Exclusive Webinar:

Join us Oct. 6 as Rockwell Automation & Dragos CEOs reshape the way you approach cybersecurity in manufacturing.

Skip to main content
The Dragos Blog

08.09.22 | 4 min read

Dragos Industrial Ransomware Analysis: Q2 2022

Not surprisingly, ransomware groups continued to target industrial organizations and infrastructures and disrupt operational technology (OT) operations in the second quarter of 2022. Even though the number of reported ransomware incidents is slightly less than the numbers we reported in the last quarter, the impact of those attacks remains significant to the targeted industrial organizations, dependent sectors, and their subsidiaries. Even in instances where OT is not the intended target, ransomware attacks on enterprise IT where OT is present can negatively impact OT operations.

Dragos is aware of multiple ransomware incidents that targeted enterprise infrastructures and caused the operations of the targeted organizations to be halted. In the case of Foxconn in May of this year, Lockbit 2.0 ransomware encrypted over 1200 servers in one of the company’s factories in Mexico, causing a disruption to the factory’s operation for a couple of weeks. Noticeably, several ransomware groups, such as Conti and AlphaV, focused on targeting governmental sectors this quarter compared to their historical victimology.

Dragos analyzes and monitors the activities of 43 ransomware groups that target industrial organizations and infrastructures. Dragos observed through publicly disclosed incidents, network telemetry, and dark web posting that out of these 43 groups, only 23 groups have been active during Q2 of 2022. Dragos is aware of 125 ransomware incidents in the second quarter compared to 158 in the last quarter. Dragos assesses with low confidence the shutdown of Conti operations in mid-May may have caused this drop. Conti accounted for 25% and 18%, respectively, of the total ransomware incidents targeting industrial organizations and infrastructures in the last two quarters. Conti shut down its operations two weeks after the U.S State Department announced rewards for any information about Conti leadership and its affiliates.

On the other hand, this quarter witnessed the birth of a significant new threatening ransomware group called Black Basta, responsible for major ransomware incidents such as the May incident that halted AGCO’s operations for weeks. While security researchers are trying to learn more about Black Basta, some suggested that former Conti and REvil group members are running this new ransomware group due to the nature of the operation and the victim selections.

Dragos analyzes ransomware variants targeting industrial organizations worldwide and tracks ransomware information via public reports and information uploaded or appearing on dark web resources. By their very nature, these sources report targets that pay or otherwise “cooperate” with the criminals and therefore do not match 1:1 with incidents. Even though the number of ransomware attacks and dark website postings in the Q2 of 2022 is slightly less than the number in Q1 of 2022, the impact of the ransomware attacks in Q2 of 2022 remains significant. Our breakdowns of ransomware activities for this quarter follows.

Ransomware By Location

Figure 1: Ransomware targets by continent

Globally, 37 percent of the ransomware attacks target industrial organizations and infrastructures in Europe, for a total of 46 incidents, as shown above; North America comes second with 29 percent or 36 incidents; Asia with 26 percent or 32 incidents; South America with 5 percent; the Middle East with 3 percent; and Africa with 1 percent. While the 29 percent of the ransomware attacks targeting industrial organizations in North America is less than last quarter (42 percent), the number of occurrences in industrial infrastructure, 36, is still concerningly high. North America remains one of the most highly targeted regions by ransomware. Noticeably, the percentage of the reported cases in Asia jumped to 26 percent compared to 9 percent in the last quarter.

Ransomware By Sector

Ransomware targets by sector and subsector
Figure 2: Ransomware targets by sector and subsector

Figure 2 shows that eight percent of attacks targeted both the food and beverage and energy sectors, 5 percent targeted the transportation sector, 4 percent targeted the pharmaceuticals sector, and 2 percent targeted the oil and natural gas sector. This figure also shows that 69 percent of all ransomware attacks that Dragos tracked in Q2 2022 targeted 42 unique manufacturing subsectors. Eight percent of victims were in automotive manufacturing, 7 percent were in metal products, 5 percent were in electronics, building materials, and clothing manufacturing, and 4 percent were in plastics.

Ransomware By Groups

ransomware attacks by sector ransomware group
Figure 3: Ransomware attacks by sector ransomware group

Analysis of ransomware data shows Lockbit 2.0 made 33 percent of the total ransomware attacks in Q2; Conti comes in next with 13 percent; Black Basta made 12 percent; Quantum made 7 percent; AlphaV and Hive made 4 percent each. Lockbit 2.0 maintained the same number of ransomware incidents as last quarter, showing that the group continues to maintain the same level of operation. Whereas the Conti, Lockbit 2.0, and Black Basta groups continue to target different sectors of industrial organizations, most of the victims are within the manufacturing sector. Ransomware attacks against manufacturing entities have sometimes impacted other sectors that depend on manufacturers in their operations or supply chain, such as aerospace, food and beverage, and automotive organizations.

Ransomware Victimology Trends

During Q2 of 2022, Dragos observed trends in the victimology of ransomware groups. This does not, however, determine the permanent focus of these groups as victimology can change over time. Based on our analysis of the Q2 2022 timeframe, Dragos observed that:

  • Karakurt has been targeting mainly transportation entities
  • VICE SOCIETY has been targeting only automotive manufacturing entities.
  • Lockbit 2.0 is the only group that targeted the pharmaceutical, mining, and water treatment sectors.
  • Moses Staff has only targeted Israel, and it published a video demonstrating their activities.
  • Black Basta, Ransomhouse, and Everest have only targeted entities in the US and Europe.
  • Quantum and Lorenzo have only targeted North American-based entities.
  • The groups observed in Q1 and not in Q2 are LAPSUS$, CL0P LEAKS, and Rook.
  • Groups that were observed in Q2 but not in Q1: Black Basta, Midas Leaks, Pandora, and Ransomhouse.

In Q3 of 2022, Dragos assesses with high confidence that ransomware will continue to disrupt OT operations, whether through the integration of OT kill processes into ransomware strains, flattened networks allowing for ransomware to spread into OT environments, or through precautionary shutdowns of OT environments by operators to prevent ransomware from spreading to OT systems.

Due to the changes in ransomware groups themselves, Dragos assesses with moderate confidence new ransomware groups will appear in the next quarter, whether as new or reformed ones. Dragos assesses with moderate confidence that ransomware will continue to either indirectly or directly target OT operations.

Ready to put your insights into action?

Take the next steps and contact our team today.