Industrial Control System (ICS) is widely used in critical infrastructure projects related to the national economy and people's livelihood such as power generation, transmission and distribution, petrochemical industry, water treatment and transmission. Large-scale attack on ICS is a huge threat to critical infrastructure. At present, the proposed ransomware worm for ICS is limited by the isolation characteristics of industrial control network, and it is difficult to spread on a large scale. Based on the observed actual development scene of ICS, in order to solve the problem of high isolation for ICS, a novel ransomware worm threat model with a new attack path was proposed. Firstly, the engineer station was taken as the primary infection target. Then, the engineer station was used as the springboard to attack the industrial control devices in the internal network. Finally, the worm infection and ransom were realized. Based on the proposed threat model, ICSGhost, which was a ransomware worm prototype, was implemented. In the closed experimental environment, ICSGhost can realize worm infection for ICS with a predetermined attack path. At the same time, for the ransomware worm threat, the defense plan was discussed. The experimental results show that such threat exists, and because its propagation path is based on the actual development scene of ICS, it is difficult to detect and guard against.