A new report from Dragos, examining threats to industrial systems, found that ransomware continued to be one of the most threatening financial and operational risks to industrial organizations worldwide during the third quarter of 2022.
“Dragos monitors and analyzes the activities of 48 different ransomware groups that target industrial organizations and infrastructures,” commented Abdulrahman Alamri, Senior Adversary Hunter at Dragos, who authored the report. “Dragos observed through publicly disclosed incidents, network telemetry, and dark web posting that out of these 48 groups, only 25 have been active during Q3 of 2022. Dragos is aware of 128 ransomware incidents in the third quarter of 2022 compared to 125 in the previous quarter. The Lockbit ransomware family accounts for 33% and 35% respectively of the total ransomware incidents that target industrial organizations and infrastructures in the last two quarters, as the groups added new capabilities in their new Lockbit 3.0 strain.”
Dragos’ breakdowns of ransomware activities for this quarter are as follows:
Ransomware by region
- 36% of the 128 ransomware attacks targeted industrial organizations and infrastructures in North America, for a total of 46 incidents.
- Europe comes in second with 33%, 42 incidents.
- Asia with 22% or 28 incidents.
- South America with 6%, or 8 incidents.
- Africa and Australia with 2% each, 2 incidents each.
Ransomware by sector and sub-sector
68% of ransomware attacks targeted the manufacturing sector (88 incidents), the same percentage reported in Q2. 9% of attacks targeted the food and beverage sector (12 incidents) compared to 8% in the last quarter. The oil and natural gas sector was targeted with 6% of the attacks (8 incidents) and the energy and pharmaceuticals sectors with 10% of attacks, with seven and six incidents respectively. The sectors of chemical, mining, engineering, and water and wastewater systems were targeted with 1% or one incident each.
The ransomware attacks that Dragos tracked this quarter targeted 40 unique manufacturing subsectors. These manufacturing subsectors break down as follows:
- 14% of victims were in metal products manufacturing (12 incidents).
- 8% were in industrial solutions (7 incidents).
- 7% were in packaging, 6 incidents.
- Electronics and semiconductor manufacturing, and plastic, each accounted for 6% of attacks, 5 incidents each.
- Automotive and cosmetics each made up 10% of incidents, 4 incidents each.
Ransomware by groups
Analysis of ransomware data shows that Lockbit 3.0 accounted for 35% of the total ransomware attacks in Q3 (45 incidents). Black Basta came next with 11% (16 incidents), followed by Hive with 7% (9 incidents), KARAKURT with 6% (8 incidents), and Avos Locker and Lorenz with 4% each (5 incidents each). Lockbit 3.0 maintained the same level of operation as Lockbit 2.0 last quarter. Ransomware attacks against manufacturing entities also impact other sectors that depend on manufacturers in their operations or supply chain, such as aerospace, food and beverage, and automotive organizations.
Ransomware victimology trends
During Q3 of 2022, Dragos continued to observe trends in the victimology of ransomware groups. This does not, however, determine the permanent focus of these groups, as victimology can change over time. Three more ransomware groups were observed targeting industrial sectors and regions of the world in this last quarter than in Q2 of 2022. Based on our analysis of the Q3 2022 timeframe, Dragos observed that:
- Ragnar Locker has been targeting mainly the Energy sector.
- Cl0p Leaks has been targeting only the Water and Wastewater sector.
- KARAKURT has targeted only manufacturing in Q3, while in Q2, it only targeted transportation entities.
- Lockbit 3.0 is the only group that targeted chemicals, drilling, industrial supplies, and interior design.
- Stormous has only targeted Vietnam.
- Lorenz has only targeted the United States.
- Sparta blog has only targeted Spain.
- Black Basta and Hive targeted the transportation sector.
“In Q4 of 2022, Dragos assesses with high confidence that ransomware will continue to disrupt industrial operations, whether through the integration of OT kill processes into ransomware strains, flattened networks allowing for ransomware to spread into OT environments, or through precautionary shutdowns of OT environments by operators to prevent ransomware from spreading to OT systems. Due to the changes in ransomware groups and the leaking of the Lockbit 3.0 builder, Dragos assesses with moderate confidence that more new ransomware groups will appear in the next quarter, as either new or reformed ones,” concluded Alamri.