Industrial Ransomware Attacks: New Groups Emerge, Manufacturing Pays Highest Ransom

Industrial organizations continue to be a top target for ransomware attacks, and reports published by cybersecurity companies this week reveal some recent trends.

Industrial cybersecurity firm Dragos reported that 25 of the 48 threat groups known to target industrial organizations and infrastructure were active in the third quarter of 2022. The list includes several new ransomware groups, such as Sparta Blog, Bianlian, Donuts, Onyx and Yanluowang.

It’s unclear if these are actual new gangs or if they’re previous operations that have been rebranded — for instance, the people behind Conti are believed to have launched new operations after the brand became toxic and it was shut down.

There are also several known groups that targeted industrial entities in Q3 but not in Q2, including Lockbit 3.0, which accounted for the highest percentage of attacks, Cl0p Leaks, Medusalocker, and Revil.

Ransomware groups targeting industrial organizations

Dragos is aware of 128 industrial ransomware attacks in Q3, one-third of which targeted entities in North America, followed closely by Europe. In the case of North America, the percentage jumped from 26% in Q2 to 36% in Q3.

“The increase in ransomware activities in North America could be tied to the current global political and economic situations,” Dragos said.

The manufacturing sector is the most targeted, according to data from Dragos, with 88 attacks. Targets include organizations specializing in metal products, industrial solutions, packaging, plastics, electronics, automotive, cosmetics, building materials, and furniture.

Sophos this week published a report titled ‘The State of Ransomware in Manufacturing and Production’ (PDF). The report is based on a survey of 5,600 IT professionals in mid-sized organizations across 31 countries, including 419 respondents in the manufacturing and production sector.

Data collected by Sophos shows that this sector had the lowest attack rate, with only 55% of the surveyed organizations being targeted by ransomware. However, this represents a significant increase from the previous year, when it was 36%.

The manufacturing and production industry also reported the lowest encryption rate — 57% compared to the cross-sector average of 65%.

On the other hand, these industrial organizations reported an increase in attack complexity and they saw the highest average ransom payment — more than $2 million, compared to $800,000 for the cross-sector average.

Specifically, 38 respondents agreed to say how much they paid. Of these, 8% paid more than $1 million and 37% paid more than $100,000. Eleven percent said they had paid less than $1,000.

“While a number of very high-value ransoms have pushed the overall average up, there is clearly an upward trend in payments year over year,” Sophos said in its report.

The cybersecurity firm also found that manufacturing firms paid, on average, $1.23 million to remediate a ransomware attack, with the process taking 1-6 months for 10% of organizations and less than a week for 67% of them.

“At first sight, it may seem counterintuitive that the average recovery bill is less than the average ransom payment. However, in many cases, insurance providers cover ransom payments,” Sophos clarified.

The study found that 75% of organizations have cyberinsurance, and while the payout rate for ransomware attacks is 97%, the payout rate for the actual ransom is 30%, the lowest compared to other sectors.

“This low pay-out rate is likely linked to the overall low ransom payment rate by the sector. However, given that manufacturing and production reported the highest average ransom, organizations in this sector should make sure they have the coverage they need in their insurance policies,” Sophos said.

Related: Ransomware Often Hits Industrial Systems, With Significant Impact: Survey

Related: Number of Ransomware Attacks on Industrial Orgs Drops Following Conti Shutdown

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.