Manufacturing sector hit hardest by ransomware in 2024

Research from the cybersecurity firm Dragos has identified the manufacturing sector as the most targeted by cyber threat actors, experiencing a significant proportion of ransomware attacks in the third quarter of 2024.

The analysis conducted by Dragos indicates that the manufacturing sector faced 394 unique attacks during the period from July to September 2024. This figure represents 71% of all ransomware incidents observed across key industries during this time.

Dragos assesses with moderate confidence that ransomware activity targeting industrial organisations will likely continue to escalate. This is attributed to actors driven by both financial and ideological motivations.

The risks are compounded by a shift from traditional financial extortion to operational sabotage, notably by personas with hacktivist intentions. This convergence further blurs the line between cybercrime and cyberwarfare, necessitating enhanced defences for Industrial Control Systems (ICS) and Operational Technology (OT) environments.

The period in question saw transformative shifts within the ransomware landscape, which remains both dynamic and continuously evolving.

The ecosystem was highly active, with new groups emerging, existing entities rebranding, expansion of initial access broker operations, and an increase in the use of illicitly traded tools. Ransomware operators demonstrated adaptability, leveraging technological advancements and strategic realignments to mitigate disruptions and sustain operations.

Other significant statistics from the third quarter include 38 incidents in the transportation sector, accounting for 7% of all incidents. The communications and electric sectors experienced 17 and 13 incidents, respectively, together making up approximately 5% of happenings. The oil and natural gas sector recorded 13 incidents at 2% of the total, while the government sector faced 12 incidents, also 2% of recorded cases. The water and wastewater, mining, and data centre sectors faced less frequent incidents, with 5, 3, and 1 cases, respectively.

Throughout this period, established ransomware groups such as RansomHub, LockBit3.0, and Play maintained prominence, while new actors emerged capitalising on vulnerabilities within IT and OT environments.

The industrial sector, with a focus on manufacturing and ICS equipment and engineering, remained a primary target for operators exploiting weak credential practices and vulnerabilities in remote access systems.

Geographically, North America was the most impacted, with 304 ransomware incidents, accounting for approximately 55% of the global activity. The United States and Canada were particularly targeted, with adversaries focusing on critical sectors like manufacturing, utilities, and healthcare. Europe followed with 119 incidents, making up about 22% of the global attacks. The United Kingdom, Germany, and Italy were particularly targeted, especially in the manufacturing, transportation, and technology sectors.

It is vital for organisations to prioritise strong cybersecurity measures to mitigate these threats. Recommendations include monitoring critical ports, enforcing multi-factor authentication (MFA), maintaining offline backups, and securing remote access. Additionally, enhanced personnel training and ongoing assessment of network architecture are crucial in defending against evolving tactics.

As the ransomware landscape continues to fragment and adapt, proactive defences, intelligence sharing, and collaboration remain essential in protecting critical infrastructure and industrial operations.