Dragos Industrial Ransomware Attack Analysis


Quarter two 2023 proved to be an exceptionally active period for ransomware groups, posing significant threats to industrial organisations and infrastructure, according to Dragos’ latest ransomware attack analysis.  

The rise in ransomware attacks on industrial targets and their consequential impacts highlights the rapid growth of ransomware ecosystems and the adoption of different tactics, techniques, and procedures (TTPs) by these groups to achieve their objectives. 

In Q2 2023, Dragos observed that out of 66 groups monitored, 33 continued to impact industrial organisations. 

In Q1 2023, Dragos assessed with moderate confidence that ransomware groups would intensify their efforts to impact industrial organisations to meet their financial goals, given their dwindling revenues

This assessment proved accurate when analysing the activities of these ransomware groups in the current quarter.

Notably, Dragos witnessed a significant surge in utilising various initial access techniques.

For instance, the Clop group employed new zero-day vulnerabilities in MOVEit Transfer software to target numerous organisations, including major industrial vendors and oil and gas companies

Additionally, BianLian utilised remote monitoring and management software, such as AnyDisk

BianLian focused on the data-centric extortion model, while others moved to the double extortion model. 

Dragos also observed an overlap in victim profiles between some ransomware-as-a-service (RaaS) groups, initial access brokers, and phishing-as-a-service groups. 

Dragos assesses with moderate confidence that Q3 2023 will witness increased business-impacting ransomware attacks against industrial organisations for two reasons. 

First, the prevailing political tension between NATO countries and Russia motivates Russian-aligned ransomware groups to continue targeting and disrupting critical infrastructure in NATO countries

Second, as the number of victims willing to pay ransoms diminishes, RaaS groups have shifted their focus towards larger organisations, resorting to widespread ransomware distribution attacks to sustain their revenues. 

One notable Q2 incident was the attack on the Port of Nagoya in Japan, which impacted the port’s operations and subsequently affected the supply chains of other industrial organisations, including the Toyota packaging line. 

Another notable incident was the ransomware attack on the pharmaceutical company Eisai that disrupted their logistics systems, leading to operational disruptions. 

Dragos identified 253 ransomware incidents in Q2 2023, an 18% increase from the previous quarter. 

Dragos analyses ransomware variants impacting industrial organisations worldwide and tracks ransomware information via public reports and information uploaded to or appearing on dark web resources. 

By their very nature, these sources report victims that allegedly pay or otherwise “cooperate” with the criminals. However, there is no 1:1 correlation between total incidents and those that elicit victim cooperation.  

Industrial Ransomware Activities 

Globally, 47.5% of the 253 ransomware alleged attacks recorded impacted industrial organisations and infrastructure in North America, for a total of 120 incidents, an increase of approximately 27% over the number reported the previous quarter. 

Europe recorded 30.5% of the global total and 77 incidents, followed by Asia with 14% or 35 incidents. Notably, Australia only had 1% or three incidents. 

Ransomware by Sector and Subsector 

Seventy per cent of all alleged ransomware attacks impacted the manufacturing sector (177 incidents total). Next was the industrial control systems (ICS) equipment and engineering sector, with 16% of attacks (41 incidents), where 30 incidents impacted ICS equipment entities and 11 incidents impacted ICS engineering entities. 

The transportation sector was targeted with 5.5% (14 incidents), and Oil and Natural Gas sector around 4% of attacks (10 incidents). The mining sector was impacted by 2% of the attacks (five incidents), renewable energy sector (three incidents), water sector (two incidents), and one incident impacted the electric sector. 

The industrial ransomware incidents that Dragos tracked last quarter impacted 20 unique manufacturing subsectors. Top was equipment manufacturing with around 15% (26 attacks), followed by the electronic manufacturing sector with 13% or 23 incidents.  

Ransomware by Groups 

In Q2 2023, Dragos tracked the activity of 33 ransomware groups compared to 20 in Q1.  

Analysis of ransomware data shows Lockbit 3.0 was responsible for 19% of the total alleged ransomware attacks, accounting for 48 incidents, nearly a 38% decrease compared to the Q1 incidents; AlphaV was responsible for 12% of attacks (31 incidents), Black Basta for 10% of attacks (26 incidents); 8base and Bianlian were next with 15% (or 19 incidents each). 

The groups we observed in Q1 but not in Q2 are Dark Power, Everest, Lorenz, and Daixin Team. We also observed 15 additional ransomware groups for the first time in Q2 and it is still being determined if these new groups are new or reformed from other groups.  

What’s Next? 

Dragos assesses with high confidence that ransomware will continue to disrupt industrial operations, whether through the integration of operational technology (OT) kill processes into ransomware strains, flattened networks allowing ransomware to spread into OT environments, or precautionary shutdowns of production by operators to prevent ransomware from spreading to industrial control systems. 

Due to the changes in ransomware groups, Dragos assesses with moderate confidence that new ones will continue to appear as either new or reformed ones in the next quarter.

As ransomware groups’ revenues continue to decrease due to victims’ refusal to pay ransoms and government efforts to prohibit this, Dragos assesses with moderate confidence that ransomware groups will increase their efforts to cause damage to industrial organisations in an attempt to fulfill their financial objectives.