ICS Ransomware Danger Rages Despite Fewer Attacks

Refined tactics, increased collaboration between groups, and continued success exploiting zero-days is helping ICS ransomware attackers inflict more damage, researchers find.

Industrial Control Systems panel
Source: Sergey Ryzhov via Alamy Stock Photo

Despite takedowns of top ransomware groups, those remaining threat actors have continued to develop new tricks, while maintaining their ability to capitalize on zero-day vulnerabilities, helping them do more damage to industrial control systems (ICS) with fewer attacks, according to new research.

Dragos released its latest industrial ransomware analysis for the last quarter of 2023, finding the landscape more refined, and potent, than ever before in its attacks against ICS. It's a surprising reveal given recent high-profile busts of ransomware operators in the space, including Ragnar Locker and ALPHV, the new report explained.

Indeed there were fewer ransomware attacks impacting industrial systems during the analysis period. According to the report, there were a total of 32 groups of the 77 known to attack ICS that were active last quarter, and the number of incidents dropped from 231 the previous year down to 204 in the fourth quarter of 2023.

Although the report doesn't attribute the shift in the number of attacks into any specific cause, it pointed out the overall threat to ICS remains "significant."

One potential contributor is the fact that ransomware groups like LockBit, BlackCat, Roya, and Akira have innovated over the past few months, adding techniques like remote encryption, the Dragos team reported.

"This technique involves compromising an endpoint connected to the victim's network and using it to launch the ransomware attack within the victim's environment, thereby increasing the likelihood of a successful attack," the team said.

ICS Ransomware Is Upping its PR Game

These groups have likewise begun to work on their media relations efforts.

"They actively engage with the media to shape the narrative surrounding their activities, courting journalists, and providing press releases, FAQs, and interviews to manipulate public perception," Dragos researchers added. "This calculated approach allows ransomware gangs to amplify their notoriety and exert pressure on victims, ultimately enhancing their profitability."

It's up to defenders to similarly up their communications game in their incident response efforts, Dragos added.

Ransomware groups are also working more closely and sharing intelligence among themselves, helping them evolve their cyberattacks rapidly, the researchers warn. The report pointed to the collaboration of BianLian, White Rabbit, and Mario Ransomware to target financial services organizations as a prime example of this kind of threat.

"This growing cooperation poses potential risks to critical infrastructure and industrial sectors as cyber criminals continue to share tactics, techniques, and potentially even vulnerabilities that could be leveraged in future attacks," Dragos added.

While the groups are all adding new tools into their ransomware arsenal, Dragos researchers added that exploiting zero-day vulnerabilities continues to be the most effective for their operations, highlighting as a prime example the sprawling LockBit ransomware attacks from last fall that leveraged the Citrix Bleed zero-day, which impacted organizations including Boeing, the Industrial and Commerical Bank of China, Comcast Xfinity, and more.

Most Active ICS Ransomware Actors

Although the sheer number of ransomware attacks against industrial systems is down, Dragos warns that these cybercriminals remain a dangerous threat.

The report findings added the LockBit 3.0 group was the most active over the quarter, responsible for 25.5 percent (or 52 incidents). Black Basta ransomware was second with 10.3 percent.

"Looking forward, Dragos assesses with moderate confidence that the ransomware threat landscape will continue to evolve, marked by the emergence of new ransomware variants," the report forecasts. "These developments are expected as ransomware groups strive to refine their attack methodologies, likely keeping zero-day vulnerabilities as a key component in their operational toolkit."

About the Author

Becky Bracken, Senior Editor, Dark Reading

Dark Reading

Becky Bracken is a veteran multimedia journalist covering cybersecurity for Dark Reading.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights