Cyber battleground: Dragos’ industrial ransomware analysis on the fight against ransomware

Cyber battleground: Dragos’ industrial ransomware analysis on the fight against ransomware

Despite the relentless efforts of international law enforcement to combat ransomware, the battle persists with the fourth quarter of 2023 showcasing a dynamic landscape marked by both a decline in reported incidents and a surge in innovative tactics. Abdulrahman H. Almari, Senior Threat Analyst at Dragos, sheds light on the 2023 OT Cybersecurity Year in Review report which provides a panoramic view of the most significant cyber trends, threats and lessons learned during cybersecurity events of 2023. He discusses ransomware groups embracing techniques like remote encryption, increasing the likelihood of successful attacks and engaging with the media to manipulate public perception.

Abdulrahman H. Almari, Senior Threat Anyalst at Dragos

While international law enforcement’s relentless efforts have resulted in arrests and the dismantling of ransomware operations, the battle against ransomware groups continues unabated. During the fourth quarter of 2023, we witnessed a slight decline in reported incidents yet saw a surge in actions that kept the ransomware threat landscape dynamic.

Ransomware groups consistently adapt by evolving their strategies, embracing new techniques and even reconfiguring or rebranding their operations to bolster their earnings and evade detection. Yet, international law enforcement has achieved noticeable results in fighting ransomware operations, including arresting members of ransomware groups – an example being the arrest of a Ragnar Locker developer in Paris after dismantling their infrastructure.

Additionally, the U.S. Justice Department, in collaboration with international agencies and help from Germany, Denmark and Europol, disrupted the activities of the AlphaV ransomware group. The U.S. Federal Bureau of Investigation’s (FBI) developed a decryption tool that aided over 500 victims, preventing approximately US$68 million in ransom payments. This operation is part of a broader initiative to combat major ransomware operations and apprehend key figures involved in global cyber disruptions.

As ransomware groups have consistently demonstrated their capacity to innovate and refine their methods, active groups such as LockBit, BlackCat, Royal and Akira adopted new techniques known as remote encryption or remote ransomware during the last quarter. This new technique involves compromising an endpoint connected to the victim’s network and using it to launch the ransomware attack within the victim’s environment, thereby increasing the likelihood of a successful attack. As Dragos assessed with moderate confidence in last quarter’s blog, ransomware groups continue to prioritise zero-day vulnerabilities in their operations. This strategic focus was evident in the actions of the LockBit ransomware group as it exploited a vulnerability known as ‘Citrix Bleed’ (CVE-2023-4966) during its attacks. LockBit leveraged this flaw to hijack authenticated sessions, gaining temporary access to various targets, including Boeing’s parts and distribution business.

However, ransomware groups have expanded beyond technical innovations. They actively engage with the media to control the narrative surrounding their activities, courting journalists and providing press releases, FAQs and interviews to manipulate public perception. This calculated approach allows ransomware gangs to amplify their notoriety and exert pressure on victims, ultimately enhancing their profitability. This evolving trend presents a fresh set of challenges for cybersecurity defenders and incident responders who must incorporate effective communication strategies into their response plans to counter these cybercriminal tactics.

The threat landscape has also grown more complex due to ransomware groups’ willingness to collaborate. While these collaborations may not directly impact industrial sectors, they are a worrisome development. Notably, instances of collaboration among ransomware groups – such as BianLian, White Rabbit and Mario Ransomware  – teaming up to target financial services firms, underscores a concerning trend of cybercriminal networks working together for mutual gain. This growing cooperation poses potential risks to critical infrastructure and industrial sectors as cybercriminals continue to share tactics, techniques and potentially even vulnerabilities that could be leveraged in future attacks.

Ransomware operation impacts on industrial organisations

In the fourth quarter of 2023, Dragos’ assessment of increased business-impacting ransomware attacks against industrial organisations was validated, with incidents exhibiting more severe impacts when compared to earlier quarters. An example is the Lockbit attack in October 2023 which exploited the Citrix Bleed vulnerability, targeting Boeing’s core operations in parts and distribution. Furthermore, the Qilin ransomware group’s November cyberattack on Yanfeng, a Chinese automotive part company supplying interior components to global carmakers, disrupted operations to the extent that Stellantis had to halt production at its North American plants.

In addition, Dragos noticed other ransomware incidents impacted the operations of multiple organisations, such as:

Ransomware trends, patterns and observations

Dragos analyses ransomware variants used against industrial organisations worldwide and tracks ransomware information via public reports and information uploaded or appearing on dark websites. By their very nature, these sources report victims that were listed as targets and those that pay or otherwise ‘cooperate’ with the criminals and they do not necessarily cover all incidents that took place in the last quarter.

Two interesting observations from the fourth quarter of 2023, compared to the previous quarters, were observable decreases in active ransomware groups and ransomware incidents impacting industrial organisations. Of the 77 ransomware groups that have historically attacked industrial organisations and infrastructure, only 32 were active in the last quarter and the number of ransomware incidents went from 231 to 204 over the same period. As of this time, Dragos is uncertain about the cause of this decrease in ransomware incidents between the third and fourth quarters of 2023.

Although the number of ransomware incidents and Dark Web postings in the fourth quarter of 2023 was slightly less than in the third quarter of 2023, the overall impact of these ransomware attacks against industrial organisations remains significant.

