Despite takedowns of top ransomware groups, those remaining threat actors have continued to develop new tricks, while maintaining their ability to capitalize on zero-day vulnerabilities, helping them do more damage to industrial control systems with fewer attacks, according to new research.
Dragos released its latest industrial ransomware analysis for the last quarter of 2023, finding the landscape more refined, and potent, than ever before in its attacks against ICS. It's a surprising reveal given recent high-profile busts of ransomware operators in the space, including Ragnar Locker and ALPHV, the new report explained.
Indeed there were fewer ransomware attacks impacting industrial systems during the analysis period.
According to the report, there were a total of 32 groups of the 77 known to attack ICS that were active last quarter, and the number of incidents dropped from 231 the previous year down to 204 in the fourth quarter of 2023.
One potential contributor is the fact that ransomware groups like LockBit, BlackCat, Roya, and Akira have innovated over the past few months, adding techniques like remote encryption, the Dragos team reported.
ICS Ransomware Is Upping its PR Game These groups have likewise begun to work on their media relations efforts.
It's up to defenders to similarly up their communications game in their incident response efforts, Dragos added.
Ransomware groups are also working more closely and sharing intelligence among themselves, helping them evolve their cyberattacks rapidly, the researchers warn.
The report pointed to the collaboration of BianLian, White Rabbit, and Mario Ransomware to target financial services organizations as a prime example of this kind of threat.
While the groups are all adding new tools into their ransomware arsenal, Dragos researchers added that exploiting zero-day vulnerabilities continues to be the most effective for their operations, highlighting as a prime example the sprawling LockBit ransomware attacks from last fall that leveraged the Citrix Bleed zero-day, which impacted organizations including Boeing, the Industrial and Commerical Bank of China, Comcast Xfinity, and more.
Most Active ICS Ransomware Actors Although the sheer number of ransomware attacks against industrial systems is down, Dragos warns that these cybercriminals remain a dangerous threat.
The report findings added the LockBit 3.0 group was the most active over the quarter, responsible for 25.5 percent.
Black Basta ransomware was second with 10.3 percent.
This Cyber News was published on www.darkreading.com. Publication date: Fri, 26 Jan 2024 14:25:07 +0000