Ransomware Report Shows Fewer Incidents, Future Concerns

By Staff
4 Min Read

Dragos recently released its Q1 2024 ransomware report, which offers some cautiously optimistic findings:

  • While ransomware remains the most widespread cybersecurity threat impacting industrial organizations, research from this past quarter shows a decline in activities targeting the industrial sector. Of the 77 ransomware groups known for their industrial attacks, only 22 were active.
  • There were no significant operational disruptions caused by ransomware in the first quarter of 2024.
  • Dragos attributes this drop in ransomware activity to two factors:
  1. Coordinated law enforcement missions focused on RaaS groups. This includes the recent actions taken against Lockbit, perhaps the most dangerous ransomware group for the industrial sector. This group, however, was still responsible for 26 percent of all ransomware attacks in the first quarter. Additionally, the Alphv/Blackcat group initiated a self-decommission of its infrastructure after stealing millions from an affiliate.
  2. Many of the most notorious RaaS groups have shifted their focus to the healthcare sector.
  • Dragos expressed concerns over the drop in activity from major RaaS players, as this could be an indication of the ability of these groups to influence their affiliates to shift focus in optimizing their efforts on specific sectors. This has been the case with the industrial sector in the past, and is currently being experienced in healthcare, i.e. the Change Healthcare hack. Reading between the lines, it would seem that the focus could be shifted back to the manufacturing and infrastructure sectors based on the whims of these prominent criminal organizations.
  • According to Dragos, the technical capabilities of ransomware groups underscore their agility and sophistication in exploiting vulnerabilities, citing the targeting of ConnectWise ScreenConnect by BlackBasta and Lockbit, and the Qlik Sense application by CACTUS.
  • Dragos also found that ransomware operations, possibly in collaboration with initial access brokers (IABs), have attempted to exploit zero-day vulnerabilities in Ivanti ICS VPN.
  • There were 83 ransomware incidents that impacted industrial organizations and infrastructure in North America, compared to 87 incidents in the previous quarter. Manufacturing was the most impacted industry during the first quarter of 2024, with 106 observed incidents in total, or 62.7 percent. This breaks down by sector as follows:
    • The transportation sector represented 14.7 percent of all observed incidents.
    • Industrial control systems (ICS) registered 12.4 percent of attacks.
    • Oil and natural gas accounted for 4.3 percent, which is double the number of the incidents of the previous quarter.
    • The water and wastewater sector was the victim of 1.7 percent of attacks.
    • In addition to the primary industries and sectors mentioned above, Dragos observed 21 unique manufacturing subsectors impacted by ransomware during the first quarter of 2024, including Food and Beverage, Packaging, Chemicals, Pharmaceuticals and Aerospace.
  • The 8base ransomware group accounted for 13.6 percent of ransomware attacks, followed by  Hunters International, Black Basta, Akira, MedusaLocker, and many more.
  • Dragos also cited recommendations from the SANS Institute, and their five critical controls to ensure world-class ICS and OT cybersecurity:

    • An ICS-focused incident response plan.
    • A defensible architecture.
    • OT network visibility and monitoring.
    • Secure remote access.
    • Risk-based vulnerability management. 

    To read more about the report and Dragos analysis of the findings, click here.

    Share This Article
    Leave a comment

    Leave a Reply

    Your email address will not be published. Required fields are marked *