A ransomware survey by cybersecurity awareness platform KnowBe4 took a deep look into the South African market, finding that ransomware and cybercrime are increasingly impacting organisations on the continent.
While many companies (32%) were attacked in 2021, some multiple times (12%), 64% of organisations believe they are prepared, and 67% would not pay the ransom.
According to Anna Collard, SVP Content Strategy & Evangelist at KnowBe4 Africa, the South African market with its growing economy and cyber dependence, is becoming increasingly tasty as a cyber extortion snack.
“It is natural for cybercriminal organisations to look at emerging economies for future attacks, as they are often not as prepared as the rest of the world,” she adds. “Many South African sectors have a high cyber dependence and, as we have seen with recent attacks, such as the Department of Justice (DoJ) and Transnet, successful ransomware attacks have a direct impact on economy and infrastructure. Right now, organisations need to collaborate to increase preparedness.”
This preparedness starts with understanding the landscape and recognising how successful extortion attacks can fundamentally impact the business bottom line, and the public sector’s service delivery.
The public sector is concerned about its lack of preparedness – only 30% of the respondents in the public sector believed they were prepared enough – when it comes to cybersecurity training and systems, and this is one sector that cannot afford to lose money to a hack. The recent DoJ hack saw thousands of people affected, many in very dehumanising ways, as systems could not process death certificates, manage child support payments and effectively handle court proceedings. This is just one example of how long the tail of extortion crime can be.
“Ransomware, along with other types of extortion cybercrime, require a systemic response that is designed to prevent and mitigate its impact,” says Collard. “Along with understanding how poor security and training can impact the business or public sector services, it is important to recognise how the process works and how professional these organisations have become.”
Companies held to ransom are sent to “shaming sites” where they are then met with a landing page that has a countdown timer – how long they have to pay– and the amount they need to pay. They can then engage with the criminals to negotiate the ransom, receive payment instructions and get their data returned to them or a promise from the criminals that they will not release the stolen data.
The entire kill chain, from start to finish, follows a number of steps. First, one group is used to undertake the initial attack typically by using social engineering tactics such as phishing or by using insecure Microsoft Remote Desktop (MRDP) connections, password guessing or the exploitation of a software weakness to gain access to the network.
Once inside, they move laterally across the environment, exfiltrating and encrypting as much data as possible. To add extra pressure, attacks can also include backup destruction, bribing of internal employees or combining the extortion with the threat of taking down systems via distributed denial of service attacks. Finally, negotiation for the ransom is handled by the ransomware operator.
“There are at last two parties involved in a typical case – the operators and their affiliate partners,” says Collard. “Once the payment has been verified, the victim is sent the decryption tool and regains access to their data.”
Research by Orange Cyber Defense has found that even though there are some countries and sectors that appear to be the most often attacked, there are victims in every country and sector.
The U.S., Canada, France, UK, Germany and Italy are the most often attacked due to victim attractiveness following national GDP. Industries most consistently tracked on leak sites were manufacturing followed by professional scientific services and sectors with a strong reliance on technology.
“It does not matter what sector or country you are in, what matters is how weak your defences are,” concludes Collard. “In South Africa, it is becoming incredibly important for companies to adequately prepare against this growing cyber extortion threat.”