated SEL dissector leverages insights from TCP handshake processes to identify nested SEL devices accurately, substantially improving visibility into complex ICS environments. Similarly, enhancements in S7comm dissectors precisely identify asset rack and slot details.
- The ENIP/CIP dissector updates significantly advance visibility into industrial automation environments by reliably tracing response paths, tracking communication through Forward Open and Forward Close requests, and accurately identifying complex parent-child relationships within assets.
- Additional support for protocols such as SLMP, CAMP, DHIP, IEC 101, Tristation, and GE SDI complements these advancements, ensuring that even less common industrial protocols are reliably parsed and monitored and further boosting overall asset awareness and operational integrity.
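As an added illustration of the kind of rack and slot extraction the S7comm dissector improvement above refers to (example code, not Dragos's dissector): an S7 client announces the CPU it wants to talk to in the destination TSAP of the ISO-on-TCP (COTP) Connection Request, where Siemens packs the rack number into the top three bits and the slot into the low five bits of the second TSAP byte. The sample packet bytes are constructed; the parser walks the COTP parameter list rather than assuming a fixed offset, so it also copes with a reordered or absent TSAP parameter.

```python
import struct

# Constructed ISO-on-TCP (TPKT + COTP) Connection Request as an S7 client sends
# it; the destination TSAP 01 02 addresses rack 0, slot 2.
SAMPLE_COTP_CR = bytes.fromhex(
    "03000016"        # TPKT: version 3, reserved, total length 22
    "11e00000000100"  # COTP: LI 17, CR (0xE0), dst-ref 0, src-ref 1, class 0
    "c0010a"          # parameter 0xC0: TPDU size 2^10
    "c1020100"        # parameter 0xC1: source TSAP
    "c2020102"        # parameter 0xC2: destination TSAP (rack/slot live here)
)

def parse_s7_rack_slot(pdu: bytes):
    """Return (rack, slot) from a COTP CR's destination TSAP, or None."""
    if len(pdu) < 11 or pdu[0] != 0x03:
        return None
    if struct.unpack(">H", pdu[2:4])[0] != len(pdu):
        return None  # TPKT length must match the captured bytes
    li, pdu_type = pdu[4], pdu[5]
    if pdu_type != 0xE0 or 5 + li > len(pdu):
        return None  # only the Connection Request carries TSAP parameters
    pos, end = 11, 5 + li  # variable part follows LI, type, refs, class
    while pos + 2 <= end:
        code, plen = pdu[pos], pdu[pos + 1]
        value = pdu[pos + 2:pos + 2 + plen]
        if code == 0xC2 and plen == 2:
            # Siemens packs rack into bits 7..5 and slot into bits 4..0 of byte 2
            return (value[1] >> 5) & 0x07, value[1] & 0x1F
        pos += 2 + plen
    return None
```

Recording the rack and slot seen in connection requests lets an asset inventory distinguish the CPU an engineering workstation actually addresses from other modules sharing the same IP-addressable CP.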
Continuous Knowledge Delivery Commitment
Dragos is dedicated to continuously delivering knowledge in the Dragos Platform, enhancing detection and defense capabilities aligned with evolving threat dynamics. This proactive and ongoing commitment ensures customers maintain superior situational awareness and responsive capabilities against threats to operational technology and industrial control systems. Organizations leveraging this Knowledge Pack significantly enhance their defenses, ensuring operational resilience and continuity amidst an escalating ransomware threat landscape.
We recommend that Dragos Platform customers deploy the latest Knowledge Pack today and fortify their defenses against sophisticated ransomware attacks, protecting their critical infrastructure and operational integrity from urgent cyber threats.
