Background
Ransomware continued to pose a significant threat in Q1 2026, maintaining a high level of activity comparable to the same period in 2025. Despite increased global awareness, regulatory efforts, and improved defensive capabilities, ransomware groups have demonstrated strong operational capability and destructive impact, sustaining both the volume and impact of attacks across multiple industries. Ransomware attack trends indicate that it is a persistent and organized threat.
Modern OT environments, particularly those undergoing digital transformation and IT/OT convergence, have become valuable targets. While many attacks still originate in IT networks, their potential to disrupt operations has elevated the risk profile of OT environments. The following are selected ransomware incidents from Q1 2026 that impacted operations:
- IntraCare, a healthcare provider, was impacted by a ransomware attack that forced its systems offline, resulting in the postponement of patient surgeries [Private healthcare provider IntraCare hit by cyber breach].
- Hazeldenes, a major chicken meat processor in Australia, was compromised by a ransomware group, resulting in a shortage of chicken products across multiple businesses in the state. The attack caused significant disruptions to the regional supply chain [Attack Shuts Down Aussie Chicken Processor – ISSSource].
- The Metro in Los Angeles experienced unauthorized activity within internal systems by a ransomware group, leading to disruptions such as station monitors failing to display real-time arrival information [Metro restricts access to internal computer systems after breach].
In addition, ransomware groups also targeted semiconductor suppliers such as Advantest and Trio-Tech International in Q1 2026. Although these incidents mainly affected IT systems, these companies play an important role in industrial processes. Disruption to them may create ripple effects across the supply chain [Chip Testing Giant Advantest Hit by Ransomware][Chip Services Firm Trio-Tech Says Subsidiary Hit by Ransomware].
Based on over 1,500 incidents claimed by ransomware groups in Q1 2026, we observed that the most active groups were Qilin, Thegentlemen, and Akira. Among them, Qilin clearly ranked first, as shown in Figure 1.
In general, ransomware groups often have a short period of high activity. Over time, their impact usually decreases due to law enforcement pressure, operational risks, or changes within related groups. However, Qilin has remained highly active from 2025 through Q1 2026, continuously targeting multiple industries, including manufacturing, automotive, energy, and healthcare.
To obtain ransoms, Qilin uses a range of techniques, including initial access, persistence, and defense evasion. These techniques are also effective in connected OT environments. In the next section, we will conduct a deep analysis of Qilin to better understand its strategy and impact on modern OT environments.
Deep Dive into Qilin Ransomware
Figure 2 shows the attack process of Qilin ransomware, based on recent incidents that impacted OT environments. First, Qilin gains access by exploiting vulnerabilities in network devices, including routers and firewalls, to enter the internal network. After establishing a foothold, it disperses the ransomware across the network at scale.
In environments with IT/OT convergence, OT systems can also be impacted during this process. Like most ransomware groups, Qilin also steals sensitive data from the victim organization and publishes it on leak sites to carry out double extortion.
Initial Access
From past incidents, we observed that the Qilin ransomware group frequently exploits vulnerabilities in network devices to gain initial access. This approach allows them to maintain a high level of impact. For example, Qilin has used vulnerabilities in Fortinet products, including CVE-2024-21762 and CVE-2024-55591, in large-scale attacks. These vulnerabilities allow attackers to bypass authentication and gain admin privilege access to affected devices.
After patches were released, the Cybersecurity and Infrastructure Security Agency (CISA) quickly added these vulnerabilities to the Known Exploited Vulnerabilities (KEV) Catalog and required federal agencies to secure all affected devices [CISA Adds One Known Exploited Vulnerability to Catalog | CISA]. This shows the wide impact of Qilin's activities.
However, despite these warnings, many Fortinet devices remained unpatched and exposed. Qilin has also used these known vulnerabilities to launch partially automated attacks against exposed systems, and high-value OT environments remain attractive targets.
Defense Evasion and Lateral Movement
After gaining access to the internal network, the Qilin ransomware group uses additional techniques to avoid endpoint protection. One method we observed is the use of Bring Your Own Vulnerable Driver (BYOVD).
This technique is highly effective because signed, trusted Windows drivers are often not fully monitored by security controls. In past cases, Qilin used drivers such as eskle.sys, rwdrv.sys, hlpdrv.sys, and TPwSav.sys to disable antivirus and EDR solutions.
For example, TPwSav.sys is a legitimately signed driver that runs at the highest privilege level (ring 0) in the operating system. By abusing such drivers, attackers can directly access critical memory and system resources without triggering security alerts.
After disabling security protections, threat actors can further move within the network. They can steal remote access credentials or use other methods based on the victim’s environment to perform lateral movement.
Impact
After Qilin ransomware is deployed across victim endpoints, it typically executes comprehensive persistence mechanisms and advanced antivirus evasion techniques. The main execution flow is shown in Figure 3.
Simply put, Qilin begins by invoking three core modules (ShadowsRemover, ProcessKiller, and ServicesKiller) that collectively prepare the system for encryption. Qilin then registers an auto-start entry under the Windows Registry RunOnce key (see Figures 4 and 5).
In the next stage, Qilin leverages DLL injection to load the malicious library into svchost.exe. However, injecting into svchost.exe requires access to a high-privilege security token. To obtain this, Qilin typically manipulates its own process token and invokes the AdjustTokenPrivileges API call to enable SeDebugPrivilege, thereby granting the capability to inject code into protected system processes. Once SeDebugPrivilege has been enabled, Qilin initiates a standard DLL injection routine against the running svchost.exe process, ultimately enabling the ransomware to achieve persistent and stealthy code execution, as shown in Figure 6.
Finally, Qilin initiates the encryption process. The ransomware employs AES-256 to encrypt file contents and then uses an RSA public key to encrypt the AES keys, ensuring that decryption is infeasible without the corresponding private key. After completing encryption, Qilin places a ransom note titled -RECOVER-README.txt in every directory.
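The stages described in the Defense Evasion and Impact sections (BYOVD driver loads, the RunOnce auto-start entry, access to svchost.exe for injection, and the -RECOVER-README.txt note) each leave telemetry that endpoint sensors already collect. The script below is an added example, not TXOne code and not captured telemetry: it encodes those observables as rules over Sysmon-style event dictionaries (Sysmon event IDs 6, 10, 11 and 13, which are real), runs them over a handful of constructed sample events, and correlates per host so that several stages firing together outweigh any single match. The trusted source directories and the access-rights mask are assumptions to tune per site.

```python
"""Detection rules for the Qilin execution chain, run over constructed
Sysmon-style events. Added illustration; driver names, the RunOnce key and
the ransom-note name come from the post, everything else is an assumption."""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Driver names the post attributes to Qilin BYOVD activity (lower-cased).
KNOWN_ABUSED_DRIVERS = {"eskle.sys", "rwdrv.sys", "hlpdrv.sys", "tpwsav.sys"}
RUNONCE_KEY = r"\microsoft\windows\currentversion\runonce"
RANSOM_NOTE = "-recover-readme.txt"
# Directories from which handles to svchost.exe are expected (assumption; tune per site).
TRUSTED_SOURCE_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\")
# PROCESS_CREATE_THREAD (0x2) | PROCESS_VM_WRITE (0x20): rights an injector needs.
INJECT_RIGHTS = 0x2 | 0x20


@dataclass
class Alert:
    rule: str
    host: str
    detail: str


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev: dict) -> Optional[Alert]:
    """Return an Alert if one event matches a stage of the chain, else None."""
    eid = ev.get("EventID")
    host = ev.get("Computer", "?")
    if eid == 6:  # Sysmon DriverLoad
        name = _basename(ev.get("ImageLoaded", ""))
        if name in KNOWN_ABUSED_DRIVERS:
            return Alert("byovd_driver_load", host, f"known abusable driver {name}")
    elif eid == 13:  # Sysmon RegistryEvent (value set)
        target = ev.get("TargetObject", "")
        if RUNONCE_KEY in target.lower():
            return Alert("runonce_persistence", host, f"{ev.get('Image')} wrote {target}")
    elif eid == 10:  # Sysmon ProcessAccess
        target = _basename(ev.get("TargetImage", ""))
        source = ev.get("SourceImage", "").lower()
        rights = int(ev.get("GrantedAccess", "0x0"), 16)
        if (target == "svchost.exe" and rights & INJECT_RIGHTS
                and not source.startswith(TRUSTED_SOURCE_DIRS)):
            return Alert("svchost_access_untrusted", host,
                         f"{source} opened svchost.exe with {hex(rights)}")
    elif eid == 11:  # Sysmon FileCreate
        if _basename(ev.get("TargetFilename", "")) == RANSOM_NOTE:
            return Alert("ransom_note_dropped", host, ev.get("TargetFilename", ""))
    return None


def scan(events: Iterable[dict]) -> List[Alert]:
    """Apply check_event to every event and keep the matches, in input order."""
    return [a for a in (check_event(e) for e in events) if a is not None]


def hosts_with_chain(alerts: Iterable[Alert], min_rules: int = 2) -> set:
    """Hosts where at least `min_rules` distinct stages fired. A single stage can
    have a benign explanation; several on one host rarely do."""
    seen: dict = {}
    for a in alerts:
        seen.setdefault(a.host, set()).add(a.rule)
    return {h for h, rules in seen.items() if len(rules) >= min_rules}


# Constructed sample events (not from any real incident).
SAMPLE_EVENTS = [
    {"EventID": 6, "Computer": "HMI-01", "ImageLoaded": r"C:\Users\Public\TPwSav.sys"},
    {"EventID": 13, "Computer": "HMI-01", "Image": r"C:\Users\Public\update.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\svc"},
    {"EventID": 10, "Computer": "HMI-01", "SourceImage": r"C:\Users\Public\update.exe",
     "TargetImage": r"C:\Windows\System32\svchost.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "Computer": "ENG-02", "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\svchost.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 11, "Computer": "HMI-01", "TargetFilename": r"D:\Projects\-RECOVER-README.txt"},
    {"EventID": 6, "Computer": "ENG-02", "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys"},
]

if __name__ == "__main__":
    alerts = scan(SAMPLE_EVENTS)
    for a in alerts:
        print(f"[{a.rule}] {a.host}: {a.detail}")
    print("chain observed on:", hosts_with_chain(alerts))
```

On the sample data only HMI-01 raises alerts; the csrss.exe handle to svchost.exe on ENG-02 is ignored because its source path is trusted, and the tcpip.sys load matches no known abusable driver. The driver-name list is an allow-list of what the post names; in production it should be replaced by a maintained vulnerable-driver feed and combined with driver signature and hash checks, since a renamed copy of the same driver defeats a name match.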
Actionable Security Enhancements for OT Environments
In light of the above threats, here are some actionable security enhancements and recommendations for defending against ransomware attacks.
- Organizations should understand the expected behavior of each device to detect unexpected changes that may impact operations.
The BYOVD technique is not just a single vulnerability exploit. It usually occurs after threat actors have already gained admin privileges on an endpoint. Therefore, mitigation should focus on the entire attack chain and apply layered security controls. For example, access to endpoint systems should be restricted to specific source IP addresses and authorized users, and the use of credential-dumping tools such as Mimikatz and similar post-exploitation tooling should be blocked.
In OT environments, systems usually operate in a limited and stable manner. Because of this, critical endpoints are well-suited for TXOne Stellar’s Cyber-Physical Systems Detection and Response (CPSDR) solutions. Stellar CPSDR enables a deep understanding of what the expected behaviors for each device are. The Operations Behavior Anomaly Detection feature applies least-privilege controls and establishes each device’s unique behavioral baseline. It isolates unexpected changes to keep autonomous operations running and give operators time to evaluate whether those changes constitute a threat.
As shown in Figures 7 and 8, in Qilin ransomware attacks, attackers use compromised credentials to remotely access endpoint systems, then spread and execute ransomware across the environment. Operations Behavior Anomaly Detection identifies the abnormal user and network activity characteristic of this lateral movement in real time.
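To make the behavioral-baseline idea concrete, the following is an added example, not TXOne's CPSDR implementation: it learns, per OT endpoint, the users, processes and network peers seen during a known-good observation window, then flags live events that deviate and returns an allow/isolate decision for each. The event shape, device names and addresses are constructed; the point is that on stable OT endpoints the learned sets stay small, so a new user driving a new process toward an SMB port on a neighbouring engineering station stands out without any signature.

```python
"""Per-device behavioral baseline with anomaly isolation. Added illustration of
the Operations Behavior Anomaly Detection concept; not TXOne code. Event shape
and all sample values are constructed."""
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# One observed action on an OT endpoint:
# (device, user, process, remote_ip or None, remote_port or None)
Event = Tuple[str, str, str, Optional[str], Optional[int]]
Finding = Tuple[str, str, str]  # (device, category, value)


def build_baseline(training: List[Event]) -> Dict[str, dict]:
    """Learn, per device, the users, processes and network peers observed during a
    known-good window. Comparison is case-insensitive for users and processes."""
    baseline: Dict[str, dict] = defaultdict(
        lambda: {"users": set(), "processes": set(), "peers": set()})
    for device, user, process, rip, rport in training:
        b = baseline[device]
        b["users"].add(user.lower())
        b["processes"].add(process.lower())
        if rip is not None:
            b["peers"].add((rip, rport))
    return dict(baseline)


def detect_anomalies(baseline: Dict[str, dict], live: List[Event]) -> List[Finding]:
    """Return every way a live event departs from its device's baseline.
    A device never seen in training is itself a finding."""
    findings: List[Finding] = []
    for device, user, process, rip, rport in live:
        b = baseline.get(device)
        if b is None:
            findings.append((device, "unknown_device", process))
            continue
        if user.lower() not in b["users"]:
            findings.append((device, "new_user", user))
        if process.lower() not in b["processes"]:
            findings.append((device, "new_process", process))
        if rip is not None and (rip, rport) not in b["peers"]:
            findings.append((device, "new_peer", f"{rip}:{rport}"))
    return findings


def decide(baseline: Dict[str, dict], event: Event) -> str:
    """Least-privilege decision for one event: 'allow' only when it matches the
    device's baseline, otherwise 'isolate' so an operator can review it."""
    return "allow" if not detect_anomalies(baseline, [event]) else "isolate"


# Constructed known-good window: an HMI polling a PLC and an engineering station.
TRAINING_EVENTS: List[Event] = [
    ("HMI-01", "operator", "hmi_runtime.exe", "10.0.5.20", 502),   # Modbus/TCP to the PLC
    ("HMI-01", "operator", "explorer.exe", None, None),
    ("ENG-02", "engineer", "tia_portal.exe", "10.0.5.20", 102),    # S7comm to the PLC
    ("ENG-02", "engineer", "explorer.exe", None, None),
]

# Constructed live events: one normal, one resembling the lateral movement described above.
LIVE_EVENTS: List[Event] = [
    ("HMI-01", "operator", "hmi_runtime.exe", "10.0.5.20", 502),
    ("HMI-01", "svc_backup", "update.exe", "10.0.5.12", 445),       # new user, process and SMB peer
]

if __name__ == "__main__":
    baseline = build_baseline(TRAINING_EVENTS)
    for f in detect_anomalies(baseline, LIVE_EVENTS):
        print("finding:", f)
    for ev in LIVE_EVENTS:
        print(ev[1], ev[2], "->", decide(baseline, ev))
```

The first live event produces no findings and is allowed; the second yields three (new user, new process, new peer) and is isolated. A real deployment needs a deliberately collected training window, an approval workflow for legitimate changes such as patching, and a baseline of richer attributes than this example uses, but the decision structure is the same.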
- Organizations should have clear protection strategies to prevent ransomware from executing on OT endpoints.
In ransomware attacks targeting OT environments, the goal is to execute ransomware on endpoint systems, making endpoint protection the critical last line of defense. But when selecting endpoint protection solutions, organizations must weigh two factors: whether the software’s performance overhead might disrupt operations, and how to manage variant ransomware strains in environments where signature updates can’t keep pace.
Stellar – Endpoint Protection is an endpoint security solution designed for OT environments and installed on endpoint devices. Instead of waiting for a threat to be identified and analyzed before responding, Stellar uses CPSDR to prevent unexpected system changes from impacting operations.
As shown in Figures 9, 10, and 11, one of Stellar’s core protection capabilities is Multi-Method Threat Prevention. TXOne integrates signature-based and AI-based antivirus software to provide real-time scanning of files and processes. When ransomware is deployed to endpoint systems, Multi-Method Threat Prevention can immediately quarantine the ransomware.
Another feature is Ransomware Behavior Monitor, which detects and prevents potential ransomware activity by monitoring system behaviors for patterns commonly associated with ransomware. As shown in Figures 12, 13, and 14, even without signature-based detection, Stellar’s Ransomware Behavior Monitor can detect Qilin ransomware.
In cases where critical endpoint systems cannot have endpoint protection software installed on them, TXOne has an alternate solution:
Element – Security Inspection
TXOne Portable Inspector is a USB-based solution that delivers portable, installation-free security. It inspects new equipment before sending it to production, performs regular auditing and inventory management functions, and provides advanced security for out-of-band and isolated devices.
To address the risk of ransomware being introduced through authorized external devices into OT environments (corresponding to MITRE ATT&CK for ICS: Initial Access – Transient Cyber Asset), Portable Inspector can quickly scan these devices and quarantine ransomware threats before they enter the network. In addition, for endpoint systems where no installation or configuration changes are allowed, Portable Inspector can still provide protection without requiring any software deployment.
Similarly, to address the risk of authorized external USB devices being introduced into OT environments, TXOne Safe Port provides proactive protection by identifying and eliminating malware introduced through USB devices. It helps protect OT system stability and ensures uninterrupted performance.
Edge – Network Defense
TXOne EdgeIPS Pro delivers comprehensive network security tailored for OT. Built on a zero-disruption design principle, it safeguards OT networks while maintaining uptime and performance. As mentioned earlier, Qilin exploits CVE-2024-21762 and CVE-2024-55591 to compromise network devices. With EdgeIPS Pro, threats can be detected and malicious packets can be blocked during the initial access stage of ransomware attacks.
Moreover, EdgeIPS Pro safeguards OT environments from evolving malware, spyware, and ransomware. During the lateral movement stage, it uses signature-based detection to block known Qilin variants before they execute on endpoints. Figures 18 and 19 show how to create and apply Antivirus Profiles, while Figure 20 shows detection results across multiple Qilin variants.
Takeaway
Given the constantly evolving threat landscape with new ransomware variants and changing attack strategies, a single security approach is not enough. TXOne Networks provides OT-Native all-terrain solutions capable of meeting the needs of diverse ICS verticals in device inspection, endpoint protection, and network defense.
As shown in Figure 21, TXOne solutions are designed to deploy on Level 1 (basic control), Level 2 (supervisory control) and Level 3 (site manufacturing operations and control) of the Purdue model.
Element – Security Inspection
Organizations can prevent ransomware from entering OT environments via removable devices and third-party assets. Element also provides protection for endpoint devices where no installation or configuration changes are allowed. With Element, ransomware is quarantined before it can deploy on endpoint devices.
Edge – Network Defense
Designed specifically for OT networks, Edge prevents ransomware from spreading laterally by using signatures to detect known variants and inline prevention to block them before they can traverse the network.
Stellar – Endpoint Protection
Even if ransomware reaches OT endpoints, Stellar’s CPSDR blocks unexpected system changes before they impact operations by allowing only trustlisted processes to run. Its Multi-Method Threat Prevention layer adds real-time scanning using signature-based and AI-based antivirus to detect ransomware and its behaviors, as shown in Figures 10 and 13.
Note: The experiments in this blog are based on the following versions:
Portable Inspector
- Firmware: V1.0.1044
Safe Port
- Firmware: V1.0.1018
EdgeIPS Pro
- Firmware: V2.2.13
- CPSDR Pattern: TX_CPSDR_ND_PRO_260330_1
- IPS Pattern: TXv2_PRO_260330_1
- AV Pattern: V3.042
StellarOne
- Firmware: V3.2.1372
- Agent Version: V3.2.1192
- Virus Pattern: V20.899.00
- Damage Cleanup Template: V0.016.34
- IntelliTrap Exception Pattern: V2.439.00
- IntelliTrap Pattern: V0.253.00
- Spyware/Grayware Pattern: V2.937.00
- Digital Signature Pattern: V2.112.00
- Behavior Monitoring Configuration Pattern: V1.235.00
- Program Inspection Pattern: V1.137.01
- Damage Cleanup Engine Configuration: V0.001.34
- Advanced Threat Correlation Pattern: V1.655.00
- Predictive Machine Learning Local File Model: V3.593.00
- OT Vault pattern: V1.1.20251212
- TXOne Grey-Detection pattern: V1.4001.0000
- TXOne Threat-Detection Pattern: V1.2.0000