Ransomware continues to pose a serious problem for critical infrastructure and industrial organizations despite a slight drop in the number of incidents in the second quarter of 2022, according to a report from cybersecurity firm Dragos released on Tuesday.
Dragos bases its quarterly ransomware assessments on information from “publicly disclosed incidents, network telemetry and Dark Web posting.” The most recent report identified 125 distinct ransomware incidents in the second quarter, down from 158 in the first quarter; 23 of the 37 ransomware groups targeting industry and infrastructure that Dragos monitors were active, as opposed to 22 in the previous period.
This latest report focuses in part on the churn witnessed in the ransomware ecosystem, most notably the apparent shutdown of the Conti cybercrime gang in May after its attack on the government of Costa Rica drew the attention of the U.S. State Department. According to reports from cyber intelligence companies, the gang gained a foothold in a computer system of Costa Rica’s Finance Ministry, subsequently spreading to multiple government agencies and leading officials to declare a state of emergency.
Conti announced it was shutting down operations in May and took all its websites offline the following month. Dragos attributed the drop in cyber incidents primarily to this shutdown but said it is highly likely that the group has not gone away for good. Instead, experts believe the gang has split into smaller subgroups that joined or started new criminal operations with other cybercrime veterans.
One example is the group Black Basta, which claimed responsibility for an attack against agriculture equipment manufacturer and distributor AGCO in May. Dragos said researchers suspect that Black Basta, which it called “significant [and] threatening,” is being managed by former members of Conti and REvil, a notorious gang responsible for last year’s attack on global meat company JBS and itself suspected of being an offshoot of the DarkSide hacking group that attacked Colonial Pipeline. (See Glick Calls for Pipeline Cyber Standards After Colonial Attack.)
Most of the global ransomware targets last quarter were in Europe; Dragos recorded 46 attacks, or 37% of the total, on that continent. North America came next, with 36 attacks — 29% of the total, down from 42% in the first quarter — followed by Asia with 32. South America, the Middle East and Africa were apparently much less enticing targets, with six, four and one attack, respectively.
Eighty-six of the attacks in the second quarter were directed against the manufacturing sector; automotive companies bore the brunt with seven attacks. The energy sector tied for second with food and beverage companies, at 10 attacks each.
Dragos said that the second quarter’s attacks, though less numerous, were “more impactful,” noting an attack on factories operated by Foxconn in Mexico that caused the facilities to be shut down for several weeks. Operational technology (OT) networks continue to be a major target, and the firm warned that even attacks that only manage to penetrate a company’s information technology (IT) network can still “negatively impact OT operations” if the two networks interact.
Dragos predicted that fresh ransomware groups will continue to pop up in the third quarter, made up of either veterans or newcomers to the cybercrime world. In light of “continuous political tension between Russia and Western countries,” the firm said it could forecast continued targeting of OT operations with “moderate confidence.”