
Ransomware will continue to disrupt industrial operations: Dragos


A new report from Dragos, examining threats to industrial systems, found that ransomware continues to be one of the most threatening financial and operational risks to industrial organisations worldwide during the third quarter of 2022.

Dragos’ breakdowns of ransomware activities for this quarter are as follows:

Ransomware by region

  • Thirty-six per cent of the 128 ransomware attacks targeted industrial organisations and infrastructures in North America, for a total of 46 incidents, as shown above.
  • Europe came second with 33 per cent, or 42 incidents.
  • Asia followed with 22 per cent, or 28 incidents.
  • South America accounted for six per cent, or eight incidents.
  • Africa and Australia accounted for two per cent each, or two incidents each.

Ransomware by sector and sub-sector

The manufacturing sector was targeted in 68 per cent of ransomware attacks (88 incidents), the same percentage reported in Q2. Nine per cent of attacks targeted the food and beverage sector (12 incidents), compared to eight per cent in the last quarter. The oil and natural gas sector was targeted in six per cent of the attacks (eight incidents), and the energy and pharmaceuticals sectors in 10 per cent of attacks, with seven and six incidents respectively. The chemical, mining, engineering, and water and wastewater systems sectors were targeted in one per cent of attacks, or one incident, each.

The ransomware attacks that Dragos tracked this quarter targeted 40 unique manufacturing subsectors. These manufacturing subsectors break down as follows:

  • 14 per cent of victims were in metal products manufacturing (12 incidents).
  • Eight per cent were in industrial solutions (seven incidents).
  • Seven per cent were in packaging (six incidents).
  • The electronics and semiconductor manufacturing sectors and plastic each accounted for six per cent of attacks (five incidents each).
  • Automotive and cosmetics each made up ten per cent of incidents (four incidents each).

Ransomware by groups

Analysis of ransomware data shows that Lockbit 3.0 accounted for 35 per cent of the total ransomware attacks in Q3, or 45 incidents. Black Basta came next with 11 per cent (16 incidents), followed by Hive with seven per cent (nine incidents) and KARAKURT with six per cent (eight incidents). Avos Locker and Lorenz accounted for five incidents each, or four per cent. Lockbit 3.0 maintained the same level of operation as Lockbit 2.0 last quarter. Ransomware attacks against manufacturing entities also impact other sectors that depend on manufacturers in their operations or supply chain, such as aerospace, food and beverage, and automotive organisations.

Ransomware victimology trends

During Q3 of 2022, Dragos continued to observe trends in the victimology of ransomware groups. This does not, however, determine the permanent focus of these groups, as victimology can change over time. Three more ransomware groups were observed targeting industrial sectors and regions of the world in this last quarter than in Q2 of 2022. Based on their analysis of the Q3 2022 timeframe, Dragos observed that:

  • Ragnar Locker has been targeting mainly the energy sector.
  • Cl0p Leaks has been targeting only the water and wastewater sector.
  • KARAKURT has targeted only manufacturing in Q3, while in Q2, it only targeted transportation entities.
  • Lockbit 3.0 is the only group that targeted chemicals, drilling, industrial supplies, and interior design.
  • Stormous has only targeted Vietnam.
  • Lorenz has only targeted the United States.
  • Sparta blog has only targeted Spain.
  • Black Basta and Hive targeted the transportation sector.

“In Q4 of 2022, Dragos assesses with high confidence that ransomware will continue to disrupt industrial operations, whether through the integration of OT kill processes into ransomware strains, flattened networks allowing for ransomware to spread into OT environments, or through precautionary shutdowns of OT environments by operators to prevent ransomware from spreading to OT systems. Due to the changes in ransomware groups and the leaking of the Lockbit 3.0 builder, Dragos assesses with moderate confidence that more new ransomware groups will appear in the next quarter, as either new or reformed ones,” concluded Abdulrahman Alamri, Senior Adversary Hunter at Dragos.