Dragos Industrial Ransomware Analysis: Q1 2024

Information provided here is sourced from Dragos OT Cyber Threat Intelligence adversary hunters and analysts who conduct research on adversary operations and their tactics, techniques, and procedures (TTPs). Dragos OT cyber threat intelligence is fully reported in Dragos WorldView threat intelligence reports and is also compiled into the Dragos Platform for threat detection and vulnerability management.

Ransomware remains the foremost widespread cybersecurity threat impacting industrial organizations worldwide. The first quarter of 2024 (January – March) saw unusual developments within the ransomware threat landscape, marked by significant law enforcement successes and unexpected shifts within the cybercriminal community. Notably, an extensive international law enforcement collaboration led to the dismantling of the Lockbit ransomware group, one of the most prominent and widely recognized groups in the cybercrime arena. Concurrently, the Alphv/Blackcat group, another prominent player in the ransomware ecosystem, initiated a surprising self-decommission of its infrastructure after stealing millions of dollars from an affiliate that recently attacked an American healthcare services provider.

These events may potentially lead to a period of intense upheaval among ransomware operators, which occurred after a noticeable strategic adaptation aimed at maximizing the impact on their targets. In the past quarter’s blog, which covered ransomware attacks in Q4 of 2023 (October – December), Dragos predicted this strategic shift in the ransomware operation due to the law enforcement effort to fight ransomware and declining ransom payments by the victims. With the recent ransomware incidents focusing on causing profound operational disruptions and business continuity challenges, ransomware groups have escalated their tactics to urgently compel affected organizations into meeting their ransom demands.

The recent Alphv/BlackCat ransomware campaign targeting the healthcare sector is particularly concerning. The effects go beyond financial losses, directly threatening human lives and healthcare services. The situation highlights the powerful influence that leading ransomware groups wield over their affiliates, guiding them to concentrate attacks on specific industries to amplify damage. Furthermore, this reflects a strategic refinement in ransomware tactics, transitioning from merely targeting individual victims to orchestrating operations aimed at deliberately targeting specific industry. Dragos assesses with moderate confidence that this type of coordinated effort could become a substantial threat to industrial sectors if similar tactics are applied in the future. This risk is amplified as ransomware payment rates decline and law enforcement agencies increase successful takedown campaigns against ransomware groups.

The technical capabilities of ransomware groups in the first quarter of 2024 underscore their agility and sophistication in exploiting vulnerabilities, particularly in public-facing applications. The targeting of ConnectWise ScreenConnect by BlackBasta and Lockbit and the Qlik Sense application by CACTUS highlight a strategic approach to leverage weak points in widely used platforms. Furthermore, the rapid exploitation of new vulnerabilities, as demonstrated by Cactus exploiting a vulnerable VPN less than 24 hours after the vulnerability was initially disclosed, showcases these groups’ swift adaptability and readiness to capitalize on security gaps. Moreover, Dragos has assessed with moderate confidence that ransomware operations, possibly in collaboration with initial access brokers (IABs), have attempted to exploit zero-day vulnerabilities in Ivanti ICS VPN.

Ransomware Trends, Patterns, & Observations

Dragos analyzes ransomware variants used against industrial organizations worldwide and tracks ransomware information via public reports and information uploaded or appearing on dark websites. By their very nature, these sources report victims that were listed as targets and those that pay or otherwise “cooperate” with the criminals, and they do not necessarily match one-to-one with all incidents that took place in this last quarter.

Dragos has noted a decline in ransomware activities targeting the industrial sector in the first quarter of 2024 compared to the final quarter of the previous year. Of the 77 ransomware groups known for their industrial attacks, just 22 remained active recently, a decrease from 32 in the earlier quarter. Similarly, the number of ransomware incidents within the industrial sector reduced from 204 to 169. This downturn is attributed, with moderate confidence, to a shift in focus by ransomware groups towards the healthcare sector since early 2024 and a significant increase in law enforcement actions dismantling ransomware operations and apprehending the individuals involved.

Furthermore, unlike in previous periods, there were no significant operational disruptions caused by ransomware in the first quarter of 2024. While this might initially seem optimistic, the emerging trend of ransomware groups influencing their affiliates to shift focus and maximize impact on specific sectors raises concerns. Dragos assesses with moderate confidence that such coordinated efforts pose a real threat to the industrial sector, especially if similar tactics are adopted in the future.

Regional Impact Observations, First Quarter of 2024

• There were 83 ransomware incidents (roughly 49 percent of the observed 169 global ransomware attacks) that impacted industrial organizations and infrastructure in North America, compared to 87 incidents in the previous quarter. Within North America, the U.S. received over 45 percent of all ransomware incidents, compared to 37 percent in the previous quarter.
• Approximately 30 percent of global ransomware incidents (51 in total) impacted Europe, compared to 67 incidents in the previous quarter.
• Asia is next with approximately 11 percent, or 19 incidents.
• South America and Africa both had roughly 3 percent, or 5 incidents each.
• The Middle East and Australia had 3 incidents, each.

