Create a free Manufacturing.net account to continue

Dragos Shares Ransomware Analysis

A look at the groups, tactics and impact of hacker campaigns at the end of 2023.

Feb 15, 2024
Ransomware

While international law enforcement’s relentless efforts have resulted in arrests and the dismantling of ransomware operations, the battle against ransomware groups continues. During the fourth quarter of 2023, we witnessed a slight decline in reported incidents, yet saw a surge in actions that kept the ransomware threat landscape dynamic. 

Ransomware groups consistently adapt by evolving their strategies, embracing new techniques, and even reconfiguring or rebranding their operations to bolster their earnings and evade detection. Yet international law enforcement has achieved noticeable results in fighting ransomware operations, including arresting members of ransomware groups, such as the arrest of a Ragnar Locker developer in Paris, and dismantling their infrastructure.

Additionally, the U.S. Justice Department, in collaboration with international agencies including Germany, Denmark, and Europol, disrupted the activities of the AlphaV ransomware group. The U.S. Federal Bureau of Investigation’s (FBI) developed a decryption tool that aided over 500 victims, preventing approximately $68 million in ransom payments. This operation is part of a broader initiative to combat major ransomware operations and apprehend key figures involved in global cyber disruptions. 

As ransomware groups have consistently demonstrated their capacity to innovate and refine their methods, active groups such as LockBit, BlackCat, Royal, and Akira adopted new techniques known as remote encryption or remote ransomware during the last quarter. This technique involves compromising an endpoint connected to the victim’s network and using it to launch the ransomware attack within the victim’s environment, thereby increasing the likelihood of a successful attack.

As Dragos assessed with moderate confidence in last quarter’s blog, ransomware groups continue to prioritize zero-day vulnerabilities in their operations. This strategic focus was evident in the actions of the LockBit ransomware group as they exploited a vulnerability known as ‘Citrix Bleed’ (CVE-2023-4966) during their attacks. LockBit leveraged this flaw to hijack authenticated sessions, gaining temporary access to various targets, including Boeing’s parts and distribution business. (You can learn more about this hack here.)

However, ransomware groups have expanded beyond technical innovations as they continue to adapt and refine their methods. They actively engage with the media to shape the narrative surrounding their activities, courting journalists, and providing press releases, FAQs, and interviews to manipulate public perception. This calculated approach allows ransomware gangs to amplify their notoriety and exert pressure on victims, ultimately enhancing their profitability. 

The threat landscape has also grown more complex due to ransomware groups’ willingness to collaborate. While these collaborations may not directly impact industrial sectors, they are a worrisome development. Notably, instances of collaboration among ransomware groups, such as BianLian, White Rabbit, and Mario Ransomware teaming up to target financial services firms, underscore a concerning trend of cyber criminal networks working together for mutual gain.

This growing cooperation poses potential risks to critical infrastructure and industrial sectors as cyber criminals continue to share tactics, techniques, and potentially even vulnerabilities that could be leveraged in future attacks.

Impacts on Industrial Organizations 

In the fourth quarter of 2023, Dragos’s assessment of increased business-impacting ransomware attacks against industrial organizations was validated, with incidents exhibiting more severe impacts when compared to earlier quarters. An example of this was the Lockbit attack in October 2023, which exploited the Citrix Bleed vulnerability, targeting Boeing’s core operations in parts and distribution.

Furthermore, the Qilin ransomware group’s November cyberattack on Yanfeng, a Chinese automotive part company supplying interior components to global carmakers, disrupted operations to the extent that Stellantis had to halt production at its North American plants. In addition, Dragos noticed other ransomware incidents that impacted the operations of multiple organizations, such as the following:

Two interesting observations from the fourth quarter of 2023, compared to the previous quarters, were observable decreases in active ransomware groups and ransomware incidents impacting industrial organizations. Specifically, of the 77 ransomware groups that have historically attacked industrial organizations and infrastructure, only 32 of the groups were active in the last quarter, and the number of ransomware incidents went from 231 to 204 over the same period.

As of this blog, Dragos is uncertain about the cause of this decrease in ransomware incidents between the third and fourth quarters of 2023. Although the number of ransomware incidents and dark web postings in the fourth quarter of 2023 was slightly less than in the third quarter of 2023, the overall impact of these ransomware attacks against industrial organizations remains significant. 

  • There were 87 ransomware incidents (roughly 43 percent of the observed 204 global ransomware attacks) that impacted industrial organizations and infrastructure in North America, compared to 91 incidents in the previous quarter. Within North America, the U.S. received over 37 percent of all ransomware incidents, similar to last quarter.
  • Manufacturing was the most impacted industry during the fourth quarter of 2023, with 135 observed incidents in total, or 66.1 percent. The breakdown by sector is as follows. 
    • The transportation sector was impacted 26 times, for a total of 12.7 percent of all observed incidents, which is a 50 percent increase compared to the previous sector.
    • The industrial control systems (ICS) equipment and engineering sector had 11.7 percent of alleged attacks (24 incidents).
    • The electric sector was impacted by 3.43 percent of the alleged attacks.
    • The water and wastewater sector were the victim of 2.45 percent of alleged attacks.
    • The oil and natural gas sector had 1.9 percent of alleged attacks.

Dragos’s analysis of numerous ransomware data from the fourth quarter of 2023 indicates that the Lockbit 3.0 group was behind the most attacks against industrial organizations, with 25.5 percent (or 52 incidents) of observed ransomware events. The BlackBasta ransomware was the second with 10.3 percent (or 21 incidents). The following rounds out the observed ransomware group trends for the fourth quarter of 2023: 

  • AlphV was responsible for 6.8 percent of incidents (14 incidents). 
  • 8Base and Play:  6.3 percent each (13 incidents each)
  • Losttrust was responsible for 5.4 percent of incidents (11 incidents). 
  • Noescape was responsible for 4.4 percent of incidents (9 incidents). 

