The number of ransomware attacks on industrial organizations decreased from 158 in the first quarter of 2022 to 125 in the second quarter, and it may be — at least partially — a result of the Conti operation shutting down.
According to data collected by industrial cybersecurity firm Dragos, Conti accounted for a significant chunk of the ransomware attacks on industrial organizations and infrastructure in the previous quarters, and the threat actor’s decision to pull the plug on the operation in May could have led to the drop in the number of attacks in the second quarter.
Experts believe the Conti operation, which had been a highly profitable business, was shut down after the brand became toxic following some of the group’s members openly expressing support for Russia after it launched its invasion of Ukraine.
The Conti brand may have been terminated, but experts believe its leaders are still active, continuing their work through several smaller ransomware operations, including Karakurt, Black Basta, BlackByte, AlphV (BlackCat), HIVE, HelloKitty (FiveHands), and AvosLocker.
According to Dragos, 33% of the ransomware attacks in Q2 were launched by the LockBit group, followed by Conti (13%), Black Basta (12%), Quantum (7%), AlphV (4%) and Hive (4%).
It’s worth noting that the Black Basta group was not seen launching attacks in Q1, which could indicate that they are filling the gap left by the Conti operation. It’s believed that Conti leaders started preparing for their exit weeks before the actual shutdown.
Industrial organizations in Europe accounted for 37% of all ransomware attacks seen by Dragos, followed by North America, which accounted for 29% of incidents, and Asia, with 26%. The company pointed out that the percentage of Asian companies hit in the previous quarter was only 9%.
As for the most targeted sectors, manufacturing continues to be the main target, with 86 of the attacks observed in the second quarter aimed at this industry.
Some groups appear to focus on a particular industry. For example, Karakurt has mainly targeted transportation entities, and Vice Society has only attacked automotive manufacturing firms.
Some groups only target certain regions. For instance, Moses Staff has only targeted Israel, while Black Basta, Ransomhouse, and Everest have only targeted companies in the US and Europe. Quantum and Lorenzo ransomware have only targeted companies based in North America.
Ransomware attacks on industrial organizations can have a significant impact, with several incidents known to have caused disruption to operational technology (OT) systems. Dragos noted that while the number of attacks is down, the impact has been significant.
“In Q3 of 2022, Dragos assesses with high confidence that ransomware will continue to disrupt OT operations, whether through the integration of OT kill processes into ransomware strains, flattened networks allowing for ransomware to spread into OT environments, or through precautionary shutdowns of OT environments by operators to prevent ransomware from spreading to OT systems,” Dragos said.
It added, “Due to the changes in ransomware groups themselves, Dragos assesses with moderate confidence new ransomware groups will appear in the next quarter, whether as new or reformed ones. Dragos assesses with moderate confidence that ransomware will continue to either indirectly or directly target OT operations.”

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
