More than 600 ransomware incidents reported across industrial sectors in Q4 last year

Threats continue to increase from Q3 levels, with manufacturing being the most targeted industry.

New research from leading industrial cybersecurity solutions provider Dragos has revealed there were more than 600 ransomware incidents across industrial sectors during the final quarter of 2024, with threats increasing from Q3. Manufacturing remains the most targeted sector, seeing 70% of global ransomware attacks across industrial sectors (424 observed incidents) during Q4 2024.

The final quarter of 2024 saw an uptick in global ransomware activities across all industrial sectors. Q3 (July-September) saw the number of ransomware incidents exceed the 550 mark. With Q4 exceeding 600 incidents, ransomware’s popularity as an attack method continues to increase.

Throughout Q4 2024, newly branded or rebranded ransomware groups proliferated. Several leveraged leaked source code or formed partnerships with established adversaries, rapidly adopting advanced tactics, techniques, and procedures (TTPs). In addition, many public resources indicated that nation-state adversaries openly aligned with ransomware operators, obscuring distinctions between financially driven and geopolitically oriented attacks. Collectively, these developments underscore a convergence of operational and strategic interests, resulting in increased theft of sensitive industrial data and both intended and unintended disruptions to industrial operations, ultimately causing prolonged downtime, safety risks, and financial losses for affected organizations.

Some key industry findings from the final quarter of 2024:

• The manufacturing sector remained the most impacted sector, with 424 observed incidents, accounting for 70% of all ransomware activity.

• Industrial control systems (ICS) equipment and engineering experienced 58 incidents, representing 10% of total activity.

• The transportation sector encountered 69 incidents (around 11%).

• Oil and natural gas (ONG) recorded 19 incidents (~3%).

• Government and water sectors each faced 5 incidents (~1% each).

• Mining reported 4 incidents.

• The renewables sector faced 3 incidents.

• Datacentres experienced 2 incidents.

Ransomware incidents in the fourth quarter of 2024 continued to vary by region, with North America remaining the most frequently targeted area:

• North America: 308 reported incidents (approximately 51% of global ransomware activity). The United States accounted for most of these attacks.

• Europe: 168 incidents (approximately 28% of global ransomware activities). The United Kingdom, Germany, and Italy remained top targets, with attacks primarily affecting manufacturing and transportation.

• Asia: Approximately 70 incidents (about 12% of global ransomware activities).

• South America: 19 incidents (approximately 3% of global ransomware activity). Brazil registered most attacks in the region, with most operations focusing on food and beverage manufacturing and transportation systems.

• Middle East: 13 incidents, roughly 2–3% of global ransomware events.

• Oceania: 14 total incidents (nearly 2–3%). Australia and New Zealand were the primary targets.

• Africa: 7 incidents, representing under 2% of global incidents. South Africa and Tunisia accounted for the most reported attacks.

During Q4 2024, ransomware groups shifted tactics and alliances at a rapid pace. Established operators such as RansomHub, LockBit3.0, and Play retained their dominance, while newly emerged or rebranded threats utilised modern infiltration methods and affiliate networks. Their focus on IT vulnerabilities, including unpatched VPN appliances, firewall firmware, and backup management solutions, led to operational disruptions in industrial environments. The industrial sector, particularly the manufacturing, transportation, and ICS equipment and engineering sectors, remained a primary target as adversaries employed advanced tactics and leveraged weaknesses in remote access solutions and credential practices.

Organisations should prioritise key cybersecurity measures such as enforcing multi-factor authentication (MFA), monitoring critical ports, maintaining offline backups, and strengthening remote access controls. In addition, enhanced personnel training and periodic network architecture reviews are vital for staying ahead of continually adapting ransomware techniques.

As the ransomware ecosystem continues to fragment and adapt, proactive defences, threat intelligence sharing, and collaborative mitigation efforts will be essential to safeguarding critical infrastructure and industrial operations into the next quarter and beyond. 
