Security Experts:

Number of Ransomware Attacks on Industrial Orgs Drops Following Conti Shutdown

The number of ransomware attacks on industrial organizations decreased from 158 in the first quarter of 2022 to 125 in the second quarter, and it may be — at least partially — a result of the Conti operation shutting down.

According to data collected by industrial cybersecurity firm Dragos, Conti accounted for a significant chunk of the ransomware attacks on industrial organizations and infrastructure in the previous quarters and the threat actor’s decision to pull the plug on the operation in May could have led to the drop in the number of attacks in the second quarter.

Experts believe the Conti operation, which had been a highly profitable business, was shut down after the brand became toxic following some of the group’s members openly expressing support for Russia after it launched its invasion of Ukraine.

The Conti brand may have been terminated, but experts believe its leaders are still active, continuing their work through several smaller ransomware operations, including Karakurt, Black Basta, BlackByte, AlphV (BlackCat), HIVE, HelloKitty (FiveHands), and AvosLocker.

According to Dragos, 33% of the ransomware attacks in Q2 were launched by the LockBit group, followed by Conti (13%), Black Basta (12%), Quantum (7%), AlphV (4%) and Hive (4%).

It’s worth noting that the Black Basta group was not seen launching attacks in Q1, which could indicate that they are filling the gap left by the Conti operation. It’s believed that Conti leaders started preparing for their exit weeks before the actual shutdown.

Learn more about ransomware attacks on industrial organizations at

SecurityWeek’s ICS Cyber Security Conference

Industrial organizations in Europe accounted for 37% of all ransomware attacks seen by Dragos, followed by North America, which accounted for 29% of incidents, and Asia, with 26%. The company pointed out that the percentage of Asian companies hit in the previous quarter was only 9%.

As for the most targeted sectors, manufacturing continues to be the main target, with 86 of the attacks observed in the second quarter aimed at this industry.

Ransomware attacks on ICS sectors in Q2 2022

Some groups appear to focus on a particular industry. For example, Karakurt has mainly targeted transportation entities, and Vice Society has only attacked automotive manufacturing firms.

Some groups only target certain regions. For instance, Moses Staff has only targeted Israel, while Black Basta, Ransomhouse, and Everest have only targeted companies in the US and Europe. Quantum and Lorenzo ransomware have only targeted companies based in North America.

Ransomware attacks on industrial organizations can have a significant impact, with several incidents known to have caused disruption to operational technology (OT) systems. Dragos noted that while the number of attacks is down, the impact has been significant. 

“In Q3 of 2022, Dragos assesses with high confidence that ransomware will continue to disrupt OT operations, whether through the integration of OT kill processes into ransomware strains, flattened networks allowing for ransomware to spread into OT environments, or through precautionary shutdowns of OT environments by operators to prevent ransomware from spreading to OT systems,” Dragos said.

It added, “Due to the changes in ransomware groups themselves, Dragos assesses with moderate confidence new ransomware groups will appear in the next quarter, whether as new or reformed ones. Dragos assesses with moderate confidence that ransomware will continue to either indirectly or directly target OT operations.”

Related: Europe Warned About Cyber Threat to Industrial Infrastructure

Related: Increasing Number of Threat Groups Targeting OT Systems in North America

Related: Ransomware Hit SCADA Systems at 3 Water Facilities in U.S.

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.