Ransomware activity in industrial environments almost doubles, with over 70% focused on manufacturing sector

Ransomware attacks on industrial infrastructure organizations nearly doubled in 2022, with over 70 percent of all ransomware activity focused on manufacturing, industrial cybersecurity company Dragos disclosed in data released on Tuesday. Hackers also continue to broadly target many manufacturing sectors and subsectors. As ransomware activity increases, it results in more risk for OT (operational technology) networks, particularly networks with poor segmentation.

Dragos monitors and analyzes the activities of 57 different ransomware groups that target industrial organizations and infrastructures. Through publicly disclosed incidents, network telemetry, and dark web resources, Dragos observed that out of these 57 groups, only 39 were active in 2022, a 30 percent increase year over year, the company highlighted in its latest report, titled ‘ICS/OT Cybersecurity Year In Review 2022’. Dragos tracked 605 ransomware attacks against industrial organizations in 2022, an increase of 87 percent over the previous year. There were multiple reasons for the increase in ransomware activity impacting industrial organizations, including political tensions, the introduction of Lockbit Builder, and the continued growth of ransomware-as-a-service (RaaS).

The Hanover, Maryland-based company also observed ransomware trends tied to political and economic events, such as the conflict between Russia and Ukraine and Iranian and Albanian political tensions. Russia’s invasion of Ukraine on Feb. 24, 2022, increased the likelihood of impactful cyber activity against the industrial infrastructure of both combatants. Other indications of political partisanship (which may have impacted industrial organizations) include Conti’s declared alignment with the Russian Federation before it disbanded last May. RaaS continued to grow as an attack vector in 2022 with an even greater impact on ICS (industrial control systems) and OT. 

Ransomware activity disrupted the operations of multiple organizations, suppliers, and subsidiaries in 2022. There has been a surge of ransomware-related initial access campaigns, demonstrating that specific ransomware groups were more active in 2022 than in 2021. For example, remote desktop protocol (RDP) enables adversaries’ initial access and is used in typical Lockbit ransomware-as-a-service attacks.

Globally, 40 percent of the ransomware attacks targeted industrial organizations and infrastructures in North America, for a total of 247 incidents; Europe is second with 32 percent or 194 incidents; Asia with 18 percent or 109 incidents; South America with 5 percent; Middle East with 3 percent; Australia and Africa each had 1 percent. North America remains one of the most highly targeted regions by ransomware.

Analysis of ransomware data shows that Lockbit 2.0 and Lockbit 3.0 accounted for 28 percent of the total ransomware attacks in 2022; Conti for 10 percent; Black Basta for 9 percent; AlphaV for 7 percent; and Hive and Karakurt for 5 percent of ransomware activity each. Ransomware activity against manufacturing entities often impacts other sectors that depend on manufacturers in their operations or supply chain, such as aerospace, food and beverage, and automotive organizations.

Dragos identified multiple potential victims of Conti ransomware in the automotive manufacturing sector. In 2022, Dragos analyzed multiple variants of Lockbit ransomware affecting many industries, including electric, manufacturing, construction, transportation, technology, consumer services, retail, and logistics, with many of the intrusions enabled by remote desktop software. Dragos discovered multiple ransomware variants and affiliates impacting food and beverage entities, with the ransomware executing ICS Cyber Kill Chain Stage 1 (Install/Modify, Act) attacks. However, Dragos assesses with moderate confidence that the ransomware groups are not explicitly targeting this sector but are going after low-hanging fruit.

“Vulnerabilities saw an increase of 27 percent in 2022. This was a material increase, but a slowdown in the growth rate. Improvements in the rate of mistakes and risk ratings were a very positive signal,” according to the Dragos report. “The standard information technology (IT) approach to vulnerability mitigation is a patch. To patch in the OT world often requires system and plant shut-downs. ICS/OT relies on alternative mitigation to both reduce risk and maintain production. The 77 percent of vulnerabilities that lack that mitigation makes maintaining operations very challenging.”

The year witnessed the demise of Conti and the introduction of a new version of Lockbit, Lockbit 3.0. Black Basta and several other ransomware groups targeting ICS and OT also emerged during the year.

“While Conti led in ransomware activity through most of the first two quarters, it shut down its operations in mid-May 2022, two weeks after the U.S. State Department announced a reward for any information about Conti leadership and its affiliates,” Dragos reported. “Conti accounted for 9.6 percent of ransomware incidents targeting industrial organizations and infrastructures in 2022. A significant new ransomware group called Black Basta was responsible for 9 percent of ransomware incidents, including some of the most major ransomware incidents, such as the May 2022 incident that halted AGCO’s operations for weeks.”

It added that several new ransomware groups formed in Q3, including SPARTA BLOG, BIANLIAN, Donuts, ONYX, and YANLUOWANG. To date, Dragos cannot confirm whether these groups have reformed from other dissolved ransomware groups such as Conti. 

