Kaspersky reports on next-level gamechangers in ransomware distribution and monetisation in South Africa, Kenya and Nigeria
As part of the analysis of the cybersecurity landscape in South Africa, Kenya and Nigeria in 2021, Kaspersky researchers have selected ransomware as the most dynamically changing type of threat. As the overall number of ordinary malware attacks in the region has decreased, ransomware operators have transformed their strategies to double extortion models and are shifting their activity focus from one region to another.
The double extortion model first emerged in 2020, when, in addition to the ordinary ransom demands for the decryption code for victims’ encrypted files, ransomware operators began to add a threat to publish the company’s papers online for everyone to see. In 2021, dark web forums or other platforms, including specifically created websites, saw the data of a significant number of double extortion ransomware victims disclosed.
The reason for this trend is that most companies now back up their data, so they are no longer interested in paying a large sum of money for the return of encrypted documents. In addition, the quarter-to-quarter analysis of 2021 shows that the three countries mentioned earlier are facing a so-called malware distribution migration. While it is common for cybercriminals to test malware in a certain country and then shift to another one, the ransomware operators in South Africa, Kenya and Nigeria seem to constantly circulate from one region to another: the moment one ransomware wave passes over one of the countries, the operator seems to quickly recall the operations and shift them to another region.
As a result, as one of the countries faces a rapid decrease in ransomware attacks, the other two experience a growth in such detections. In Q2 2021, for instance, Nigeria saw an unexpected 40% decrease, while South Africa and Kenya saw attacks grow by 23% and 6.9% respectively. However, regardless of the seasonal migration, South Africa remains the leader in the number of ransomware attacks detected by Kaspersky.
Maria Garnaeva, Senior Security Researcher at the Kaspersky ICS CERT team, believes that these trends should not be seen in a purely negative way.
“The fact that ransomware operators have to go out of their usual practices to extort money from African companies in the region is consequent to the fact that companies are increasing their levels of cybersecurity protection, so that fewer malware operators are succeeding in their attacks in the region,” she said.
“Ransomware operators now have to be more creative and invest in new ways with more resources in their attacks, to be successful. While the schemes are actually becoming more sophisticated, the overall number of successful malware attacks decreased and the overall level of security awareness in the region grew.”