Sydney, 1 August 2023: Quarter two 2023 proved to be an exceptionally active period for ransomware groups, posing significant threats to industrial organisations and infrastructure, according to Dragos’ latest ransomware attack analysis.
The rise in ransomware attacks on industrial targets and their consequential impacts highlights the rapid growth of ransomware ecosystems and the adoption of different tactics, techniques, and procedures (TTPs) by these groups to achieve their objectives. In Q2 2023, Dragos observed that out of 66 groups monitored, 33 continued to impact industrial organisations. These groups continued to employ previously effective tactics, including exploiting zero-day vulnerabilities, leveraging social engineering, targeting public-facing services, and compromising IT service providers.
In Q1 2023, Dragos assessed with moderate confidence that ransomware groups would intensify their efforts to impact industrial organisations to meet their financial goals, given their dwindling revenues. This assessment proved accurate when analysing the activities of these ransomware groups in the current quarter.
Dragos identified 253 ransomware incidents in Q2 2023, an 18% increase from the previous quarter. Dragos analyses ransomware variants impacting industrial organisations worldwide and tracks ransomware information via public reports and information uploaded to or appearing on dark web resources. By their very nature, these sources report victims that allegedly pay or otherwise “cooperate” with the criminals. However, there is no 1:1 correlation between total incidents and those that elicit victim cooperation.
Industrial Ransomware Activities
Globally, 47.5% of the 253 alleged ransomware attacks recorded impacted industrial organisations and infrastructure in North America, for a total of 120 incidents, an increase of approximately 27% over the number reported the previous quarter. Europe recorded 30.5% of the global total and 77 incidents, followed by Asia with 14% or 35 incidents. Notably, Australia only had 1% or three incidents.
Ransomware by Sector and Subsector
Seventy per cent of all alleged ransomware attacks impacted the manufacturing sector (177 incidents total). Next was the industrial control systems (ICS) equipment and engineering sector, with 16% of attacks (41 incidents), where 30 incidents impacted ICS equipment entities and 11 incidents impacted ICS engineering entities. The transportation sector was targeted with 5.5% (14 incidents), and the oil and natural gas sector with around 4% of attacks (10 incidents). The mining sector was impacted by 2% of the attacks (five incidents), followed by the renewable energy sector (three incidents) and the water sector (two incidents), and one incident impacted the electric sector. The industrial ransomware incidents that Dragos tracked last quarter impacted 20 unique manufacturing subsectors. Top was equipment manufacturing with around 15% (26 attacks), followed by the electronic manufacturing sector with 13% or 23 incidents.
Ransomware by Groups
In Q2 2023, Dragos tracked the activity of 33 ransomware groups compared to 20 in Q1. Analysis of ransomware data shows Lockbit 3.0 was responsible for 19% of the total alleged ransomware attacks, accounting for 48 incidents, nearly a 38% decrease compared to the Q1 incidents; AlphaV was responsible for 12% of attacks (31 incidents), Black Basta for 10% of attacks (26 incidents); 8base and Bianlian were next with 15% (or 19 incidents each). The groups we observed in Q1 but not in Q2 are Dark Power, Everest, Lorenz, and Daixin Team. We also observed 15 additional ransomware groups for the first time in Q2 and it is still being determined if these new groups are new or reformed from other groups.
What’s Next?
Dragos assesses with high confidence that ransomware will continue to disrupt industrial operations, whether through the integration of operational technology (OT) kill processes into ransomware strains, flattened networks allowing ransomware to spread into OT environments, or precautionary shutdowns of production by operators to prevent ransomware from spreading to industrial control systems. Due to the changes in ransomware groups, Dragos assesses with moderate confidence that more groups, either new or reformed, will continue to appear in the next quarter. As ransomware groups’ revenues continue to decrease due to victims’ refusal to pay ransoms and government efforts to prohibit this, Dragos assesses with moderate confidence that ransomware groups will increase their efforts to cause damage to industrial organisations in an attempt to fulfill their financial objectives.