The Dragos Blog

08.14.24 | 8 min read

Dragos Industrial Ransomware Analysis: Q2 2024

Information provided here is sourced from Dragos OT Cyber Threat Intelligence adversary hunters and analysts who conduct research on adversary operations and their tactics, techniques, and procedures (TTPs). Dragos OT cyber threat intelligence is fully reported in Dragos WorldView threat intelligence reports and is also compiled into the Dragos Platform for threat detection and vulnerability management.

The ransomware landscape is dynamic and shifts rapidly, as shown by the marked increase in incidents and impact during the second quarter of 2024 (April-June) compared with the previous quarter’s analysis. After declining incidents and the relatively low impact of ransomware attacks in the first quarter, the second quarter showed a significant resurgence. This recovery is particularly notable given the setbacks major ransomware groups suffered from law enforcement operations in the first quarter.


Ransomware Attacks Significantly Increase in Q2, As Groups Recalibrate Strategies

While these initial disruptions had temporarily curtailed the activities of several leading ransomware groups, the number of ransomware attacks almost doubled in the second quarter compared to the first quarter. For instance, ALPHV (also known as BlackCat) was targeted by a U.S.-led law enforcement operation in December 2023, eventually leading to the group’s closure in March 2024. Following this, law enforcement actions against LockBit 3.0 in February 2024 led to a notable reduction in their operations. Dmitry Khoroshev, a key figure in the LockBit Ransomware Group, was placed on a wanted list with a reward for information leading to his capture. Despite these significant actions, these groups quickly adapted and recalibrated their strategies, substantially increasing incidents. This surge in activity brought ransomware operations to the next level, causing significant operational disruptions to industrial organizations.

The rebranding of Royal ransomware to BlackSuit reflects a strategic adaptation of the ransomware group, showcasing enhanced capabilities such as more sophisticated encryption and improved lateral movement tactics. Similarly, Knight ransomware transformed into RansomHub. The resilience and adaptability of ransomware groups highlight their persistent threat to industrial sectors. This quarter has also seen a notable shift in the Ransomware-as-a-Service (RaaS) landscape, with groups like BlackSuit and RansomHub emerging with updated tactics and techniques. These updates include more sophisticated encryption algorithms, improved lateral movement methods within networks, and more effective evasion of detection mechanisms.

Critical Industrial Operations Prime Target in Ransomware Activity

Moreover, the industrial sector remains a prime target for these groups due to the critical nature of its operations and the potentially high impact of disruptions. Ransomware’s impact on industrial organizations has increased, with ransomware groups focusing on high-impact operators to maximize their profits. The risk posed by ransomware is further exacerbated as government-affiliated groups adopt ransomware tactics, and hacktivists increasingly utilize and even build their own ransomware tools. For instance, the Ikaruz Red Team has been reported to be targeting critical infrastructure in the Philippines using ransomware, illustrating the convergence of ideological and financial motivations in the cyber threat landscape. This growing trend demonstrates the evolving and escalating nature of the ransomware threat, which spans beyond traditional cybercriminal enterprises to include politically and ideologically driven actors.

Ransomware Operation Impacts on Industrial Organizations

In the second quarter of 2024, Dragos’s assessment of ransomware attacks with increased business impact against industrial organizations was validated, with incidents exhibiting more severe impacts than in earlier quarters. This quarter saw a significant rise in the frequency and severity of attacks, reflecting the evolving threat landscape and the persistent risk posed by ransomware groups.

The ransomware incidents had significant operational impacts on various organizations:

Frontier Communications

  • Date: Early May 2024
  • Ransomware Group: RansomHub
  • Impact: Shutdown of certain systems, resulting in material operational disruption.

Clevo

  • Date: May 2024
  • Ransomware Group: RansomHub
  • Impact: Although the exact operational impact on Clevo, a manufacturer of customizable gaming laptops, is not fully known, the attack demonstrates RansomHub’s expanding reach and focus on high-value targets.

Allied Telesis, Inc.

