Dragos reports increase in industrial ransomware attacks
The second quarter of calendar year 2023 proved to be a highly active period for ransomware groups, posing significant threats to industrial organisations and infrastructure, according to Dragos’s latest ransomware attack analysis.
The rise in ransomware attacks on industrial targets and their consequential impacts highlights the rapid growth of ransomware ecosystems and the adoption of different tactics, techniques and procedures by these groups to achieve their objectives. In Q2 2023, Dragos observed that out of 66 groups monitored, 33 continued to impact industrial organisations. These groups continued to employ previously effective tactics, including exploiting zero-day vulnerabilities, leveraging social engineering, targeting public-facing services and compromising IT service providers.
Dragos said that in Q1 2023 it assessed with moderate confidence that ransomware groups would intensify their efforts to impact industrial organisations to meet their financial goals, given their dwindling revenues, due to the falling number of victims willing to pay ransoms. This assessment proved accurate when analysing the activities of these ransomware groups in the current quarter.
Notably, Dragos witnessed a significant surge in the use of various initial access techniques. For instance, the Clop group exploited new zero-day vulnerabilities in MOVEit Transfer software to target numerous organisations, including major industrial vendors and oil and gas companies.
Additionally, BianLian utilised remote monitoring and management software, such as AnyDesk. BianLian focused on the data-centric extortion model, while others moved to the double extortion model. Dragos also observed an overlap in victim profiles between some ransomware-as-a-service (RaaS) groups, initial access brokers and phishing-as-a-service groups.
Dragos assessed with moderate confidence that Q3 2023 will witness increased business-impacting ransomware attacks against industrial organisations for two reasons. First, the prevailing political tension between NATO countries and Russia motivates Russian-aligned ransomware groups to continue targeting and disrupting critical infrastructure in NATO countries. Second, as the number of victims willing to pay ransoms diminishes, RaaS groups have shifted their focus towards larger organisations, resorting to widespread ransomware distribution attacks to sustain their revenues.
One notable Q2 incident was the attack on the Port of Nagoya in Japan, which impacted the port’s operations and subsequently affected the supply chains of other industrial organisations, including the Toyota packaging line. Another notable incident was the ransomware attack on the pharmaceutical company Eisai that disrupted their logistics systems, leading to operational disruptions.
Dragos said it identified 253 ransomware incidents in Q2 2023, an 18% increase from the previous quarter. Dragos analyses ransomware variants impacting industrial organisations worldwide and tracks ransomware information via public reports and information uploaded to or appearing on dark web resources. By their very nature, these sources report victims that allegedly pay or otherwise ‘cooperate’ with the criminals. However, there is no 1:1 correlation between total incidents and those that elicit victim cooperation.
Ransomware by sector and subsector
Seventy per cent of all alleged ransomware attacks impacted the manufacturing sector (177 incidents total). Next was the industrial control systems (ICS) equipment and engineering sector, with 16% of attacks (41 incidents), where 30 incidents impacted ICS equipment entities and 11 incidents impacted ICS engineering entities. The transportation sector was targeted with 5.5% (14 incidents), and the oil and natural gas sector around 4% of attacks (10 incidents). The mining sector was impacted by 2% of the attacks (five incidents), followed by the renewable energy sector (three incidents), water sector (two incidents), and one incident impacting the electric sector. The industrial ransomware incidents that Dragos tracked last quarter impacted 20 unique manufacturing subsectors. Top was equipment manufacturing with around 15% (26 attacks), followed by the electronic manufacturing sector with 13% or 23 incidents.
More detailed analysis is available here.