This quarter, the percentage of ICS computers on which spyware and ransomware were blocked increased significantly in the region.
# Industry News: Rising Ransomware and Spyware Threats in Russian ICS Environments
## Summary
The latest threat landscape report from Kaspersky ICS CERT reveals a significant uptick in the share of protected industrial control system (ICS) computers on which ransomware and spyware were blocked during Q3 2025 in the Russian region. The data suggests intensifying targeting of critical infrastructure and manufacturing sectors, with a shift from opportunistic attacks to more persistent, data-exfiltrating campaigns.
## Key Details
- **Date:** December 22, 2025
- **Companies Involved:** Kaspersky (Research Lead), various Industrial Automation entities.
- **Category:** Market Analysis / Threat Intelligence Report
## The Story
In the third quarter of 2025, security monitoring recorded a notable spike in blocked malicious activity on ICS computers across Russia. Unlike previous quarters, in which general malware dominated, Q3 saw a focused increase in two high-impact categories: spyware and ransomware. Spyware is increasingly used for corporate espionage and for harvesting the credentials needed for deeper network penetration, while ransomware remains the primary tool for direct financial extortion and operational disruption. The convergence of these two threats suggests that attackers are spending more time inside industrial networks, first stealing data (spyware) and only then deploying disruptive payloads (ransomware).
## Business Impact
### For the Companies Involved (Kaspersky)
- **Market Leadership:** Reinforces Kaspersky’s position as a dominant provider of telemetry and threat intelligence within the Eurasian industrial sector.
- **Service Demand:** Validates the demand for Managed Detection and Response (MDR) services specifically tailored for OT (Operational Technology) environments.
### For Competitors
- **Regional Opportunity:** Competitors (such as Positive Technologies or Rostelecom-Solar) face increased pressure to demonstrate comparable visibility into the OT threat landscape.
- **Product Differentiation:** Rivals may pivot to marketing "proactive hunting" tools to counter the "dwell time" associated with the reported spyware increase.
### For Customers
- **Operational Risk:** Industrial firms face higher potential for downtime, which can lead to supply chain penalties and lost revenue.
- **Budgetary Pressure:** Companies will likely need to reallocate CAPEX/OPEX toward hardening ICS networks and isolating legacy systems.
### For the Market
- **Insurance Hardening:** The surge in ransomware may lead to higher premiums for cyber insurance in the industrial sector or more stringent "minimum security baseline" requirements.
- **Security Spending:** Continued growth in the Russian ICS security market, driven by both the threat landscape and ongoing import substitution mandates.
## Technical Implications
The report highlights an evolution in attack chains. The presence of spyware on ICS computers indicates that attackers are bypassing traditional IT/OT "air gaps" via compromised remote access tools or engineering workstations. Technically, this necessitates a shift toward **Zero Trust Architecture** at the PLC/HMI level and more robust monitoring for the "living off the land" (LotL) techniques that spyware often employs to remain undetected.
## Strategic Analysis
- **Market Positioning:** Threat intelligence reports of this nature position security vendors as essential strategic partners rather than just software providers.
- **Competitive Advantage:** Real-time telemetry from ICS environments provides a data moat that is difficult for pure-play IT security firms to replicate.
- **Challenges:** The geopolitical climate and sanctions continue to fragment the global threat intelligence sharing community, potentially leading to "blind spots" in international cooperation.
## Industry Reactions
- **Analyst Opinion:** Market analysts suggest that the rise in spyware indicates a shift toward "long-game" industrial espionage, possibly state-sponsored or high-end cybercriminal cartels.
- **Market Response:** Industrial firms are expected to accelerate the replacement of legacy industrial software with modern, "secure-by-design" alternatives.
## Future Outlook
- **Predictions:** Expect a "double extortion" trend to dominate 2026, where stolen industrial IP is leaked alongside operational shutdowns.
- **What to watch for:** Increased regulatory intervention requiring mandatory reporting of spyware detections on critical infrastructure, not just of successful ransomware breaches.
## For Security Professionals
Practitioners should prioritize **Credential Hygiene** and **Network Segmentation**. Given the increase in spyware, the focus should shift from "blocking the breach" to "detecting the presence." Deploying EDR (Endpoint Detection and Response) on engineering workstations and HMIs is no longer optional; it is a critical requirement for early warning of ransomware precursors.