Dragos Says Ransomware Gang Accessed Limited Data but Failed at Extortion Scheme 

ICS cybersecurity vendor Dragos discloses breach and data theft but says ransomware group failed at elaborate extortion scheme.

Industrial cybersecurity vendor Dragos on Wednesday said a known ransomware group breached its defenses and accessed threat intel reports, a SharePoint portal and a customer support system but ultimately failed in an elaborate extortion scheme that included private messages to company executives.

Dragos, a well-capitalized startup in the ICS security space, said its internal security controls caught and limited the damage from the intrusion, which began when the criminal group hacked into the personal email address of a new sales employee prior to their start date, and used their personal information to impersonate the Dragos employee and accomplish initial steps in the employee onboarding process. 

“The group accessed resources a new sales employee typically uses in SharePoint and the Dragos contract management system. In one instance, a report with IP addresses associated with a customer was accessed, and we’ve reached out to the customer,” Dragos said in a statement documenting the incident.

The company published a timeline showing the hackers spent just over 16 hours in its environment and successfully accessed some data, including 25 Dragos intel reports normally available to paying customers, as well as a contract management system.

Dragos said the unnamed ransomware actor also downloaded general use data from the company’s SharePoint and sent emails to company executives threatening to release the stolen data if the company refused to pay extortion demands.

“We investigated alerts in our corporate Security Information & Event Management (SIEM) and blocked the compromised account,” Dragos said, noting that its layered security controls prevented the threat actor from deploying ransomware in its network.

“They were also prevented from accomplishing lateral movement, escalating privileges, establishing persistent access, or making any changes to the infrastructure,” the company said.

“After they failed to gain control of a Dragos system and deploy ransomware, they pivoted to attempting to extort Dragos to avoid public disclosure.”

Dragos said it chose not to engage with the actor, despite multiple attempts to make contact via WhatsApp messages that included references to family members of Dragos executives.

Dragos said it decided not to engage with the criminals and ignored all attempts at communication, despite the risk that the stolen data may be publicly released.

“The data that was lost and likely to be made public because we chose not to pay the extortion is regrettable. However, it is our hope that highlighting the methods of the adversary will help others consider additional defenses against these approaches so that they do not become a victim to similar efforts,” the company said.

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
