Dragos Releases Industrial Ransomware Analysis For Q3 2022

A new report from Dragos examining threats to industrial systems found that ransomware continues to be one of the most threatening financial and operational risks to industrial organizations worldwide during the third quarter of 2022.

“Dragos monitors and analyses the activities of 48 different ransomware groups that target industrial organizations and infrastructures,” commented Abdulrahman Alamri, Senior Adversary Hunter at Dragos, who authored the report. “Dragos observed through publicly disclosed incidents, network telemetry, and dark web posting that out of these 48 groups, only 25 have been active during Q3 of 2022. Dragos is aware of 128 ransomware incidents in the third quarter of 2022 compared to 125 in the previous quarter. The Lockbit ransomware family accounts for 33 per cent and 35 per cent, respectively, of the total ransomware incidents that target industrial organisations and infrastructures in the last two quarters, as the groups added new capabilities in their new Lockbit 3.0 strain.”

Dragos’ breakdowns of ransomware activities for this quarter are as follows:

Ransomware By Region

  • Thirty-six per cent of the 128 ransomware attacks targeted industrial organizations and infrastructures in North America, for a total of 46 incidents, as shown above.
  • Europe comes in second with 33 per cent, 42 incidents.
  • Asia with 22 per cent or 28 incidents.
  • South America with 6 per cent, or eight incidents.
  • Africa and Australia with two per cent each, two incidents each.

Ransomware by sector and sub-sector

Sixty-eight per cent of ransomware attacks targeted the manufacturing sector (88 incidents), the same percentage reported in Q2. Nine per cent of attacks targeted the food and beverage sector (12 incidents) compared to eight per cent in the last quarter. The oil and natural gas sector was targeted with six per cent of the attacks (eight incidents) and the energy and pharmaceuticals sectors with 10 per cent of attacks, with seven and six incidents, respectively. The sectors of chemical, mining, engineering, and water and wastewater systems were targeted with one per cent or one incident each.

The ransomware attacks that Dragos tracked this quarter targeted 40 unique manufacturing subsectors. These manufacturing subsectors break down as follows:

  • Fourteen per cent of victims were in metal products manufacturing (12 incidents).
  • Eight per cent were in industrial solutions (seven incidents).
  • Seven per cent were in packaging, with six incidents.
  • The electronics and semiconductor manufacturing sectors and plastic accounted for six per cent of attacks each, with five incidents each.
  • Automotive and cosmetics each made up ten per cent of incidents, four incidents each.

Ransomware by groups

Analysis of ransomware data shows Lockbit 3.0 made 35 per cent of the total ransomware attacks in Q3, accounting for 45 incidents; Black Basta comes in next with 11 per cent (16 incidents); Hive made seven per cent (nine incidents); KARAKURT made six per cent (eight incidents); Avos Locker and Lorenz made five incidents each, or four per cent. Lockbit 3.0 maintained the same level of operation as Lockbit 2.0 last quarter. Ransomware attacks against manufacturing entities also impact other sectors that depend on manufacturers in their operations or supply chain, such as aerospace, food and beverage, and automotive organizations.

Ransomware victimology trends

During Q3 of 2022, Dragos continued to observe trends in the victimology of ransomware groups. This does not, however, determine the permanent focus of these groups, as victimology can change over time. Three more ransomware groups were observed targeting industrial sectors and regions of the world in this last quarter than in Q2 of 2022. Based on our analysis of the Q3 2022 timeframe, Dragos observed that:

  • Ragnar Locker has been targeting mainly the Energy sector.
  • Cl0p Leaks has been targeting only the Water and Wastewater sector.
  • KARAKURT has targeted only manufacturing in Q3, while in Q2, it only targeted transportation entities.
  • Lockbit 3.0 is the only group that targeted chemicals, drilling, industrial supplies, and interior design.
  • Stormous has only targeted Vietnam.
  • Lorenz has only targeted the United States.
  • Sparta blog has only targeted Spain.
  • Black Basta and Hive targeted the transportation sector.

“In Q4 of 2022, Dragos assesses with high confidence that ransomware will continue to disrupt industrial operations, whether through the integration of OT kill processes into ransomware strains, flattened networks allowing for ransomware to spread into OT environments, or through precautionary shutdowns of OT environments by operators to prevent ransomware from spreading to OT systems. Due to the changes in ransomware groups and the leaking of the Lockbit 3.0 builder, Dragos assesses with moderate confidence that more new ransomware groups will appear in the next quarter, as either new or reformed ones,” concluded Alamri.