Dragos observed the following ransomware groups for the first time in the fourth quarter of this year: 

  • Knight
  • Meowleaks
  • Threeam
  • Losttrust
  • Metaencryptor
  • Moneymessage

It is still being determined if these new groups are in fact new, or if they are reformed or rebranded from other ransomware groups.

In Conclusion

Looking forward, Dragos assesses with moderate confidence that the ransomware threat landscape will continue to evolve, marked by the emergence of new ransomware variants. These developments are expected as ransomware groups strive to refine their attack methodologies, likely keeping zero-day vulnerabilities as a key component in their operational toolkit. 

Additionally, Dragos assesses with low confidence that ransomware groups may increasingly develop and deploy ransomware specifically designed to disrupt operational technology (OT) processes. This potential shift in focus towards OT processes could be driven by the continuous attempts of ransomware groups to exert greater pressure on victims to pay ransoms. By targeting critical OT processes, these groups could significantly amplify the impact of their attacks on industrial organizations. Such disruptions would not only affect operational capabilities but also compromise safety, thereby increasing the urgency and potentially compelling victims to meet ransom demands more readily. 

This evolving strategy reflects a concerning trend in the ransomware landscape, where the consequences of attacks extend beyond data loss and financial impact to directly threaten the core operational integrity of targeted organizations.

Latest in Cybersecurity
Ransomware
Report Identifies Hidden Costs, Challenges of Ransomware
April 25, 2024
Ep90
Security Breach: DMZs, Alarm Floods and Prepping for 'What If?'
April 25, 2024
Fleet Of Fed Ex Delivery Trucks In A Parking Lot 483290419 4500x3000 (1)
Transportation and Logistics Under Siege
April 24, 2024
Industrial Cyber
5G, AI and More Are Changing OT - Why Zero Trust Could Be the Solution
April 24, 2024
Related Stories
Ransomware
Cybersecurity
Report Identifies Hidden Costs, Challenges of Ransomware
Ep90
Cybersecurity
Security Breach: DMZs, Alarm Floods and Prepping for 'What If?'
Fleet Of Fed Ex Delivery Trucks In A Parking Lot 483290419 4500x3000 (1)
Cybersecurity
Transportation and Logistics Under Siege
Industrial Cyber
Cybersecurity
5G, AI and More Are Changing OT - Why Zero Trust Could Be the Solution
More in Cybersecurity
Ransomware
Cybersecurity
Report Identifies Hidden Costs, Challenges of Ransomware
Too many are paying, and the reasons range from understandable to infuriating.
April 25, 2024
Ep90
Cybersecurity
Security Breach: DMZs, Alarm Floods and Prepping for 'What If?'
The new factors impacting a growing attack surface, and how to evolve your cyber risk strategies.
April 25, 2024
Fleet Of Fed Ex Delivery Trucks In A Parking Lot 483290419 4500x3000 (1)
Cybersecurity
Transportation and Logistics Under Siege
A look at how this vital and increasingly targeted market sector is responding to more cyberattacks.
April 24, 2024
Industrial Cyber
Cybersecurity
5G, AI and More Are Changing OT - Why Zero Trust Could Be the Solution
Maximizing technology investments while maintaining security.
April 24, 2024
Manufacturing Infrastructure Cyber
Cybersecurity
Avoiding Shutdowns from Ransomware Attacks
A strategic approach for protecting OT networks.
April 24, 2024
IEC 62443 is a key standard to reduce risk of cyberattacks in industrial workplaces.
Cybersecurity
How to Build a More Secure Connected World with IEC 62443
The goal is better efficiency, improved sustainability and interoperability, enhanced reliability and greater cost-effectiveness for system integrators, product suppliers and other stakeholders.
April 24, 2024
Ap24114558425503
Cybersecurity
UnitedHealth Says Wide Swath of Patient Files May Have Been Taken in Cyberattack
Screen shots containing protected health information or personally identifiable information were posted.
April 24, 2024
Coding
Cybersecurity
CISA Releases 7 ICS Advisories
Unitronics, Rockwell and Mitsubishi head the list.
April 19, 2024
Financial Cyber
Cybersecurity
Alarming Trends Reinforced in Ransomware Attack of Semiconductor Mfr.
Experts assess the fallout from the Dark Angel attack on Nexperia.
April 19, 2024
Industrial Cyber
Cybersecurity
Hexagon, Dragos Announce Partnership
The team-up looks to "revolutionize OT cybersecurity."
April 18, 2024
Ransomware
Cybersecurity
Report Shows Updated Ransomware Concerns
Hackers are elevating the complexity of their attacks - making them harder to detect.
April 18, 2024
Cybersecurity In A Bubble
Cybersecurity
Responding to Emerging Risks and Attack Vectors
Insight on key hacker strategies, response plans and creating a culture that embraces cybersecurity.
April 18, 2024
Ep89
Cybersecurity
Security Breach: Weaponizing Secure-By-Design
How a greater focus on new and legacy OT connections could alter the cybersecurity battlefield.
April 18, 2024
Ap24107471702533
Cybersecurity
Cyberattack Costs Hit UnitedHealth in Q1 That Still Turns Out Better than Expected
UnitedHealth is still restoring several services from the February attack.
April 16, 2024
Siemens Image 1
Cybersecurity
An Automatic Cyber Response Solution
The platform works to isolate and quarantine the infected production equipment during an attack.
April 11, 2024