Dragos: 125 ransomware attacks on industrial systems in Q2 after Conti shutdown

Ransomware attacks on industrial systems continued unabated in the second quarter of the year according to data collected by security company Dragos, which counted 125 incidents during that time.

In a report on Tuesday, Dragos researchers said that while there was a minor decline in ransomware attacks on industrial systems in the quarter due to the Conti ransomware group closing shop, several attacks had devastating effects. 

The LockBit ransomware group encrypted over 1,200 servers during a May attack on a Foxconn factory in Mexico, causing the factory to shut down for several weeks, according to Dragos. 

One of the newer ransomware groups, Black Basta, was named as the culprit behind a May attack on agricultural equipment manufacturer AGCO that crippled the company’s operations for weeks, Dragos found.

Through publicly disclosed incidents, network telemetry, and dark web postings, the company tracks 43 different ransomware groups, noting that only 23 groups were active in the second quarter. The 125 attacks tracked by the firm was less than the 158 seen in the first quarter. Dragos attributed the decline to the shutdown of Conti, which previously accounted for about 25% of attacks on industrial organizations and infrastructures that they tracked.


Nearly 40% of all ransomware attacks on industrial organizations and infrastructures took place in Europe during the second quarter, with North America coming in second with 36 incidents. There were about 32 incidents in Asia and other attacks across South America, the Middle East and Africa. 

According to Dragos data, 86 attacks targeted systems at manufacturing organizations while 10 were aimed at the food and beverage industry as well as energy companies. When broken down, most attacks on the manufacturing industry involved automotive companies, metal products organizations and others working with building materials and clothing. 

The attacks on manufacturing companies also had several downstream effects on other organizations that rely on materials and goods produced by these factories. 

“Analysis of ransomware data shows Lockbit 2.0 made 33 percent of the total ransomware attacks in Q2; Conti comes in next with 13 percent; Black Basta made 12 percent; Quantum made 7 percent; AlphaV and Hive made 4 percent each,” Dragos researchers said.

“Lockbit 2.0 maintained the same number of ransomware incidents as last quarter, showing that the group continues to maintain the same level of operation. Whereas the Conti, Lockbit 2.0, and Black Basta groups continue to target different sectors of industrial organizations, most of the victims are within the manufacturing sector.”

Dragos found several other trends in the quarter related to what organizations each ransomware group targeted, noting that LockBit was the only group that went after the pharmaceutical, mining, and water treatment sectors.

Black Basta, Ransomhouse, and Everest only targeted entities in the U.S. and Europe while several groups – LAPSUS$, CL0P LEAKS, and Rook – were not seen at all throughout Q2.


For the third quarter, Dragos said it expected ransomware groups to continue targeting industrial operations, either "through the integration of OT kill processes into ransomware strains, flattened networks allowing for ransomware to spread into OT environments, or through precautionary shutdowns of OT environments by operators to prevent ransomware from spreading to OT systems."

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles

Jonathan Greig

Jonathan Greig

is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.