Ransomware attackers get targeted

By Janice Roberts

Zamani Ngidi, Principal Cyber Risk Consultant at Aon South Africa

Cryptocurrencies help ransomware industry flourish.

City Power announced yesterday that a ransomware attack left Joburg residents unable to buy electricity, highlighting the debilitating effects that a cyberattack can have.  By Friday 26 July, the systems were still not fully restored, and residents were left in the dark and frustrated. 

The increasing frequency and voracity of cyber concerns are mirrored in Aon’s 2019 Global Risk Management Survey where participants ranked cyberattacks and data breaches as #6 in the top 10 risks facing organisations today. Startling figures are changing business and public perceptions of cyberattacks and South African organisations of all sizes and industries are not immune to this scourge:

According to Zamani Ngidi, Principal Cyber Risk Consultant at Aon South Africa, South Africa will continue to see large-scale ransomware attacks that target admin credentials to gain access to, and infect, wider networks. “With the expected increase in ransomware attacks designed to spread through a network, organisations of all sizes and industry sectors urgently need to segment their networks. Companies that fail to do so will be impacted by ransomware attacks at a much larger scale than necessary. The bottom line is that any organisation, regardless of size, ownership or sector, that is reliant on technology and a network to conduct any aspect of its business is at risk.”

Attackers are also changing their tactics, utilising forms of benign malware—such as software designed to cause distributed denial-of-service (DDoS) attacks or launch display ads on thousands of systems—to unleash huge outbreaks of ransomware. Botnet operators will grant ransomware attackers access to botnet nodes in exchange for payments, allowing them to significantly expand the scope of a ransomware attack.

“While attackers will continue to launch scatter-gun-style attacks to disrupt as many systems as possible, we are also seeing increasing instances of attackers targeting specific companies and demanding ransomware payments proportional to the value of the encrypted assets. This can be quite significant in an event where cyber criminals manage to get their hands on sensitive and distinguishable client information, of which there have been ample, high-profile examples in South Africa,” says Zamani.

To achieve stronger returns in these targeted attacks, criminals will hit environments where access to data and systems is mission critical, such as hospitals, transportation companies and manufacturing companies. We also expect to see an increase in the use of ransomware to infect IoT devices, which come with a diminished set of security features by default to facilitate out-of-the-box functionality; users tend to maintain these original settings once the devices start functioning. Aon has already seen the Mirai botnet, which harnessed IoT devices to launch DDoS attacks, and anticipates that ransomware will infect smart thermostats and other smart devices.

In addition, cryptocurrencies will continue to support the flourishing ransomware industry overall, despite law enforcement becoming more advanced in their ability to trace attacks, for example, through bitcoin wallets.

According to Zamani, companies will have to go beyond the vital step of creating backups, to protect themselves. “Companies will need to utilise systems that can create snapshots in time or maintain multiple versions of files created over the course of the day, to enable restoration to a specific point in time prior to the backup with minimal loss of productivity. Security professionals will need to routinely test if their backups allow them to restore the data and files in a specific timeframe to ascertain the downtime the company can withstand if a ransomware attack is realised.”

“We will also see more companies recognising the need to implement the Principle of Least Privilege—limiting file access rights for users to the bare minimum permissions they need to perform their work to reduce the number of files that could be encrypted in the event of a ransomware attack. Advanced companies will grant employees only the access needed for the business activities of a specific function, rather than providing automatic access to everything,” he adds.

With perpetrators carrying out wide-scale, profitable, and disruptive attacks in recent years, the number of attackers, the volume of ransomware families, and the number of infections have increased dramatically. The trend is continuing, with attackers launching large-scale attacks, but also evolving their tactics to implement targeted attacks with demands for greater payments proportional to the value of the assets. This activity will be supported by the continued rise of cryptocurrencies.

The following questions from Aon will give an indication of how risk-ready your organisation is to face a ransomware attack:

  • When was the last time you reviewed your company’s patch management program? Your disaster recovery and business continuity plans?
  • Can you identify where all of your mission critical data resides and whether regular backups are being made?
  • Does your cyber insurance policy provide adequate coverage? Have you taken the necessary steps to ensure you will be eligible to make a claim if your company is impacted?
  • Have you communicated with employees about the latest phishing and social engineering techniques?
  • Do you have an incident response plan in place and has it recently been tested so everyone knows what to do in the event of an attack?
  • Are all necessary technical and procedural controls in place and operating properly?
  • Has your security posture recently been assessed and tested and have you acted on the results?

“Whether you are a big or small operator, your company’s ability to protect against and recover from ransomware attacks relies on implementing proactive technical measures and business continuity plans. That is why you need a qualified risk advisor by your side who is able to take your business through a comprehensive cyber risk assessment in order to mitigate the risk of unwarranted access to your most crucial data,” concludes Zamani.

