Cy-X expected to pick up in 2023

Anna Collard, KnowBe4 Africa.

---

Cyber extortion activity is expected to increase this year, and although the majority of respondents say they are not willing to pay a ransom if attacked, 29% of respondents admitted they might pay, depending on business impact. This emerged during a ransomware and Cy-X webinar, hosted by KnowBe4 in partnership with ITWeb, this week.

Wicus Ross, senior security researcher at Orange Cyberdefense, explained that ransomware is a specific term used for encryption activity, while the term Cy-X is broader, covering extortion by encryption, denial of service or threatening to expose data.

For the past three years, Orange Cyberdefense has collected data on over 6 000 victims on data leak sites, using this as a barometer for Cy-X activity.

Ross said: “In 2020, we saw the emergence of double extortion; 2021 was a busy year; and in 2022, there seemed to be a decline, with data on around 2 100 victims collected last year. We believe the war on Ukraine is a contributing factor behind this decline. However, our model suggests we could see an increase in global Cy-X victims in Q1 2023. In Africa, we expect an upward trend for the quarter too. Unfortunately, I think we may see an increase overall this year.”

Orange Cyberdefense also enriches the data to understand where the victims are located, the type of industry and the number of employees. Ross said: “Our data shows that there were around 30 victims in Africa in 2022, compared with 2 100 globally. Africa is a comparatively small economy, which could be the reason for this. In Africa, LockBit is the main player, in line with global trends.”

For the last three years, South Africa has had the most victims visible on the public shaming sites – 32 in total, followed by Egypt. In terms of the sectors most targeted by attackers, manufacturing represented the sector most hit globally in 2022 (21%), followed by professional services (16%) and retail (7%). In Africa, the sectors most hit in 2022 were finance and insurance (23%), manufacturing (17%) and retail (10%).

Anna Collard, SVP of Content Strategy and Evangelist for KnowBe4 Africa, released the findings of a new survey by KnowBe4, in partnership with ITWeb, which set out to uncover how South African business is responding to the ransomware Cy-X threat.

Ninety-six percent of survey respondents said they were concerned about ransomware and Cy-X (up from 85% last year); 71% had not experienced a ransomware attack; 18% had; and 3% said they had experienced multiple incidents. Among respondents who had been affected by ransomware, 60% remediated internally and only 2% paid the ransom.  Thirty-three percent took disciplinary action against the people responsible internally. The root causes of the successful attacks were password issues (31%), social engineering (23%) and unpatched software (17%).

A poll of webinar participants found similar patterns, with 80% saying they had not suffered a ransomware attack; 6% had suffered an encryption only attack; 6% had exfiltration of data only; and 6% had been victims of double extortion (exfiltration of data and encryption).

The survey found that 23% of the organisations that paid the ransom received a ransomware decryption key that did not result in the recovery of their files; 13% partially recovered their files; and only 13% fully recovered their files.

Fifty-two percent of those who suffered a ransomware attack didn’t report it to law enforcement or another regulatory body, while 24% notified both a law enforcement agency and a regulatory body, 12% notified a law enforcement agency and 12% notified a regulatory body.

Seventy percent of the survey respondents overall said they would not pay a ransom to obtain the decryption key and 66% said they would not pay a ransom to prevent exfiltrated data from being exposed or sold. Seven percent would pay a ransom to obtain an encryption key and 19% might, depending on the impact on business continuity. Nine percent would pay a ransom to prevent exfiltrated data from being exposed or sold and 20% might, depending on the impact on business continuity and the type of data exfiltrated.

A poll of webinar participants found that if they were attacked, 42% of companies would not pay the ransom, 46% said it depended on the impact on business, 7% said their cyber insurance would pay and 3% would pay.

Collard said: “You should never pay if you can avoid it, but it can be complicated and the impact on the business and its customers has to be weighed up when deciding whether to pay or not. Ransomware operators are quite happy that cyber insurance will pay a ransom and they may also check how much the insurers will cover before determining the size of the ransom they demand. They also use regulatory fines as leverage for extortion.”

Asked whether cyber insurance covers their organisation against ransomware, 37% of survey respondents said they didn’t have cyber insurance; 30% said they did, but cover was limited; 24% said they were fully covered; and 10% said paying ransoms was excluded from their cyber insurance policy.

Respondents said the heaviest costs in the case of a successful Cy-X attack would be IT services to recover affected technologies (26%), followed by the cost of lost revenue owing to interrupted operations (19%) and the cost of future lost business (15%).

On their levels of preparedness, 87% said they were prepared for a ransomware attack, 11% said they could be more prepared and 2% said they were not at all prepared.

A poll of webinar participants echoed this, with 38% saying they were well prepared, with an incident response plan taking ransomware and Cy-X into account; 28% said they were prepared, with a generic cyber incident response plan; and 33% said they could be better prepared.

“In security, there is no easy silver bullet,” Collard noted. She said organisations needed to take a multi-layered approach to security, building a security training and awareness culture. They should also implement advanced anti-phishing protection and endpoint protection, protect VPN gateways and all externally facing systems, enable phishing resistant multi-factor authentication and, most importantly, define and frequently test a Cy-X incident response process.