Security Experts:

Connect with us

Hi, what are you looking for?



Number of Ransomware Attacks on Industrial Orgs Drops Following Conti Shutdown

The number of ransomware attacks on industrial organizations decreased from 158 in the first quarter of 2022 to 125 in the second quarter, and it may be — at least partially — a result of the Conti operation shutting down.

The number of ransomware attacks on industrial organizations decreased from 158 in the first quarter of 2022 to 125 in the second quarter, and it may be — at least partially — a result of the Conti operation shutting down.

According to data collected by industrial cybersecurity firm Dragos, Conti accounted for a significant chunk of the ransomware attacks on industrial organizations and infrastructure in the previous quarters and the threat actor’s decision to pull the plug on the operation in May could have led to the drop in the number of attacks in the second quarter.

Experts believe the Conti operation, which had been a highly profitable business, was shut down after the brand became toxic following some of the group’s members openly expressing support for Russia after it launched its invasion of Ukraine.

The Conti brand may have been terminated, but experts believe its leaders are still active, continuing their work through several smaller ransomware operations, including Karakurt, Black Basta, BlackByte, AlphV (BlackCat), HIVE, HelloKitty (FiveHands), and AvosLocker.

According to Dragos, 33% of the ransomware attacks in Q2 were launched by the LockBit group, followed by Conti (13%), Black Basta (12%), Quantum (7%), AlphV (4%) and Hive (4%).

It’s worth noting that the Black Basta group was not seen launching attacks in Q1, which could indicate that they are filling the gap left by the Conti operation. It’s believed that Conti leaders started preparing for their exit weeks before the actual shutdown.

Learn more about ransomware attacks on industrial organizations at

SecurityWeek’s ICS Cyber Security Conference

Industrial organizations in Europe accounted for 37% of all ransomware attacks seen by Dragos, followed by North America, which accounted for 29% of incidents, and Asia, with 26%. The company pointed out that the percentage of Asian companies hit in the previous quarter was only 9%.

As for the most targeted sectors, manufacturing continues to be the main target, with 86 of the attacks observed in the second quarter aimed at this industry.

Ransomware attacks on ICS sectors in Q2 2022

Some groups appear to focus on a particular industry. For example, Karakurt has mainly targeted transportation entities, and Vice Society has only attacked automotive manufacturing firms.

Some groups only target certain regions. For instance, Moses Staff has only targeted Israel, while Black Basta, Ransomhouse, and Everest have only targeted companies in the US and Europe. Quantum and Lorenzo ransomware have only targeted companies based in North America.

Ransomware attacks on industrial organizations can have a significant impact, with several incidents known to have caused disruption to operational technology (OT) systems. Dragos noted that while the number of attacks is down, the impact has been significant. 

“In Q3 of 2022, Dragos assesses with high confidence that ransomware will continue to disrupt OT operations, whether through the integration of OT kill processes into ransomware strains, flattened networks allowing for ransomware to spread into OT environments, or through precautionary shutdowns of OT environments by operators to prevent ransomware from spreading to OT systems,” Dragos said.

It added, “Due to the changes in ransomware groups themselves, Dragos assesses with moderate confidence new ransomware groups will appear in the next quarter, whether as new or reformed ones. Dragos assesses with moderate confidence that ransomware will continue to either indirectly or directly target OT operations.”

Related: Europe Warned About Cyber Threat to Industrial Infrastructure

Related: Increasing Number of Threat Groups Targeting OT Systems in North America

Related: Ransomware Hit SCADA Systems at 3 Water Facilities in U.S.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...