Despite the takedowns of some top ransomware groups, the remaining threat actors have continued to adapt and develop new tactics to capitalize on zero-day vulnerabilities, allowing them to cause more damage to industrial control systems (ICS) with fewer attacks, according to new research released by Dragos.
The report, which covers the last quarter of 2023, found that ransomware operations against ICS have become more refined and more potent even as the number of incidents fell, which is notable given the recent high-profile takedowns of operators such as Ragnar Locker and ALPHV. Of the 77 ransomware groups Dragos tracks, 32 were actively attacking industrial organizations during the quarter, and the number of incidents declined from 231 in the third quarter to 204 in the fourth quarter of 2023. The report emphasized that the lower count does not mean a lower threat: the groups that remain active are hitting industrial targets more effectively.
The research highlighted that groups such as LockBit, BlackCat, Royal, and Akira have been refining their techniques, notably remote encryption: the ransomware runs on a single compromised host on the victim's network and encrypts files that live on other machines over the network (for example via file shares), so the endpoint defenses on the systems whose data is actually encrypted never see a malicious process execute locally. The report also noted that these groups have begun managing their media relations, engaging with journalists to shape the narrative around their attacks, with the aim of increasing their profitability.
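Because remote encryption never runs a malicious binary on the file server or the workstations whose data is encrypted, the useful telemetry is on the side that serves the files: one network client writing to an abnormal number of files, across several servers, in a short window, with the written names carrying an extension the environment does not normally use. The following is an added example written for this page, not code from the Dragos report. It runs a simple sliding-window heuristic over a constructed, simplified access log whose fields (timestamp, client IP, file server, share, target path, access type) mirror what a Windows network-share audit event or a file-server audit log carries; the thresholds, the baseline extension set and the sample records are assumptions for illustration.

```python
"""Flag remote (over-the-network) ransomware encryption from file-share
access records. Added example for this page; not from the Dragos report."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Tuning assumptions: a real deployment derives these from its own baseline.
WINDOW = timedelta(seconds=60)
MIN_WRITES = 10          # writes from one client inside WINDOW
MIN_SERVERS = 2          # spread over at least this many file servers
MIN_FOREIGN_RATIO = 0.5  # share of written targets with an unfamiliar extension
BASELINE_EXT = {"xlsx", "docx", "pdf", "dwg", "txt", "csv", "pptx"}

# Constructed, simplified records (not real telemetry). 10.0.8.40 is a normal
# user; 10.0.5.23 is the compromised host encrypting shares on FS01 and FS02.
SAMPLE_LOG = """\
2023-11-14T02:00:01 10.0.8.40 FS01 Finance$ reports/q3.xlsx WRITE
2023-11-14T02:00:05 10.0.8.40 FS01 Finance$ reports/q3.xlsx WRITE
2023-11-14T02:00:09 10.0.8.40 FS01 Finance$ reports/q3.xlsx READ
2023-11-14T02:03:00 10.0.5.23 FS01 Finance$ 2023/budget.xlsx.locked WRITE
2023-11-14T02:03:02 10.0.5.23 FS01 Finance$ 2023/forecast.xlsx.locked WRITE
2023-11-14T02:03:04 10.0.5.23 FS01 Finance$ 2023/README.txt WRITE
2023-11-14T02:03:06 10.0.5.23 FS01 Eng$ plant/line1.dwg.locked WRITE
2023-11-14T02:03:08 10.0.5.23 FS01 Eng$ plant/line2.dwg.locked WRITE
2023-11-14T02:03:10 10.0.5.23 FS02 HR$ staff/roster.docx.locked WRITE
2023-11-14T02:03:12 10.0.5.23 FS02 HR$ staff/policy.pdf.locked WRITE
2023-11-14T02:03:14 10.0.5.23 FS02 HR$ staff/README.txt WRITE
2023-11-14T02:03:16 10.0.5.23 FS02 Ops$ shifts/march.csv.locked WRITE
2023-11-14T02:03:18 10.0.5.23 FS02 Ops$ shifts/april.csv.locked WRITE
2023-11-14T02:03:20 10.0.5.23 FS02 Ops$ shifts/may.csv.locked WRITE
"""


def parse(line):
    """Split one whitespace-delimited record. Real paths can contain spaces,
    so production code should parse the audit format properly instead."""
    ts, client, server, share, target, access = line.split()
    return {"ts": datetime.fromisoformat(ts), "client": client,
            "server": server, "share": share, "target": target, "access": access}


def has_foreign_extension(target):
    """True when the final extension is not one the environment normally uses,
    e.g. the '.locked' suffix appended by the (assumed) encryptor."""
    ext = target.rsplit(".", 1)[-1].lower() if "." in target else ""
    return ext not in BASELINE_EXT


def detect_remote_encryption(lines):
    """Return one alert per client whose writes, inside a sliding WINDOW,
    exceed MIN_WRITES, touch MIN_SERVERS servers and mostly rename files."""
    events = sorted((parse(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    recent = defaultdict(deque)   # client -> writes inside the current window
    alerts = {}
    for ev in events:
        if ev["access"] != "WRITE":
            continue
        q = recent[ev["client"]]
        q.append(ev)
        while q and ev["ts"] - q[0]["ts"] > WINDOW:
            q.popleft()                       # evict writes older than WINDOW
        if len(q) < MIN_WRITES:
            continue
        servers = sorted({e["server"] for e in q})
        foreign = sum(has_foreign_extension(e["target"]) for e in q)
        ratio = foreign / len(q)
        if len(servers) >= MIN_SERVERS and ratio >= MIN_FOREIGN_RATIO:
            prev = alerts.get(ev["client"])
            if prev is None or len(q) > prev["writes"]:   # keep the widest window
                alerts[ev["client"]] = {
                    "client": ev["client"],
                    "window_start": q[0]["ts"].isoformat(),
                    "window_end": ev["ts"].isoformat(),
                    "writes": len(q),
                    "servers": servers,
                    "foreign_ratio": round(ratio, 2),
                }
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_remote_encryption(SAMPLE_LOG.splitlines()):
        print(alert)
```

The ransom-note writes (README.txt) are counted as writes but not as renames, which is why the heuristic keys on the ratio rather than requiring every target to carry the new extension. In a real environment the same client fingerprint should then drive an automated response on the file servers (block the SMB session and the client's account), since the host running the encryptor is by construction not one the endpoint agent on the server can stop.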
Ransomware groups are also collaborating more closely and sharing intelligence with one another, which lets them evolve their tradecraft quickly. The report cited the joint activity of BianLian, White Rabbit, and Mario Ransomware as an example of this growing cooperation, which raises the risk to critical infrastructure and industrial sectors.
Dragos also identified exploitation of zero-day vulnerabilities as the ransomware groups' most effective tactic, citing the wave of LockBit attacks in the fall of 2023 that leveraged Citrix Bleed (CVE-2023-4966), a memory-disclosure flaw in Citrix NetScaler ADC and Gateway that leaks valid session tokens and lets an attacker hijack already-authenticated sessions, bypassing MFA. Because stolen tokens remained valid after the fix was applied, patching alone was not enough; exposed appliances also had to have their active sessions terminated. Organizations impacted included Boeing, the Industrial and Commercial Bank of China, and Comcast Xfinity, among others.
Among the most active ICS ransomware actors, the report found that LockBit 3.0 accounted for 25.5% of incidents, followed by Black Basta at 10.3%. Looking ahead, Dragos assesses with moderate confidence that the ransomware threat landscape will continue to evolve, marked by the emergence of new ransomware variants as groups refine their attack methodologies, with zero-day vulnerabilities likely remaining a key component of their operational toolkit.
Overall, the research revealed that ransomware groups have continued to evolve and adapt their tactics in order to capitalize on zero-day vulnerabilities, collaborate more closely, and engage in media relations efforts to enhance their profitability, posing a significant and ongoing threat to industrial control systems.

