Ransomware Attacks on Industrial Organizations Surge in 2024, Dragos Report Reveals
Industrial cybersecurity firm Dragos has identified a sharp escalation in ransomware attacks targeting industrial organizations in 2024, with 1,693 entities found to have sensitive data exposed on ransomware groups’ leak sites. The firm’s OTICS Cybersecurity Report documents an 87% year-over-year increase in ransomware incidents against industrial sectors, alongside a 60% rise in attacks affecting operational technology (OT) and industrial control systems (ICS).
Manufacturing bore the brunt of the assault, accounting for 69% of all attacks (1,171 incidents across 26 subsectors). The second half of 2024 saw ransomware activity more than double compared to the first two quarters, though the reasons for the surge remain unclear. While Dragos did not observe ICS-specific ransomware variants, attackers disrupted production lines, compromised supply chains, and exfiltrated data for follow-on malicious activity. Many ransomware operators appeared to prioritize victims with low tolerance for downtime, exploiting OT environments to pressure faster payments.
Key Threat Actors and Tactics
The most active ransomware groups targeting industrial organizations included RansomHub, Fog, and LockBit3.0. RansomHub, which emerged in February 2024, rapidly expanded by absorbing affiliates from defunct groups like Cyclops and Knight, claiming over 300 victims across critical infrastructure. Fog targeted vulnerable remote services, while LockBit3.0 persisted despite a February 2024 law enforcement disruption (Operation Cronos).
Geopolitical tensions amplified the threat landscape, with hacktivist groups increasingly adopting ransomware tactics. Notable actors included Handala, Kill Security, and CyberVolk, which blended ideological motives with financial extortion. Dragos also noted a rise in opportunistic attacks leveraging remote tools, such as VPN exploits and exposed RDP sessions, with 65% of assessed sites exhibiting insecure remote access conditions, including default credentials and unpatched systems.
Regional and Sectoral Impact
North America suffered the highest concentration of attacks (984 incidents, 58% of the total), followed by Europe (419 incidents, 25%). Manufacturing remained the top target due to its vulnerability to downtime, but energy, transportation, and ICS vendors also faced significant threats. Dragos tracked nearly 80 ransomware groups in 2024, a 60% increase from 2023, with attacks averaging 34 industrial victims per week in the first half of the year, doubling in the second half.
Vulnerability Management Challenges
The report highlighted persistent gaps in OT security, including poor network segmentation and overreliance on outdated remote access policies. Organizations with strict IT-OT segmentation and tested offline backups recovered faster and avoided ransom payments, while those lacking these measures faced prolonged disruptions and higher remediation costs. Dragos emphasized a risk-based vulnerability management approach, noting that only 6% of OT vulnerabilities required immediate action (Now category), while 63% were high-priority (Next) and 31% posed minimal risk (Never).
However, inaccuracies in public advisories complicated prioritization: 22% of advisories contained incorrect data, 11% of CVEs had errors, and 7% were more severe than reported. Additionally, 70% of vulnerabilities resided deep within OT networks (Purdue Level 3.5 and below), making patching difficult without operational disruption.
Incident Trends and Weaknesses
Ransomware accounted for the majority of OT disruptions, with 25% of cases causing full site shutdowns and 75% resulting in partial operational halts. Exploitation of remote access, including VPNs and RDP, was a factor in 20% of incidents. Third-party vendors and contractors emerged as a major weak point, with some organizations unaware of all remote connections to their OT networks.
Dragos also observed a concerning trend of hacktivist groups incorporating ransomware into their operations, further blurring the lines between ideological and financial motives. The report underscored that sophistication was not always necessary for impact, as even low-skilled adversaries could disrupt critical infrastructure by targeting exposed OT environments.
Dragos, Inc. cybersecurity rating report: https://www.rankiteo.com/company/dragos-inc.