Security researchers at Dragos and CrowdStrike have jointly disclosed a new ransomware campaign—code-named VoltZite—engineered to target operational technology (OT) environments within North American electric utilities and power grid operators. Unlike typical ransomware focused on IT networks, VoltZite demonstrates deep understanding of industrial control system (ICS) architectures.


Technical Capabilities


VoltZite propagates across IT networks before pivoting into OT environments through exposed engineering workstations and historian servers. Once inside, it identifies and interacts with SCADA software including OSIsoft PI System, GE iFIX, and Wonderware AVEVA before deploying its encryption payload. Critically, the malware delays encryption on safety-critical systems, suggesting the operators want disruption without causing physical damage.


Known Victims


Three North American utilities have confirmed they were affected:

  • A Midwestern regional transmission organization reported a 6-hour disruption to non-critical grid monitoring systems
  • A Canadian hydroelectric operator in Quebec confirmed its corporate IT network was encrypted, with the intrusion stopped at the IT/OT boundary
  • A Texas-based natural gas distribution company reported successful containment

Attribution


Dragos has linked VoltZite infrastructure to a financially motivated threat actor. Initial access vectors include exploitation of CVE-2024-21887 (Ivanti Connect Secure) and spear-phishing targeting utility operations staff.


Government Response


CISA, the FBI, and the Department of Energy issued a joint advisory urging all electric sector entities to immediately audit internet-facing OT assets, enforce IT/OT network segmentation, and apply all pending patches to Ivanti and Fortinet VPN appliances.
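The two checks the advisory asks for, auditing internet-facing OT assets and verifying IT/OT segmentation, can be run mechanically against boundary-firewall flow records. The script below is an added example written for this article; it is not tooling from Dragos, CrowdStrike, or the advisory. The asset inventory, the 10.0.0.0/8 internal range, the single sanctioned jump-host conduit, and the flow records are all constructed for illustration. It flags any flow from outside the internal range into an OT asset as internet exposure, and any IT-to-OT flow that is not an approved conduit as a segmentation violation, rating hits on engineering workstations and historians higher because the article names those as the pivot points.

```python
"""Segmentation and exposure audit over constructed flow records.

Added example, not from the Dragos/CrowdStrike research or the joint advisory.
Everything below (addresses, roles, conduits, flows) is constructed.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    ip: str
    zone: str   # "it" or "ot"
    role: str   # e.g. "engineering_workstation", "historian", "hmi"


# Constructed inventory: hypothetical private addresses, not from the article.
INVENTORY = {a.ip: a for a in [
    Asset("10.1.0.15", "it", "laptop"),
    Asset("10.1.0.40", "it", "file_server"),
    Asset("10.9.0.5", "it", "jump_host"),   # the only sanctioned path into OT
    Asset("10.20.0.10", "ot", "engineering_workstation"),
    Asset("10.20.0.20", "ot", "historian"),
    Asset("10.20.0.30", "ot", "hmi"),
]}

# Constructed: address space considered internal; anything else is external.
INTERNAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed: (src, dst) pairs permitted to cross the IT/OT boundary.
APPROVED_CONDUITS = {("10.9.0.5", "10.20.0.10")}

# Roles the article names as pivot points into OT; rate these higher.
PIVOT_ROLES = {"engineering_workstation", "historian"}


def zone_of(ip, inventory):
    """Return the zone of an address: inventory zone, 'unknown_internal',
    'external', or 'invalid' for unparsable input."""
    if ip in inventory:
        return inventory[ip].zone
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "invalid"
    if any(addr in net for net in INTERNAL_NETWORKS):
        return "unknown_internal"
    return "external"


@dataclass(frozen=True)
class Finding:
    kind: str       # "internet_exposed_ot" or "unsanctioned_it_to_ot"
    severity: str   # "critical", "high" or "medium"
    src: str
    dst: str
    dst_role: str


def audit_flows(flows, inventory=INVENTORY, approved=APPROVED_CONDUITS):
    """Flag flows that terminate on an OT asset and originate outside OT
    without being an approved conduit."""
    findings = []
    for flow in flows:
        dst = inventory.get(flow["dst"])
        if dst is None or dst.zone != "ot":
            continue  # only traffic entering OT matters for this check
        src_zone = zone_of(flow["src"], inventory)
        if src_zone in ("ot", "invalid"):
            continue
        if src_zone == "external":
            kind, severity = "internet_exposed_ot", "critical"
        elif (flow["src"], flow["dst"]) in approved:
            continue  # sanctioned IT->OT path, e.g. a jump host
        else:
            kind = "unsanctioned_it_to_ot"
            severity = "high" if dst.role in PIVOT_ROLES else "medium"
        findings.append(Finding(kind, severity, flow["src"], flow["dst"], dst.role))
    return findings


def summarize(findings):
    """Count findings by kind for a quick report."""
    return Counter(f.kind for f in findings)


# Constructed flow records, as a boundary firewall might export them.
SAMPLE_FLOWS = [
    {"src": "10.9.0.5", "dst": "10.20.0.10"},    # jump host -> EWS (approved)
    {"src": "10.1.0.15", "dst": "10.20.0.20"},   # laptop -> historian
    {"src": "10.1.0.40", "dst": "10.20.0.30"},   # file server -> HMI
    {"src": "198.51.100.9", "dst": "10.20.0.10"},  # external -> EWS
    {"src": "10.20.0.30", "dst": "10.20.0.20"},  # OT internal, ignored
    {"src": "10.1.0.15", "dst": "10.1.0.40"},    # IT internal, ignored
]

if __name__ == "__main__":
    for finding in audit_flows(SAMPLE_FLOWS):
        print(finding)
    print(summarize(audit_flows(SAMPLE_FLOWS)))
```

On the sample records the audit returns three findings: two unsanctioned IT-to-OT flows (the historian hit rated high, the HMI hit medium) and one critical internet-exposed engineering workstation, while the jump-host conduit and intra-zone traffic pass. Feeding real firewall exports through the same logic, with the inventory and conduit list replaced by the site's own, gives a repeatable answer to the advisory's two questions.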


Ransom Demands


VoltZite operators have demanded ransoms ranging from $1.5 million to $8 million depending on victim size. The group operates a data-leak site where it publishes operational documents and employee data from victims who decline to pay.


Broader Context


This campaign arrives amid heightened concern over US critical infrastructure security. Security experts note that the line between financially motivated cybercrime targeting critical infrastructure and state-sponsored sabotage is increasingly blurred.