Fall in industrial ransomware incidents as Conti shuts down, though OT operations will remain under threat

Industrial cybersecurity company Dragos disclosed on Tuesday a drop in industrial ransomware incidents for the year’s second quarter, even as ransomware groups continued to target industrial organizations and infrastructure and disrupt OT operations. The fall is likely a result of the shutdown of the Conti hacker group, which was responsible for the largest share of ransomware attacks in the previous two quarters.

Dragos said that it is aware of 125 ransomware incidents in the second quarter of 2022, compared to 158 in the previous quarter. It attributes the quarter’s decline to the shutdown of Conti operations in mid-May, as the hacker group accounted for 25 percent and 18 percent of the total ransomware incidents targeting industrial organizations and infrastructure in the previous two quarters. Conti shut down its operations two weeks after the U.S. State Department announced rewards for information about Conti leadership and its affiliates.

The report tracks the activities of 43 ransomware groups that target industrial organizations and infrastructure. Drawing on publicly disclosed incidents, network telemetry, and dark web postings, Dragos observed that only 23 of the 43 groups were active during the second quarter.

“Even though the number of reported ransomware incidents is slightly less than the numbers we reported in the last quarter, the impact of those attacks remains significant to the targeted industrial organizations, dependent sectors, and their subsidiaries,” Abdulrahman H. Alamri, a senior threat intelligence analyst at Dragos, wrote in a company blog post. “Even in instances where OT is not the intended target, ransomware attacks on enterprise IT where OT is present can negatively impact OT operations.”

Alamri also said that the quarter saw the emergence of a significant new ransomware group called Black Basta, responsible for halting AGCO’s operations for weeks. “While security researchers are trying to learn more about Black Basta, some suggested that former Conti and REvil group members are running this new ransomware group due to the nature of the operation and the victim selections,” he added.

Based on its analysis for the quarter, Dragos observed that Karakurt has been targeting mainly transportation entities, VICE SOCIETY has been targeting only automotive manufacturing entities, while Lockbit 2.0 is the only group that targeted the pharmaceutical, mining, and water treatment sectors. Additionally, Moses Staff has only targeted Israel and published a video demonstrating its activities, while Black Basta, Ransomhouse, and Everest have only targeted entities in the U.S. and Europe.

The Hanover, Maryland-based company also revealed that Quantum and Lorenzo have only targeted North American-based entities. “The groups observed in Q1 and not in Q2 are LAPSUS$, CL0P LEAKS, and Rook. Groups that were observed in Q2 but not in Q1: Black Basta, Midas Leaks, Pandora, and Ransomhouse,” it added.

Dragos data revealed that eight percent of attacks targeted the food and beverage sector and another eight percent the energy sector, five percent targeted the transportation sector, four percent targeted the pharmaceuticals sector, and two percent targeted the oil and natural gas sector. It also showed that 69 percent of all ransomware attacks that Dragos tracked in the second quarter targeted 42 unique manufacturing subsectors. Eight percent of victims were in automotive manufacturing, seven percent were in metal products, five percent each were in electronics, building materials, and clothing manufacturing, and four percent were in plastics.

Alamri said that globally, 37 percent of the ransomware attacks targeted industrial organizations and infrastructure in Europe, for a total of 46 incidents; North America came second with 29 percent, or 36 incidents; Asia followed with 26 percent, or 32 incidents; South America with five percent; the Middle East with three percent; and Africa with one percent.

“While the 29 percent of the ransomware attacks targeting industrial organizations in North America is less than last quarter (42 percent), the number of occurrences in industrial infrastructure, 36, is still concerningly high,” Alamri wrote. “North America remains one of the most highly targeted regions by ransomware. Noticeably, the percentage of the reported cases in Asia jumped to 26 percent compared to 9 percent in the last quarter.”

Analysis of the ransomware data shows that Lockbit 2.0 accounted for 33 percent of the total ransomware attacks in Q2, Conti came next with 13 percent, Black Basta accounted for 12 percent, Quantum for seven percent, and AlphaV and Hive for four percent each, Alamri disclosed. “Lockbit 2.0 maintained the same number of ransomware incidents as last quarter, showing that the group continues to maintain the same level of operation. Whereas the Conti, Lockbit 2.0, and Black Basta groups continue to target different sectors of industrial organizations, most of the victims are within the manufacturing sector.”

Ransomware attacks against manufacturing entities have sometimes impacted other sectors that depend on manufacturers in their operations or supply chain, such as aerospace, food and beverage, and automotive organizations, Alamri added.

For the next quarter, Dragos assesses with high confidence that ransomware will continue to disrupt OT (operational technology) operations. These disruptions may occur through the integration of OT kill processes into ransomware strains, through flattened networks that allow ransomware to spread from IT into OT environments, or through precautionary shutdowns of OT environments by operators to prevent ransomware from spreading to OT systems.

“Due to the changes in ransomware groups themselves, Dragos assesses with moderate confidence that new ransomware groups will appear in the next quarter, whether as new or reformed ones,” Alamri said. “Dragos assesses with moderate confidence that ransomware with destructive capability will continue to target OT operations, given the continuous political tension between Russia and western countries,” he added.

In April, Dragos assessed with high confidence that the biggest cybersecurity weaknesses European industrial infrastructure asset owners currently face are a lack of asset visibility into their networks and weak network authentication policies. In addition, the company assesses with low confidence that Europe is at low risk of localized or small-scale disruption or destruction, as motivated state-backed adversaries may carry out low-stakes operations when they deem it politically or economically advantageous.
