T0828: Loss of Productivity and Revenue
Adversaries may cause loss of productivity and revenue through disruption and even damage to the availability and integrity of control system operations, devices, and related processes. This technique may manifest as a direct effect of an ICS-targeting attack or tangentially, due to an IT-targeting attack against non-segregated environments.
In cases where these operations or services are brought to a halt, the loss of productivity may eventually present an impact for the end-users or consumers of products and services. The disrupted supply-chain may result in supply shortages and increased prices, among other consequences.
A ransomware attack on an Australian beverage company resulted in the shutdown of some manufacturing sites, including precautionary halts to protect key systems. [1] The company announced the potential for temporary shortages of their products following the attack. [1] [2]
In the 2021 Colonial Pipeline ransomware incident, the pipeline was unable to transport approximately 2.5 million barrels of fuel per day to the East Coast. [3]
Analyst context for executives and security teams
Loss of Productivity and Revenue is an ICS impact technique describing when cyber activity disrupts control system operations enough to halt or degrade production, transport, or service delivery. For leaders, the key issue is not only malware presence but whether IT/OT disruption can stop revenue-generating operations, create shortages, or force precautionary shutdowns.
Executive priority
Treat this as a business-continuity and resilience question: which operational processes would lose revenue if control, visibility, or availability were interrupted, and how quickly could they be restored? MITRE’s examples and relationships connect this impact to ransomware, destructive malware, worms, and ICS-focused campaigns, so executives should prioritize recovery evidence, incident decision authority, and tested backup/restore capability for critical systems.
Technical view
ATT&CK places T0828 under the Impact tactic but provides no platform scoping or official detection text for it, so SOC and IR teams should validate impact-oriented monitoring rather than rely on a single technical indicator. Use the DET0757 relationship as the detection-strategy anchor, then correlate cyber events with operational symptoms: loss of system availability, process disruption, halted sites, unavailable HMI/SCADA functions, affected servers and end-user systems, and business records showing production or transport interruption. The relationship set includes several Windows-associated ransomware and disruptive malware entries, but the technique itself is not platform-scoped.
Likely telemetry
- Operational availability and production/throughput records
- Control system, HMI, SCADA, engineering workstation, and critical server health/status logs where available
- ICS alarm, historian, and process-integrity data relevant to service interruption
- Endpoint and server security logs from IT and OT-adjacent systems
- Backup job status, restore test results, and gold-image/configuration inventories
Detection direction
- Validate that DET0757-style detection can connect cyber activity to operational impact, not just alert on malware or endpoint events.
- Tune correlation between IT incidents and OT consequences, especially where environments are not segregated, as MITRE notes IT-targeting attacks may tangentially affect ICS operations.
- Distinguish adversary-driven disruption from maintenance, safety shutdowns, precautionary halts, and business-directed production stops.
- Confirm monitoring covers both technical outage evidence and business impact evidence such as halted manufacturing, transport interruption, or service unavailability.
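The correlation the list above describes, carried through as an added example (this is not ATT&CK or Glexia code). It takes three constructed inputs that a team would normally pull from its own sources: endpoint security alerts from IT and OT-adjacent hosts, hourly historian throughput for one production line, and a maintenance calendar. It finds runs of abnormally low throughput and attributes each one to a planned stop, to security alerts within a few hours on the same line or in the IT zone, or to nothing at all. The hostnames, line name, timestamps and the six-hour correlation window are assumptions chosen for the sample data.

```python
"""Correlate security alerts with unplanned loss of production throughput.

Added example, not ATT&CK or Glexia code. All timestamps, hosts, line names
and throughput values below are constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from statistics import median
from typing import Optional


@dataclass
class Alert:
    ts: datetime
    host: str
    zone: str                 # "IT" or "OT"
    line: Optional[str]       # production line the host supports, if known
    event: str


@dataclass
class Finding:
    line: str
    start: datetime
    end: datetime
    classification: str       # "planned", "cyber_correlated" or "unexplained"
    evidence: list = field(default_factory=list)


def ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed security alerts from IT and OT-adjacent endpoints.
ALERTS = [
    Alert(ts("2024-03-10T02:15:00"), "FILESRV01", "IT", None, "ransomware_encryption_activity"),
    Alert(ts("2024-03-10T02:40:00"), "HMI-LINE2", "OT", "LINE2", "ransomware_encryption_activity"),
    Alert(ts("2024-03-12T09:00:00"), "WS-ENG03", "OT", "LINE2", "av_quarantine_pua"),
]

# Constructed maintenance calendar: (line, start, end, reason).
MAINTENANCE = [
    ("LINE2", ts("2024-03-11T06:00:00"), ts("2024-03-11T10:00:00"), "planned preventive maintenance"),
]

# Constructed hourly historian throughput (units/hour) for one line over 72 hours,
# with three halts overlaid: one during the ransomware alerts, one inside the
# maintenance window, and one short stop with no security alert nearby.
_T0 = ts("2024-03-10T00:00:00")
THROUGHPUT = {"LINE2": [(_T0 + timedelta(hours=h), 1000) for h in range(72)]}


def _halt(line: str, t0: datetime, t1: datetime) -> None:
    THROUGHPUT[line] = [(t, 0 if t0 <= t < t1 else v) for t, v in THROUGHPUT[line]]


_halt("LINE2", ts("2024-03-10T03:00:00"), ts("2024-03-10T14:00:00"))
_halt("LINE2", ts("2024-03-11T06:00:00"), ts("2024-03-11T10:00:00"))
_halt("LINE2", ts("2024-03-12T20:00:00"), ts("2024-03-12T22:00:00"))


def find_drops(samples, ratio: float = 0.5):
    """Yield (start, end) for runs of samples below ratio * median normal throughput."""
    base = median(v for _, v in samples if v > 0)
    limit = ratio * base
    run_start = None
    for t, v in samples:
        if v < limit and run_start is None:
            run_start = t
        elif v >= limit and run_start is not None:
            yield run_start, t
            run_start = None
    if run_start is not None:
        yield run_start, samples[-1][0] + timedelta(hours=1)


def classify(line, start, end, alerts, maintenance, window=timedelta(hours=6)) -> Finding:
    """Attribute a throughput drop to maintenance, nearby cyber activity, or neither."""
    for m_line, m0, m1, reason in maintenance:
        if m_line == line and start < m1 and end > m0:
            return Finding(line, start, end, "planned", [reason])
    # IT-zone alerts count as evidence too: an IT incident in a non-segregated
    # environment can halt OT operations without any OT-side alert.
    evidence = [a for a in alerts
                if start - window <= a.ts <= end and (a.line == line or a.zone == "IT")]
    if evidence:
        return Finding(line, start, end, "cyber_correlated",
                       [f"{a.ts.isoformat()} {a.host} {a.event}" for a in evidence])
    return Finding(line, start, end, "unexplained")


def analyze(throughput=THROUGHPUT, alerts=ALERTS, maintenance=MAINTENANCE):
    """Return one Finding per detected throughput drop, in time order per line."""
    findings = []
    for line, samples in throughput.items():
        for start, end in find_drops(samples):
            findings.append(classify(line, start, end, alerts, maintenance))
    return findings


if __name__ == "__main__":
    for f in analyze():
        hours = (f.end - f.start).total_seconds() / 3600
        print(f"{f.line} {f.start:%m-%d %H:%M}-{f.end:%H:%M} ({hours:.0f}h) {f.classification}: {f.evidence}")
```

On the sample data this yields three findings: an eleven-hour halt attributed to the two ransomware alerts, a four-hour planned stop, and a two-hour stop marked unexplained because the only nearby alert falls outside the window. The "unexplained" bucket is the one worth routing to a human, since it is exactly where a precautionary or business-directed halt and a missed intrusion look the same in the historian.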
Mitigation priorities
- Prioritize M0953 Data Backup: maintain hardened backups for end-user systems and critical servers, separate backup/storage systems from the corporate network, and protect gold-copy images and configurations for key systems.
- Exercise incident response and restoration plans so recovery time assumptions are evidence-based rather than theoretical.
- Review IT/OT dependency and segregation assumptions, because non-segregated environments can allow IT-targeting incidents to create ICS operational impact.
- Use tabletop and recovery testing to define who can authorize precautionary halts, restoration sequencing, and business communications during revenue-impacting disruption.
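A check that turns the backup and restoration items above into recovery evidence, as an added example rather than anything from ATT&CK or Glexia. It verifies the contents of an isolated backup store against a gold-copy manifest of SHA-256 hashes recorded at build time, then compares each critical system's last backup age, last restore drill and measured restore time against its RPO and RTO. The system names, artifact names, file contents, dates and targets are constructed; the RPO/RTO values are assumptions, not recommendations.

```python
"""Recovery-evidence check for revenue-critical systems.

Added example, not ATT&CK or Glexia code. Gold-copy contents, backup store
contents, dates and RPO/RTO targets are constructed sample data.
"""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed gold-copy contents as captured when the images/configs were built.
GOLD_IMAGES = {
    "hmi-line2.img": b"HMI-LINE2 image build 2024-02-01",
    "plc-line2.cfg": b"PLC project LINE2 rev 17",
    "historian.db.bak": b"historian snapshot 2024-03-09",
}
# Manifest of known-good hashes, kept with the gold copies off the corporate network.
GOLD_MANIFEST = {name: sha256(data) for name, data in GOLD_IMAGES.items()}

# Constructed contents of the isolated backup store; the PLC config has been altered.
BACKUP_STORE = dict(GOLD_IMAGES)
BACKUP_STORE["plc-line2.cfg"] = b"PLC project LINE2 rev 17 (modified)"

NOW = datetime.fromisoformat("2024-03-12T12:00:00")


@dataclass
class RecoveryRecord:
    system: str
    artifact: str                   # gold-copy artifact this system restores from
    last_backup: datetime
    last_restore_test: Optional[datetime]
    restore_minutes: Optional[int]  # measured in the last restore drill
    rpo_hours: int
    rto_minutes: int


# Constructed backup job and restore drill records.
RECORDS = [
    RecoveryRecord("HMI-LINE2", "hmi-line2.img", NOW - timedelta(hours=2),
                   NOW - timedelta(days=30), 45, rpo_hours=24, rto_minutes=120),
    RecoveryRecord("PLC-LINE2", "plc-line2.cfg", NOW - timedelta(hours=20),
                   NOW - timedelta(days=400), 30, rpo_hours=24, rto_minutes=60),
    RecoveryRecord("HISTORIAN", "historian.db.bak", NOW - timedelta(days=3),
                   NOW - timedelta(days=10), 300, rpo_hours=24, rto_minutes=240),
]


def verify_manifest(store: Dict[str, bytes], manifest: Dict[str, str]) -> Dict[str, bool]:
    """True per artifact only if it is present in the store and hashes to the gold value."""
    return {name: name in store and sha256(store[name]) == digest
            for name, digest in manifest.items()}


def assess(records: List[RecoveryRecord], store=BACKUP_STORE, manifest=GOLD_MANIFEST,
           now: datetime = NOW, max_test_age_days: int = 180) -> Dict[str, List[str]]:
    """Return, per system, the list of recovery gaps; an empty list means evidence is in place."""
    intact = verify_manifest(store, manifest)
    report: Dict[str, List[str]] = {}
    for r in records:
        gaps: List[str] = []
        if not intact.get(r.artifact, False):
            gaps.append(f"gold copy {r.artifact} missing or hash mismatch")
        if now - r.last_backup > timedelta(hours=r.rpo_hours):
            gaps.append(f"last backup {r.last_backup:%Y-%m-%d %H:%M} older than RPO {r.rpo_hours}h")
        if r.last_restore_test is None or now - r.last_restore_test > timedelta(days=max_test_age_days):
            gaps.append(f"no restore test within {max_test_age_days} days")
        elif r.restore_minutes is not None and r.restore_minutes > r.rto_minutes:
            gaps.append(f"measured restore {r.restore_minutes} min exceeds RTO {r.rto_minutes} min")
        report[r.system] = gaps
    return report


if __name__ == "__main__":
    for system, gaps in assess(RECORDS).items():
        print(system, "OK" if not gaps else "; ".join(gaps))
```

The point of hashing the backup store against a separately held manifest is that a ransomware or wiper incident in a non-segregated environment can reach the backups themselves; a backup that exists but no longer matches the gold copy is not recovery evidence. The RTO comparison uses the time measured in the last drill, which is what makes the recovery assumption evidence-based rather than theoretical.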
Analyst notes and limits
This object is best used as an impact and resilience lens. It helps translate technical incidents into business consequences: halted operations, disrupted supply chains, shortages, and revenue loss. The relationship set links the technique to notable ICS campaigns and disruptive malware families, supporting prioritization of backup, restoration, and cross-functional IR readiness.
Official ATT&CK detection text and platform scoping are not provided for T0828; its tactic is Impact. Local architecture, operational dependencies, production data, and logging coverage are required to assess exposure or detection maturity. The related software entries include Windows platforms, but the technique itself is not limited to Windows.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Groups, software, and campaigns
S0446: Ryuk
S0372: LockerGoga
LockerGoga is ransomware that was first reported in January 2019, and has been tied to various attacks on European companies, including industrial and manufacturing firms.[1][2]
S0608: Conficker
S0368: NotPetya
NotPetya is malware that was used by Sandworm Team in a worldwide attack starting on June 27, 2017. While NotPetya appears as a form of ransomware, its main purpose was to destroy data and disk structures on compromised systems; the attackers never intended to make the encrypted data recoverable. As such, NotPetya may be more appropriately thought of as a form of wiper malware. NotPetya contains worm-like features to spread itself across a computer network using the SMBv1 exploits EternalBlue and EternalRomance.[1][2][3][4]
S0605: EKANS
EKANS is a ransomware variant written in Golang that first appeared in mid-December 2019 and has been used against multiple sectors, including energy, healthcare, and automotive manufacturing, which in some cases resulted in significant operational disruptions. EKANS has used a hard-coded kill-list of processes, including some associated with common ICS software platforms (e.g., GE Proficy, Honeywell HMIWeb), similar to those defined in MegaCortex.[1][2]
S0496: REvil
REvil is a ransomware family that has been linked to the GOLD SOUTHFIELD group and operated as ransomware-as-a-service (RaaS) since at least April 2019. REvil, which has been used against organizations in the manufacturing, transportation, and electric sectors, is highly configurable and shares code similarities with the GandCrab RaaS.[1][2][3]
S0606: Bad Rabbit
Bad Rabbit is a self-propagating ransomware that affected the Ukrainian transportation sector in 2017. Bad Rabbit has also targeted organizations and consumers in Russia. [1][2][3]
C0028: 2015 Ukraine Electric Power Attack
2015 Ukraine Electric Power Attack was a Sandworm Team campaign during which they used BlackEnergy (specifically BlackEnergy3) and KillDisk to target and disrupt transmission and distribution substations within the Ukrainian power grid. This campaign was the first major public attack conducted against the Ukrainian power grid by Sandworm Team.
C0030: Triton Safety Instrumented System Attack
Triton Safety Instrumented System Attack was a campaign employed by TEMP.Veles which leveraged the Triton malware framework against a petrochemical organization.[1] The malware and techniques used within this campaign targeted specific Triconex Safety Controllers within the environment.[2] The incident was eventually discovered due to a safety trip that occurred as a result of an issue in the malware.[3]
C0031: Unitronics Defacement Campaign
The Unitronics Defacement Campaign was a collection of intrusions across multiple sectors by the CyberAv3ngers, in which threat actors engaged in seemingly opportunistic, global targeting and defacement of Unitronics Vision Series Programmable Logic Controllers (PLCs) with built-in Human-Machine Interfaces (HMIs). These PLCs are commonly found in water and wastewater, energy, food and beverage manufacturing, and healthcare. The most notable feature of this attack was the defacement of the PLCs' HMIs.[1][2]
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table can be used to compare the same object across releases (object hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 21a2136eb4be… |
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Paganini, Pierluigi. (2020, June 14). Ransomware attack disrupts operations at Australian beverage company Lion. Retrieved 2021/10/08.
[2] Lion Corporation. (2020, June 26). Lion Cyber incident update: 26 June 2020. Retrieved 2021/10/08.
[3] Colonial Pipeline Company. (2021, May). Media Statement Update: Colonial Pipeline System Disruption. Retrieved 2021/10/08.
[4] MITRE ATT&CK. T0828: Loss of Productivity and Revenue.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.