Ransomware will continue to disrupt operational technology (OT) environments amid the Russian invasion of Ukraine, according to the latest research from industrial cybersecurity firm Dragos.
Researchers analyzed ransomware variants targeting industrial organizations worldwide and tracked ransomware information via public reports and information uploaded to or appearing on dark web resources.
Dragos’ findings suggest that even though the number of ransomware attacks and dark web postings in the first quarter of 2022 is slightly lower than the number in Q4 2021, the impacts of these ransomware attacks are much larger in operational technology environments.
Ransomware attackers are targeting giant organizations and their suppliers and subsidiaries, resulting in major operational disruptions. A Conti-related attack in February 2022 targeted Kojima Industries Corp, which supplies Toyota’s plastic parts and electronic components. The incident forced Toyota to shut down its operations for several days.
Ransomware Attacks by Region
Dragos also noted ransomware targets by region. Most ransomware attacks (81%) targeted Europe and North America.
Globally, 45% of ransomware attacks target industrial organizations and infrastructure in North America (36% of that in the U.S.); Europe comes second with 41%, followed by Asia with 10%, the Middle East with 6%, South America with 2%, and Africa and Australia tied at 1% each.
The U.S. was the most targeted country for ransomware with 36%, followed by the UK with 7% of all targeted attacks.
Ransomware Attacks by Industrial Sector
About 75% of all ransomware attacks that Dragos tracked in Q1 2022 targeted the manufacturing sector.
At least 6% of these attacks targeted the food and beverage sector, 4% targeted pharmaceuticals, 3% targeted oil and natural gas, 3% targeted engineering, 2% targeted utilities and 1% targeted mining.
Ransomware Group Trends
During Q1 of 2022, Dragos observed trends within certain ransomware groups:
- Suncrypt and Quantum have been targeting only food and beverage entities.
- RansomEXX and Rook have been targeting only pharmaceuticals.
- The utilities sector has been mainly targeted by Avos Locker and Blackbyte.
- The telecommunications sector has been mainly targeted by LAPSUS$.
- Lorenz, LV, Moses Staff, KARAKURT, CL0P LEAKS, Ragnar Locker, and Stormous have only targeted organizations within the manufacturing sector.
Heading into Q2, Dragos asserts that political tension between Russia and western countries will only exacerbate ransomware disruptions.