Dragos: Ransomware attacks on industrial entities, critical infrastructure continue to disrupt operations

Industrial cybersecurity firm Dragos disclosed that ransomware groups continued to target industrial entities and critical infrastructure, causing disruptions in operations during the third quarter. While there has been a slight decrease in reported ransomware incidents compared to the previous quarter, the impact remains significant. These incidents are known to harm the affected industrial entities as well as to have ripple effects on related sectors and affiliated companies.

Additionally, even when the primary objective is not operational technology (OT) systems, ransomware breaches into enterprise IT infrastructures, which OT systems rely on, can have adverse effects on OT operations.

“Dragos assesses with high confidence that in Q4 of 2023, ransomware will continue to opportunistically attack industrial organizations, which will have varying operational disruptions,” Abdulrahman H. Alamri, senior adversary hunter at Dragos, wrote in a company blog post on Thursday. “However, direct impacts to OT networks and processes will largely depend on the victim organization’s architecture and whether their OT systems are properly segmented or if the network architecture is flat and can be easily enumerated and traversed.”

Lastly, Alamri said that Dragos assesses with moderate confidence that new ransomware variants will pop up in the coming quarters and ransomware groups will likely continue to prioritize zero-day vulnerabilities in their attack operations.

In August, Dragos assessed that the third quarter of this year would see increased business-impacting ransomware attacks against industrial organizations. This assessment was validated as the subsequent ransomware incidents exhibited more severe impacts than in the first or second quarters of 2023. 

Alamri said that a prime illustration of ransomware’s far-reaching impact was the Lockbit attack that occurred in July 2023 against the Port of Nagoya’s Unified Terminal System. “The Port of Nagoya, which handles almost 10% of Japan’s trade volume, experienced a significant disruption, bringing container operations across all its terminals to a standstill for several days. This caused considerable operational delays and sent economic shockwaves throughout Japan’s complex supply chain,” he added. 

As with many ransomware attacks, the cascading downstream impacts were significant, including Toyota Motor Corporation shutting down operations at a packaging line that exports various products, the post noted. In addition, Dragos’s ransomware analysis revealed other incidents that impacted the operations of multiple organizations, such as Johnson Controls International and its subsidiaries; Norwegian recycling giant Tomra; trucking and fleet management solutions provider ORBCOMM; and the Russian medical laboratory Helix.

Dragos data identified two interesting observations from the third quarter of 2023 compared to previous quarters: observable decreases both in the number of active ransomware groups and in the number of ransomware incidents impacting industrial organizations. “Specifically, of the 72 ransomware groups that have historically attacked industrial organizations and infrastructure, only 30 of the groups were active, and the number of ransomware incidents was 231 compared to 253 in the second quarter of 2023.”

As of this blog, “Dragos is uncertain about the reason for the decrease in ransomware incidents between the second and third quarters of 2023,” Alamri wrote. “Although the number of ransomware incidents in the third quarter of 2023 was slightly less than in the second quarter of 2023, the overall impact of these ransomware attacks against industrial organizations remains significant.”

Dragos data disclosed that 91 ransomware incidents impacted industrial organizations and infrastructure in North America. This figure represents roughly 39.4 percent of the observed 231 global ransomware attacks. This was a 25 percent decrease compared to Q2 of 2023. Within North America, the U.S. received over 37 percent of all ransomware incidents, compared to 43 percent last quarter.

Approximately 32 percent of global ransomware incidents (74 in total) impacted Europe, roughly the same as observed in Q2 of 2023 (30.5 percent, 77 incidents), with Asia next at 11.3 percent, or 26 incidents. The Middle East saw an increase in the number of incidents in the third quarter of 2023 compared to the previous quarter, at 6 percent (14 incidents) versus 3 percent (8 incidents), while South America had 4.8 percent, totaling 11 incidents, and Africa had 3.5 percent, totaling 8 incidents. Australia also saw an increase in observed ransomware incidents, with 3 percent or 7 incidents, compared to 1 percent or 3 incidents last quarter.

Manufacturing was the most impacted industry during the third quarter, with 158 observed incidents in total, or 68.4 percent. The next most impacted industry was companies that engineer and build industrial control systems (ICS) equipment (29 observed incidents, or 12.6 percent). The transportation sector was impacted 17 times, for 7.4 percent of all observed incidents, while the oil and natural gas sector accounted for 3.9 percent of alleged attacks (9 incidents) and the electric sector for 3 percent (7 incidents).

Additionally, the mining sector was impacted by 1.7 percent of the incidents (4 incidents), and the renewable energy, defense, and water sectors each accounted for 1 percent of the global alleged attacks. Dragos also observed 19 unique manufacturing sub-sectors that were impacted by ransomware during the third quarter.

Dragos’ analysis of ransomware data from the third quarter reveals that the Cl0p ransomware group accounted for the highest number of attacks against industrial organizations, with 19.5 percent (45 incidents) of observed ransomware events. The Lockbit 3.0 ransomware ranked second, with 19 percent (44 incidents). 

Other notable ransomware groups during this period include 8base, responsible for 7.8 percent of incidents (18 incidents); Play and Cactus, each accounting for 6.9 percent of incidents (16 incidents each); Blackbasta, AlphaV, and Akira, each contributing to 4.3 percent of incidents (10 incidents each); and Noescape, Moneymessage, and Cloak, each responsible for 3.9 percent of incidents (9 incidents each). Additionally, the Medusablog accounted for 2.2 percent of incidents (5 incidents); Ragnarlocker for 1.7 percent (4 incidents); Stormous, Ciphbit, and Bianlian for 1.3 percent each (3 incidents each); and Rancoz, Qilin, and Incransom for 0.9 percent each (2 incidents each).

Alamri wrote that the groups that Dragos observed in the second quarter but not in the third quarter of 2023 are Royal, Blackbyte, Unsafe, Dunghill Leak, Black Suit, Vice Society, Ransome House, and Nokoyawa. “Dragos observed the following ransomware groups for the first time in the third quarter of this year: Cactus, Incransom, and Ransomed. It is still being determined if these new groups are new or reformed from other groups,” he added. 

One interesting Dragos observation was that various ransomware groups appeared to only be used against specific industries and regions in the third quarter of 2023. Although these findings are interesting, they do not necessarily suggest that ransomware groups are focused on specific organizations or industries because victimology often changes, and a vast majority of ransomware operations are opportunistic.

The Moneymessage ransomware group has only been observed attacking defense sector organizations, while Rancoz and Akira ransomware groups appear to only attack entities in the United States, Alamri wrote. “Ransomware groups Qilin, Incransom, Ciphbit, and Blackbasta have only been observed targeting the manufacturing sector. Cybercriminals seem to primarily leverage Play ransomware against entities in the US and Europe. Metaencryptor has only been observed being used against the European manufacturing sector.”

He added that Cactus, AlphaV, and Bianlian ransomware groups have only impacted manufacturing and ICS equipment and engineering sectors.

Recent cybersecurity advisories released by U.S. security agencies suggest an escalating threat landscape for critical infrastructure organizations. This week, the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) released guidance covering information about the Rhysida ransomware, including Indicators of Compromise (IOCs) and Tactics, Techniques, and Procedures (TTPs) that have been identified through recent investigations conducted as recently as September.

The FBI and CISA also collaborated to warn of Scattered Spider, a cybercriminal group that targets the commercial facilities sector and its subsectors. In their advisory, the agencies offer insights into the tactics, techniques, and procedures (TTPs) employed by the group, gathered through recent FBI investigations, including those conducted this month. Scattered Spider actors are known for data theft for extortion, relying on various social engineering techniques.