Industry Impacts, First Quarter of 2024

Manufacturing was the most impacted industry during the first quarter of 2024, with 106 observed incidents in total, or 62.7 percent. The breakdown by sector is as follows: 

• The transportation sector was impacted 25 times, for a total of 14.7 percent of all observed incidents.
• The industrial control systems (ICS) equipment and engineering sector had 12.4 percent of alleged attacks (21 incidents). 
• The oil and natural gas sector had 4.3 percent of alleged attacks (8 incidents), which is double the number of the incidents of the previous quarter.
• The water and wastewater sector were the victim of 1.7 percent of alleged attacks (3 incidents).
• The mining, communications, electric, and renewable energy sectors had 2 or less attacks each in the last quarter.

In addition to the primary industries and sectors mentioned above, Dragos observed 21 unique manufacturing subsectors impacted by ransomware during the first quarter of 2024. Their percentage breakdown as a part of all manufacturing incidents follows:

• Equipment: 18 incidents
• Consumer and Construction: Each had 15 incidents
• Metals: 8 incidents
• Food & Beverage: 7 incidents
• Packaging: 6 incidents
• Chemical and Maritime: Each had 5 incidents
• Electronics: 4 incidents
• Machinery, Pharmaceuticals, and Textile: Each had 3 incidents
• Aerospace, Automotive, Healthcare, Semiconductor, and Plastic: Each had 2 incidents.
• Automation, Defense, Glass, and Rubber: Each had 1 incident.

Ransomware Groups Trends, Patterns, and Observations During the First Quarter of 2024

Dragos’s analysis of numerous ransomware data from the first quarter of 2024 indicates that the Lockbit 3.0 group was behind the most attacks against industrial organizations, with 26.6 percent (or 45 incidents) of observed ransomware events. The 8base ransomware was the second with 13.6 percent (or 23 incidents). The following rounds out the observed ransomware group trends for the first quarter of 2024:

• Hunters International was responsible for 17 incidents, representing 10.06%.
• Black Basta was linked to 13 incidents, which is 7.69%.
• Akira accounted for 12 incidents, translating to 7.10%.
• Alphv was involved in 11 incidents, equating to 6.51%.
• Cactus was identified in 9 incidents, or 5.33%.
• Bianlian was responsible for 8 incidents, or 4.73%.
• MedusaLocker was active in 5 incidents, making up 2.96%.
• Both Play and Trigona were associated with 4 incidents each, each holding 2.37%.
• Inc Ransom and Stormous, each had a hand in 3 incidents, each with 1.78%.
• Meowleaks, Qilin, and Rhysida were each tied to 2 incidents, or 1.18%.
• Abyss, Blacksuit, Cl0p, Cuba, Knight, and Ransomexx were each involved in 1 incident. 

The groups that Dragos observed in the fourth quarter of 2023, but not in the first quarter of 2024, are as follows: 

• Losttrust
• Noescape
• RA Group
• Lorenz
• MetaEncryptor
• MoneyMessage
• Snatch
• Threeam
• DoNut Leaks
• Daixin Team
• Monti
• RagnarLocker

In Conclusion

Looking forward, Dragos assesses with moderate confidence that the ransomware threat landscape will continue to evolve, likely characterized by the introduction of new variants and an increasing number of coordinated campaigns targeting industrial sectors. Ransomware groups are anticipated to further refine their strategies, with a high probability of continuing to leverage zero-day vulnerabilities in their attacks.

Additionally, there are only two ransomware variants that have demonstrated OT-impacting capabilities – EKANS and Cl0p. However, Dragos is aware of multiple instances where ransomware operators were able to detonate ransomware within the OT environment and, even without OT-impacting capabilities, was still able to cause operational disruption. For those reasons, ransomware operators considering how their respective criminal enterprises can better impact industrial organizations and OT environments is entirely plausible. This is further exacerbated by industrial trends of digitalizing OT environments and movement towards more IT and OT connectivity and dependencies. This potential shift in focus towards OT processes and environments could be driven by the continuous attempts of ransomware groups to exert greater pressure on victims to pay ransoms. By targeting critical OT processes, these groups could significantly amplify the impact of their attacks on industrial organizations. Such disruptions would not only affect operational capabilities but also compromise safety, thereby increasing the urgency and potentially compelling victims to meet ransom demands more readily. 

This evolving strategy reflects a concerning trend in the ransomware landscape, where the consequences of attacks extend beyond data loss and financial impact to directly threaten the core operational integrity of targeted organizations.

To address cybersecurity threats in OT, including ransomware threats, the SANS Institute recommends five critical controls to ensure world-class ICS and OT cybersecurity. These five critical controls include: an ICS-focused incident response plan, a defensible architecture, OT network visibility and monitoring, secure remote access, and risk-based vulnerability management. You can learn more about the five critical controls by downloading our guide, “5 Critical Controls for World-Class OT Cybersecurity.”

Get Your Copy of the 2023 Year in Review

For a complete analysis of 2023 ransomware activity affecting industrial and critical infrastructure, download your free copy of the 2023 OT Cybersecurity Year in Review.