Regional impact observations, fourth quarter 2023:

  • There were 87 ransomware incidents (roughly 43% of the observed 204 global ransomware attacks) that impacted industrial organisations and infrastructure in North America, compared to 91 incidents in the previous quarter. Within North America, the US received over 37% of all ransomware incidents, similar to last quarter.
  • Approximately 32% of global ransomware incidents (67 in total) impacted Europe, roughly the same percentage as observed in Q3 2023.
  • Asia is next with 14.4% or 30 incidents.
  • South America had 4.4% totalling nine incidents.
  • The Middle East had 2.5% totalling five incidents.
  • Africa and Australia had 3% totalling three incidents each.

Manufacturing was the most impacted industry during the fourth quarter of 2023 with 135 observed incidents in total or 66.1%. The breakdown by sector is as follows:

  • The transportation sector was impacted 26 times, for a total of 12.7% of all observed incidents, which is a 50% increase compared to the previous sector.
  • The industrial control systems (ICS) equipment and engineering sector had 11.7% of alleged attacks (24 incidents).
  • The electric sector was impacted by 3.43% of the alleged attacks (seven incidents).
  • The water and wastewater sector were the victim of 2.45% of alleged attacks (five incidents).
  • The oil and natural gas sector had 1.9% of alleged attacks (four incidents).
  • The mining and government sectors had less than 1% of the global alleged attacks each.

In addition to the primary industries and sectors mentioned above, Dragos observed 22 unique manufacturing sub-sectors impacted by ransomware during the fourth quarter of 2023. The percentage breakdown as a part of all manufacturing incidents is as follows:

  • Equipment: 20% (27 incidents)
  • Consumer: 12% (16 incidents)
  • Metals: 9% (12 incidents)
  • Automotive: 8.1% (11 incidents)
  • Food and beverage, contraction and chemical: 8% (six incidents)
  • Pharmaceuticals, electronic and plastic: 4.4% (six incidents)
  • Packaging and healthcare: 3.7% (five incidents)
  • Aerospace, glass, agriculture and textile: 2.2% (three incidents)
  • Rubber, maritime, paper, recycling and semiconductor: less than 1% (one incident)

Dragos’ analysis of numerous ransomware data from the fourth quarter of 2023 indicates that the Lockbit 3.0 group was behind most attacks against industrial organisations, with 25.5% (or 52 incidents) of observed ransomware events. The BlackBasta ransomware was second with 10.3% (or 21 incidents). The following rounds out the observed ransomware group trends for the fourth quarter of 2023:

  • AlphV was responsible for 6.8% of incidents (14 incidents)
  • 8Base and Play:  6.3% each (13 incidents each)
  • Losttrust was responsible for 5.4% of incidents (11 incidents)
  • Noescape was responsible for 4.4% of incidents (9 incidents)
  • Akira was responsible for 3.9% of incidents (eight incidents)
  • Bianlian was responsible for 3.4% of incidents (seven incidents)
  • Cactus, Inc Ransom, Qilin, Medusablog and Regroup: 2.4% each (five incidents each)
  • Cl0p and Knight: 1.9% each (four incidents each)
  • Meowleaks was responsible for 1.4% of incidents (three incidents)
  • Lorenz, Metaencryptor, Money Message, Rhysida, Snatch and Trigona: less than 1% each (two incidents each)

The remaining ransomware groups were responsible for 1% or less of incidents.

The groups that Dragos observed in the third quarter but not in the fourth quarter of 2023 are as follows:

  • Cloak
  • Ciphbit
  • Rancoz
  • Ransomed
  • Mallox
  • Everest
  • Cuba

Dragos observed the following ransomware groups for the first time in the fourth quarter of 2023:

  • Knight
  • Meowleaks
  • Threeam
  • Losttrust
  • Metaencryptor
  • Moneymessage

It is still being determined whether these new groups are in fact new or if they are reformed or rebranded from other ransomware groups.

Final words

Looking forward, Dragos assesses with moderate confidence that the ransomware threat landscape will continue to evolve and marked by the emergence of new ransomware variants. These developments are expected as ransomware groups strive to refine their attack methodologies, likely keeping zero-day vulnerabilities as a key component in their operational toolkit.

Additionally, Dragos assesses with low confidence that ransomware groups may increasingly develop and deploy ransomware specifically designed to disrupt Operational Technology (OT) processes. This potential shift in focus towards OT processes could be driven by the continuous attempts of ransomware groups to exert greater pressure on victims to pay ransoms. By targeting critical OT processes, these groups could significantly amplify the impact of their attacks on industrial organisations. Such disruptions would not only affect operational capabilities but also compromise safety, thereby increasing level of urgency and potentially compelling victims to meet ransom demands more readily.

This evolving strategy reflects a concerning trend in the ransomware landscape, where the consequences of attacks extend beyond data loss and financial impact to directly threaten the core operational integrity of targeted organisations.

Get your copy of the 2023 Year in Review

For a complete analysis of 2023 ransomware activity affecting industrial and critical infrastructure, download your free copy of the 2023 OT Cybersecurity Year in Review : https://www.dragos.com/ot-cybersecurity-year-in-review/

Browse our latest issue

Intelligent CISO

View Magazine Archive