In 2021, Babuk ransomware burst onto the scene and quickly made headlines for its disruptive attacks. Like other modern ransomware groups, Babuk used a double extortion strategy: locking up data while also threatening to leak it publicly. Its victims ranged from government agencies to healthcare and manufacturing. The tool itself is efficient and robust against attempts to stop its execution.
What made users of Babuk particularly dangerous wasn't just their ability to break systems; it was how easily they could slip past trusted endpoint security tools and then move deeper into critical environments. For organizations that run both IT (information technology) and OT (operational technology) networks, the lesson is clear: relying on a single layer of protection between IT and OT, such as EDR, leaves you open to compromise. Strong segmentation between IT and OT continues to be a key tool. Without it, ransomware can jump from office systems into the plant floor or industrial controls, with devastating consequences.
How Babuk Slipped Past Defenses
In 2025, researchers discovered threat actors successfully deploying Babuk despite the presence of SentinelOne’s Endpoint Detection and Response (“EDR”). Attackers used a mix of built-in Windows tools and custom malware, making them harder to spot.
Here’s how:
- Everyday Tools as Weapons: Instead of dropping obvious malware, Babuk leaned on legitimate system utilities already present on Windows machines. These tools often fly under the radar of security solutions.
- Human-Driven Intrusions: Attackers leveraged steps of legitimate EDR upgrade processes to disable EDR without having to exploit any vulnerability.
- Custom-Built Payloads: Each attack was tailored to the victim. That meant traditional signature-based detection methods were far less effective.
In short: The users of Babuk played smart, blending in until it was too late.
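The detection angle on the second point above (EDR disabled through the steps of a legitimate upgrade or uninstall, by a hands-on operator rather than an exploit) is that those steps still leave a trail: the agent service stops, the product is removed, and usually neither happens during an approved change window or under an approved account. The following added example is not from the original post or from any vendor; it scans constructed log records and flags endpoint-protection tampering that falls outside a maintenance window or is performed by an unapproved account, then pairs a stop followed by a removal on the same host into an "uninstall sequence" finding. The log format, the agent service name, the account names and the window times are all assumptions made for the example.

```python
"""Flag endpoint-protection tampering outside approved maintenance windows.

Added example, not code from the original post or from any EDR vendor.
Record layout, service name, accounts and windows are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample records (not real telemetry):
# <ISO timestamp> <host> <account> <event> <subject>
SAMPLE_LOGS = [
    "2025-03-02T02:10:00Z ws-hmi-01 svc_patch service_stopped SentinelAgent",
    "2025-03-02T02:12:00Z ws-hmi-01 svc_patch product_removed SentinelAgent",
    "2025-03-02T02:30:00Z ws-hmi-01 svc_patch product_installed SentinelAgent",
    "2025-03-09T14:05:00Z eng-ws-07 jdoe service_stopped SentinelAgent",
    "2025-03-09T14:06:00Z eng-ws-07 jdoe product_removed SentinelAgent",
    "2025-03-09T14:07:00Z eng-ws-07 jdoe service_stopped Spooler",
]

# Events that change the state of a protective agent.
TAMPER_EVENTS = {"service_stopped", "product_removed", "product_installed"}
# Assumed service/product name of the endpoint-protection agent.
PROTECTED_SUBJECTS = {"SentinelAgent"}
# Accounts allowed to perform agent maintenance (assumed).
APPROVED_ACCOUNTS = {"svc_patch"}
# Approved maintenance windows as (start, end), UTC (assumed).
MAINT_WINDOWS = [
    (datetime(2025, 3, 2, 2, 0, tzinfo=timezone.utc),
     datetime(2025, 3, 2, 4, 0, tzinfo=timezone.utc)),
]


@dataclass(frozen=True)
class Finding:
    timestamp: datetime
    host: str
    account: str
    event: str
    reasons: tuple


def parse(line):
    """Split one constructed record into typed fields."""
    ts, host, account, event, subject = line.split()
    stamp = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return stamp, host, account, event, subject


def in_window(ts, windows):
    return any(start <= ts <= end for start, end in windows)


def evaluate(lines, windows=MAINT_WINDOWS, approved=APPROVED_ACCOUNTS):
    """Return a Finding for each agent-tampering event that is not
    both inside an approved window and performed by an approved account."""
    findings = []
    for line in lines:
        ts, host, account, event, subject = parse(line)
        if event not in TAMPER_EVENTS or subject not in PROTECTED_SUBJECTS:
            continue  # unrelated service, or not a state change
        reasons = []
        if not in_window(ts, windows):
            reasons.append("outside maintenance window")
        if account not in approved:
            reasons.append("unapproved account")
        if reasons:
            findings.append(Finding(ts, host, account, event, tuple(reasons)))
    return findings


def uninstall_sequences(findings, max_minutes=15):
    """Pair a flagged service_stopped with a product_removed on the same
    host within max_minutes: the shape of a manual agent removal."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f.host, []).append(f)
    sequences = []
    for host, items in by_host.items():
        items.sort(key=lambda f: f.timestamp)
        for i, stop in enumerate(items):
            if stop.event != "service_stopped":
                continue
            for later in items[i + 1:]:
                if (later.event == "product_removed"
                        and later.timestamp - stop.timestamp
                        <= timedelta(minutes=max_minutes)):
                    sequences.append((host, later.account, stop.timestamp))
                    break
    return sequences


if __name__ == "__main__":
    found = evaluate(SAMPLE_LOGS)
    for f in found:
        print(f.timestamp.isoformat(), f.host, f.account, f.event, f.reasons)
    for host, account, started in uninstall_sequences(found):
        print(f"uninstall sequence on {host} by {account} starting {started}")
```

Running the block prints two findings for eng-ws-07 (both outside the window and by an unapproved account) and one uninstall sequence; the in-window, approved activity on ws-hmi-01 and the unrelated Spooler stop are silent. The same window-and-account rule is what an allowlisting policy for installers enforces preventively; this script is the detective counterpart for the assets where prevention is not possible.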
Why IT/OT Segmentation Matters
The real danger comes when ransomware in IT systems makes its way into OT networks, the ones running manufacturing lines, utilities, or industrial controls.
Why is this so risky?
- OT systems are often fragile: Many run on outdated operating systems or firmware and weren’t designed with modern cybersecurity in mind. Patching or running antivirus isn’t always possible without disrupting operations.
- The stakes are higher: If an email server goes down, work slows. When the server is restored, work resumes. If a batch server or control workstation goes down, production halts — or worse, safety is compromised. When the server or workstation is restored, production does not necessarily restart. Failed products may need to be cleared, equipment shutdown and startup timers must reset, and other physical-world constraints must be satisfied.
- Flat networks are an open door: Without barriers like an industrial DMZ (iDMZ), ransomware can spread from corporate laptops to fragile OT systems in a matter of minutes.
Segmentation — creating strict boundaries between IT and OT — ensures that even if IT is compromised, OT remains shielded.
Practical Steps to Strengthen Defenses
So, what does good defense look like? A layered approach that recognizes both IT and OT:
- For IT environments:
  - Use strong endpoint protection, but don't rely on it alone.
  - Enforce multi-factor authentication and role-based access.
  - Watch closely for unusual privilege escalations or lateral movement.
- For OT environments, all of the above should be utilized whenever possible. However, since OT applications and endpoints may not support all of these, ensure the following additional layers are in place:
  - Build a strong industrial DMZ to act as a buffer zone between IT and OT. The iDMZ can provide a layer to enforce MFA for the OT network as a whole even if individual OT privileged functions cannot support it.
  - Deploy firewalls and access controls that allow only the absolute minimum communication between networks. This reduces the attack surface for any propagation from IT to OT, and it is especially important because it provides a protective layer for assets that cannot run endpoint protection.
  - For assets that do support endpoint protections, utilize whitelisting to ensure that installers are not run except during planned patching activities. This protects both from malicious installers and from legitimate installers that may be used maliciously or before an approval process is complete.
  - Maintain offline or immutable backups of critical data and configurations.
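The iDMZ and minimum-communication points above are easiest to reason about as a small policy: every allowed cross-zone conversation is listed explicitly, IT and OT each talk only to the iDMZ, and anything else is a violation. The following added example is not from the original post or from any vendor; it encodes such a policy for three constructed zones and audits a set of constructed flow records (for instance, exported from a firewall log) against it, reporting both flows that cross directly between IT and OT and flows that cross a zone boundary but are not on the allowlist. The address ranges, ports and zone names are assumptions for the example, not a recommended address plan.

```python
"""Audit observed flows against an IT / iDMZ / OT segmentation policy.

Added example, not code from the original post. Zones, CIDRs, allowed
services and the sample flows are constructed for illustration.
"""
from ipaddress import ip_address, ip_network

# Constructed zone map (assumed address plan).
ZONES = {
    "IT":   [ip_network("10.10.0.0/16")],
    "iDMZ": [ip_network("10.20.0.0/24")],
    "OT":   [ip_network("192.168.100.0/24")],
}

# Explicit allowlist: (source zone, destination zone, dst port, protocol).
# Everything that crosses a zone boundary and is not listed here is denied.
ALLOW = {
    ("IT", "iDMZ", 443, "tcp"),    # users reach the MFA-enforcing access broker
    ("iDMZ", "OT", 3389, "tcp"),   # broker forwards a brokered session into OT
    ("OT", "iDMZ", 443, "tcp"),    # OT pushes data/patches to an iDMZ relay
}


def zone_of(ip):
    """Map an address to its zone name, or UNKNOWN if it is in no zone."""
    addr = ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in net for net in nets):
            return name
    return "UNKNOWN"


def classify(flow, allow=ALLOW):
    """Classify one (src, dst, port, proto) flow against the policy."""
    src, dst, port, proto = flow
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone == dst_zone:
        return "intra-zone"
    if (src_zone, dst_zone, port, proto) in allow:
        return "allowed"
    if {src_zone, dst_zone} == {"IT", "OT"}:
        # The one thing the iDMZ exists to prevent: IT and OT touching directly.
        return "VIOLATION: direct IT<->OT"
    return "VIOLATION: not in allowlist"


def audit(flows, allow=ALLOW):
    """Return {flow: verdict} for every observed flow."""
    return {flow: classify(flow, allow) for flow in flows}


def violations(flows, allow=ALLOW):
    """Only the flows that the policy would deny."""
    return [f for f, verdict in audit(flows, allow).items()
            if verdict.startswith("VIOLATION")]


# Constructed sample flows (src, dst, dst port, proto), not captured traffic.
SAMPLE_FLOWS = [
    ("10.10.5.23", "10.20.0.10", 443, "tcp"),          # IT user -> broker
    ("10.20.0.10", "192.168.100.15", 3389, "tcp"),     # broker -> OT workstation
    ("10.10.5.23", "192.168.100.15", 445, "tcp"),      # IT laptop -> OT over SMB
    ("10.10.5.23", "192.168.100.15", 3389, "tcp"),     # IT laptop -> OT, bypassing broker
    ("192.168.100.15", "10.20.0.10", 8080, "tcp"),     # OT -> iDMZ on an unlisted port
    ("192.168.100.15", "192.168.100.20", 502, "tcp"),  # OT-internal Modbus/TCP
]


if __name__ == "__main__":
    for flow, verdict in audit(SAMPLE_FLOWS).items():
        print(f"{flow[0]:>16} -> {flow[1]:<16} {flow[3]}/{flow[2]:<5} {verdict}")
```

The third and fourth sample flows are the Babuk scenario in miniature: a compromised office machine reaching an OT workstation directly, even on the same remote-desktop port the broker legitimately uses. The policy catches them because the allowlist is keyed on the source zone, not just the port. The fifth flow shows the other half of the rule: a boundary crossing that is not explicitly listed is a finding even when it does not involve IT at all.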
Final Thoughts
Users of Babuk ransomware showed the industry a hard truth: even the best endpoint protection can be bypassed. The real safeguard lies in segmentation and layered defense.
For engineers and security teams, the key takeaway is this: focus not just on stopping ransomware at the front door, but also on containing it if it gets inside. By putting a strong wall between IT and OT, organizations can prevent cyberattacks in the office from turning into a shutdown on the factory floor.