A new ransomware regime is now targeting critical systems with weaker networks

The year 2024’s ransomware shake-up, fueled by law enforcement crackdowns on giants like LockBit, has shifted focus to critical operations, with major attacks this year hitting targets like Halliburton, TfL, and Arkansas water plant.

A Dragos study for the third quarter of 2024 highlighted a surge in activity from new groups like RansomHub, Play, and Fog, all exploiting VPN flaws and stolen credentials to gain footholds in critical systems using various living-of-the-land (LOTL) techniques.

“The shift from traditional financial extortion to operational sabotage, particularly by hacktivist personas, compounds ransomware risks,” said Dragos in a report. “This convergence of motivations further blurs the line between cybercrime and cyberwarfare, requiring enhanced defenses for ICS and OT environments.”