
Realities of ransomware in SA: It’s after everyone

Johannesburg, 10 Dec 2021
Lukas Pelser, pre-sales engineer at Sophos.

No organisation is too small and no system too insignificant to be targeted by ransomware, and South African organisations can expect ransomware attacks to pick up in 2022.

This is according to cyber security expert Lukas Pelser, a pre-sales engineer at Sophos, who was addressing a webinar on ransomware hosted by Sophos.

Pelser said the Sophos 2022 Threat Report finds that ransomware has staked its claim as a major element of the cyber crime ecosystem and shows no sign of slowing down in 2022.

“Ransomware in South Africa can hit anyone, and no business is too small to be at risk,” he said. “We recently saw a one-man graphic design business hit by ransomware in which the attackers were demanding R10 000. In another case, a five-man law firm had a R600 000 payment diverted.”

However, he noted, ransomware doesn’t just target business data. “It can take down cameras, access management or whatever is easiest for attackers to get hold of. I have even seen a mine milling machine hacked to make it spin too fast and put human life at risk, so operational technology is also a target.”

The Sophos 2022 Threat Report predicts that ransomware will become more modular, uniform and influential, targeting people and technology.

Said Pelser: “In South Africa we saw a live incident in which they disabled Windows shadow copies within the organisation, waited a month until all the copies were missing, then launched the ransomware. We also see an increase in attackers calling victims directly, and this is becoming more and more popular. They are also recruiting insiders to help them breach networks, and silencing victims by warning them not to contact the authorities.”
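The month between the shadow copies being disabled and the ransomware launch is a detection window. As an added example (not code from the article or from Sophos), the following runs a few process-creation rules over constructed Sysmon-style events and reports how much lead time a detection of the tampering would have given before a constructed launch time; host names, timestamps and command lines are all made up.

```python
"""Flag Volume Shadow Copy tampering in process-creation logs (defender-side).

Sample events are constructed; the layout mimics a Sysmon Event ID 1 / Windows
4688 export reduced to (timestamp, host, command line).
"""
import re
from datetime import datetime

# Common ways shadow copies are removed or starved of storage
# (MITRE ATT&CK T1490, Inhibit System Recovery). Case-insensitive.
VSS_TAMPER_PATTERNS = {
    "vssadmin-delete": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "vssadmin-resize": re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage", re.I),
    "wmic-delete": re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "powershell-wmi": re.compile(r"win32_shadowcopy.*(remove|delete)", re.I),
}

SAMPLE_EVENTS = [  # constructed (timestamp, host, command line)
    ("2021-10-05T02:14:09", "FS01", r"C:\Windows\System32\vssadmin.exe delete shadows /all /quiet"),
    ("2021-10-05T02:14:20", "FS01", r"wmic.exe shadowcopy delete"),
    ("2021-10-06T09:00:00", "WS12", r"vssadmin.exe list shadows"),  # benign admin query
    ("2021-10-07T11:32:05", "FS02", r"powershell.exe Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"),
]

def detect_vss_tampering(events):
    """Return (timestamp, host, rule, command) for every event matching a rule."""
    hits = []
    for ts, host, cmd in events:
        for rule, pattern in VSS_TAMPER_PATTERNS.items():
            if pattern.search(cmd):
                hits.append((ts, host, rule, cmd))
                break  # one alert per event is enough
    return hits

def first_tamper_per_host(hits):
    """Earliest tampering timestamp per host (ISO strings sort chronologically)."""
    first = {}
    for ts, host, _rule, _cmd in hits:
        if host not in first or ts < first[host]:
            first[host] = ts
    return first

def detection_window_days(first_seen, as_of):
    """Whole days between the first tampering on each host and `as_of`
    (e.g. the ransomware launch): the lead time an early alert would have given."""
    now = datetime.fromisoformat(as_of)
    return {h: (now - datetime.fromisoformat(t)).days for h, t in first_seen.items()}

if __name__ == "__main__":
    hits = detect_vss_tampering(SAMPLE_EVENTS)
    for ts, host, rule, cmd in hits:
        print(f"{ts} {host} [{rule}] {cmd}")
    # Constructed launch time roughly a month after the first tampering.
    print(detection_window_days(first_tamper_per_host(hits), "2021-11-04T03:30:41"))
```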

The developers of ransomware are creating sophisticated code and playbooks to enable different adversary groups to implement very similar attacks, he said. “I can literally pay someone $50 to take a business offline. Initial Access Brokers (IABs) and malware delivery platforms are targeting victims.”

Sophos expects the abuse of adversary simulation tools will continue, with more adversaries abusing commercial attack simulation tools designed to test defences. Most of the ransomware cases Sophos investigated in 2021 involved the use of Cobalt Strike Beacons, Pelser said.

It is also expected that more malware families will launch hybrid attacks – starting with phishing e-mails to carefully chosen employees. “We have seen attackers targeting specific individuals who mention needing money on social media, and then mail them offering money,” Pelser said.

Sophos also expects more mass attacks abusing IT administration tools and vulnerable Internet-facing systems as well as unprotected Linux-based systems, both in the cloud and on Web and virtual servers.

The report notes that mobile malware will increase across all operating systems, with ‘Flubot’ dominating the list of mobile malware for Android devices, more fraudulent apps exploiting loopholes in the iOS platform and Joker malware continuing to try to outwit Google Play Store checks.

Other trends expected to continue into 2022 will be the use of AI by attackers – common examples being Russian bride scams using AI, or automated credential harvesting.

Pelser said mitigating the risks required a layered approach covering every stage of the kill chain, with strategic and tactical defence, and combining technology with human expertise.

He recommended extended detection and response (XDR) products, and a proactive human defence system provided by the Sophos Managed Threat Detection and Response (MTR) team. In the event of an attack, Sophos Rapid Response can assist companies whether they are Sophos customers or not, he noted.