“The Lockbit ransomware group accounted for the largest number of ransomware incidents that targeted industrial organizations and infrastructures in the last year, at 28 percent,” Dragos said. Alongside Lockbit 2.0, the group offers an exfiltration tool, Stealbit, which it uses to steal data before executing the Lockbit 2.0 ransomware. The adversaries added Lockbit Builder capabilities to their new Lockbit 3.0 strain. Anti-detection mechanisms, anti-debugging, and the ability to disable Windows Defender software are among the features that make Lockbit 3.0 one of the fastest-growing ransomware strains, it added.

In the third quarter, an unknown adversary claimed to have hacked Lockbit servers and leaked the Lockbit 3.0 builder, giving anyone access to the group’s ransomware creation feature.

Dragos assesses with moderate confidence that Lockbit 3.0 will continue to target industrial organizations and will pose a threat to industrial operations into 2023, whether through the Lockbit gang itself, or others creating their own version of Lockbit ransomware. Lockbit led with the most ransomware activity of all ransomware groups last year.

Last January, Dragos analyzed multiple variants of Lockbit RaaS, impacting many industries, including electric, manufacturing, construction, wholesale, finance, professional services, legal, transportation, technology, consumer services, retail, and logistics. “Remote desktop protocols could enable initial access in a typical Lockbit attack. Exfiltration tool, Stealbit, steals data before executing the Lockbit ransomware. A Lockbit attack could disable Microsoft Windows assets, potentially impacting remote access to OT networks through lateral movement across networks,” the report said.

The Conti-related ransomware attack in February last year targeted Kojima, a supplier of plastic parts and electronic components to Toyota. The incident suspended Toyota plant operations for several days. Concurrently, Dragos observed internet telemetry showing a Conti-controlled Emotet Tier 2 command-and-control (C2) node communicating with the networks of several other global automakers.

Dragos observed numerous automotive organizations across North America and Japan frequently communicating with the Emotet C2 servers. Emotet is a malware strain and cybercrime operation that has precipitated ransomware events. Around the same time, a ransomware variant called ‘HermeticRansom’ was discovered with destructive capabilities targeting multiple Ukrainian entities. Dragos assesses with moderate confidence that adversaries will use HermeticRansom to target other entities.

Foxconn confirmed that a late-May 2022 ransomware attack impacted operations at one of the company’s manufacturing locations in Tijuana, Mexico. Foxconn is a Taiwanese multinational electronics contract manufacturer headquartered in Tucheng, New Taipei City, Taiwan. The RaaS group Lockbit 2.0 claimed responsibility for the attack. 

In mid-August 2022, the UK water company SSW disclosed that it had been the victim of a ‘criminal cyber-attack’ that disrupted its IT network but did not impact its ability to supply clean water to the public. Cl0p claimed responsibility for this ICS Cyber Kill Chain Stage attack, asserting that it could manipulate process chemicals. This may have been an attempt to exaggerate the attack, cause reputational damage, and pressure the company into paying.

In August, DESFA, a Greek natural gas company, released an official statement that a cyber attack had impacted the availability of certain systems, with the possible leakage of several files and data, after the ransomware group Ragnar Locker posted information to its dark web resources. DESFA also stated that its natural gas system operations were not impacted. However, Dragos analyzed network telemetry, examined the allegedly stolen information, and found documents and manuals related to SCADA and PLCs among the data taken in this ICS Cyber Kill Chain Stage 1 breach.

In September, Modular Mining, a large-scale mining technology solutions provider, was possibly impacted by BianLian ransomware. Consequently, the victim shut down its impacted servers to contain the incident. This compromise could facilitate a supply chain attack and enable an adversary to leverage existing third-party connections into customer environments. Because customer data is on the list of impacted data, the unauthorized acquisition of this data by a third party could facilitate Stage 1 of the ICS Cyber Kill Chain through the disclosure of this sensitive technical customer data.

Last December, Dragos discovered Trickbot infrastructure and subsequently identified three victims – two mining and metals companies and one food and beverage company – communicating with this threat group infrastructure. Two of these three companies have publicly noted that some aspects of their OT operations were impacted in October and November 2022. Dragos assesses with moderate confidence that cybercrime groups will use Trickbot and similar bots to drop ransomware and impact the operations of mining and metals companies.

On Dec. 27, 2022, CMMC reported that adversaries had targeted its corporate offices with a ransomware attack on its enterprise IT systems. The attack forced CMMC to shut down the mill at its open pit mine near Princeton, British Columbia, Canada, as a precaution. Dragos has not identified the ransomware group claiming responsibility for the attack but continues to monitor for additional information.

The SANS Institute identified five critical controls for ICS/OT cybersecurity. These include an ICS incident response plan, defensible architecture, visibility and monitoring, secure remote access, and risk-based vulnerability management. 

Dragos also detected an escalation in adversarial capabilities as the Pipedream toolkit widens the attack capabilities available to threat groups. It noted that 2022 saw a breakthrough in capabilities with a new modular ICS malware, Pipedream, developed by the Chernovite threat group. Pipedream is the first ‘cross-industry disruptive/destructive’ ICS/OT malware toolkit, capable of impacting tens of thousands of industrial devices that control critical infrastructure – devices that manage the electrical grid, oil and gas pipelines, water systems, and manufacturing plants.
