Ransomware Attackers Target Industries with Low Downtime Tolerance


Cybersecurity firm Dragos has identified 23 ransomware groups that impacted industrial organizations, according to its Industrial Ransomware Analysis: Q3 2024 report.

Some of these groups represented entirely new entities, while others were assessed to be rebranded versions of existing groups.

This included APT73, which has been linked to remnants of LockBit affiliates due to its repurposing of the gang’s operational techniques. APT73 also introduced new payloads to evade detection and maintain its foothold in the ecosystem.


These campaigns prioritized industries with a low tolerance for downtime, such as healthcare, financial services and industrial operations. The attackers appeared to view sectors where operational disruption can lead to cascading impacts as being more likely to pay ransom demands.

The research highlighted several prominent ransomware incidents affecting industrial organizations in Q3, which led to operational halts, financial losses and compromised data integrity.

These included automotive software firm CDK, which paid a $25m ransom to the BlackSuit gang after an attack disrupted thousands of car dealerships across the US and Canada.

In another incident, oilfield services company Halliburton saw its operations disrupted by a ransomware attack attributed to RansomHub; financial losses of approximately $35m were recorded.

Ransomware Groups Evolve their Tactics

The Dragos report highlighted numerous ransomware gangs that have evolved their tactics in the latter half of 2024.

The Eldorado and Play ransomware operators shifted their intrusion tactics, techniques and procedures (TTPs) to focus on virtual networking applications, according to the Dragos report, with both groups observed targeting VMware ESXi environments.

Another notable trend in 2024 has been attackers combining vulnerability exploitation with credential-based attacks to bypass multi-factor authentication (MFA) protections.

Additionally, VPN exploitation is increasing despite this being predominantly associated with opportunistic attacks, Dragos observed.

Several prominent ransomware groups exploited vulnerabilities in VPNs and leveraged living-off-the-land techniques to gain traction in target organizations during Q3.

These included Fog ransomware, Helldown and RansomHub, which have demonstrated sophisticated encryption, exfiltration, persistence and disruptive capabilities in critical industrial organizations, including in energy, water management, transportation and manufacturing.

The researchers also observed an expanded reliance on initial access brokers (IABs) in the ransomware-as-a-service (RaaS) model to facilitate entry into targeted environments in Q3.

“These brokers acted as force multipliers, enabling ransomware groups to scale their operations by focusing on payload deployment and extortion strategies,” Dragos noted.

Ransomware Groups Using Advanced Persistence Mechanisms

Multiple ransomware groups expanded their post-compromise lateral movement capabilities by blending traditional methods with advanced persistence mechanisms, according to the report.

These techniques included:

  • Living-off-the-land. Ransomware operators evaded detection by mimicking legitimate network activity, using legitimate administrative tools like PowerShell, certutil.exe and PsExec.
  • Abusing remote access tools. Attackers increased their use of remote access tools such as AnyDesk and Quick Assist in conjunction with custom scripts designed to disable antivirus protection.
  • Targeting virtual environments. Groups like Eldorado and Play developed Linux lockers specifically to target VMware ESXi environments, which encrypt critical virtual machine files while disabling active virtual machines.
  • Integrating advanced malware. Groups such as Black Basta shifted to custom malware, employing backdoor tools like SilentNight, tunneling utilities like PortYard and memory-only droppers like DawnCry to maintain persistence and evade endpoint detection.
