
Customer service and AI – How ransomware groups are evolving

Ransomware as we know it has evolved. Where these cyberattacks were once seen as disparate, in recent years they have become more sophisticated, better co-ordinated, and more widespread than ever before.

In South Africa in particular, the impact of ransomware groups can be felt: Trend Micro recently revealed in its Mid-Year Cybersecurity Threat Report that 15 million malware families were blocked locally during the first half of 2023.

“Ransomware, in particular, is a challenge for local companies, with almost 2 500 ransomware detections in June alone,” the company explained in a release sent to Hypertext.

“Earlier this year Trend Micro researchers discovered a new ransomware that uses legitimate search engine tools to search for files to encrypt. Investigation into this new ransomware, which researchers named ‘Mimic’, suggests a connection with the larger and more notorious Conti ransomware group. It’s suspected that collaboration between these criminal groups helps them lower costs and increase their market presence while also maintaining the efficacy of their criminal activities,” it added.

Zeroing in on the South African landscape, Trend Micro says the country has become a testbed for many ransomware groups wanting to experiment with hacking techniques before targeting larger businesses or industries.

This, unfortunately, is the result of a mixed approach to cybersecurity in SA across different industries, with some more mature and taking the threat of cybercrime more seriously than others.

“They’ve evolved. Become more targeted in who they are attacking. We hear things like ransomware-as-a-service, phishing-as-a-service, where they outsource, set up a network, infiltrate environments, and sell it to amateurs to be able to get into their environments,” highlighted Emmanuel Tzingakis, technical lead for Sub-Saharan Africa at Trend Micro.

“On the dark web, they even have recruitment campaigns to hire developers and sellers, so the operation is just like a business. They’re becoming more evolved, and more sophisticated,” he warned.

Noting just how business-like ransomware groups have become, Gareth Redelinghuys, country MD for the African Cluster at Trend Micro, says these organisations have dedicated service hotlines in place to assist businesses that have been attacked to troubleshoot getting their data back once they’ve paid the ransom.

“These are the kinds of things that they’re doing. They’re keeping it live, real, and relevant, paying for just about anything as an actual service,” he explained.

“I’ve actually heard, although I cannot verify this, but I’ve heard that many syndicates are now hiring HR people to help manage their staff, so that gives you an indication of just how sophisticated things are getting,” adds Tzingakis.

Along with evolving their business, ransomware groups continue to utilise new methods when it comes to attacks, with AI now playing an important role in improving the efficiency and reach of cybercriminals.

To that end, Trend Micro has seen two ways in which AI is being employed – virtual kidnapping and harpoon whaling.

The latter sees ransomware groups target a high-ranking executive in an organisation, aiming to infiltrate their system or compromise their security in some way, not only to gain access to more coveted data within the organisation but also to ensure that a larger ransom can be demanded.

ChatGPT and other generative AI platforms are leveraged to automate the gathering of information, formation of target groups, and identification of vulnerable behaviours.

“This attack is a highly targeted social engineering scam that involves emails crafted with a sense of urgency and that contain personalised information about the targeted executive or director. With AI tools becoming increasingly adept at creating text that can seem human-crafted, the effort needed to attack executives has been drastically reduced, making the targeting of hundreds of thousands of executives easier than ever before,” Trend Micro pointed out.

As for virtual kidnapping, these imposter scams, as they are categorised, are becoming more rampant.

“In the case of virtual kidnapping, malicious actors are able to create a deepfake voice of their victim’s child and use it as proof that they have the child in their possession to pressure the victim into sending large ransom amounts,” the report found.

As ransomware groups become more sophisticated, evolving at a rate that is simply too fast to keep up with, it is more important than ever for companies, and the people working at them, to adopt a multi-layered approach to cybersecurity.

[Image – Photo by GuerrillaBuzz on Unsplash]
