Industrial cybersecurity firm Dragos reported that it has identified 1,693 industrial organizations with sensitive data exposed on various ransomware groups’ dedicated leak sites (DLS). The firm also revealed an 87 percent increase in ransomware attacks against industrial organizations over the past year. Additionally, Dragos noted a 60 percent rise in ransomware groups affecting OT/ICS (operational technology/industrial control systems) in 2024. Notably, 69 percent of all ransomware attacks targeted 1,171 manufacturing entities across 26 distinct manufacturing subsectors, making manufacturing the primary ransomware target, with over 50 percent of attacks, 1,171 incidents in total.
In its ‘OT/ICS Cybersecurity Report,’ Dragos identified that these ransomware attacks more than doubled in the second half of 2024 compared to the first two quarters, while the reasons behind this surge remain unclear. Although Dragos did not observe any specific ICS-tailored ransomware variants in 2024, ransomware adversaries did halt production lines, impair supply chains, and exfiltrate sensitive data that could easily be used in follow-on malicious activity. The firm assessed that ransomware operators in 2024 likely implemented some level of victim selection with a preference towards organizations with a low tolerance for downtime.
“We’ve also seen ransomware groups hitting industrial control systems, not because they seem to have expertise there or care, but because they see, hey, this weird stuff on that side of the network when we hit it, these companies are paying more and paying faster because we’re impacting in the revenue,” Robert Lee, CEO and co-founder at Dragos, said in a briefing call last week. “And so it’s a feedback loop of if criminals can do something that gets them paid faster and more they’re gonna do it.”
Lee noted an increase in targeting OT due to the feedback loop, even by actors unfamiliar with or indifferent to OT. “We’ve seen some groups explicitly target OT because it is industrial control systems and going after it with knowledge about those systems. So we’ve seen both.”
Dragos observed that the cybersecurity threat landscape in 2024 was significantly influenced by rising geopolitical tensions and their impact on industrial operations worldwide. From sustained campaigns by well-established threat groups to opportunistic attacks by hacktivists and ransomware operators, adversaries are increasingly recognizing OT/ICS environments as viable targets to achieve their objectives.
It added that for ransomware operators, this has meant targeting manufacturing environments where downtime directly pressures victims to pay ransom. “For hacktivists, targeting OT offers a fast and disruptive way to amplify their messages. These attacks reinforce a crucial reality: sophistication is not always necessary to achieve impactful outcomes, and the proliferation of adversaries amplifies the overall risk.”
Dragos reported that the most active ransomware groups against industrial organizations were RansomHub, Fog, and LockBit3.0. Notably, RansomHub quickly escalated activities starting in February 2024 by attracting ransomware affiliates from Cyclops and Knight. They claimed more than 300 victims across multiple critical infrastructure sectors in 2024. Fog similarly expanded their operations into industrial sectors as 2024 went on, and they were also one of the primary ransomware groups observed targeting vulnerable remote services and appliances. LockBit3.0 operations were disrupted by the international law enforcement effort ‘Operation Cronos’ in February 2024, but they were resilient and remained a viable threat to industrial organizations throughout the year.
The Hanover, Maryland-headquartered firm noted that manufacturing remains the top target for ransomware attacks against industrial organizations, as ransomware groups know that even brief disruptions can cause significant financial and logistical fallout, putting safety at risk and making manufacturers more likely to pay.
Other industrial sectors, including energy, transportation, and ICS vendors, also remain high on the list as ransomware groups refine their tactics to maximize pressure and impact. With these threats showing no sign of slowing, organizations must prioritize resilience, proactive defenses, and incident response readiness.
The report disclosed that ransomware attacks against industrial organizations are not evenly distributed, and certain regions bear the brunt due to geopolitical tensions, economic incentives, and adversary focus. North America accounted for 984 attacks – 58 percent of all cases. Europe followed with 419 attacks, making up 25 percent of the total. Understanding these regional patterns is key to strengthening defenses, anticipating future threats, and ensuring security strategies align with real-world risks.
Dragos tracked nearly 80 ransomware groups in 2024, a 60 percent increase from the 50 groups observed in 2023. Collectively, these groups attacked an average of 34 industrial organizations per week during the first half of 2024, while that number more than doubled during the second half of the year.
In the 2024 ransomware threat landscape, Dragos identified two significant trends: firstly, ransomware attackers increasingly utilizing remote tools and services, and secondly, the merging of geopolitics, hacktivism, and ransomware activities.
Also, of the ransomware incidents Dragos responded to in 2024, victim organizations that enforced strict network segmentation between IT and OT systems and conducted offline backup testing significantly shortened their recovery times and avoided paying the ransom. Conversely, organizations that did not employ network segmentation and had poorly secured remote access pathways saw lengthier recovery times, more involved incident response efforts, more severe production downtime, and increased remediation costs.
“In 2023 and into early 2024, Dragos observed a trend of hacktivist groups, or self-proclaimed hacktivist groups, actively targeting and achieving Stage 2 of the ICS Cyber Kill Chain against industrial organizations and critical infrastructure and services worldwide,” Dragos reported. “A new concerning evolution in the hacktivism threat landscape emerged in 2024, with hacktivist and self-proclaimed hacktivist groups employing ransomware as part of their operations against a variety of targets.”
Three notable hacktivist groups were actively using ransomware within their operations in 2024 – Handala, Kill Security, and CyberVolk.
Throughout 2024, Dragos Incident Response mainly observed three kinds of incidents – ransomware compromise, operational errors, and legacy malware infection. Incidents involving ransomware or operational errors led to either partial or full disruption to OT operations. Incidents with legacy malware led to weakened security posture and continue to be a problem in OT environments.
The report added that ransomware compromises leading to either partial or full disruption of OT operations made up the largest volume of incidents. 25 percent of the ransomware cases involved a full shutdown of an OT site, and 75 percent involved disruption to operations to some degree. 20 percent of incidents involved exploitation of remote access, including VPN exploits, remote access applications, and RDP from corporate.
Dragos disclosed that 65 percent of sites assessed had insecure remote access conditions, including default credentials, unpatched VPNs, and exposed RDP sessions. Third-party vendors and contractors continue to be a major weak point, with some organizations unaware of all remote connections to their OT networks. Many OT environments still rely on outdated ‘trust-based’ remote access policies, instead of role-based, monitored, and segmented access controls.
Addressing vulnerabilities, Dragos assessed that while third-party components enhance the capabilities of OT systems, they can introduce vulnerabilities that compromise overall security. These components, often unknown to end-users, are created by external entities and can impact the functionality of the products they support. While vendors may keep their products updated, vulnerabilities in third-party components can remain unaddressed, necessitating proactive strategies like vulnerability management and Software Bill of Materials (SBOM) implementation to mitigate risks. Ultimately, resolving these issues often relies on third-party creators to provide fixes.
Managing vulnerabilities in OT environments requires a risk-based approach, rather than traditional IT patching strategies. The ‘Now, Next, Never’ vulnerability management framework helps organizations prioritize risks based on their real-world impact and exploitability in industrial operations.
The report identified that many organizations still treat OT vulnerabilities like IT vulnerabilities, failing to apply risk-based prioritization to focus on real-world threats. Dragos reported that six percent of OT vulnerabilities fall into the ‘Now’ category, which marks critical issues requiring immediate remediation, often due to active exploitation, significant impact, or direct exposure. 63 percent of OT vulnerabilities fall into the ‘Next’ category, covering high-priority issues that should be addressed in a planned timeframe to reduce risk before attackers exploit them, and 31 percent fall into the ‘Never’ category, covering low-priority vulnerabilities that do not pose an immediate risk and should not be a focus of remediation unless circumstances change.
In 2024, 22 percent of advisories researched contained incorrect data, which can prevent accurate prioritization for patch management and mitigation; 11 percent of Common Vulnerabilities and Exposures (CVEs) had errors in them, which makes it more difficult to prioritize correctly; seven percent were more severe than the public advisory; and three percent were less severe than reported.
Dragos reported that some advisories alerted asset owners to a problem without a solution. Also, 70 percent of vulnerabilities identified were deep within OT networks, making them difficult to patch without disrupting operations, meaning that devices associated with the vulnerabilities were Purdue Level 3.5 and below, closer to the process. 22 percent of network-exploitable vulnerabilities were perimeter-facing, providing adversaries with a direct attack path into OT environments.
Lee observed that many vulnerabilities are viewed through CVSS, a scoring mechanism from the IT world that describes the exploitability of a vulnerability. “It doesn’t talk about the risk of it, but exploitability. And in IT if something is highly exploitable, it’s probably worth paying attention to. But in the world of OT just because it’s exploitable doesn’t mean you can do anything with it,” he added.
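To make the ‘Now, Next, Never’ prioritization and Lee’s point about CVSS concrete, here is an added example (not Dragos code) that triages constructed OT vulnerability records. The decision rules, the `OtVuln` fields and the placeholder CVE identifiers are assumptions drawn from the category descriptions above: a high CVSS score on its own never promotes a finding to ‘Now’; perimeter exposure, active exploitation or loss of control does.

```python
"""Now/Next/Never triage over constructed OT vulnerability records.

Added example, not Dragos code. The rules below are an assumption based
on this article's category descriptions, not the firm's exact criteria.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class OtVuln:
    cve: str                 # constructed placeholder identifier
    cvss: float              # IT exploitability score, not an OT risk score
    actively_exploited: bool
    perimeter_facing: bool   # reachable from outside the OT perimeter
    purdue_level: float      # 3.5 (DMZ) and below sit deep in the OT network
    network_exploitable: bool
    process_impact: str      # "loss_of_control", "loss_of_view" or "none"


def triage(v: OtVuln) -> str:
    """Assign one of 'Now', 'Next' or 'Never'; CVSS is deliberately unused."""
    if v.actively_exploited or v.perimeter_facing or v.process_impact == "loss_of_control":
        return "Now"          # direct exposure, active exploitation or significant impact
    if v.network_exploitable or v.process_impact == "loss_of_view":
        return "Next"         # fix in a planned window before it is exploited
    return "Never"            # no immediate risk; revisit only if circumstances change


def summarize(vulns: list[OtVuln]) -> dict[str, list[str]]:
    """Group CVE identifiers by bucket so the split can be reported like the article's figures."""
    buckets: dict[str, list[str]] = defaultdict(list)
    for v in vulns:
        buckets[triage(v)].append(v.cve)
    return dict(buckets)


def deep_count(vulns: list[OtVuln]) -> int:
    """Findings on devices at Purdue Level 3.5 and below, i.e. hard to patch without downtime."""
    return sum(1 for v in vulns if v.purdue_level <= 3.5)


# Constructed sample findings; identifiers are placeholders, not real CVEs.
SAMPLE = [
    OtVuln("CVE-XXXX-0001", 9.8, False, True, 3.5, True, "none"),            # unpatched perimeter VPN
    OtVuln("CVE-XXXX-0002", 9.8, False, False, 2.0, False, "none"),          # local-only HMI bug, high CVSS
    OtVuln("CVE-XXXX-0003", 6.5, False, False, 1.0, True, "loss_of_view"),   # network-reachable controller
    OtVuln("CVE-XXXX-0004", 7.2, True, False, 2.0, True, "loss_of_control"), # exploited in the wild
    OtVuln("CVE-XXXX-0005", 4.3, False, False, 3.0, False, "none"),          # low impact, no network path
]

if __name__ == "__main__":
    print(summarize(SAMPLE), deep_count(SAMPLE))
```

The second record shows the gap Lee describes: a 9.8 CVSS finding that is neither network-reachable nor able to affect the process lands in ‘Never’, while the 9.8 perimeter-facing VPN lands in ‘Now’.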
In conclusion, the Dragos report highlights the critical need for strong cybersecurity measures in organizations, urging updates to OT incident response plans and annual attack surface analyses to protect vulnerable network gateways. It emphasizes the importance of increased visibility and monitoring to detect threats, as well as scrutinizing remote access points to mitigate risks. Additionally, a strategic approach to vulnerability mitigation is essential, focusing on real-world threats and ensuring a thorough understanding of CVEs to maintain control over processes.