From Spam to Shutdown: Ransomware’s Social Engineering Path into OT
About This Session
Ransomware campaigns are evolving. Attackers increasingly rely on social engineering and the misuse of remote management tools to gain trusted access, bypassing traditional defenses. Instead of exploiting vulnerabilities, adversaries overwhelm employees with spam or fraudulent calls, persuading them to install or approve remote access software. From this initial foothold in IT, they move laterally with credential theft and legitimate administration tools, preparing the ground for ransomware deployment.
For industrial organizations, the risk is amplified by the growing convergence of IT and OT networks. Dual-use engineering laptops, jump servers, and weak segmentation provide adversaries with potential pathways from corporate systems into operational environments. What begins as a nuisance in IT can quickly escalate into production downtime or disruption of critical services.
This session will present a case study of ransomware operators abusing remote management tools to demonstrate how IT intrusions can cascade into OT impact. We will also show how threat intelligence can uncover early warning signs—spam floods, anomalous RMM usage, or low-severity alerts—and map them against MITRE ATT&CK for ICS to guide risk-based defenses.
Key Takeaways:
How ransomware groups are shifting from exploits to social engineering and RMM abuse
Why IT compromises represent growing risks to OT environments
How to use threat intelligence to connect weak IT signals into early OT warnings
Practical defenses: limiting RMM tools, tightening segmentation, and intelligence-led monitoring
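The detection idea in the abstract, chaining weak IT signals (a spam flood, a new remote-access tool, credential access, then a logon onto an OT-adjacent jump host) into one escalated warning, is the kind of thing a threat-intelligence team would prototype before the session's tooling is ever seen. The following correlation routine is an added example, not code from the session or from Landis+Gyr; the event records, host names (ENG-LAPTOP-07, OT-JUMP-01, HR-PC-22), field names and the stage-to-technique mapping are all constructed for illustration, and the ATT&CK technique IDs are cited from the public Enterprise and ICS matrices rather than from the page.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not from the session). Each record is a
# low-severity signal that, seen alone, would rarely be escalated.
# "src" on a logon event names the machine the session came from.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T09:02:00", "host": "ENG-LAPTOP-07", "signal": "spam_flood",
     "detail": "412 inbound messages in 10 minutes"},
    {"ts": "2024-03-01T09:40:00", "host": "ENG-LAPTOP-07", "signal": "rmm_install",
     "detail": "new remote-access tool service registered"},
    {"ts": "2024-03-01T10:15:00", "host": "ENG-LAPTOP-07", "signal": "cred_dump",
     "detail": "LSASS handle opened by non-AV process"},
    {"ts": "2024-03-01T10:50:00", "host": "OT-JUMP-01", "src": "ENG-LAPTOP-07",
     "signal": "new_admin_logon", "detail": "first-seen admin logon from ENG-LAPTOP-07"},
    {"ts": "2024-03-01T08:30:00", "host": "HR-PC-22", "signal": "spam_flood",
     "detail": "300 inbound messages"},
    {"ts": "2024-03-03T14:00:00", "host": "HR-PC-22", "signal": "rmm_install",
     "detail": "helpdesk tool, two days later"},
]

# Illustrative mapping chosen for this example: each weak signal -> the
# Enterprise ATT&CK technique it resembles and, where the step reaches
# toward OT, the ATT&CK for ICS technique it enables.
SIGNAL_MAP = {
    "spam_flood":      ("T1566 Phishing", None),
    "rmm_install":     ("T1219 Remote Access Software", None),
    "cred_dump":       ("T1003 OS Credential Dumping", "T0859 Valid Accounts"),
    "new_admin_logon": ("T1021 Remote Services", "T0886 Remote Services"),
}

# The order in which the intrusion path described in the abstract unfolds.
CHAIN = ["spam_flood", "rmm_install", "cred_dump", "new_admin_logon"]

# Constructed: hosts that bridge IT and OT (jump servers, engineering gateways).
OT_BRIDGE_HOSTS = {"OT-JUMP-01"}


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def correlate(events, window=timedelta(hours=24)):
    """Group signals by originating host and walk CHAIN in order.

    Stages must all fall within `window` of the first stage; a chain that
    reaches an OT bridge host at three or more stages is rated critical.
    Returns one finding per origin host that matched at least one stage.
    """
    by_origin = defaultdict(list)
    for e in events:
        by_origin[e.get("src", e["host"])].append(e)

    findings = []
    for origin, evs in by_origin.items():
        evs.sort(key=_ts)
        stage, start, techniques, ot_touched = 0, None, [], False
        for e in evs:
            if stage >= len(CHAIN) or e["signal"] != CHAIN[stage]:
                continue  # not the next expected step; keep scanning
            t = _ts(e)
            start = start or t
            if t - start > window:
                break  # chain went stale before it completed
            ent, ics = SIGNAL_MAP[e["signal"]]
            techniques.append(ent)
            if ics:
                techniques.append(ics)
            ot_touched = ot_touched or e["host"] in OT_BRIDGE_HOSTS
            stage += 1

        if stage == 0:
            continue
        if ot_touched and stage >= 3:
            severity = "critical"
        elif stage >= 3:
            severity = "high"
        elif stage == 2:
            severity = "medium"
        else:
            severity = "info"
        findings.append({"origin": origin, "stages": stage, "severity": severity,
                         "ot_touched": ot_touched, "techniques": techniques})

    return sorted(findings, key=lambda f: f["stages"], reverse=True)


if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f"{f['origin']:14} stages={f['stages']} {f['severity']:8} "
              f"ot={f['ot_touched']} {' > '.join(f['techniques'])}")
```

The design point is that none of the individual signals changes; only their ordering, proximity in time and the presence of an OT bridge host in the path raises the rating. HR-PC-22, whose remote-access tool appeared two days after its spam burst, stays at "info", while the engineering laptop whose chain reaches the jump host within two hours is escalated, with the ICS techniques attached so the finding can be handed to an OT team in their own vocabulary.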
Speaker
Sanjay Kumar
Threat Intelligence Manager - Landis+Gyr
Sanjay Kumar is a Threat Intelligence Manager at Landis+Gyr and a PhD researcher in Cybersecurity and Networking at the University of Jyväskylä, Finland, specializing in hybrid machine learning–based threat detection. He has over a decade of global experience in threat intelligence, detection engineering, and adversary tracking, having worked at several international organizations, and he currently serves as Chair of IEEE Finland Young Professionals. Sanjay is an active speaker at international cybersecurity conferences and has earned numerous awards recognizing his contributions to the field.
