
Ransomware gangs have eyes on the UAE, with more tricks up their sleeves

Ransomware is very popular with cybercriminals. It makes them richer and allows them to put together resources and marketing techniques to promote their illicit activities. The UAE is an active ransomware market.

  • 78% in the UAE indicated they had been impacted by ransomware in 2020
  • Almost 50% in the UAE said their organizations fall short in one or more critical areas of email security systems
  • Infamous ransomware gangs behave like fully-fledged online service providers

Ransomware is very popular with cybercriminals. It makes them richer and allows them to put together resources and marketing techniques to promote their illicit activities against public and private companies.

Yet the response from corporations has been lackluster and this is costly, as the UAE comes to grips with these attacks.  

UAE ransomware

Mimecast Limited, a leading email security and cyber resilience company, recently announced the publication of its “The State of Email Security” report.  

A full 86% of respondents indicated their companies had experienced a business disruption, financial loss, or other setbacks in 2020 due to a lack of cyber preparedness. Respondents identified ransomware as the chief culprit behind these disruptions. 

78% in the UAE indicated they had been impacted by ransomware in 2020, a massive increase from 66% of companies reporting such disruption in 2019’s report. 

Companies impacted by ransomware lost an average of six working days to system downtime, with 29% of the companies in the UAE saying downtime lasted one week or more.

43% of ransomware victims paid threat actor ransom demands, but only 44% of those were able to recover their data. More than half (56%) never saw their data again, despite paying the ransom.

“Paying ransom also makes companies an attractive target for subsequent attacks, since they’ve demonstrated they’re willing to pay,” said Josh Douglas, Vice President of Threat Intelligence.

Mimecast’s report also revealed that companies aren’t doing well in the area of threat prevention. As many as half of those surveyed in the UAE said their organizations fall short in one or more critical areas of email security systems (compared to 40% globally), leaving employees open to phishing, malware, business email compromise, and other attacks. 

“So many companies are rapidly adopting digital office models and leaving employees untrained and unprotected in this highly distributed digital environment,” added Josh Douglas.

The Sophos report

Sophos, a global leader in next-generation cybersecurity, today announced the findings of its global survey, “The State of Ransomware 2021,” which reveals that the average total cost of recovery from a ransomware attack has more than doubled in a year, increasing from $761,106 in 2020 to $1.85 million in 2021. The average ransom paid is $170,404. The global findings also show that only 8% of organizations managed to get back all of their data after paying a ransom, with 29% getting back no more than half of their data.

The main findings of the State of Ransomware 2021 for the UAE:

  • Around 38% of respondents from the UAE had experienced a ransomware attack in the last 12 months, down from 49% in 2020
  • The number of organizations in the UAE that had data encrypted as the result of a significant ransomware attack dropped to 50% in 2021, down from 78% in 2020
  • The average cost of remediating a ransomware attack in the UAE was US$517,961 in 2021, compared to $696,305 in 2020

Remote work a haven for cybercriminals

Jeremy Fleming, director of GCHQ, the UK’s intelligence and cyber agency, warned how hostile nation-states are looking to exploit the digital realm to conduct cyberattacks, including attempts to steal coronavirus research and exploit supply chains with malware and phishing attacks.

The rise in remote working has provided cybercriminals with additional avenues to gain initial access to networks as they exploit remote desktop services and VPNs. 

There are cybersecurity procedures that can help make networks more resilient against attacks.

They include avoiding the use of default login credentials while also adding two-factor authentication to help secure user accounts.

Organizations should also apply security patches and updates as soon as possible after they’re released, to stop cybercriminals from exploiting known vulnerabilities as part of attacks.


Gangs advertising in broad daylight

Kaspersky said that the methods cybercriminals use to distribute ransomware have changed dramatically. While a few years ago they would spread encrypted files on a large scale, today their ransomware attacks have become more focused. Now, fraudsters research each target in detail, looking for additional leverage.

Infamous ransomware gangs behave like fully-fledged online service providers, using traditional marketing techniques. Kaspersky experts have identified clear examples of this transformation, using the DarkSide ransomware gang as an example.

1- DarkSide actively establishes contact with the press. On their website, there’s a semblance of a press center set up to enable journalists to ask questions and receive first-hand information, and to learn about upcoming publications of stolen information in advance. In fact, DarkSide operators strive to get as much resonance in the networks as possible.

2- Ransomware groups collaborate with decryption companies. This is evident because many state-owned companies are prohibited from entering negotiations with cybercriminals. This has created a demand for such intermediaries, who provide legitimate data decryption services.

3- DarkSide claims to donate part of their income to charity in an attempt to discourage people from fighting them.

4- Before publishing information, cybercriminals study the contacts of the company and identify well-known customers, partners and competitors. The main purpose of this is to maximize target damage, to intimidate victims and to increase the chances of getting a ransom.

Targeted ransomware 

From 2019 to 2020, the number of Kaspersky users encountering targeted ransomware, which is used to extort money from high-profile targets such as corporations, government agencies, and municipal organizations, increased by 767%.

Some of the most prolific targeted ransomware families during this time were Maze, the infamous group involved in several loud incidents, and RagnarLocker, also covered in the news. Both of these families began the trend of exfiltrating data in addition to encrypting it, and of threatening to make the confidential information public if the victims refused to pay.

Despite the rise in targeted ransomware, the ransomware family most frequently encountered by users is still WannaCry, the ransomware Trojan that first appeared in 2017 and led to damages of at least $4 billion across 150 countries.  

“The ransomware landscape has fundamentally changed. We’ll most likely see fewer and fewer widespread campaigns targeting everyday users. The primary focus will likely continue to be on companies and large organizations, and that means ransomware attacks will continue to become more sophisticated and more destructive,” comments Fedor Sinitsyn, a security expert at Kaspersky.