Ransomware groups will continue to disrupt industrial operations, as ‘outright ban’ on payment plays a role

Industrial cybersecurity vendor Dragos assessed with high confidence that ransomware groups will continue to disrupt industrial operations, whether through the integration of operational technology (OT) kill processes into ransomware strains, flattened networks allowing ransomware to spread into OT environments, or precautionary shutdowns of OT environments by operators to prevent ransomware from spreading to OT systems.

“Due to the changes in ransomware groups and the leaking of the Lockbit 3.0 builder, Dragos assesses with moderate confidence that new ransomware groups will appear as either new or reformed ones in the next quarter,” Abdulrahman H. Alamri, senior adversary hunter at Dragos, wrote in a blog post released Monday. “As some governments are considering an outright ban on ransomware payment, Dragos assesses with moderate confidence that the ransomware groups’ activities will decrease in the countries where the payment is banned and increase in other countries where they can achieve their financial objectives,” he added.

Dragos data showed that Alphav and Vice Society, Cuba and Karakurt, and LockBit3 and Everest claimed the same victims in the third quarter of last year. Lockbit 3.0 accounted for 21 percent of the 189 total ransomware incidents that impacted industrial organizations and infrastructure in the last quarter, down from an annual high of 31 percent the previous quarter, when the group introduced its Lockbit 3.0 builder and other new capabilities.

The Hanover, Maryland-headquartered company said that during the fourth quarter of last year, ransomware continued to pose substantial financial and operational risk to industrial organizations worldwide. Dragos actively monitors and analyzes the activities of 57 different ransomware groups that have impacted industrial organizations and infrastructure. 

Globally, 52 percent of the 189 ransomware attacks impacted industrial organizations and infrastructure in North America, for a total of 98 incidents, more than doubling the number of attacks in the region last quarter, Dragos disclosed. Within North America, the U.S. received 44 percent of all ransomware attacks, followed by Canada with 8 percent of ransomware attacks.

Dragos metrics identified that Europe comes in second with 21 percent and 40 incidents, with Asia next with 20 percent or 37 incidents. South America had 5 percent, totaling nine incidents, the Middle East registered two percent or three incidents, Australia had one percent or two incidents, and Africa had no incidents.

Alamri said that Dragos observed through publicly disclosed incidents, network telemetry, and dark web postings that out of these 57 groups, only 24 were active during the quarter. “During this time, Dragos became aware of 189 ransomware incidents, a 30 percent increase from the 128 incidents in the previous quarter,” he added.

Dragos’ ransomware data shows that 76 percent of ransomware attacks impacted the manufacturing sector (143 incidents in total), a 38 percent increase over the last quarter. This was followed by the food and beverage sector with 8 percent of attacks (15 incidents), roughly on par with last quarter. The energy sector was targeted with 7 percent of the attacks (14 incidents), and the pharmaceuticals sector had 5 percent of attacks (9 incidents). Oil and gas showed two percent (four incidents). The other manufacturing sectors each accounted for one percent or less of total attacks in the fourth quarter of 2022. There were no attacks this last quarter on transportation or construction.

The ransomware incidents that Dragos tracked last quarter impacted 147 unique manufacturing subsectors. At the top of the list, automotive manufacturing had 12 percent (17 attacks), followed closely by industrial equipment and supplies with 10 percent or 14 attacks.

The remaining manufacturing subsectors impacted last quarter break down as follows: electronics at six percent; machinery and plastics at five percent each; building supplies, furniture, metal products, and packaging at four percent each; aerospace at 3.5 percent of attacks; automation and technology at three percent each; and agriculture at two percent of attacks.

Many ransomware groups rewrote their malware in the Rust programming language, including RansomExx, ALPHV, Hive, Luna, and Qilin. Alamri wrote that “Because Rust is a relatively new programming language, anti-virus solutions are unable to understand and analyze it as well as older programming languages, which can provide adversaries with a longer time to impact victim systems before they are detected.”

Dragos also added that a growing number of ransomware groups like Black Basta, ALPHV, PLAY, Qilin, and Qyick adopted a new tactic called ‘intermittent encryption,’ which encrypts only parts of each targeted file’s content, enabling faster encryption. Encrypting less data also decreases the chances of being caught by automated detection tools that rely on spotting abnormal file operation activity.
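As an added illustration of why that matters for defenders (this is not code from Dragos or from the article), the following Python sketch compares a naive whole-file entropy check with a per-chunk scan: a file in which only every fourth block has been replaced by random bytes (standing in for ciphertext) keeps a low overall entropy and passes the naive check, while the per-chunk scan still classifies it as intermittently encrypted. The chunk size, thresholds and sample data are assumptions chosen for the demonstration.

```python
import math
import random
from collections import Counter

CHUNK = 4096        # window size for the per-chunk entropy scan (assumed)
HIGH = 7.5          # bits/byte: ciphertext and random data sit near 8.0
LOW = 6.0           # bits/byte: text and most structured data sit well below this


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of a byte string (0.0 for empty input)."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def whole_file_flags(data: bytes) -> bool:
    """The naive check: a single entropy value for the whole file."""
    return shannon_entropy(data) >= HIGH


def classify(data: bytes, chunk: int = CHUNK) -> str:
    """Per-chunk scan: returns 'plaintext', 'fully_encrypted' or 'intermittent'."""
    ents = [shannon_entropy(data[i:i + chunk]) for i in range(0, len(data), chunk)]
    high = sum(e >= HIGH for e in ents)
    low = sum(e <= LOW for e in ents)
    if high == 0:
        return "plaintext"
    if low == 0:
        return "fully_encrypted"
    return "intermittent"   # a mix of ciphertext-like and untouched chunks


# Constructed sample data (assumption): a 16-chunk text file, the same file with
# every fourth chunk replaced by random bytes, and a fully random file.
_rng = random.Random(1234)
_text_chunk = (b"Industrial ransomware report, fourth quarter sample line.\n" * 100)[:CHUNK]
PLAINTEXT = _text_chunk * 16
INTERMITTENT = b"".join(
    _rng.randbytes(CHUNK) if i % 4 == 3 else _text_chunk for i in range(16))
ENCRYPTED = b"".join(_rng.randbytes(CHUNK) for _ in range(16))

if __name__ == "__main__":
    for name, blob in (("plaintext", PLAINTEXT), ("intermittent", INTERMITTENT),
                       ("encrypted", ENCRYPTED)):
        print(f"{name:13} whole-file flag={whole_file_flags(blob)!s:5} "
              f"per-chunk={classify(blob)}")
```

The intermittently encrypted sample is the interesting one: its whole-file entropy stays near plaintext levels because three quarters of it is untouched, so only the per-chunk view reveals the ciphertext blocks.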

During the fourth quarter, Dragos continued to observe trends in the victimology of ransomware groups. This does not, however, determine the permanent focus of these groups, as victimology can change over time. Dragos observed seven more ransomware groups impacting industrial sectors and regions of the world in this last quarter than in the third quarter of last year. 

Dragos observed that AlphaV ransomware targeted the energy, food and beverage, oil and gas, and manufacturing sectors; BIANLIAN ransomware struck the energy, engineering, food and beverage, mining, pharmaceuticals, and manufacturing sectors; and Black Basta targeted the food and beverage and manufacturing sectors.

Additionally, Karakurt ransomware affected the energy, food and beverage, oil and gas, pharmaceutical and manufacturing sectors, while Lockbit 3.0 focused on the food and beverage and manufacturing sectors.

In the case of Royal ransomware, Dragos said that it affected the energy, food and beverage, oil and gas, pharmaceutical, and manufacturing sectors. Avos Locker only impacted Paraguay, while DAIXIN TEAM only impacted Indonesia and DONUT impacted the U.S.

“Groups that we observed in Q3 but not in Q4 are Cl0p Leak, Yanluowang, Onxy, Everest, Revel, Stormous, Medusalocker, and Lorenzo,” according to Alamri. “The following groups were observed in Q4 but not in Q3: Qilin, Mallox, Royal, Project Relic, Play, and The DataLeak,” he added.

Furthermore, Dragos observed multiple victims who were impacted by two or more ransomware groups last quarter, which indicates the groups may have bought their initial access from the same initial access brokers (IABs) and wholesale access markets (WAMs). IABs and WAMs are known to resell the same initial access to more than one ransomware group, raising the risk level that industrial organizations face from ransomware.

Dragos analyzes ransomware variants impacting industrial organizations worldwide and tracks ransomware information via public reports and information uploaded to or appearing on dark web resources. By their very nature, these sources report victims that allegedly pay or otherwise ‘cooperate’ with the criminals. There is, however, no 1:1 correlation between total targeted attacks and those attacks that elicit victim cooperation.
