Dragos reports increase in industrial ransomware attacks


Friday, 04 August, 2023

Dragos reports increase in industrial ransomware attacks

The second quarter of calendar year 2023 proved to be a highly active period for ransomware groups, posing significant threats to industrial organisations and infrastructure, according to Dragos’s latest ransomware attack analysis.

The rise in ransomware attacks on industrial targets and their consequential impacts highlights the rapid growth of ransomware ecosystems and the adoption of different tactics, techniques and procedures by these groups to achieve their objectives. In Q2 2023, Dragos observed that out of 66 groups monitored, 33 continued to impact industrial organisations. These groups continued to employ previously effective tactics, including exploiting zero-day vulnerabilities, leveraging social engineering, targeting public-facing services and compromising IT service providers.

Dragos said that in Q1 2023 it assessed with moderate confidence that ransomware groups would intensify their efforts to impact industrial organisations to meet their financial goals, given their dwindling revenues, due to the falling number of victims willing to pay ransoms. This assessment proved accurate when analysing the activities of these ransomware groups in the current quarter.

Notably, Dragos witnessed a significant surge in utilising various initial access techniques. For instance, the Clop group employed new zero-day vulnerabilities in MOVEit Transfer software to target numerous organisations, including major industrial vendors and oil and gas companies.

Additionally, BianLian utilised remote monitoring and management software, such as AnyDisk. BianLian focused on the data-centric extortion model, while others moved to the double extortion model. Dragos also observed an overlap in victim profiles between some ransomware-as-a-service (RaaS) groups, initial access brokers and phishing-as-a-service groups.

Dragos assessed with moderate confidence that Q3 2023 will witness increased business-impacting ransomware attacks against industrial organisations for two reasons. First, the prevailing political tension between NATO countries and Russia motivates Russian-aligned ransomware groups to continue targeting and disrupting critical infrastructure in NATO countries. Second, as the number of victims willing to pay ransoms diminishes, RaaS groups have shifted their focus towards larger organisations, resorting to widespread ransomware distribution attacks to sustain their revenues.

One notable Q2 incident was the attack on the Port of Nagoya in Japan, which impacted the port’s operations and subsequently affected the supply chains of other industrial organisations, including the Toyota packaging line. Another notable incident was the ransomware attack on the pharmaceutical company Eisai that disrupted their logistics systems, leading to operational disruptions.

Dragos said it identified 253 ransomware incidents in Q2 2023, an 18% increase from the previous quarter. Dragos analyses ransomware variants impacting industrial organisations worldwide and tracks ransomware information via public reports and information uploaded to or appearing on dark web resources. By their very nature, these sources report victims that allegedly pay or otherwise ‘cooperate’ with the criminals. However, there is no 1:1 correlation between total incidents and those that elicit victim cooperation.

Ransomware by sector and subsector

Ransomware attacks by ICS sector and manufacturing subsctor, Q2 3023.

Ransomware attacks by ICS sector and manufacturing subsctor, Q2 3023. For a larger image click here.

Seventy per cent of all alleged ransomware attacks impacted the manufacturing sector (177 incidents total). Next was the industrial control systems (ICS) equipment and engineering sector, with 16% of attacks (41 incidents), where 30 incidents impacted ICS equipment entities and 11 incidents impacted ICS engineering entities. The transportation sector was targeted with 5.5% (14 incidents), and the oil and natural gas sector around 4% of attacks (10 incidents). The mining sector was impacted by 2% of the attacks (five incidents), followed by the renewable energy sector (three incidents), water sector (two incidents), and one incident impacting the electric sector. The industrial ransomware incidents that Dragos tracked last quarter impacted 20 unique manufacturing subsectors. Top was equipment manufacturing with around 15% (26 attacks), followed by the electronic manufacturing sector with 13% or 23 incidents.

More detailed analysis is available here.

Top image: iStock.com/WhataWin

Related News

Claroty appoints Wavelink as sole distributor for entire Australian business

Wavelink has announced that cybersecurity solutions company Claroty has awarded Wavelink the sole...

Nozomi Networks extends partnership with Yokogawa

Nozomi Networks OT and IoT visibility and threat detection capabilities are now part of...

Nozomi Networks secures funding from Mitsubishi and Schneider Electric

Nozomi Networks has secured $100 million to accelerate OT cyber-defence technology.

  • All content Copyright © 2024 Westwick-Farrow Pty Ltd