Over 200 critical infrastructure ransomware incidents in 2023

According to Dragos’ quarterly industrial ransomware analysis for the critical infrastructure sector, there have been 214 ransomware incidents globally in the first quarter of 2023, a 13% increase from Q4 2022.

The company also observed two new and significant trends: the use of zero-day vulnerabilities and the exploitation of recently discovered vulnerabilities. The Clop ransomware group claimed to have used the GoAnywhere zero-day vulnerability (CVE-2023-0669) to impact 130 organisations in February 2023. Other ransomware groups, such as Cuba and Play, used a zero-day exploit dubbed OWASSRF, which targets CVE-2022-41080, to compromise unpatched Microsoft Exchange servers in January 2023.

Critical infrastructure

“Ransomware attacks continued to be a significant threat to industrial organisations and critical infrastructure in the first quarter of 2023. This trend underscores the growing sophistication and opportunism of ransomware groups, making it crucial for industrial organisations to remain vigilant and adopt robust cybersecurity measures to protect their operations and critical infrastructure,” said Abdulrahman Alamri, Senior Adversary Hunter at Dragos.

“Twenty of the 61 ransomware groups that we track caused significant damage to industrial organisations through the use of continually evolving tactics.”

Dragos’ breakdowns of ransomware activities for this quarter are as follows:

Ransomware by region

  • 44% of the 214 ransomware attacks recorded globally impacted industrial organisations and critical infrastructure in North America, for a total of 95 incidents, which is twice the number Dragos reported last quarter for North America
  • Within North America, the US sustained over 41% of all ransomware attacks
  • Europe came in second with 28% of the global total and 59 incidents
  • Asia is next with 15% or 33 incidents
  • South America had 5%, totaling ten incidents
  • The Middle East had 4% or eight incidents
  • Africa had 3%, totaling six incidents
  • Australia had 1% or three incidents

Ransomware by critical infrastructure sector and sub-sector

Sixty-seven percent of ransomware attacks impacted the manufacturing sector (143 incidents in total), the same number of incidents as in the previous quarter. Next was food and beverage, with 13% of attacks (28 incidents), roughly double the incidents of the previous quarter.

The energy sector was targeted with 7% of the attacks (15 incidents) and the pharmaceuticals sector with 5% of attacks (10 incidents). Oil and gas accounted for 3% (seven incidents, up from four last quarter) and the transportation sector for around 3% of attacks (six incidents). The mining and water sectors were each impacted by 1% of total attacks in the first quarter of 2023.

Ransomware by groups

In Q1 of 2023, Dragos tracked the activity of 20 ransomware groups, compared to 24 in Q4 of 2022. Analysis of the ransomware data shows that Lockbit 3.0 was responsible for 36% of all ransomware attacks, accounting for 77 incidents, nearly double the incidents of the previous quarter; AlphaV was responsible for 13% of attacks; Royal came next with 12%; Black Basta and Clop followed with 7% each.

Ransomware victimology trends

During the first quarter of 2023, Dragos continued to observe trends in the victimology of ransomware groups. This does not, however, determine the permanent focus of these groups, as victimology can change over time.

Dragos observed three more ransomware groups impacting industrial sectors and regions of the world in this quarter than in Q4 of 2022. Based on analysis of the Q1 2023 timeframe, Dragos observed some of the most active ransomware groups impacting the following industries and geographies:

  • Abyss, BianLian and Everest: manufacturing in North America
  • AvosLocker, Royal, Unsafe, Lorenz: food & beverage and manufacturing
  • Play and Stormous: manufacturing and energy
  • CL0P leaks: transportation
  • DAIXIN team: food & beverage in North America
  • Mallox: manufacturing and oil & gas
  • Black Basta: North America and Europe
  • Blackbyte: North America

Looking ahead to Q2 2023

Dragos assesses with high confidence that ransomware will continue to disrupt industrial operations, whether through the integration of operational technology (OT) kill processes into ransomware strains, flattened networks allowing ransomware to spread into OT environments or precautionary shutdowns of production by operators to prevent ransomware from spreading to industrial control systems.

Given the ongoing churn among ransomware groups, Dragos assesses with moderate confidence that new groups, whether genuinely new or reformed from existing ones, will continue to appear in the next quarter.

As ransomware groups’ revenues continue to decrease due to victims’ refusal to pay ransoms and government efforts to prohibit payment, Dragos assesses with moderate confidence that ransomware groups will increase their efforts to cause damage to industrial organisations in order to fulfil their financial objectives.
