As part of the analysis of the cybersecurity landscape in South Africa, Kenya and Nigeria in 2021, Kaspersky researchers have selected ransomware as the most dynamically changing type of threat. As the overall number of ordinary malware attacks in the region has decreased, ransomware operators have moved to double extortion models and are shifting the focus of their activity from one region to another.
The double extortion model first emerged in 2020, when, in addition to the ordinary ransom demand for the decryption code for victims' encrypted files, ransomware operators began to threaten to publish the company's papers online for everyone to see. In 2021, dark web forums or other platforms, including specifically created websites, saw the data of a significant number of double extortion ransomware victims disclosed.
The reason for this trend is that most companies now back up their data, so they are no longer interested in paying a large sum of money for the return of encrypted documents. In addition, the quarter-to-quarter analysis of the 2021 ransomware threat landscape has shown that the three countries mentioned earlier are facing a so-called malware distribution migration. While it is common for cybercriminals to test malware in a certain country and then shift to another one, the ransomware operators in South Africa, Kenya and Nigeria seem to circulate constantly from one region to another: the moment a ransomware wave passes over one of the countries, the operator seems to quickly pull back the operations and shift them to another region.
As a result, while one of the countries faces a rapid decrease in ransomware attacks, the other two experience growth in such detections. In Q2 2021, for instance, Nigeria saw an unexpected 40% decrease, while South Africa and Kenya saw attacks grow by 23% and 6.9% respectively. However, regardless of the seasonal migration, South Africa remains the leader in the number of ransomware attacks detected by Kaspersky.
Maria Garnaeva, Senior Security Researcher at Kaspersky ICS CERT team, believes that these trends should not be seen in a purely negative way: “The fact that ransomware operators have to go out of their usual practices to extort money from African companies in the region is consequent to the fact that companies are increasing their levels of cybersecurity protection, so that fewer malware operators are succeeding in their attacks in the region. Ransomware operators now have to be more creative and invest in new ways with more resources in their attacks, to be successful. While the schemes are actually becoming more sophisticated, the overall number of successful malware attacks decreased and the overall level of security awareness in the region grew.”
To protect your company from ransomware, Kaspersky experts recommend that you:
- Always keep software updated on all the devices you use to prevent ransomware from exploiting vulnerabilities.
- Focus your defence strategy on detecting lateral movements and data exfiltration to the Internet. Pay special attention to outgoing traffic to detect cybercriminal connections.
- Back up data regularly. Make sure you can quickly access it in an emergency when needed.
- Carry out a cybersecurity audit of your networks and remediate any weaknesses discovered in the perimeter or inside the network.
- Explain to all employees that ransomware can easily target them through a phishing email, a shady website or cracked software downloaded from unofficial sources. Ensure staff remain vigilant at all times and check their knowledge with tests.
- Along with proper endpoint protection, dedicated services can help against high-profile ransomware attacks. Kaspersky Managed Detection and Response proactively hunts for attacks and helps to prevent them in early stages, before attackers reach their final goals.