Cybersecurity companies release periodic reports to alert people to recent threats and raise awareness. This report, Industrial Ransomware Analysis: Q2 2024, comes from Dragos and was written for its blog by Abdulrahman H. Alamri.

The report shows a resurgence in ransomware group activity after law enforcement crackdowns earlier this year, with the number of attacks almost doubling in Q2 (312 incidents) compared to Q1 (169 incidents). Major groups like ALPHV (BlackCat) and LockBit 3.0 have quickly adapted by intensifying attacks and disrupting industrial operations.

The industrial sector remains a primary target due to the nature of its operations and the potentially high impact of disruptions. Notable incidents include Frontier Communications, Clevo, Allied Telesis, Inc., and the Gijón Bio-Energy Plant. Dragos also notes the rebranding of Royal ransomware to BlackSuit and Knight ransomware to RansomHub, both of which have adopted advanced encryption and lateral movement techniques.

Key highlights from the report include:

  • The manufacturing sector was the most affected, with 210 observed incidents, accounting for approximately 67 percent of all ransomware incidents
  • Compared to the same time frame in 2023, which saw 467 incidents across Q1/Q2 2023, there has been a slight increase
  • The LockBit group was behind most attacks against industrial organizations, with approximately 21 percent (or 66 incidents) of observed ransomware events
  • Out of 86 known ransomware groups targeting industrial organizations, 29 were active in Q2 2024, an increase from 22 active groups in Q1 2024
  • Government-affiliated groups are adapting ransomware tactics, and hacktivists are increasingly using and developing their own ransomware tools, illustrating a convergence of ideological and financial motivations

Alamri concludes his report with this:

In the second quarter of 2024, ransomware groups demonstrated a significant capacity for adaptation, with some groups rebranding and others emerging with new tactics and techniques. This suggests that these groups will continue to refine their operations, leveraging sophisticated methods such as zero-day vulnerabilities to enhance their attacks.

As we move forward, Dragos assesses with moderate confidence that the ransomware threat landscape will continue to evolve, characterized by the introduction of new ransomware variants and increasing coordinated campaigns targeting industrial sectors. Despite significant law enforcement actions, the observed resilience and adaptability of ransomware groups indicate a likely continuation of this trend.

While Dragos did not identify any ransomware attacks directly targeting ICS/OT processes, the interconnected nature of IT and OT environments means that disruptions to IT systems can have significant downstream effects on OT operations. This interdependency suggests that ransomware groups may increasingly target OT networks to amplify the impact of their attacks, potentially compromising the safety and operational integrity of industrial organizations.
