Dragos Industrial Ransomware Attack Analysis: Q1 2023 

Ransomware attacks continued to be a significant threat to industrial organizations and infrastructure in the first quarter of 2023. This trend underscores the growing sophistication and opportunism of ransomware groups, making it crucial for industrial organizations to remain vigilant and adopt robust cybersecurity measures to protect their operations and infrastructure. Twenty of the 61 ransomware groups that Dragos tracks caused significant damage to industrial organizations through the use of continually evolving tactics. 

In the first quarter of 2023, Dragos observed two new and significant trends, the use of zero-day vulnerabilities and the exploitation of recently discovered vulnerabilities. For example, the Clop ransomware group claimed use of the GoAnywhere zero-day vulnerability (CVE-2023-0669) to impact 130 organizations in February 2023. Dragos is aware of 14 industrial organizations that the Clop ransomware group impacted in the past quarter. It is unclear if the group used the GoAnywhere vulnerability to impact these organizations. Other ransomware groups, such as Cuba and Play, used a zero-day exploit dubbed OWASSRF to target CVE-2022-41080 and compromise unpatched Microsoft Exchange servers in January 2023.  

Dragos detected 214 ransomware incidents in the first quarter of 2023, a 13 percent increase from the previous quarter. The impact of ransomware attacks on industrial organizations is more difficult to counter and more disruptive than in previous quarters. For example, the Copper Mountain Mining Corporation (CMMC) was impacted by AlphaV ransomware, prompting the isolation of the ICS/OT network and a switch to manual operations. Meanwhile, the Dole food company had to temporarily shut down production plants in North America due to the impact of a ransomware attack on their IT system.

The motives behind ransomware attacks can vary widely and are often difficult to confirm with certainty. However, multiple factors can significantly drive ransomware activity, including financial gain, geopolitical tensions, and economic conditions. Financial gain remains a key driver of ransomware operations, as attackers seek to extort money from victims in exchange for the return of encrypted data. At the same time, government efforts to combat ransomware through sanctions, operational shutdowns, and banning impacted organizations from paying ransoms have led some attackers to become more aggressive in their tactics. Economic conditions may also play a role, as both adversaries and victims may face financial pressures that impact their behavior. Countries like North Korea rely on ransom payments to fund their cyber operations. Geopolitical factors, such as the ongoing tensions between Russia and NATO countries, may also influence ransomware operators’ targets and tactics. 

To address the growing risk posed by ransomware groups, the Cybersecurity and Infrastructure Security Agency (CISA) established the Ransomware Vulnerability Warning Pilot (RVWP) on January 30, 2023, which is a requirement of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). As part of the RVWP, CISA leverages existing authorities and technology to proactively identify information systems with security vulnerabilities commonly associated with ransomware attacks. This is one example of the increase in government efforts and regulations to combat the ransomware threat. 

Dragos analyzes ransomware variants impacting industrial organizations worldwide and tracks ransomware information via public reports and information uploaded to or appearing on dark web resources. By their very nature, these sources report victims that allegedly pay or otherwise “cooperate” with the criminals. There is, however, no 1:1 correlation between total attacks and those attacks that elicit victim cooperation. Our breakdown of ransomware activities for this quarter follows. 

Ransomware by Region 

Globally: 

• 44 percent of the 214 ransomware attacks recorded globally impacted industrial organizations and infrastructure in North America, for a total of 95 incidents, which is twice the number we reported last quarter for North America. 
• Within North America, the U.S. sustained over 41 percent of all ransomware attacks.  
• Europe came in second with 28 percent of the global total and 59 incidents.  
• Asia is next with 15 percent or 33 incidents.  
• South America had five percent, totaling ten incidents.  
• The Middle East had four percent or eight incidents. 
• Africa had three percent, totaling six incidents.  
• Australia had one percent or three incidents.

