Industrial Ransomware Attacks: New Groups Emerge, Manufacturing Pays Highest Ransom

Industrial organizations continue to be a top target for ransomware attacks, and reports published by cybersecurity companies this week reveal some recent trends.

Industrial cybersecurity firm Dragos reported that 25 of the 48 threat groups known to target industrial organizations and infrastructure were active in the third quarter of 2022. The list includes several new ransomware groups, such as Sparta Blog, Bianlian, Donuts, Onyx and Yanluowang.

It’s unclear if these are actual new gangs or if they’re previous operations that have been rebranded — for instance, the people behind Conti are believed to have launched new operations after the brand became toxic and it was shut down.

There are also several known groups that targeted industrial entities in Q3 but not in Q2, including Lockbit 3.0, which accounted for the highest percentage of attacks, Cl0p Leaks, Medusalocker, and Revil.

Ransomware groups targeting industrial organizations

Dragos is aware of 128 industrial ransomware attacks in Q3, one-third of which targeted entities in North America, followed closely by Europe. In the case of North America, the percentage jumped from 26% in Q2 to 36% in Q3.

“The increase in ransomware activities in North America could be tied to the current global political and economic situations,” Dragos said.

The manufacturing sector is the most targeted, according to data from Dragos, with 88 attacks. Targets include organizations specializing in metal products, industrial solutions, packaging, plastics, electronics, automotive, cosmetics, building materials, and furniture.

Sophos this week published a report titled ‘The State of Ransomware in Manufacturing and Production’ (PDF). The report is based on a survey of 5,600 IT professionals in mid-sized organizations across 31 countries, including 419 respondents in the manufacturing and production sector.

Data collected by Sophos shows that this sector had the lowest attack rate, with only 55% of the surveyed organizations being targeted by ransomware. However, this represents a significant increase from the previous year, when it was 36%.

The manufacturing and production industry also reported the lowest encryption rate — 57% compared to the cross-sector average of 65%.

On the other hand, these industrial organizations reported an increase in attack complexity and they saw the highest average ransom payment — more than $2 million, compared to $800,000 for the cross-sector average.

Specifically, 38 respondents agreed to say how much they paid. Of these, 8% paid more than $1 million and 37% paid more than $100,000. Eleven percent said they had paid less than $1,000.

“While a number of very high-value ransoms have pushed the overall average up, there is clearly an upward trend in payments year over year,” Sophos said in its report.

The cybersecurity firm also found that manufacturing firms paid, on average, $1.23 million to remediate a ransomware attack, the process taking 1-6 months for 10% of organizations and less than a week for 67% of them.

“At first sight, it may seem counterintuitive that the average recovery bill is less than the average ransom payment. However, in many cases, insurance providers cover ransom payments,” Sophos clarified.

The study found that 75% of organizations have cyberinsurance, and while the payout rate for ransomware attacks is 97%, the payout rate for the actual ransom is 30%, the lowest compared to other sectors.

“This low pay-out rate is likely linked to the overall low ransom payment rate by the sector. However, given that manufacturing and production reported the highest average ransom, organizations in this sector should make sure they have the coverage they need in their insurance policies,” Sophos said.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
