Op-Ed: Dragos Industrial Ransomware Analysis — Q4 2022

During the final quarter of 2022, ransomware continued to pose substantial financial and operational risk to industrial organisations worldwide.

Seth Enoka
Mon, 06 Feb 2023

We actively monitored and analysed the activities of 57 unique ransomware groups that impacted industrial organisations and critical infrastructure and observed (through publicly disclosed incidents, network telemetry, and dark web postings) that of these 57 groups, only 24 were active during Q4 of 2022.

During this time, we became aware of 189 ransomware incidents — a 48 per cent increase from the 128 incidents in the previous quarter.

These groups continued to improve their tools, making them more efficient, enhancing their evasion capabilities, and adopting new tactics, techniques, and procedures (TTPs). Several ransomware groups rewrote their malware in Rust, including RansomExx, ALPHV, Hive, Luna, and Qilin. Given that Rust is a relatively new programming language, anti-virus solutions are unable to dissect and analyse it as effectively as older, more well-known programming languages. As a result, adversaries have been observed achieving longer dwell times and greater opportunity to impact victim systems before being detected.


A new tactic known as “intermittent encryption” has been adopted by a growing number of ransomware groups, including Black Basta, ALPHV, PLAY, Qilin, and Qyick. Intermittent encryption relies on encrypting parts of the targeted files’ content, enabling faster encryption. This reduction in encryption decreases the chances of being detected by automated detection tools that rely on detecting abnormal file operations.
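As an added illustration (not taken from the Dragos analysis or the original article), the sketch below shows one way a defender can spot the footprint of intermittent encryption: measure entropy block by block instead of over the whole file, and flag files in which only some blocks look like ciphertext. The block size, threshold, function names and sample data are assumptions constructed for this example.

```python
import math
import random
from collections import Counter

BLOCK = 4096          # analysis window in bytes (assumed value)
MIN_BLOCK = 1024      # shorter trailing blocks give unreliable entropy, so skip them
HIGH_ENTROPY = 7.5    # bits per byte; ciphertext sits close to 8.0 (assumed threshold)

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 to 8.0)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def block_profile(data: bytes) -> list:
    """One boolean per block: True when the block looks like ciphertext."""
    blocks = (data[i:i + BLOCK] for i in range(0, len(data), BLOCK))
    return [shannon_entropy(b) >= HIGH_ENTROPY for b in blocks if len(b) >= MIN_BLOCK]

def classify(data: bytes) -> str:
    profile = block_profile(data)
    if not profile:
        return "too-small"
    high = sum(profile)
    if high == 0:
        return "plain"
    if high == len(profile):
        return "uniformly-high-entropy"   # fully encrypted OR a compressed format
    return "mixed"                        # the pattern intermittent encryption leaves

def constructed_samples() -> dict:
    """Constructed test data: a text log, the same log with alternate blocks
    replaced by pseudo-random bytes standing in for ciphertext, and all-random."""
    rng = random.Random(0)                # fixed seed so the result is repeatable
    noise = lambda n: rng.getrandbits(8 * n).to_bytes(n, "big")
    text = (b"2022-12-01T00:00:00Z line=4 temp=71.3 status=ok\n" * 700)[:8 * BLOCK]
    mixed = b"".join(noise(BLOCK) if i % 2 else text[i * BLOCK:(i + 1) * BLOCK]
                     for i in range(8))
    return {"plain": text, "mixed": mixed, "random": noise(8 * BLOCK), "tiny": b"abc"}

if __name__ == "__main__":
    for name, data in constructed_samples().items():
        print(f"{name:7s} -> {classify(data)}")
```

A mixed result is a triage signal, not a verdict: formats such as PDF legitimately embed compressed streams, so the check is most useful on file types expected to be plain throughout.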

We observed multiple victims impacted by two or more ransomware groups last quarter, indicating the groups may have bought the initial access from the same initial access brokers (IABs) and wholesale access markets (WAM). Often three major criminal actors will work together in business relationships: IABs are the groups that gain initial access to a network. Ransomware authors or tool creators write the ransomware but don’t actually deploy it themselves. Finally, “Affiliates” are the people who purchase access to a victim network from those IABs, deploy and detonate the ransomware within the network, and communicate with the victim to organise the ransom payment and provide access to the decryption tool if one exists. Overall, these types of business relationships raise the risk level that industrial organisations face from ransomware.

LockBit 3.0 accounted for 21 per cent (or 40 incidents) of the 189 ransomware incidents that impacted industrial organisations and infrastructure, down from an annual high of 35 per cent (or 45 out of 128 incidents) last quarter when they introduced their LockBit 3.0 builder and other new capabilities.

Dragos analyses ransomware variants impacting industrial organisations globally and tracks ransomware information via public reports and information uploaded to or appearing on dark web resources. By their very nature, these sources report victims that allegedly pay or otherwise “cooperate” with the criminals. There is, however, no 1:1 correlation between total targeted attacks and those attacks that elicit victim cooperation.

Our breakdown of ransomware activities for this quarter is as follows: globally, 52 per cent of the 189 ransomware attacks impacted industrial organisations and infrastructure in North America, for a total of 98 incidents, more than doubling the number of attacks in the region last quarter. Europe was second with 21 per cent or 40 incidents, Asia was third with 20 per cent or 37 incidents, and Australia had just 1 per cent or two incidents.

Looking at industry sectors, 76 per cent of ransomware attacks impacted the manufacturing sector (143 incidents in total), a 38 per cent increase over the last quarter. Next was food and beverage, with 8 per cent of attacks (15 incidents), roughly on par with last quarter. Energy was targeted with 7 per cent of the attacks (14 incidents) and the pharmaceuticals sector had 5 per cent of attacks (nine incidents). Oil and gas showed 2 per cent (four incidents). The other manufacturing sectors were targeted with 1 per cent or one or less of total attacks in the fourth quarter of 2022. There were no attacks this last quarter on transportation or construction.

The ransomware incidents that Dragos tracked last quarter impacted 147 unique manufacturing sub-sectors. At the top of the list, automotive manufacturing had 12 per cent (17 attacks), followed by industrial equipment and supplies with 10 per cent (14 attacks).

Analysis of ransomware data showed LockBit 3.0 was responsible for 21 per cent of the total ransomware attacks, accounting for 40 incidents; Black Basta and Royal came in next with 12 per cent each, with 23 and 22 incidents, respectively; AlphaV was responsible for 10 per cent of attacks. BianLian, which first appeared last quarter, accounted for 6 per cent of attacks.

We continued to observe trends in the victimology of ransomware groups. This does not determine the permanent focus of these groups; victimology can change over time. Dragos observed seven more ransomware groups impacting industrial sectors and regions of the world in this last quarter than in Q3 of 2022. Based on our analysis of the Q4 2022 time frame, Dragos observed some of the most active ransomware groups impacting the following industries:

  • AlphaV: energy, food and beverage, oil and gas, manufacturing
  • BianLian: energy, engineering, food and beverage, mining, pharmaceuticals, and manufacturing
  • Black Basta: food and beverage, manufacturing
  • Karakurt: energy, food and beverage, oil and gas, pharmaceutical, and manufacturing
  • LockBit 3.0: food and beverage and manufacturing
  • Royal: energy, food and beverage, oil and gas, pharmaceutical, and manufacturing
  • AvosLocker only impacted Paraguay
  • Daixin Team only impacted Indonesia
  • Donut only impacted the US

Dragos assesses with high confidence that ransomware will continue to disrupt industrial operations, whether through the integration of operational technology (OT) kill processes into ransomware strains, flat networks enabling ransomware to spread into OT environments, or precautionary shutdowns of OT environments by operators to prevent ransomware from spreading to vulnerable OT systems.

Due to the changes in ransomware groups and the leaking of the LockBit 3.0 builder, Dragos assesses with moderate confidence that new ransomware groups will appear as either new or reformed groups in the next quarter.

As some governments are considering an outright ban on ransomware payment, Dragos assesses with moderate confidence that the ransomware groups’ activities will decrease in the countries where the payment is banned and increase in other countries where they can achieve their financial objectives.

The 2022 ICS/OT Cybersecurity Year in Review will be released shortly. You can pre-register for this free report here.

Seth Enoka is a senior industrial incident responder at Dragos.