  • Date: May 27, 2024
  • Ransomware Group: LockBit
  • Impact: Encryption of corporate files and theft of sensitive data, disrupting telecommunications equipment supply operations. The ransomware exfiltrated data dating back to 2005, threatening to release it publicly if ransom demands were not met.

Gijón Bio-Energy Plant

  • Date: May 18, 2024
  • Ransomware Group: RansomHub
  • Impact: Access to Supervisory Control and Data Acquisition (SCADA) systems, encryption, and exfiltration of over 400 GB of data, with the potential to halt production and disrupt waste and energy management processes.

Current Ransomware Trends, Patterns & Observations

Dragos continues to analyze ransomware variants used against industrial organizations worldwide, tracking ransomware information via public reports and data uploaded or appearing on dark websites. These sources report victims that were listed as targets and those that pay or otherwise “cooperate” with the criminals, and they do not necessarily match one-to-one with all incidents that took place in this last quarter.

Several notable observations from Q2 2024 compared to previous quarters include a significant resurgence in ransomware activity and the emergence of new tactics by ransomware groups. Specifically, while we saw a decline in Q1 2024 in both the number of incidents and the impact of ransomware attacks, there was a marked increase in the second quarter. The total number of ransomware incidents almost doubled from Q1 to Q2.

Among the 86 ransomware groups known for targeting industrial organizations, 29 remained active in the second quarter compared to 22 ransomware groups in the first quarter of 2024. However, the second quarter saw a resurgence with several rebranded groups and new entrants in the ransomware landscape. Groups such as BlackSuit (formerly Royal ransomware) and RansomHub (previously Knight ransomware) have shown notable activity, leveraging sophisticated tactics and techniques to enhance their operations.

In addition to the resurgence, the overall impact of these ransomware attacks against industrial organizations remains a significant concern. While Dragos did not identify any ransomware attacks targeting industrial control systems (ICS) or operational technology (OT) processes, ransomware groups have disrupted the IT systems of industrial organizations. Disruptions to OT networks have occurred, primarily due to the interdependencies between OT and IT systems. The rise in ransomware incidents during Q2 2024 underscores the evolving threat landscape and the persistent risk posed by these groups.

Regional Impact Observations, Second Quarter of 2024

Figure 1: Ransomware Targets by Region, Second Quarter of 2024

In the second quarter of 2024, ransomware incidents exhibited a marked increase, impacting various regions differently:

  • North America: There were 187 ransomware incidents (approximately 60 percent of the observed 312 global ransomware attacks) that impacted industrial organizations and infrastructure in North America. A significant portion of these incidents occurred in the U.S.
  • Europe: Approximately 26 percent of global ransomware incidents (82 in total) impacted Europe.
  • Asia: Asia experienced 10 percent of global ransomware incidents, with 29 incidents reported.
  • South America: Two percent of global ransomware incidents (6 in total) impacted South America.
  • Middle East, Australia, and Africa: The three regions had approximately one percent each of the global ransomware incidents, with 8 incidents reported collectively in these regions.

Industry Impacts, Second Quarter of 2024

Figure 2: Ransomware Incidents by Industry Sector, Second Quarter of 2024

  • Manufacturing: The manufacturing sector was the most affected, with 210 observed incidents, accounting for approximately 67 percent of all ransomware incidents.
  • Industrial Control Systems (ICS) Equipment and Engineering: Developers and manufacturers of ICS equipment and software experienced 47 incidents, making up 15 percent of total incidents.
  • Transportation: The transportation sector was impacted 23 times, representing 7 percent of all observed incidents.
  • Government (Gov): Government entities faced 8 ransomware incidents, which is 3 percent of the total.
  • Oil and Natural Gas (ONG): The ONG sector had 7 incidents, equating to 2 percent of the overall incidents.
  • Communications: The communications sector was affected by 5 ransomware incidents, making up 2 percent of the total.
  • Mining, Electric, Renewables, and Water: Each of these sectors experienced 3 incidents, accounting for 4 percent of the total incidents each.

