How to survive the rising tide of ransomware attacks in the Middle East

Ransomware is on the rise worldwide this year as cybercriminals take advantage of newly remote workers, growing pools of data, and more sophisticated hacking technology. The Middle East, a region that until recently has had relatively little  experience with remote work and off-premises data storage, has been vulnerable  to this growing tide of cybercriminality.

Globally, there has been an incredible 715 percent rise in detected and blocked ransomware attacks since 2019, according to security company Bitdefender, and experts believe that a ransomware attack will take place every 11 seconds by 2021. In the Middle East, there were 2.57 million phishing attacks between April and June of this year alone, security firm Kaspersky has reported. Phishing, a preferred tool of black hat hackers, has seen a 600 percent increase in the UAE since February, and Saudi Arabia saw 973,061 phishing attacks, the most in the region, in the same period, Kaspersky said.

Veritas Technologies

“There are two essential kinds of ransomware which are circulating all over the MENA [Middle East and North Africa] region,” said Johnny Karam, vice president of emerging markets at Veritas Technologies. “The most widely recognized sort today is crypto-ransomware, which expects to scramble individual data, information, and records. The other, known as locker ransomware, is intended to lock the system, preventing victims from utilizing it.”

On July 6 and July 9, 2020, two state-run organizations in the Middle East and North Africa reportedly suffered a simultaneous ransomware attack that threatened to lock down their systems. Palo Alto’s global threat intelligence team, Unit 42, reported that the cybercriminals installed and ran a variant of the Thanos ransomware which created a text file that displayed a message requesting the victim a transfer of ‘US $20,000’ into a specified bitcoin wallet to restore the files on the system.

“While we do not have visibility into the overall impact of these attacks or its success in receiving payment from the victims, the threat group behind the use of these tools had previous access to these networks, as they obtained valid credentials from the networks,” said Haider Pasha, chief security officer at Palo Alto Networks, Middle East and Africa.

Increased complexity expands threat surface

Obtaining valid credentials has been made easier for bad actors this year, as millions of employees in the Middle East shifted to remote-working models as a response to the COVID-19 pandemic.

Remote Desktop Protocols required to keep employees working offsite are generally regarded as safe and secure when used within a private network. However, when left open on the internet and accessible with simple passwords, RDPs create an open door for ransomware threats. 

Thales

“Unauthorized access via RDPs allows attackers to gain access to corporate servers and act as a launchpad for ransomware attacks,” said Sébastien Pavie, regional vice president for data protection solutions at Thales. “There are millions of computers with their RDP ports exposed online without any protection, which makes RDP a huge attack vector to all sorts of malicious cyber activities, and increasingly ransomware attacks.”

Multicloud environments that are growing in complexity are also contributing to the wave of ransomware in the MENA region, according to Karam. The Veritas Ransomware Resiliency 2020 report showed that UAE and Saudi businesses are overwhelmingly failing to keep pace with the exceptionally fast process of digital transformation that has been accelerated by COVID-19. This has led to much greater complexity in multicloud environments, leaving data at risk of ransomware attacks.

“In the UAE and KSA only 43 percent and 29 percent of respondents have kept pace with their IT complexity, respectively, underscoring the need for greater use of data protection solutions that can protect against ransomware across the entirety of increasingly complex environments,” said Karam.

High-value targets cause high-level damage

Ransomware cost businesses across the world more than US$11.5 billion in damage in 2019, Cybersecurity Ventures estimated, and is expected to cost the global economy $6 trillion by 2021. On average, businesses that thwarted these attacks still paid $730,000 in recovery costs, according to cybersecurity company Sophos, and for those that paid the ransom, the cost including recovery averaged $1.4 million. 

The damage caused by ransomware does not end when the ransom is paid, however. Attacks that aim at high-value targets like government entities or industrial operations can damage industry reputation and even national security. 

“One of the key sectors that often fall victim to attacks is the oil and gas industry,” Karam said, “and part of the reason for targeting oil and gas in the Gulf is because it’s a strategically important part of the economy. If there is a nation-state behind a cyberattack and it wants to have a political impact, it will pick areas that are the most important to an economy.”

The potential human cost of ransomware was pulled into stark relief in September of this year when German police launched a negligent homicide investigation after a woman in a Dusseldorf hospital died as services were disrupted due to a ransomware attack. 

Preparation and recovery are key to survival

Experts agree that it is no longer a matter of whether an organization will suffer a malware attack but a question of when. While the threat landscape in the Middle East may seem grim, there are steps organizations can take to prepare for an inevitable ransomware attack.

Palo Alto Networks

“To better prepare themselves, organizations should not just harden their defences but make it difficult for bad actors to breach their systems,” Pasha advises, “making it expensive for them both in resources and time.”

Prevention, as with any virus, is key. Pavie recommends adopting an application whitelist that identifies ‘trusted applications’ whose integrity are regularly tested, as well as strict, fine-grained access control to critical data.

“Some malware depends on escalating privileges to gain great system access,” Pavie said. “Appropriate access control solutions can bar privileged users from examining and even accessing resources.”

Finally, data-at-rest encryption is necessary to protect data wherever it resides, be it in on or off-premises data centres, in public or private clouds. Encryption renders data worthless to cybercriminals who often threaten to publish business-critical or sensitive information. 

In the inevitable event of a ransomware attack, a swift and thorough recovery response is critical to support business continuity and reduce overall damage. To that end, security experts recommend a three-pronged approach to critical data backup. 

“The ‘3-2-1 rule’ must be adopted, in which two data copies are stored on different storage media and one is ‘air-gapped’ in an offsite location,” Karam said. “A strong defence and high level of data visibility of immutable data for fast and reliable recovery will all be central to success.”

As connected environments continue to increase in complexity, and sensitive data becomes more valuable and plentiful, the potential for cybercriminals to enact critical damage through ransomware will only grow in tandem. As the MENA region moves forward with plans for digital transformation, experts agree that businesses and government entities alike need to adopt robust security against the rising tide of ransomware.