Dragos releases its Industrial Ransomware Analysis for Q3 2022

Ransomware continues to be one of the most threatening financial and operational risks to industrial organisations worldwide during the third quarter of 2022.

Last quarter, Dragos assessed with high confidence that Q3 would witness an increase in ransomware groups’ evolving activities, the disruption of industrial operations and the appearance of new or reforming ransomware groups. The assessment remains correct, except that Dragos is unaware of any significant industrial disruptions in Q3. Dragos is aware of multiple new ransomware groups targeting industrial entities during Q3, like SPARTA BLOG, BIANLIAN, Donuts, ONYX and YANLUOWANG. Until now, Dragos cannot confirm if these groups are reformed from other dissolved ransomware groups, such as Conti, who shut down their operation last quarter. In addition, Dragos observed ransomware trends tied to political and economic reasons, such as the conflict between Russia and Ukraine and Iranian and Albanian political tensions. Dragos observed another trend related to the global crisis of energy supplies and prices, which may have caused Ragnar Locker, AlphaV and possibly other ransomware groups to increase their activities targeting energy sectors.

Dragos monitors and analyses the activities of 48 different ransomware groups that target industrial organisations and infrastructures. Dragos observed through publicly disclosed incidents, network telemetry and dark web posting that out of these 48 groups, only 25 have been active during Q3 of 2022. Dragos is aware of 128 ransomware incidents in the third quarter of 2022 compared to 125 in the previous quarter.

The Lockbit ransomware family account for 33% and 35% respectively of the total ransomware incidents that target industrial organisations and infrastructures in the last two quarters, as the groups added new capabilities in their new Lockbit 3.0 strain. Anti-detection mechanisms, anti-debugging and disabling Windows defenders are among the features that make Lockbit one of the fastest growing ransomware strains. Last month, an unknown person claimed he had hacked Lockbit servers and leaked Lockbit 3.0 builder, allowing anyone to create ransomware. Dragos predicts with moderate confidence that Lockbit 3.0 will continue to target industrial organisations and pose threats to industrial operations in the last quarter of 2022, whether by the Lockbit gang itself or others who can create their own version of the Lockbit ransomware.

Ransomware by region

Globally, 36% of the 128 ransomware attacks targeted industrial organisations and infrastructures in North America, for a total of 46 incidents, as shown in Figure 1. Europe came in second with 33% (42 incidents). Asia experienced 22% or 28 incidents, South America had 6% (8 incidents) and Africa and Australia each experienced two incidents (2%).

Figure 1: Ransomware incidents by region. For a larger image click here.

Noticeably, the percentage of reported cases in North America jumped to 36% compared to 26% in the last quarter.

Ransomware by sector and subsector

Figure 2 shows that 68% of ransomware attacks target the manufacturing sector, the same percentage reported in Q2. Nine per cent of attacks targeted the food and beverage sector compared to 8% in the last quarter, while the oil and natural gas sector was targeted with 6% of the attacks and the energy and pharmaceuticals sectors with 10% of attacks. The sectors of chemical, mining, engineering, and water and wastewater systems were targeted with 1% or one incident each.

Figure 2: Ransomware incidents by sector and subsector. For a larger image click here.

The ransomware attacks that Dragos tracked this quarter targeted 40 unique manufacturing subsectors. These manufacturing subsectors break down as follows:

• 14% of victims were in metal products manufacturing.
• 8% were in industrial solutions.
• 7% were in packaging.
• The electronics and semiconductor manufacturing sectors and plastic accounted for 6% of attacks each.
• Automotive and cosmetics each made up 10% of incidents.

Ransomware by group

Analysis of ransomware data shows Lockbit 3.0 made 35% of the total ransomware attacks in Q3, accounting for 45 incidents; Black Basta comes in next with 11%; Hive made 7%; KARAKURT made 6%; Avos Locker and Lorenz made up 4% each.

Figure 3: Ransomware incidents by ransomware group.

It should be mentioned that ransomware attacks against manufacturing entities also impact other sectors that depend on manufacturers in their operations or supply chain, such as aerospace, food and beverage, and automotive organisations.

Ransomware victimology trends

During Q3 of 2022, Dragos continued to observe trends in the victimology of ransomware groups. This does not, however, determine the permanent focus of these groups, as victimology can change over time. Three more ransomware groups were observed targeting industrial sectors and regions of the world in this last quarter than in Q2 of 2022. Based on analysis of the Q3 2022 timeframe, Dragos observed:

• Ragnar Locker has been targeting mainly the energy sector.
• Cl0p Leaks has been targeting only the water and wastewater sector.
• KARAKURT has targeted only manufacturing in Q3, while in Q2, it only targeted transportation entities.
• Lockbit 3.0 is the only group that targeted chemicals, drilling, industrial supplies and interior design.
• Stormous has only targeted Vietnam.
• Lorenz has only targeted the United States.
• Sparta blog has only targeted Spain.
• Black Basta and Hive targeted the transportation sector.
   

The groups we observed in Q2 but not in Q3 are: Lockbit 2.0, Conti, Snatch, Moses staff, Midas leaks, pandora and Suncrypt. The following groups were observed in Q3 but not in Q2: Lockbit 3.0, Cl0p Leaks, Medusalocker, Sparta blog, BIANLIAN, DONUTS, ONYX, Revil, and YANLUOWANG.

What’s next?

In Q4 of 2022, Dragos predicts with high confidence that ransomware will continue to disrupt industrial operations, whether through the integration of OT kill processes into ransomware strains, flattened networks allowing for ransomware to spread into OT environments or through precautionary shutdowns of OT environments by operators to prevent ransomware from spreading to OT systems. Due to the changes in ransomware groups and the leaking of the Lockbit 3.0 builder, Dragos assesses with moderate confidence that more new ransomware groups will appear in the next quarter, as either new or reformed ones.

*Abdulrahman H Alamri is a Senior Adversary Hunter at Dragos. He holds a master's degree in Cybersecurity and worked previously in the Saudi National Cybersecurity Authority (NCA) as a Tactical Threat Intelligence team lead.

Top image: ©iStockPhoto.com/Just_Super