SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers
Dragos announces its Q3 Industrial Ransomware Analysis
Fri, 28th Oct 2022

Ransomware continued to be one of the most threatening financial and operational risks to industrial organisations worldwide during the third quarter of 2022.

Last quarter, Dragos assessed that Q3 would witness an increase in ransomware groups' evolving activities, the disruption of industrial operations, and the appearance of new or reforming ransomware groups.

Dragos is unaware of any significant industrial disruptions in Q3. However, Dragos knows of multiple new ransomware groups that targeted industrial entities during Q3, such as SPARTA BLOG, BIANLIAN, Donuts, ONYX, and YANLUOWANG.

So far, Dragos cannot confirm whether these groups are reformed from other dissolved ransomware groups, such as Conti, which shut down its operation last quarter.

In addition, Dragos observed ransomware trends tied to political and economic reasons, such as the conflict between Russia and Ukraine and Iranian and Albanian political tensions. 

Dragos observed another trend related to the global crisis of energy supplies and prices, which may have caused Ragnar Locker, AlphaV and possibly other ransomware groups to increase their activities targeting energy sectors. 

Dragos monitors and analyses the activities of 48 different ransomware groups that target industrial organisations and infrastructures. Through publicly disclosed incidents, network telemetry, and dark web postings, it observed that only 25 of these 48 groups were active during Q3 of 2022.

Dragos is aware of 128 ransomware incidents in the third quarter of 2022 compared to 125 in the previous quarter. 

The Lockbit ransomware family accounts for 33% and 35% respectively of the total ransomware incidents that target industrial organisations and infrastructures in the last two quarters, as the groups added new capabilities in their new Lockbit 3.0 strain.

Anti-detection mechanisms, anti-debugging, and disabling Windows Defender are among the features that make Lockbit one of the fastest-growing ransomware strains.

Last month, an unknown person claimed he had hacked Lockbit servers and leaked the Lockbit 3.0 builder, allowing anyone to create ransomware. Dragos assesses with moderate confidence that Lockbit 3.0 will continue to target industrial organisations and pose threats to industrial operations in the last quarter of 2022, whether by the Lockbit gang itself or others who can create their own version of the Lockbit ransomware.

Dragos analyses ransomware variants targeting industrial organisations worldwide and tracks ransomware information via public reports and information uploaded to or appearing on dark web resources. 

Breakdowns of ransomware activities for this quarter are as follows:


  • 36% of the 128 ransomware attacks target industrial organisations and infrastructures in North America, for a total of 46 incidents
  • Europe comes in second with 33%, 42 incidents
  • Asia with 22% or 28 incidents
  • South America with 6% or eight incidents
  • Africa and Australia with 2% each, two incidents each

The reported cases in North America jumped to 36% compared to 26% in the last quarter. The increase in ransomware activities in North America could be tied to the current global political and economic situations. 

In Q4 of 2022, Dragos assesses with confidence that ransomware will continue to disrupt industrial operations, whether through the integration of OT kill processes into ransomware strains, flattened networks allowing for ransomware to spread into OT environments, or through precautionary shutdowns of OT environments by operators to prevent ransomware from spreading to OT systems. 

"Due to the changes in ransomware groups and the leaking of the Lockbit 3.0 builder, Dragos assesses with moderate confidence that more new ransomware groups will appear as either new or reformed ones in the next quarter," says Dragos.