According to Drago’s quarterly industrial ransomware analysis for the critical infrastructure sector, there were 214 ransomware incidents globally in the first quarter of 2023, a 13% increase from Q4 2022. The company also observed two new and significant trends, the use of zero-day vulnerabilities and the exploitation of recently discovered vulnerabilities — the Clop ransomware group claimed the use of the GoAnywhere zero-day vulnerability (CVE-2023-0669) to impact 130 organisations in February 2023. Other ransomware groups, such as Cuba and Play, used a zero-day exploit dubbed OWASSRF to target CVE-2022-41080 and compromise unpatched Microsoft Exchange servers in January 2023.
“Ransomware attacks continued to be a significant threat to industrial organisations and infrastructure in the first quarter of 2023. This trend underscores the growing sophistication and opportunism of ransomware groups, making it crucial for industrial organisations to remain vigilant and adopt robust cybersecurity measures to protect their operations and infrastructure. Twenty of the 61 ransomware groups that we track caused significant damage to industrial organisations through continually evolving tactics,” said Abdulrahman Alamri, Senior Adversary Hunter at Dragos.
Dragos’ breakdowns of ransomware activities for this quarter are as follows:
Ransomware by region
- 44% of the 214 ransomware attacks recorded globally impacted industrial organisations and infrastructure in North America, for a total of 95 incidents, which is twice the number Dragos reported last quarter for North America.
- Within North America, the U.S. sustained over 41% of all ransomware attacks.
- Europe came in second with 28% of the global total and 59 incidents.
- Asia is next with 15% or 33 incidents.
- South America had 5%, totalling ten incidents.
- The Middle East had 4% or eight incidents.
- Africa had 3%, totalling six incidents.
- Australia had 1% or three incidents.
Ransomware by sector and sub-sector
Sixty-seven per cent of ransomware attacks impacted the manufacturing sector (143 incidents total), the same number of incidents in the last quarter. Next was food and beverage, with 13% of attacks (28 incidents), roughly double the incidents in the previous quarter. The energy sector was targeted with seven per cent of the attacks (15 incidents), and the pharmaceuticals sector had five per cent (10 incidents). Oil and gas showed three per cent (seven incidents, up from four last quarter), and the transportation sector had around three per cent of attacks (six incidents). Mining and water sectors were impacted with one per cent of total attacks in the first quarter of 2023.
Ransomware by groups
In Q1 of 2023, Dragos tracked the activity of 20 ransomware groups, compared to 24 in Q4 of 2022. Analysis of ransomware data shows Lockbit 3.0 was responsible for 36% of the total ransomware attacks, accounting for 77 incidents, nearly double the incidents in the last quarter; AlphaV was responsible for 13% of attacks; Royal came in next with 12%; Black Basta and Clop next with 7 per cent each.
Ransomware victimology trends
During the first quarter of 2023, Dragos continued to observe trends in the victimology of ransomware groups. This does not, however, determine the permanent focus of these groups, as victimology can change over time. Dragos observed three more ransomware groups impacting industrial sectors and regions of the world in this last quarter than in Q4 of 2022. Based on the analysis of the Q1 2023 timeframe, Dragos observed some of the most active ransomware groups impacting the following industries and geographies:
- Abyss, Bianlian, and Everest: manufacturing in North America.
- Avos locker, Royal, Unsafe, Lorenz: food & beverage and manufacturing.
- Play and Stormous: manufacturing and energy.
- CL0P leaks: transportation
- DAIXIN team: food & beverage in North America.
- Mallox: manufacturing and oil & gas.
- Black Basta: North America and Europe.
- Blackbyte: North America.
Looking ahead to Q2 2023
Dragos assesses with high confidence that ransomware will continue to disrupt industrial operations, whether through the integration of operational technology (OT) kill processes into ransomware strains, flattened networks allowing ransomware to spread into OT environments, or precautionary shutdowns of production by operators to prevent ransomware from spreading to industrial control systems. Due to the changes in ransomware groups, Dragos assesses with moderate confidence that new ransomware groups will continue to appear as either new or reformed ones in the next quarter.
As ransomware groups’ revenues continue to decrease due to victims’ refusal to pay ransoms and government efforts to prohibit this, Dragos assesses with moderate confidence that ransomware groups will increase their efforts to cause damage to industrial organisations to fulfil their financial objectives.