In addition to the primary industries and sectors mentioned above, Dragos observed 23 unique manufacturing subsectors impacted by ransomware during the second quarter of 2024. Their percentage breakdown as a part of all manufacturing incidents follows:

  • Construction: 33 incidents (16 percent)
  • Consumer and Food & Beverage: Each had 27 incidents (13 percent each)
  • Equipment and Metal: Each had 16 incidents (8 percent each)
  • Electronic and Textile: Each had 10 incidents (5 percent each)
  • Agriculture, Chemical, Healthcare, and Machinery: Each had 7 incidents (3 percent each)
  • Aerospace, Packaging, Pharma, and Plastics: Each had 6 incidents (3 percent each)
  • Automotive: 5 incidents (2 percent)
  • Engineering: 4 incidents (2 percent)
  • Recycling, Rubber, and Semiconductor: Each had 2 incidents (1 percent each)
  • Electrical, Glass, Maritime, and Paper: Each had 1 incident (0.5 percent each)

Ransomware Groups Trends, Patterns, and Observations: Second Quarter of 2024

Figure 3: Ransomware Incidents by Ransomware Group, Second Quarter of 2024

Dragos’s analysis of ransomware data from the second quarter of 2024 indicates that the LockBit group was behind most attacks against industrial organizations, with approximately 21 percent (or 66 incidents) of observed ransomware events. Play ransomware was second, with approximately 10 percent (or 31 incidents). The following rounds out the observed ransomware group trends for the second quarter of 2024:

  • BlackBasta: Linked to 27 incidents, which is approximately 9 percent.
  • 8Base: Responsible for 22 incidents, representing approximately 7 percent.
  • Akira and BlackSuit: Each accounted for 20 incidents, translating to approximately 6 percent each.
  • MedusaLocker: Active in 17 incidents, making up approximately 5 percent.
  • Hunters International and Inc Ransom: Each was responsible for 16 incidents, approximately 5 percent each.
  • Cactus: Identified in 11 incidents, or approximately 4 percent.
  • RansomHub and Qilin: Each tied to 10 incidents, or approximately 3 percent each.
  • BianLian: Responsible for 7 incidents, or approximately 2 percent.
  • RA Group and Rhysida: Each was involved in 6 incidents, or approximately 2 percent each.
  • DragonForce, RansomHouse, and Cl0p: Each linked to 4 incidents, or approximately 1 percent each.
  • Team Underground: Involved in 3 incidents, or approximately 1 percent.
  • Stormous and MeowLeaks: Each responsible for 2 incidents, or approximately 1 percent each.
  • Brain Cipher, Red Ransomware, MetaEncryptor, Cloak, D_Nut_Leaks, BlackByte, Everest, and Monti: Each involved in 1 incident.

Dragos observed activity in the second quarter of 2024 from the following ransomware groups, which were not active or observed in the first quarter of 2024. Their presence in Q2 highlights the evolving nature of ransomware group activities and the constant shifts within the ransomware ecosystem.

  • RA Group
  • DragonForce
  • RansomHouse
  • Team Underground
  • Brain Cipher
  • Red Ransomware
  • MetaEncryptor
  • Cloak
  • D_Nut_Leaks
  • BlackByte
  • Everest
  • Monti

In Conclusion

In the second quarter of 2024, ransomware groups demonstrated a significant capacity for adaptation, with some groups rebranding and others emerging with new tactics and techniques. This suggests that these groups will continue to refine their operations, leveraging sophisticated methods such as zero-day vulnerabilities to enhance their attacks.

As we move forward, Dragos assesses with moderate confidence that the ransomware threat landscape will continue to evolve, characterized by the introduction of new ransomware variants and increasingly coordinated campaigns targeting industrial sectors. Despite significant law enforcement actions, the observed resilience and adaptability of ransomware groups indicate a likely continuation of this trend.

While Dragos did not identify any ransomware attacks directly targeting ICS/OT processes, the interconnected nature of IT and OT environments means that disruptions to IT systems can have significant downstream effects on OT operations. This interdependency suggests that ransomware groups may increasingly target OT networks to amplify the impact of their attacks, potentially compromising the safety and operational integrity of industrial organizations.
