Dragos reports resurgence of ransomware attacks on industrial sectors, raising likelihood of targeting OT networks
Industrial cybersecurity firm Dragos disclosed that ransomware attacks significantly rose in the second quarter, as hacker groups recalibrated adversarial strategies. These groups demonstrated significant adaptability by rebranding and adopting new tactics, suggesting they will continue refining their operations using sophisticated methods like zero-day vulnerabilities to enhance their attacks. Data also revealed that the quarter saw a significant rise in the frequency and severity of attacks, reflecting the evolving threat landscape and the persistent risk posed by ransomware groups.
“As we move forward, Dragos assesses with moderate confidence that the ransomware threat landscape will continue to evolve, characterized by the introduction of new ransomware variants and increasing coordinated campaigns targeting industrial sectors,” Abdulrahman H. Alamri, senior adversary hunter at Dragos, wrote in a Wednesday blog post. “Despite significant law enforcement actions, the observed resilience and adaptability of ransomware groups indicate a likely continuation of this trend.”
Alamri observed that despite declining incidents and the relatively low impact of ransomware attacks in the first quarter, the second quarter has shown a significant resurgence. “This recovery is particularly notable given major ransomware groups’ initial setbacks due to law enforcement operations in the first quarter,” he added.
The post mentioned that while these initial disruptions had temporarily curtailed the activities of several leading ransomware groups, the number of ransomware attacks almost doubled in the second quarter compared to the first quarter. “For instance, ALPHV (also known as BlackCat) was targeted by a U.S.-led law enforcement operation in December 2023, eventually leading to the group’s closure in March 2024. Following this, law enforcement actions against LockBit 3.0 in February 2024 led to a notable reduction in their operations.”
Dmitry Khoroshev, a key figure in the LockBit Ransomware Group, was placed on a wanted list with a reward for information leading to his capture. Despite these significant actions, these groups quickly adapted and recalibrated their strategies, substantially increasing incidents. This surge in activity brought ransomware operations to the next level, causing significant operational disruptions to industrial organizations.
Alamri noted that the rebranding of Royal ransomware to BlackSuit reflects a strategic adaptation of the ransomware group, showcasing enhanced capabilities such as more sophisticated encryption and improved lateral movement tactics. Similarly, Knight ransomware transformed into RansomHub. The resilience and adaptability of ransomware groups highlight their persistent threat to industrial sectors.
The quarter has also seen a notable shift in the Ransomware-as-a-Service (RaaS) landscape, with groups like BlackSuit and RansomHub emerging with updated tactics and techniques. These updates include more sophisticated encryption algorithms, improved lateral movement methods within networks, and more effective evasion of detection mechanisms.
Alamri also observed that the industrial sector remains a prime target for these groups due to the critical nature of its operations and the potentially high impact of disruptions. Ransomware’s impact on industrial organizations has increased, with ransomware groups focusing on high-impact operators to maximize profits. The risk posed by ransomware is further exacerbated as government-affiliated groups adopt ransomware tactics, and hacktivists increasingly utilize and even build their ransomware tools.
He noted that, for instance, the Ikaruz Red Team has been reported to be targeting critical infrastructure in the Philippines using ransomware, illustrating the convergence of ideological and financial motivations in the cyber threat landscape. This growing trend demonstrates the evolving and escalating nature of the ransomware threat, which spans beyond traditional cybercriminal enterprises to include politically and ideologically driven actors.
Dragos continues to analyze ransomware variants used against industrial organizations worldwide, tracking ransomware information via public reports and data uploaded or appearing on dark websites. These sources report victims that were listed as targets and those that pay or otherwise ‘cooperate’ with the criminals, and they do not necessarily match one-to-one with all incidents that took place in this last quarter.
The Dragos post further revealed that the second quarter saw a notable increase in ransomware incidents and introduced new strategies employed by ransomware groups, compared to earlier quarters. “Specifically, while we saw a decline in the first quarter of this year in both the number of incidents and the impact of ransomware attacks, there was a marked increase in the second quarter. The total number of ransomware incidents almost doubled from the first quarter to the second quarter,” it added.
Among the 86 ransomware groups known for targeting industrial organizations, 29 remained active in the second quarter compared to 22 ransomware groups in the first quarter of 2024. However, the second quarter saw a resurgence with several rebranded groups and new entrants in the ransomware landscape. Groups such as BlackSuit (formerly Royal ransomware) and RansomHub (previously Knight ransomware) have shown notable activity, leveraging sophisticated tactics and techniques to enhance their operations.
Alamri observed that in addition to the resurgence, the overall impact of these ransomware attacks against industrial organizations remains a significant concern.
While Dragos did not identify any ransomware attacks targeting industrial control systems (ICS) or operational technology (OT) processes, ransomware groups have disrupted the IT systems of industrial organizations. Disruptions to OT networks have occurred, primarily due to the interdependencies between OT and IT systems. The rise in ransomware incidents during the second quarter of this year underscores the evolving threat landscape and the persistent risk posed by these groups.
In the second quarter of 2024, ransomware incidents exhibited a marked increase, impacting various regions differently. In North America, Dragos recorded 187 ransomware incidents (approximately 60 percent of the observed 312 global ransomware attacks) that impacted industrial organizations and infrastructure, with a significant portion of these incidents occurring in the U.S.
Europe accounted for approximately 26 percent of global ransomware incidents (82 in total); Asia experienced 10 percent of global ransomware incidents, with 29 incidents reported; two percent of global ransomware incidents (6 in total) impacted South America; and the three regions of the Middle East, Australia, and Africa each saw approximately one percent of the global ransomware incidents, with eight incidents reported collectively across these regions.
Dragos data identified that the manufacturing sector was the most affected, with 210 observed incidents, accounting for approximately 67 percent of all ransomware incidents. Within manufacturing, Dragos observed 23 unique subsectors impacted by ransomware during the second quarter of 2024, in addition to the other primary industries and sectors covered in the report.
Developers and manufacturers of ICS equipment and software experienced 47 incidents, making up 15 percent of total incidents. The transportation sector was impacted 23 times, representing seven percent of all observed incidents; government entities faced 8 ransomware incidents, which is three percent of the total; and the oil and natural gas (ONG) sector had seven incidents, equating to two percent of the overall incidents.
Additionally, the communications sector was affected by five ransomware incidents, making up two percent of the total; and the mining, electric, renewables, and water sectors experienced three incidents each, together accounting for approximately four percent of the total incidents.
Looking forward, Alamri wrote that “Dragos assesses with moderate confidence that the ransomware threat landscape will continue to evolve, characterized by the introduction of new ransomware variants and increasing coordinated campaigns targeting industrial sectors. Despite significant law enforcement actions, the observed resilience and adaptability of ransomware groups indicate a likely continuation of this trend.”
He added that while Dragos did not identify any ransomware attacks directly targeting ICS/OT processes, the interconnected nature of IT and OT environments means that disruptions to IT systems can have significant downstream effects on OT operations. This interdependency suggests that ransomware groups may increasingly target OT networks to amplify the impact of their attacks, potentially compromising the safety and operational integrity of industrial organizations.