Ransomware by Sector and Subsector 

Figure 2 above shows that 67 percent of ransomware attacks impacted the manufacturing sector (143 incidents total), the same number of incidents in the last quarter. Next was food and beverage, with 13 percent of attacks (28 incidents), roughly double the incidents in the previous quarter. The energy sector was targeted with seven percent of the attacks (15 incidents), and the pharmaceuticals sector had five percent of attacks (10 incidents). Oil and gas showed three percent (seven incidents up from four last quarter), and the transportation sector had around three percent of attacks (six incidents). Mining and water sectors were impacted with one percent of total attacks in the first quarter of 2023.  

The industrial ransomware incidents that Dragos tracked last quarter impacted 36 unique manufacturing subsectors. At the top of the list, building materials manufacturing had 14 percent (20 attacks), followed by the automotive manufacturing sector with 10 percent or 14 attacks. The remaining manufacturing subsectors that were impacted last quarter break down as follows:  

• Building Materials – 14 percent (20 incidents) 
• Automotive – 10 percent (14 incidents) 
• Chemicals – eight percent (11 incidents). 
• Electronics, industrial equipment, machinery, and metal products – six percent each (9 incidents) 
• Healthcare products – five percent 
• Aerospace, electrical equipment, plastics, textiles – three percent each 
• Building supplies, furniture, metal products, and packaging – four percent, each 
• Household goods, HVAC, and sound systems – two percent, each 
• Remaining subsectors accounted for one percent of ransomware attacks each.

Ransomware by Groups 

In Q1 of 2023, Dragos tracked the activity of 20 ransomware groups, compared to 24 in Q4 of 2022.  Analysis of ransomware data shows Lockbit 3.0 was responsible for 36 percent of the total ransomware attacks, accounting for 77 incidents, nearly double the incidents in the last quarter; AlphaV was responsible for 13 percent of attacks; Royal came in next with 12 percent; Black Basta and Clop next with 7 percent each. The breakdown for the rest of the groups is as follows:  

• Play: 5 percent (10 incidents) 
• MEDUSA BLOG: 4 percent (8 incidents) 
• Avos Locker: 3 percent (7 incidents) 
• Stormous, Blackbyte, Dark Power, Mallox, Ransomehouse, Vice Society had 2 percent of attacks each. 
• The remaining ransomware groups were responsible for one percent or less of the attacks.  

Ransomware Victimology Trends 

During the first quarter of 2023, Dragos continued to observe trends in the victimology of ransomware groups.  This does not, however, determine the permanent focus of these groups, as victimology can change over time. Dragos observed three more ransomware groups impacting industrial sectors and regions of the world in this last quarter than in Q4 of 2022. Based on our analysis of the Q1 2023 timeframe, Dragos observed some of the most active ransomware groups impacting the following industries and geographies: 

• Abyss, Bianlian, and Everest: manufacturing in North America. 
• Avos locker, Royal, Unsafe, Lorenz: food & beverage and manufacturing. 
• Play and Stormous: manufacturing and energy. 
• CL0P leaks: transportation 
• DAIXIN team: food & beverage in North America. 
• Mallox: manufacturing and oil & gas.  
• Black Basta: North America and Europe. 
• Blackbyte: North America.

The groups we observed in Q4 2022 but not in Q1 2023 are: Karakurt, Hive, Snatch, Quantum, Ragnar Locker, Cuba, Dataleak, LV, Qillin, and Donut. The following groups were observed in Q1 2023 but not in Q4 2022: Clop Leaks, Stormous, and Lorenz. We observed the following ransomware groups for the first time in Q1 2023: Medusa Blog, Dark Power, and Unsafe. It is unclear if these new groups are new or reformed from other groups.  

What’s Next? 

Dragos assesses with high confidence that ransomware will continue to disrupt industrial operations, whether through the integration of operational technology (OT) kill processes into ransomware strains, flattened networks allowing ransomware to spread into OT environments, or precautionary shutdowns of production by operators to prevent ransomware from spreading to industrial control systems. Due to the changes in ransomware groups, Dragos assesses with moderate confidence that new ransomware groups will continue to appear as either new or reformed ones in the next quarter.  

As ransomware groups’ revenues continue to decrease due to victims’ refusal to pay ransoms and government efforts to prohibit this, Dragos assesses with moderate confidence that ransomware groups will increase their efforts to cause damage to industrial organizations  to fulfill their financial objectives.