Middle East and Africa region least targeted by ransomware attacks in 2021, study says

Average ransom demand surged 45% as human-operated attacks have remained the 'most prominent and devastating threat'


The Middle East and Africa was the least targeted region by ransomware attacks in the past year, but the average ransom demanded by bad actors globally surged by almost half in 2021, according to a new report by cyber security company Group-IB.

Israel was the most targeted country, with 18 per cent of all attacks in the region, followed by the UAE, South Africa and Turkey with 11 per cent each. Saudi Arabia accounted for 10 per cent and the rest of the MEA countries accounted for 5 per cent of the ransomware attacks at most, the Singapore-based firm said in the study released on Thursday.

“Given multiple rebrands forced by the law enforcement actions as well as the merge of tactics, techniques and procedures due to the constant migration of affiliates from one ransomware-as-a-service programme to another, it is becoming increasingly challenging for security professionals to keep track of the ever-evolving tactics and tools of ransomware threat actors,” Oleg Skulkin, head of Group-IB's digital forensics and incident response unit, said.

Globally, North America experienced the most attacks with 52 per cent of the total, followed by Europe and the UK (28 per cent), the Asia-Pacific (10 per cent), Latin America (6 per cent) and MEA (4 per cent), according to the report, which compared data from the first quarter of 2021 and 2022.

A concerning factor was that data belonging to 147 companies from the MEA region was uploaded on ransomware data leak sites (DLS), with 17 coming from the UAE, the study showed. The list had 15 Saudi Arabian companies, followed by Kuwait with six and Qatar with five.

However, stringent measures are being taken to counter potential threats. In the GCC, banks are increasing their investments in digital security to manage their exposure to cyber risks effectively, S&P Global Ratings said.

Cyber criminals continue to look for lucrative opportunities and tend to be where digital activity is most apparent. They have increased their efforts to be a step ahead of organisations and individuals as digital adoption in daily life continues to rise.

Overall, online criminal activity cost about $6 trillion globally last year, according to a study by research company Cybersecurity Ventures. If that were to be measured as a country, it would be the world's third-largest economy after the US and China, it said.

By 2025, these crimes are expected to cost the world about $10.5tn, up 250 per cent from 2015's $3tn, the company said.

Group-IB's research showed that the average ransom demanded had also increased significantly, surging 45 per cent annually to about $247,000 last year. The highest amount demanded was $240m, an eightfold increase from 2020's $30m.

The sophistication of attacks also led to longer downtimes for victims, up to 22 days in 2021 from 18 days a year earlier, it added. The average dwell time of ransomware in systems was nine days.

"Some organisations are well protected, which means that deploying ransomware enterprise-wide is impossible, so threat actors shift their focus to data exfiltration," Group-IB analysts said in the report, referring to the process of malware performing an unauthorised transfer of data from a computer.

Bots — in this case, commodity malware, such as Trojans, which take control of computers — became even more widely used in human-operated ransomware attacks, the report said, adding that many bots were tied to certain ransomware affiliates in 2020, but now most are used by various threat actors involved in such attacks.

Cyber criminals also vary in how they use a DLS, with the most widely recognised approach being to reveal a company's data on a public platform should it refuse to pay the ransom.

Bad actors also have a number of options to increase their gains on DLS: data could be published in parts, with some setting up auctions before publishing exfiltrated data. Some ransomware operators do not publish exfiltrated data on a DLS, but use it to collaborate with other threat actors to gain more leverage.

"For the third year in a row, human-operated ransomware attacks have remained the most prominent and devastating threat," the Group-IB analysts said.

"Various ransomware-as-a-service programmes and initial access brokers have become cheap fuel for such attacks, and have made it possible even for low-skilled threat actors to join the game and target relatively large companies."

Updated: May 19, 2022, 11:21 AM