Look, here is the thing. Foxconn got hit again. On May 11, the Nitrogen ransomware group dropped them on its leak site, claiming 8 terabytes of data and over 11 million files. Foxconn has confirmed the attack on its North American factories, said the response team activated, and reports indicate production is resuming after a roughly week-long disruption. The Mount Pleasant, Wisconsin plant appears to be ground zero. Wi-Fi was cut at 7 AM ET on May 1, the core plant infrastructure went down by 11 AM, and workers were filling out paper timesheets because the timecard terminals were dead.
That is the news. Now let me tell you why this matters, because when a manufacturer that size takes a hit, it should force every facilities, OT, and operations leader to look in the mirror.
This is not just an IT security story. It is an operational story.
Big Names, Big Budgets, Same Problem
Foxconn is not new to this. In 2020, DoppelPaymer hit a Foxconn facility in Mexico and reportedly demanded the bitcoin equivalent of roughly 34 million dollars at the time. In 2022, LockBit went after another Foxconn plant. In 2024, LockBit hit Foxsemicon, a Foxconn subsidiary. Now a newer group, Nitrogen, with reported ties to the old ALPHV/BlackCat crew, is taking its shot.
And it is not just Foxconn. Swap the logo and the pattern looks the same:
· Colonial Pipeline shut down fuel delivery across the U.S. East Coast after ransomware hit IT systems and leadership pulled the plug to keep things from getting worse.
· JBS, one of the largest meat processors in the world, halted plants and scrambled to get production running again after a ransomware attack.
· Norsk Hydro operated in manual mode across multiple sites after LockerGoga hit them, losing tens of millions as they fought through the recovery.
· JLR (Jaguar Land Rover) absorbed an estimated £1.9 billion in damage after a five-week shutdown last year, and the disruption rippled through 5,000 supply chain businesses.
All of these are organizations with serious funding, insurance, mature compliance programs, auditors, and boards that talk about risk. The fact that they still got hit and still had to shut down operations tells you something important.
Budget does not automatically equal resilience. Especially in OT.
Why Ransomware Loves OT and Facilities
Most companies still treat ransomware as a data problem. The thinking goes like this: encrypt my files, leak some data, hurt my brand, maybe get my lawyers and PR team involved.
That mindset is dangerous inside plants, campuses, hospitals, data centers, and smart buildings. OT and facilities environments are built for uptime and safety, not security by default. They typically include:
· Legacy PLCs, BMS, and SCADA systems that cannot be easily patched or replaced.
· Flat networks where a compromised workstation can see way too much.
· Shared or weak remote access paths into critical systems.
· Limited monitoring on the OT side compared to IT.
When ransomware gets into that world, the impact is not just files unavailable. It is:
· Lines stopped.
· Chillers and HVAC under manual control.
· Access control systems unreliable.
· Safety margins getting uncomfortably thin.
That is exactly why Foxconn workers were filling out paper timesheets, and why production lines paused. The actual PLCs and control logic may not have been encrypted, but the IT systems that support operations got pulled, and the whole thing went with them. We saw the same dynamic at Colonial Pipeline. Their OT was not directly compromised. They shut down the pipeline because they lost confidence in the boundary between IT and OT, and they could not bill customers. Different attack, same lesson.
I have said this on the podcast many times. OT is different, not harder. The components are often the same hardware, same operating systems, same protocols. The risk profile is not. A Windows XP box in an enterprise environment gets booted off the network the second a SOC analyst sees it. A Windows XP box in a power plant might be controlling the turbine. You cannot just kick it off the network without taking the unit offline. Different rules. Different playbook.
Dragos has reported hundreds of industrial ransomware incidents in a single recent quarter, with manufacturing taking the majority of the hits. Manufacturing has now been the most-targeted industry for four years running, accounting for 26 percent of all documented ransomware incidents per IBM X-Force. Average cost of a manufacturing ransomware incident hit $8.7 million in 2024. This is not random malware splash. It is deliberate targeting of operations.
If you want a deeper look at how OT changes the playbook, start here:
· Episode 48: Rethinking IT and OT - Lessons from Colonial Pipeline and Other Cyber Incidents https://protectitallpod.com/ep048/?utm_source=newsletter.protectitallpod.com&utm_medium=newsletter&utm_campaign=foxconn-ransomware
Inside the Nitrogen Playbook
Let me walk you through how Nitrogen typically gets in, because their playbook is a tour of why fundamentals matter more than fancy tools.
They did not burn a zero-day. They did not write a custom exploit. They ran malvertising campaigns, dropped fake installers for IT tools like FileZilla, WinSCP, and Advanced IP Scanner, and got their initial foothold when a business user clicked a poisoned Google or Bing ad looking for legitimate software. From there, they used DLL sideloading to load NitrogenLoader, pulled in Cobalt Strike, moved laterally, and spent weeks quietly staging data before they triggered the disruptive phase. Double extortion. Exfiltrate first, encrypt second.
Sound familiar? That is the living-off-the-land pattern Dean Parsons and I dug into on a recent episode. The adversaries are not always burning fancy exploits. They are abusing legitimate tools, legitimate access, and legitimate credentials. PowerShell, RDP, VPN, valid accounts, IT utilities downloaded by your own people. Manufacturing environments tend to have flat networks, a lot of implicit trust between IT and OT zones, and a workforce that downloads IT tools to do its job. That is the surface attackers target.
And here is the kicker. Researchers at Coveware found that Nitrogen’s ESXi encryptor has a programming flaw that makes recovery impossible, even if you pay. So if you are sitting there thinking, well, we have cyber insurance and we will just pay if we have to, that is a flawed plan. Paying the ransom may not get your files back. Recovery means good backups, tested restoration, and a real incident response plan. There is no shortcut.
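Detection logic for the entry pattern described in this section, as an added example that is not from the article or from any vendor: it flags an installer named after one of the IT tools above when it is launched from a browser download, flags an unsigned DLL loaded from the same user-writable folder as its executable, and escalates a host that shows both. The Sysmon-style events, host names, paths and path markers are constructed assumptions.

```python
from pathlib import PureWindowsPath

WATCHED_TOOLS = ("filezilla", "winscp", "advanced_ip_scanner")  # tools the article names
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}          # assumed parent processes
USER_WRITABLE = ("\\downloads\\", "\\appdata\\", "\\temp\\")    # assumed path markers

# Constructed Sysmon-style events, not taken from a real incident.
# EventID 1 = process creation, EventID 7 = image (DLL) load.
SAMPLE_EVENTS = [
    {"EventID": 1, "Host": "ENG-WS-07",
     "Image": r"C:\Users\jdoe\Downloads\WinSCP-6-Setup.exe",
     "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"EventID": 7, "Host": "ENG-WS-07",
     "Image": r"C:\Users\jdoe\AppData\Local\Temp\pkg\setup.exe",
     "ImageLoaded": r"C:\Users\jdoe\AppData\Local\Temp\pkg\helper.dll", "Signed": "false"},
    {"EventID": 1, "Host": "IT-ADM-02", "Image": r"C:\Program Files\WinSCP\WinSCP.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 7, "Host": "IT-ADM-02", "Image": r"C:\Program Files\WinSCP\WinSCP.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true"},
]

def user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)

def classify(event):
    """Return a finding label for one event, or None if it looks normal."""
    image = PureWindowsPath(event["Image"])
    if event["EventID"] == 1:
        parent = PureWindowsPath(event["ParentImage"]).name.lower()
        hit = any(t in image.name.lower().replace(" ", "_") for t in WATCHED_TOOLS)
        if hit and parent in BROWSERS and user_writable(str(image)):
            return "it_tool_installer_from_browser"
    elif event["EventID"] == 7:
        dll = PureWindowsPath(event["ImageLoaded"])
        if event["Signed"] == "false" and dll.parent == image.parent and user_writable(str(dll)):
            return "unsigned_dll_beside_exe"
    return None

def triage(events):
    """Group findings per host; a host with both findings is rated 'high'."""
    per_host = {}
    for ev in events:
        label = classify(ev)
        if label:
            per_host.setdefault(ev["Host"], set()).add(label)
    return {h: ("high" if len(f) == 2 else "review", sorted(f)) for h, f in per_host.items()}

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

An installed, signed copy of the same tool running from Program Files produces no finding, which keeps the rule quiet on the admin workstations that legitimately use these utilities.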
The Supply Chain Amplifier
Foxconn is not just another company on a list. They sit in the middle of the electronics supply chain, building components and devices for many of the brands you probably have in your pocket or on your desk. The Nitrogen group claims the stolen data includes confidential instructions, projects, and drawings from Apple, Google, Dell, Intel, and Nvidia.
One analyst quoted in WIRED put it bluntly: the topology specs for Google and Intel data centers are the real concern, because those are architectural maps of live infrastructure that attackers could use to identify vulnerabilities in data centers around the world.
Stop and sit with that for a second. When you hit a Tier 1 contract manufacturer, you do not just take down their facility. You potentially get a peek inside the secrets of every customer they serve. That is why threat actors love these targets.
So what does this mean for you?
· If Foxconn has a bad day, a lot of other companies have a bad quarter.
· Attackers know that disrupting a central player creates pressure to pay quickly.
· Centralized manufacturing concentrates both data and operational risk.
You are not just protecting your own building or plant. You are protecting everyone who depends on it. And you should be asking the same questions about your own suppliers.
OT Risk Is Not an IT Ticket
Most facilities and OT teams feel this pain every time someone says “we will patch that at the next maintenance window” and that window never comes. Ransomware shifts the conversation:
· IT can often rebuild from backups and keep people on laptops while recovery runs in the background.
· OT and facilities cannot ship product if a production cell is down, or if a critical system is in an unknown state.
· Manual workarounds exist in some cases, but they are slow, expensive, and stressful, and they burn through your operators.
If your incident response plan ends at “call IT” or “fail over the VM,” you are not ready.
Your playbook needs an OT chapter, written by people who actually know how the plant runs.
For real OT-attack case studies that show what this looks like in practice:
· Episode 96: Poland’s Power Grid Cyberattack: What It Teaches Us About OT Security https://protectitallpod.com/ep096/?utm_source=newsletter.protectitallpod.com&utm_medium=newsletter&utm_campaign=foxconn-ransomware
· Episode 98: The Striker Attack: What It Reveals About OT Cybersecurity and Why Tabletop Exercises Matter https://protectitallpod.com/ep098/?utm_source=newsletter.protectitallpod.com&utm_medium=newsletter&utm_campaign=foxconn-ransomware
What Stronger Looks Like in the Real World
Look, I know how easy it is to read a story like this and feel overwhelmed. The plant team is small. The budget is tight. The asset inventory is incomplete. You do not know where to start. I get it. I have been in those rooms.
Here is where I keep coming back to the SANS Five ICS Cybersecurity Critical Controls, because they are threat-driven and they actually work:
· ICS-specific incident response plan and tabletop. Not a generic IT playbook copied over. A real OT scenario where production stops, the historian goes down, the engineering workstation gets locked. Define who is in charge when operations are impacted, how to safely shut down or move to manual mode, and how you communicate internally and externally while systems are offline. Run it. Find one gap. Fix it. Run it again next quarter.
· Defensible architecture. Real network segmentation aligned to Purdue model zones and conduits, not just VLANs. Actual firewalls between IT and OT, ICS-aware where it matters. The Foxconn attack started in IT and impacted operations. That hand-off boundary is where you live or die.
· ICS network visibility. You cannot protect devices you cannot see. Passive monitoring at the right Purdue levels gives you asset inventory, vulnerability context, and the ability to do root cause analysis on a process upset. This is the highest-ROI control I see organizations implement.
· Secure remote access. Vendors, integrators, and internal teams all love remote access. That convenience is also one of the most abused paths into critical systems. Not flat VPN tunnels into the plant floor. MFA, jump hosts, session recording, time-bound access. The Resilience 2026 report found misconfigured MFA was the single most expensive point of failure in 2025, tied to 26 percent of total losses.
· Risk-based vulnerability management. You are never going to patch your way out of this. Prioritize the patches that actually matter to your environment, and put compensating controls around the assets you cannot touch. The PLC running the ice machine in the break room and the PLC running the turbine are not the same risk, even if they share the same CVE.
And one more that is not always called out: recovery that is tested, not assumed. Backups of OT and facility systems are only useful if you can restore them in hours, not weeks, and if they are not encrypted alongside everything else. Tabletop the restore. Time it. Find out the hard truth before an attacker forces it on you.
These are not exciting. They are not the AI-powered shiny object you saw at RSA. But every assessment I do, and every incident I respond to, comes back to whether the basics were in place. The basics are the difference between containing an incident in 18 hours and being down for five weeks.
For asset visibility and risk quantification specifically:
· Episode 101: OT Risk Management That Works: Asset Visibility, Risk Quantification, and CISO-Level Strategy with Nicholas Friedman https://protectitallpod.com/ep101/?utm_source=newsletter.protectitallpod.com&utm_medium=newsletter&utm_campaign=foxconn-ransomware
The Part Nobody Puts in the Brochure
The last piece, and this is the drum I keep banging, is that all business is a people business. The companies that respond well to incidents like Foxconn are the ones where IT and OT teams already trust each other. They have had coffee. They have walked the plant floor together. The engineer knows the SOC analyst by name. The CISO has been in the control room and put a hard hat on.
When an incident hits a company that has infighting, where IT and OT are still pointing fingers about who owns ICS security, the adversaries win every time. They sit back and watch the internal politics while they expand their access. I have seen it firsthand on multiple engagements, and it is one of the most preventable problems in this entire industry.
So if you take one thing away from the Foxconn story, let it be this. Go to the plant. Bring donuts. Listen more than you talk. Ask the engineer what a bad day looks like for them, and shut up while they answer. Earn the trust before you need it, because you will need it, and trust is not something you can buy on a purchase order.
Where To Start Tomorrow
Baby steps. Pick one thing this week.
1. Tag your assets by operational criticality, not just CVSS. If your inventory does not distinguish the ice machine PLC from the turbine PLC, that is where to start.
2. Audit your remote access. Every VPN tunnel, every vendor connection, every temporary rule from three years ago. Cut what you do not need. Put MFA on what is left.
3. Run a tabletop. Pick one scenario this quarter. Run it with IT and OT in the same room. Find one gap. Fix it. Run a different one next quarter.
4. Test a restore. Pick one OT-adjacent system and actually restore it from backup in a sandbox. Time how long it takes. That number will change how you think about recovery.
5. Walk the plant floor. Bring food. Ask questions. Build the relationships you will need when something actually happens.
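One way to carry out step 1 and the risk-based vulnerability management control above, as an added example that is not from the article or from SANS: each asset carries an operational criticality tag, the ranking weights CVSS by that tag and by exposure, and assets that cannot be patched are routed to compensating controls. The inventory is constructed, and the four-level scale and the weights are assumptions to tune for your own plant.

```python
from dataclasses import dataclass

# Assumed scale: what losing the asset does to the operation.
CRITICALITY = {"convenience": 1, "support": 2, "production": 3, "safety": 4}

@dataclass
class Asset:
    name: str
    criticality: str         # key of CRITICALITY
    cvss: float              # base score of the worst open CVE on the asset
    reachable_from_it: bool  # reachable from the IT network or a remote access path
    patchable: bool          # can be patched in a realistic maintenance window

# Constructed inventory. The first two assets share the same CVE and CVSS score,
# mirroring the article's ice machine versus turbine comparison.
INVENTORY = [
    Asset("break-room ice machine PLC", "convenience", 9.8, True, True),
    Asset("turbine control PLC", "safety", 9.8, False, False),
    Asset("line 3 HMI (Windows)", "production", 7.0, True, True),
    Asset("BMS chiller controller", "support", 8.1, True, False),
]

def risk_score(asset):
    """CVSS weighted by operational criticality and exposure (assumed weights)."""
    exposure = 1.5 if asset.reachable_from_it else 1.0
    return round(asset.cvss * CRITICALITY[asset.criticality] * exposure, 1)

def action(asset):
    """Patch what can be patched; wrap controls around what cannot be touched."""
    if asset.patchable:
        return "patch in next maintenance window"
    return "compensating controls: segment, restrict remote access, monitor"

def prioritize(inventory):
    """Return (name, score, action) tuples, highest operational risk first."""
    ranked = sorted(inventory, key=risk_score, reverse=True)
    return [(a.name, risk_score(a), action(a)) for a in ranked]

if __name__ == "__main__":
    for name, score, todo in prioritize(INVENTORY):
        print(f"{score:>5}  {name}: {todo}")
```

Sorting the same inventory by CVSS alone would tie the ice machine with the turbine at the top; with the criticality tag the turbine leads the list and the ice machine drops to last.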
The Takeaway
Foxconn is a reminder, not an exception. It shows that:
· Size does not equal safety.
· Big brand logos do not scare ransomware operators.
· OT, facilities, and supply chain concentration make you more attractive, not less.
Ransomware has evolved from “annoying IT problem” to a tool for shutting down physical operations and extracting maximum leverage. If you are responsible for the buildings, plants, lines, campuses, or critical services that keep your organization running, you are now on the front line.
This is doable. It is not rocket science. It is people, process, and the basics done well. The adversaries are not magicians. They are opportunists, and they target the gaps. Close the gaps, build the relationships, run the fundamentals, and you make yourself a much harder target.
You do not have to be perfect. You do need to be prepared.
That is how we protect what matters most.
Want to keep the conversation going? Subscribe to the PrOTect IT All Podcast at protectitallpod.com for weekly conversations with the OT, ICS, IT, AI, and cloud security practitioners actually doing this work. Reach out at [email protected] if you want to come on the show, suggest a guest, or just share what you are seeing in your environment.
Aaron Crow aaroncrow.ai · protectitallpod.com · LinkedIn
Sources
· Foxconn confirmation, North American factory disruption: BleepingComputer, May 2026
· Nitrogen leak-site claim, 8 TB / 11M files: DataBreaches.net, May 12, 2026
· Mount Pleasant timeline (Wi-Fi 7 AM, infra 11 AM, paper timesheets): Local Wisconsin reporting
· Foxconn 2020 DoppelPaymer / 2022 LockBit / 2024 Foxsemicon: BleepingComputer archives
· ESXi encryptor recovery flaw: Coveware research, 2025
· Manufacturing ransomware stats: IBM X-Force Threat Intelligence Index 2025; Dragos Year in Review
· WIRED commentary on Apple, Google, Dell, Intel, Nvidia data center topology specs
· SANS Five ICS Cybersecurity Critical Controls (Robert M. Lee et al.)
· Resilience 2026 Cyber Insurance Loss Trends Report


