Dragos analysis shows industrial ransomware will continue to disrupt operations, as overlaps in victim profiles observed

Industrial cybersecurity vendor Dragos revealed that the second quarter of this year proved to be an exceptionally active period for ransomware groups, posing significant threats to industrial organizations and infrastructure. Its data identified a 27 percent jump in incidents in North America over the previous quarter.

“The rise in ransomware attacks on industrial targets and their consequential impacts highlights the rapid growth of ransomware ecosystems and the adoption of different tactics, techniques, and procedures (TTPs) by these groups to achieve their objectives,” Abdulrahman H. Alamri, senior adversary hunter at Dragos, wrote in a Monday blog post. 

The Hanover, Maryland-headquartered company reiterated that it expects ransomware to persist in disrupting industrial operations using various techniques, whether through the integration of operational technology (OT) kill processes into ransomware strains, flattened networks that allow ransomware to spread into OT environments, or precautionary shutdowns of production by operators to prevent ransomware from spreading to industrial control systems (ICS).

Alamri disclosed that in the second quarter, “Dragos observed that out of the 66 groups we monitor, 33 continued to impact industrial organizations. These groups continued to employ previously effective tactics, including exploiting zero-day vulnerabilities, leveraging social engineering, targeting public-facing services, and compromising IT service providers.”

He added that Dragos witnessed a significant surge in the use of various initial access techniques. “For instance, the Clop group employed new zero-day vulnerabilities in MOVEit Transfer software to target numerous organizations, including major industrial vendors and oil and gas companies. Additionally, BianLian utilized remote monitoring and management (RMM) software, such as AnyDesk. BianLian focused on the data-centric extortion model, while others moved to the double extortion model.”

In the second quarter of this year, Dragos identified 253 ransomware incidents, an 18 percent increase over the previous quarter, and observed an overlap in victim profiles among certain groups, such as ransomware-as-a-service (RaaS), initial access brokers (IABs), and phishing-as-a-service (PhaaS) groups. The data confirmed that the quarter was an ‘exceptionally active period’ for ransomware groups targeting industrial organizations and infrastructure.

Dragos assesses with moderate confidence that the third quarter of this year will witness increased business-impacting ransomware attacks against industrial organizations for two reasons. 

“Firstly, the prevailing political tension between NATO countries and Russia motivates Russian-aligned ransomware groups to continue targeting and disrupting critical infrastructure in NATO countries,” Alamri wrote. “Secondly, as the number of victims willing to pay ransoms diminishes, RaaS groups have shifted their focus towards larger organizations, resorting to widespread ransomware distribution attacks to sustain their revenues.”

Alamri noted that one notable incident in the second quarter was the attack on the Port of Nagoya in Japan, which impacted the port’s operations and subsequently affected the supply chains of other industrial organizations, including the Toyota packaging line. Another notable incident was the ransomware attack on the pharmaceutical company Eisai, which disrupted its logistics systems and, in turn, its operations.

He also added that, given the churn among ransomware groups, Dragos assesses with moderate confidence that new groups will continue to appear in the next quarter, either newly formed or reformed from existing ones. “As ransomware groups’ revenues continue to decrease due to victims’ refusal to pay ransoms and government efforts to prohibit this, Dragos assesses with moderate confidence that ransomware groups will increase their efforts to cause damage to industrial organizations in an attempt to fulfill their financial objectives.”

Dragos disclosed that 47.5 percent of the 253 alleged ransomware attacks recorded globally impacted industrial organizations and infrastructure in North America, for a total of 120 incidents, approximately a 27 percent jump over the number reported for North America last quarter. Within North America, the U.S. accounted for over 43 percent of all ransomware incidents, compared to 41 percent last quarter.

Europe came in second with 30.5 percent of the global total and 77 incidents, compared to 28 percent or 59 incidents last quarter; Asia was next with 14 percent or 35 incidents; South America had 4 percent, totaling ten incidents; Africa and the Middle East had 3 percent, totaling eight incidents; and Australia had 1 percent or three incidents.

Data released also identified that 70 percent of all alleged ransomware attacks impacted the manufacturing sector (177 incidents total). Next was the ICS equipment and engineering sector, with 16 percent of attacks (41 incidents), where 30 incidents impacted ICS equipment entities and 11 incidents impacted ICS engineering entities. The transportation sector was targeted with 5.5 percent (14 incidents). 

Dragos revealed that the oil and natural gas sector had around 4 percent of attacks (10 incidents). The mining sector was impacted by 2 percent of the attacks (5 incidents). The renewable energy sector had three incidents, the water sector had two incidents, and one incident impacted the electric sector.

The industrial ransomware incidents that Dragos tracked last quarter impacted 20 unique manufacturing subsectors. At the top of the list, equipment manufacturing had around 15 percent (26 attacks), followed by the electronic manufacturing sector with 13 percent or 23 incidents. 

The remaining manufacturing sub-sectors that were impacted last quarter can be broken down as follows: food and beverage with 14 incidents, construction with 13 incidents, consumer products and pharmaceuticals with 12 incidents each, and metal with 11 incidents. There were 10 incidents related to chemicals, nine incidents related to packaging, eight incidents related to automotive, seven incidents related to healthcare, six incidents related to aerospace, and five incidents each related to plastics and textiles. Additionally, there were three incidents related to maritime, two incidents each related to semiconductors and paper, and one incident each related to defense and rubber.

Dragos also disclosed that during the quarter it tracked the activity of 33 ransomware groups, compared to 20 during the first quarter of this year. “Analysis of ransomware data shows Lockbit 3.0 was responsible for 19 percent of the total alleged ransomware attacks, accounting for 48 incidents, nearly a 38 percent decrease compared to the incidents in the last quarter; AlphaV was responsible for 12 percent of attacks (31 incidents); Black Basta was responsible for 10 percent of attacks (26 incidents); 8base and Bianlian next with 15 percent (or 19 incidents each),” the post added.

“The groups we observed in Q1 but not in Q2 2023 are Dark Power, Everest, Lorenz, and Daixin Team,” Alamri revealed. “We observed the following ransomware groups for the first time in Q2 2023: 8base, Akira, Rhysida, Blacksuit, Dunghillleak, Moneymessage, Noescape, Nokoyawa, Ragroup, Rancoz, Darkrace, Lapiovra, Malas, Monti, and Trigona. It is still being determined if these new groups are new or reformed from other groups.”

Last month, Dragos expanded its presence in Europe by providing the region with the Dragos Platform, threat intelligence, and services including incident response to industrial and critical infrastructure organizations.
