According to Drago’s quarterly industrial ransomware analysis for the critical infrastructure sector, there were 214 ransomware incidents globally in the first quarter of 2023, a 13 percent increase from Q4 2022. The company also observed two new and significant trends, the use of zero-day vulnerabilities and the exploitation of recently discovered vulnerabilities — the Clop ransomware group claimed the use of the GoAnywhere zero-day vulnerability (CVE-2023-0669) to impact 130 organizations in February 2023. Other ransomware groups, such as Cuba and Play, used a zero-day exploit dubbed OWASSRF to target CVE-2022-41080 and compromise unpatched Microsoft Exchange servers in January 2023.
“Ransomware attacks continued to be a significant threat to industrial organizations and infrastructure in the first quarter of 2023. This trend underscores the growing sophistication and opportunism of ransomware groups, making it crucial for industrial organizations to remain vigilant and adopt robust cybersecurity measures to protect their operations and infrastructure. Twenty of the 61 ransomware groups that we track caused significant damage to industrial organizations through the use of continually evolving tactics,” said Abdulrahman Alamri, Senior Adversary Hunter at Dragos.
Dragos’ breakdowns of ransomware activities for this quarter are as follows:
Ransomware By Region
- 44 percent of the 214 ransomware attacks recorded globally impacted industrial organizations and infrastructure in North America, for a total of 95 incidents, which is twice the number Dragos reported last quarter for North America.
- Within North America, the U.S. sustained over 41 percent of all ransomware attacks.
- Europe came in second with 28 percent of the global total and 59 incidents.
- Asia is next with 15 percent or 33 incidents.
- South America had five percent, totaling ten incidents.
- The Middle East had four percent or eight incidents.
- Africa had three percent, totaling six incidents.
- Australia had one percent or three incidents.
Ransomware by sector and sub-sector
67 percent of ransomware attacks impacted the manufacturing sector (143 incidents total), the same number of incidents in the last quarter. Next was food and beverage, with 13 percent of attacks (28 incidents), roughly double the incidents in the previous quarter. The energy sector was targeted with seven percent of the attacks (15 incidents), and the pharmaceuticals sector had five percent of attacks (10 incidents). Oil and gas showed three percent (seven incidents up from four last quarter), and the transportation sector had around three percent of attacks (six incidents). Mining and water sectors were impacted with one percent of total attacks in the first quarter of 2023.
Ransomware by groups
In Q1 of 2023, Dragos tracked the activity of 20 ransomware groups, compared to 24 in Q4 of 2022. Analysis of ransomware data shows Lockbit 3.0 was responsible for 36 percent of the total ransomware attacks, accounting for 77 incidents, nearly double the incidents in the last quarter; AlphaV was responsible for 13 percent of attacks; Royal came in next with 12 percent; Black Basta and Clop next with 7 percent each.
Ransomware victimology trends
During the first quarter of 2023, Dragos continued to observe trends in the victimology of ransomware groups. This does not, however, determine the permanent focus of these groups, as victimology can change over time. Dragos observed three more ransomware groups impacting industrial sectors and regions of the world in this last quarter than in Q4 of 2022. Based on the analysis of the Q1 2023 timeframe, Dragos observed some of the most active ransomware groups impacting the following industries and geographies:
- Abyss, Bianlian, and Everest: manufacturing in North America.
- Avos locker, Royal, Unsafe, Lorenz: food & beverage and manufacturing.
- Play and Stormous: manufacturing and energy.
- CL0P leaks: transportation
- DAIXIN team: food & beverage in North America.
- Mallox: manufacturing and oil & gas.
- Black Basta: North America and Europe.
- Blackbyte: North America.
Looking ahead to Q2 2023
Dragos assesses with high confidence that ransomware will continue to disrupt industrial operations, whether through the integration of operational technology (OT) kill processes into ransomware strains, flattened networks allowing ransomware to spread into OT environments, or precautionary shutdowns of production by operators to prevent ransomware from spreading to industrial control systems. Due to the changes in ransomware groups, Dragos assesses with moderate confidence that new ransomware groups will continue to appear as either new or reformed ones in the next quarter.
As ransomware groups’ revenues continue to decrease due to victims’ refusal to pay ransoms and government efforts to prohibit this, Dragos assesses with moderate confidence that ransomware groups will increase their efforts to cause damage to industrial organizations to fulfill their financial objectives.