Ransomware attacks continued to pose a significant threat to industrial organizations and infrastructure in the first quarter of 2023, highlighting the continued growth in the sophistication and opportunism of ransomware groups.
As such, it is critical that industrial organizations remain vigilant and employ robust cybersecurity measures to protect their operations and infrastructure. Twenty of the 61 ransomware groups we track caused significant damage to industrial organizations this quarter through continuously evolving tactics.
Two important new trends were observed in the first quarter. The first is the exploitation of zero-day vulnerabilities. The second is the exploitation of recently disclosed vulnerabilities. For example, in February the Clop ransomware group claimed to have impacted 130 organizations using the GoAnywhere zero-day vulnerability (CVE-2023-0669). Dragos is aware of 14 industrial organizations impacted by this group, but it is unclear whether the GoAnywhere vulnerability was used against them. Other ransomware groups, such as Cuba and Play, used a zero-day exploit called OWASSRF to exploit CVE-2022-41080 and compromise unpatched Microsoft Exchange servers.
Dragos detected 214 ransomware incidents, a 13% increase over the previous quarter. The impact of ransomware attacks on industrial organizations was more disruptive and devastating than in previous quarters. For example, Copper Mountain Mining Corporation (CMMC) was hit by ALPHV ransomware, forcing it to isolate its ICS/OT networks and switch to manual operations. Meanwhile, Dole Foods had to temporarily shut down its production plants in North America because of a large-scale ransomware attack on its IT systems.
The motives behind ransomware attacks vary and are often difficult to ascertain with certainty. However, multiple factors can significantly drive ransomware activity, including financial gain, geopolitical tensions, and economic conditions.
Governments are ramping up efforts and regulations to combat the threat of ransomware. An example in the United States is the Ransomware Vulnerability Warning Pilot (RVWP), run by the Cybersecurity and Infrastructure Security Agency (CISA) under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). As part of the RVWP, CISA leverages existing authorities and technology to proactively identify information systems with security vulnerabilities commonly associated with ransomware attacks.
Dragos analyzes ransomware variants affecting industrial organizations around the world and tracks ransomware information through public reports and information uploaded to or displayed on dark web resources. By their very nature, these sources report victims who allegedly paid or “collaborated” with the criminals, so there is no one-to-one correlation between attacks as a whole and attacks that elicited victim cooperation.
Here’s a breakdown of ransomware activity this quarter:
Ransomware by region
Globally, 44% of the 214 ransomware attacks affected industrial organizations and infrastructure in North America, a total of 95 incidents. Within North America, over 41% of all ransomware attacks occurred in the United States. Europe was second with 59 incidents (28 percent of the global total), followed by Asia with 15 percent (33 incidents). South America accounted for 5% (10 incidents), the Middle East 4% (8 incidents), Africa 3% (6 incidents), and Australia just 1% (3 incidents).
Ransomware by sector and subsector
Sixty-seven percent of ransomware attacks affected manufacturing (143 incidents), the same share as last quarter. Food and Beverage was next with 13% (28 incidents), almost double the number of attacks last quarter. Seven percent of attacks (15 incidents) targeted the energy sector, and 5% (10 incidents) targeted the pharmaceutical sector. Oil & Gas had 3% (7 incidents, up from 4 last quarter), while Transportation had around 3% (6 incidents). The mining and water sectors were also affected, accounting for 1% of all attacks.
The industrial ransomware incidents we tracked affected 36 unique manufacturing subsectors. The building materials manufacturing sector topped the list with 14 percent (20 attacks), followed by the automotive manufacturing sector with 10 percent (14 attacks). The remaining manufacturing subsectors affected are shown in Figure 1 below.
Figure 1: Ransomware incidents by sector
Ransomware by Group
Dragos tracked the activity of 20 ransomware groups, compared to 24 groups in the previous quarter. An analysis of the ransomware data shows that LockBit 3.0 accounted for 36% of all ransomware attacks (77 incidents), almost double its number of incidents last quarter. ALPHV was responsible for 13% of attacks, and Royal was next at 12%. Black Basta and Clop followed at 7% each, and Play at 5%. The remaining attackers are shown in Figure 2 below.
Figure 2: Ransomware incidents by ransomware group
Ransomware victim trends
Dragos continued to monitor the victimology trends of ransomware groups. These trends do not establish the permanent focus of a group, as victimology can change over time. Dragos observed three more ransomware groups impacting industrial sectors and regions in this quarter than in Q4 2022. Based on our Q1 2023 analysis, we observed some of the most active ransomware groups impacting the following industries and regions:
- Abyss, BianLian, and Everest: Manufacturing in North America.
- AvosLocker, Royal, Unsafe, and Lorenz: Food and Beverage and Manufacturing.
- Play and Stormous: Manufacturing and Energy.
- CL0P Leaks: Transportation.
- Daixin Team: Food and Beverage in North America.
- Mallox: Manufacturing and Oil & Gas.
- Black Basta: North America and Europe.
- BlackByte: North America.
Some groups were observed in Q4 2022 but not in Q1 2023, and vice versa. Also, for the first time this year, we observed the ransomware groups Medusa Blog, Dark Power, and Unsafe. It is unclear whether these are entirely new groups or groups reformed from other groups.
What’s next?
Given the integration of operational technology (OT) kill processes into ransomware strains, flattened networks that allow ransomware to spread into OT environments, and operators proactively halting production to prevent ransomware from spreading to industrial control systems, we assess with high confidence that ransomware will continue to disrupt industrial operations through outages and similar impacts. Given the churn among ransomware groups, we assess with moderate confidence that new or reformed ransomware groups will continue to emerge in the next quarter.
Furthermore, as victims’ refusal to pay ransoms and government efforts to ban payments continue to erode ransomware groups’ revenues, ransomware groups have turned to industrial organizations to meet their financial goals. We assess with some confidence that these groups will step up their disruptive efforts.
Seth Enoka is a Senior Principal Incident Response Consultant at Dragos.