by Taimur Ijlal

The true cost of ransomware in the Middle East

Sep 14, 2021

The Middle East is especially vulnerable to ransomware because enterprises in the region have had relatively little experience with remote work and off-premises data storage. The nature of such attacks has also evolved.


Criminals go where the money is, as the old saying goes, and nowhere is this more true than in cyber-crime. As more and more criminals successfully extort organisations into paying them huge sums of money under the threat of bringing down their businesses, extortion-based cyber-attacks are skyrocketing, with ransomware leading the pack.

A recent midyear report from Check Point highlighted that ransomware attacks have increased by 93% in 2021 compared to the same period last year, with the Europe, Middle East and Africa (EMEA) region seeing some of the highest growth.

Other security firms report similar findings. In its latest The State of Ransomware 2021 report, for example, Sophos reported that 38% of the UAE tech executives polled said they were attacked with ransomware during the past year.

The Middle East is vulnerable to ransomware

Attackers using ransomware are taking advantage of newly remote workers as well as more sophisticated hacking techniques. The Middle East is especially vulnerable to ransomware because, until recently, enterprises in the region have had relatively little experience with remote work and off-premises data storage.

The nature of such attacks has also evolved: wide, sweeping automated attacks are being replaced by more focused, manual attacks that have a much larger impact and potential for damage. Additionally, even DDoS attacks, which are dangerous in and of themselves, are now being used as mere covers for distracting security teams while companies are infected with ransomware.

It is not just organisations themselves that are at risk from ransomware, as attackers have woken up to the exponential damage that can be done by targeting an organisation's supply chain instead of individual companies.

By exploiting the existing trust relationships between a company and its partners, cyber-criminals are able to cast a much wider net and greatly increase the attack surface, as was demonstrated by the recent SolarWinds attack, which hit several Middle Eastern countries.

Although supply chain attacks have always existed as a risk, this new "triple extortion" technique of steal, extort and target the supply chain has been surging. Organisations in the Middle East will need to assess and establish a strategy for dealing with the fallout of such attacks should their critical supply chain partners be hit.

The risk is not restricted to lost reputation and money, as ransomware can have massive implications for national security. An attack similar to the recent Colonial Pipeline ransomware attack in the US, one of the most disruptive attacks on record, has the potential to cause huge damage to the Middle East economy and directly impact its economic growth should it happen here.

Does it pay to pay a ransom?

In its 2021 ransomware report, Sophos surveyed more than 5,000 senior-level decision makers globally and highlighted that the average ransom paid by businesses was US$170,000, while the average cost of recovering from such an attack has doubled from last year to $1.85 million.

While it may be tempting to simply pay the attackers and quickly get your data and systems back, giving in to their demands is not worth it in the long term. Even though remediation costs over 10 times more than paying the attackers, the sad reality is that only 8% of organisations that paid got back all of their data, which shows that paying the ransom simply does not make sense.

While recovery from a ransomware attack can span years because of the remediation efforts required, taking the short cut simply is not worth it, which matters given that the Sophos report shows that over 28% of organisations in the Middle East paid a ransom. Paying the ransom only creates a vicious loop in which attackers are motivated to keep on targeting organisations and refining their attacks with no consequences for their actions.

How to protect against ransomware

Given the rapid spread of such attacks, CISOs in the Middle East should assume that their organisations, regardless of their size or sector, are already a target, and make sure proper technical and administrative controls are in place to protect their assets in the event of a ransomware attack. Some of the key tips to follow are listed below:

  • "Defence in depth" is not a cliché: Intelligently layering your security stack is the key to an effective ransomware strategy. CISOs need to ensure that, in addition to having systems patched and protected with the latest zero-day malware protections, their teams are also trained and aware of the latest ransomware tactics. Security Operations Centres (SOCs) should be implemented and empowered with threat intel and hunting tools to find weak points before an attacker does.
  • Test, test, test! None of the controls listed above will matter if their efficacy is not tested before an actual attack happens. While most CISOs do invest in red team and blue team exercises, in which red teams simulate attackers and blue teams try to stop them, these might not give a proper picture of your security controls given the size and spread of most companies' technology footprint. In addition to running periodic red team / blue team tests, CISOs can look into breach-and-attack simulation systems for automating continuous attacks against the organisation's controls and getting an updated, objective assessment of their posture.
  • Backups can save the day: In the worst-case scenario, having a proper backup strategy defined can be the key difference between recovering from a ransomware attack and a complete shutdown of operations. The industry-defined best practice of 3:2:1 (three sets of backups on two different media, one of which is offline) can be an effective strategy to counter a ransomware incident, provided it is deployed and tested properly. The offline backup in particular has to be disconnected from the network and stored either physically separate or with a cloud provider, given that ransomware actively searches for storage devices connected to the affected network.

The future of ransomware

The success rate of recent attacks means that the Pandora's box of advanced ransomware has now been opened, and the fact that the Biden administration has gotten directly involved in trying to prevent future attacks similar to the Colonial Pipeline one is enough to demonstrate the impact these ransomware attacks can cause. Ransomware is now a matter of national security, and with the Middle East at the forefront of using digitisation to enhance its economic roadmaps, attackers are aware of the ability of ransomware to disrupt such plans.

In its midyear report, Check Point forecast that ransomware will continue to grow despite the added attention from governments and law enforcement, as attackers will also evolve and improve their tactics via advanced tools and automation. CISOs in companies across sectors and sizes will need to treat ransomware attacks against their environments and their supply chains as a confirmed reality so that they can put the required controls in place and prevent long-lasting damage to their roadmaps.

(Taimur Ijlal is an information security and data protection professional with more than 18 years of experience in cybersecurity, enterprise risk assessment and cloud technology.)