Dragos Industrial Ransomware Analysis: Q2 2024

The ransomware landscape demonstrates its dynamic and rapidly changing nature, as evidenced by the sharp increase in incidents and impact during the second quarter of 2024.

Despite the decline in incidents and the relatively low impact of ransomware attacks in the first quarter, this second quarter has shown a significant resurgence.

This recovery is particularly notable given the initial setbacks of major ransomware groups due to law enforcement operations in the first quarter. While these initial outages had temporarily restricted the activities of several leading ransomware groups, the number of ransomware attacks nearly doubled in the second quarter compared to the first, causing significant operational disruptions to industrial organizations.

Both the resilience and adaptability of ransomware groups highlight their persistent threat to industry sectors, including a notable shift in the ransomware-as-a-service landscape, with groups like BlackSuit and RansomHub emerging with updated tactics and techniques. These updates include more sophisticated encryption algorithms, improved lateral movement methods within networks, and more effective detection evasion mechanisms.

Critical industrial operations are the primary target of ransomware activity

The industrial sector remains a prime target for ransomware groups due to the critical nature of its operations and the potentially high impact of disruptions, with ransomware groups targeting high-impact operators to maximize their profits. The risk posed by ransomware is further compounded as government-affiliated groups adopt ransomware tactics and hacktivists increasingly use, and even build, their own ransomware tools, illustrating the convergence of ideological and financial motivations in the cyber threat landscape. This growing trend demonstrates the changing and growing nature of the ransomware threat, which goes beyond traditional cybercriminal enterprises and includes politically and ideologically driven adversaries.

In the second quarter, Dragos’ assessment of the most business-impacting ransomware attacks against industrial organizations was validated, with incidents showing more severe impacts than in previous quarters. This quarter saw a significant increase in the frequency and severity of attacks, reflecting the evolving threat landscape and the persistent risk posed by ransomware groups. For example, in May, Frontier Communications was affected by RansomHub, which forced certain systems to shut down and caused a major operational disruption.

Current Ransomware Trends, Patterns, and Observations

Globally, Dragos continues to analyze ransomware variants used against industrial organizations, tracking ransomware information through public reports and data uploaded or appearing on dark websites. These sources report victims who were listed as targets and those who pay or otherwise “cooperate” with criminals, and do not necessarily match one-to-one with all incidents that took place in this last quarter. Several notable observations from the second quarter include a significant resurgence in ransomware activity and the emergence of new tactics by ransomware groups. Although we saw a decrease in the first quarter in both the number of incidents and the impact of ransomware attacks, there was a marked increase in the second quarter, with the total number of ransomware incidents almost doubling.

Among the 86 ransomware groups known to target industrial organizations, 29 remained active in the second quarter, up from 22 in the first quarter. The second quarter saw a resurgence driven by several well-known groups and by new entrants to the ransomware landscape. Groups like BlackSuit (formerly Royal ransomware) and RansomHub (formerly Knight ransomware) have shown notable activity, leveraging sophisticated tactics and techniques to improve their operations.

In addition to the resurgence, the overall impact of these ransomware attacks against industrial organizations remains a major concern. While Dragos did not identify any ransomware attacks targeting industrial control systems (ICS) or operational technology (OT) processes, ransomware groups have disrupted the IT systems of industrial organizations. Disruptions have occurred in OT networks, primarily due to interdependencies between OT and IT systems. The increase in ransomware incidents during the second quarter underscores the evolving threat landscape and the persistent risk these groups pose.

Regional and industry impact observations

Ransomware incidents showed a sharp increase and affected regions unevenly. North America experienced 187 ransomware incidents (approximately 60 percent of the 312 global ransomware attacks observed), followed by Europe with 82 incidents, or approximately 26 percent. Asia accounted for 10 percent of global ransomware incidents (29 reported incidents) and South America for 2 percent (six incidents). The Middle East, Australia and Africa each accounted for approximately 1 percent of global ransomware incidents, with only eight incidents reported across the three regions combined.

The manufacturing sector was the most affected, with 210 incidents observed, or approximately 67 percent of all ransomware incidents, while ICS experienced 47 incidents, or 15 percent of the total. The transportation sector was affected 23 times (7 percent), followed by government entities, oil and natural gas, communications and mining, electricity, renewable energy and water. In addition to primary industries and sectors, Dragos observed 23 unique manufacturing subsectors affected by ransomware in the second quarter, with construction (33 incidents) and consumer and food and beverage (27 incidents each) being the most affected.

Ransomware aggregates trends, patterns and observations

Dragos’ analysis of ransomware data from the second quarter indicates that the LockBit group was behind the majority of attacks against industrial organizations, accounting for approximately 21 percent (66 incidents) of the ransomware events observed. Play ransomware came in second, with approximately 10 percent (31 incidents).

Figure: Ransomware incidents by ransomware group, Q2 2024

Dragos observed the activity of 12 ransomware groups in the second quarter that were not active or observed in the first quarter, such as RA Group and DragonForce. Their presence in the second quarter highlights the shifting nature of ransomware group activity and the constant churn within the ransomware ecosystem.

Looking forward

Ransomware groups will continue to refine their operations, leveraging sophisticated methods, such as zero-day vulnerabilities, to enhance their attacks. Dragos assesses with moderate confidence that the ransomware threat landscape will continue to evolve, characterized by the introduction of new ransomware variants and increasingly coordinated campaigns targeting industrial sectors. Despite significant law enforcement actions, the observed resilience and adaptability of ransomware groups indicate a likely continuation of this trend.

While Dragos did not identify any ransomware attacks directly targeting ICS/OT processes, the interconnected nature of IT and OT environments means that disruptions to IT systems can have significant downstream effects on OT operations. This interdependence suggests that ransomware groups may increasingly target OT networks to amplify the impact of their attacks, potentially compromising the security and operational integrity of industrial organizations. A more detailed analysis of the second quarter is available here.
