
The Escalating Threat of ICS Ransomware: Evolving Dangers in a Decreasing Attack Landscape

Despite recent crackdowns on prominent ransomware groups, the remaining adversaries in the realm of Industrial Control Systems (ICS) ransomware are escalating their threats with more sophisticated tactics and collaborative efforts, while still effectively exploiting zero-day vulnerabilities. This alarming trend was highlighted in Dragos’ latest analysis of industrial ransomware activities for the last quarter of 2023, which revealed a more refined and dangerous landscape despite a decrease in the total number of attacks.

New Ransomware Threats

The report indicated a surprising resilience and evolution of ransomware threats targeting ICS, considering the high-profile takedowns of groups like Ragnar Locker and ALPHV. Although there was a decrease in the number of attacks – from 231 to 204 – the intensity and sophistication of these incursions have not diminished. The analysis found that of 77 known groups targeting ICS, 32 were active in the last quarter, with LockBit, BlackCat, Royal, and Akira being notably innovative, introducing remote encryption techniques to increase the effectiveness of their attacks.

These groups are not just advancing technologically; they are also improving their public relations strategies. By engaging with media, releasing press statements, FAQs, and interviews, they are shaping public perception and narrative around their activities, thus increasing their notoriety and pressure on their victims.

Collaboration

The report also highlighted a worrying trend of increased collaboration among ransomware groups. This synergy enables them to share intelligence and tactics rapidly, posing a heightened risk to critical infrastructure and industrial sectors. The partnership among groups like BianLian, White Rabbit, and Mario Ransomware targeting financial services is a stark example of this emerging threat.

Zero-Days

Despite the evolution in their modus operandi, leveraging zero-day vulnerabilities remains a cornerstone of these groups’ strategies. A prime example is the widespread LockBit ransomware attacks leveraging the Citrix Bleed zero-day, impacting major organizations globally.

Dragos’ report emphasized that while the frequency of ransomware attacks on industrial systems may have declined, the threat they pose remains significant. LockBit 3.0 emerged as the most active group in the last quarter, being responsible for over a quarter of the incidents. Following close behind was the Black Basta ransomware.

The Short Term Outlook

Looking ahead, Dragos anticipates the ransomware landscape to continue evolving, with the emergence of new variants and continued reliance on zero-day vulnerabilities. This evolution underscores the importance for defenders in these sectors to enhance their incident response and cybersecurity measures to combat these increasingly sophisticated threats.

Energy, Water, Transportation, Electricity and Communications are all obvious targets. If we don’t start shoring up our defenses and implementing ITDR (identity threat detection and response) based on Zero Trust principles, we will pay a heavy price, and soon. We continue to be alarmed that we see no evidence of progress toward any of this in any of our ICS plants or facilities.

Maybe we’re just alarmists.

Author

Steve King

Managing Director, CyberEd

King, an experienced cybersecurity professional, has served in senior leadership roles in technology development for the past 20 years. He has founded nine startups, including Endymion Systems and seeCommerce. He has held leadership roles in marketing and product development, operating as CEO, CTO and CISO for several startups, including Netswitch Technology Management. He also served as CIO for Memorex and was the co-founder of the Cambridge Systems Group.
