Ransomware continues to be one of the most threatening financial and operational risks for industrial companies worldwide in the third quarter of 2022.
In the last quarter, Dragos estimated that the third quarter would witness an increase in the evolving activities of ransomware groups, the disruption of industrial operations and the appearance of new or reforming ransomware groups.
Dragos is not aware of any significant industrial disruptions in the third quarter. However, Dragos is experiencing several new ransomware groups targeting industrial entities during the third quarter, such as SPARTA BLOG, BIANLIAN, Donuts, ONYX and YANLUOWANG.
So far, Dragos cannot confirm whether these groups are reformed from other disbanded ransomware groups, such as Conti, which ended its operations last quarter.
Additionally, Dragos observed ransomware trends related to political and economic reasons, such as the conflict between Russia and Ukraine and Iranian and Albanian political tensions.
Dragos observed another trend related to the global energy supply and price crisis, which may have caused Ragnar Locker, AlphaV and perhaps other ransomware groups to increase their activities targeting the… ‘energy.
Dragos monitors and analyzes the activities of 48 different ransomware groups that target organizations and industrial infrastructure. They observed, through publicly disclosed incidents, network telemetry, and dark web posting, that of these 48 groups, only 25 were active during the third quarter of 2022.
Dragos is aware of 128 ransomware incidents in the third quarter of 2022 compared to 125 in the previous quarter.
The Lockbit ransomware family accounts for 33% and 35%, respectively, of the total number of ransomware incidents that target organizations and industrial infrastructure over the past two quarters, as the groups added new features in their new Lockbit 3.0 strain .
Anti-detection mechanisms, anti-debugging and disabling Windows defenders are some of the features that make Lockbit one of the fastest growing ransomware strains.
Last month, an unknown person claimed that he had hacked Lockbit servers and leaked the Lockbit 3.0 builder, allowing anyone to create ransomware. Dragos assesses with moderate confidence that Lockbit 3.0 will continue to target industrial organizations and pose threats to industrial operations in the last quarter of 2022, whether by the Lockbit gang itself or others who may create their own version of Lockbit ransomware.
Dragos analyzes ransomware variants targeting industrial organizations around the world and tracks ransomware information via public reports and information uploaded or appearing on dark web resources.
The breakdown of ransomware activity for this quarter is as follows:
Globally :
- 36% of 128 ransomware attacks target organizations and industrial infrastructure in North America, for a total of 46 incidents
- Europe comes second with 33%, 42 incidents
- Asia with 22% or 28 incidents
- South America with 6% or eight incidents
- Africa and Australia with 2% each, two incidents each
Reported cases in North America jumped to 36% from 26% last quarter. The increase in ransomware activity in North America could be related to the current global political and economic situation.
In Q4 2022, Dragos confidently assesses that ransomware will continue to disrupt industrial operations, whether through the integration of OT destruction processes into ransomware strains, flattened networks allowing ransomware to spread through OT environments , or by preventive shutdowns of OT environments by operators. to prevent ransomware from spreading to OT systems.
“Due to changes in ransomware groups and the Lockbit 3.0 builder leak, Dragos assesses with moderate confidence that more new ransomware groups will emerge as new or reformed in the next quarter,” Dragos said.
