About 3 months ago, Techzim attended an IT security workshop in Harare where a local IT networking and cyber-security company called Procomm spoke about the rise in ransomware attacks targeting companies in Zimbabwe.
Ransomware, like other types of cyber-attacks, is something that’s not discussed much in the public in Zimbabwe. Companies and individuals get attacked, they resolve the situation somehow, and move on quietly.
This worrying issue was brought to the fore by the WannaCry attacks, which disrupted hospitals and medical practices in the UK. It turns out Zimbabwe was one of the 104 countries hit by that attack.
Since Procomm alerted us to the ransomware trend months ago, we decided to contact them for more information, so that Zimbabweans are clearer about these issues and can protect themselves. Here is the Q&A we had with Procomm Managing Executive, Tawengwa Toronga:
There’s an increase in cases of ransomware globally, but now also in Zimbabwe. Why is this the case and how much more of this do you think will happen?
In the past 18 months we have seen ransomware reach a new level of maturity and menace. The perfection of the ransomware business model has created a ‘gold-rush’ mentality among attackers, as growing numbers seek to cash in. Ransom fees range from $300 to $1000 per PC and a couple of thousand dollars for targeted attacks on organizations. It is estimated that ransomware cybercriminals took in about $1 billion in 2016.
A growing number of cybercrime groups appear to be attempting to capitalize on ransomware. It is now also easier than ever to create your own ransomware with ransomware creation kits, or ransomware-as-a-service (RaaS), which is now emerging on the cybercrime underground.
RaaS is designed to make ransomware accessible to anyone. One does not need to be tech-savvy or have expensive equipment to turn to this type of misconduct. It is also easy to spread. Advanced cybercriminals usually author the malicious code, then make it available for others to download and use. The authors may provide the ransomware for free or charge a small fee up front, often opting to take a cut of each ransom. This incentivizes a higher volume of attacks and higher ransom requests. The payouts are also quicker compared to selling stolen credit card data or personal information. Perhaps most importantly, there is a lower risk of being caught due to the anonymity of Bitcoin.
On the other hand, attacks against organizations are also rapidly increasing. While indiscriminate ransomware campaigns remain the most prevalent form of threat, new and more advanced attacks are emerging. A growing number of cyber-gangs are beginning to focus on targeted attacks against large organizations. These attacks involve a high level of technical expertise, using techniques more commonly seen in cyberespionage campaigns to break into and traverse the target’s network.
Although more complex and time-consuming to perform, a successful targeted attack on an organization can potentially infect thousands of computers, causing massive operational disruption and serious damage to revenues and reputation. Once cybercrime gangs notice some businesses succumb to these attacks and pay the ransom, more attackers will follow suit in a bid to grab their share of the potential profits.
See this article for the predictions for ransomware in 2017.
Has your company worked on any such cases locally? What would be your estimates of the frequency of ransomware in Zimbabwe and Africa?
There have been isolated cases where we have been called to assist with incident response, both from consumers and organisations.
Unfortunately, there is no publicly available report with actual statistics specifically for Zimbabwe or Africa on the current prevalence and ramifications of ransomware incidents. Although the prevalence of the attacks differs worldwide, the one common thread is that ransomware is growing as a threat everywhere.
What/who are the typical targets of ransomware locally and how does such an attack typically occur?
While ransomware attacks to date have been largely indiscriminate, there is evidence that attackers have a growing interest in hitting businesses with targeted attacks.
Consumers/Individuals are the most likely victims of ransomware, accounting for about 57 percent of all infections between January 2015 and April 2016, according to the Symantec Special Report: Ransomware and Businesses 2016. While most major ransomware groups tend to be indiscriminate in their attacks, consumers are often less likely to have robust security in place, increasing the possibility they could fall victim to ransomware.
There are many different variants of ransomware; some are designed to attack Windows PCs while other strains infect Macs and even mobile devices. This type of malware is highly effective because the methods of encryption or locking of the files are practically impossible to decrypt without paying the ransom.
Victims typically download ransomware by opening an infected email attachment or clicking a compromised pop-up or link, triggering malicious code. From there, a sequence of events unfolds that encrypts the user’s files, locks down the victim’s device and displays a message listing demands that must be met in order to regain access.
Once these files are encrypted, the only way to get them back is to restore a recent backup or pay the ransom. Problem is, backups often fail. Storage Magazine reports that over 34% of companies do not test their backups and of those tested, 77% found that tape backups failed to restore. According to Microsoft, 42% of attempted recoveries from tape backups in the past year have failed.
Below are some of the common ransomware delivery vectors:
- Email – Phishing and spam email is by far the most common delivery method of ransomware. The scenario involves sending an email with an attachment disguised as an innocuous file, or tricking the user into clicking a URL in the email that opens a compromised website.
- Free Software – Another common way to infect a user’s machine is to offer a free version of a piece of software. This can come in many flavors such as “cracked” versions of expensive games or software to entice the user.
- Exploit Kits – Exploit kits are sophisticated toolkits that exploit vulnerabilities. Most often, exploit kits are executed when a victim visits a compromised website. Malicious code hidden on the site, often in an advertisement (malvertisement), redirects you to the exploit kit landing page unnoticed. If vulnerable, a drive-by download of a malicious payload will be executed, the system will become infected, and the files will be held for ransom.
In terms of the involvement of Bitcoin in such cases: why do the hackers ask for Bitcoin?
For those considering cyber extortion, the anonymity commonly associated with Bitcoin is very enticing. Earlier schemes relied on bank accounts or money orders, so criminals felt they were at greater risk of being tracked down by law enforcement authorities.
The ease of acquisition of Bitcoin on the Internet and the lack of personally identifiable information tied to bitcoin wallets make it really appealing to hackers.
Although law enforcement authorities have on some occasions been able to trace bitcoin extortion transactions to criminals, this has not deterred cybercriminals from using cryptocurrencies.
Once hit and Bitcoin payment is asked for, what do you recommend for those that have come under such a predicament?
I personally advise against paying the ransom where possible, simply because this removes the incentive for cybercriminals to continue engaging in these kinds of scams. As long as victims continue to pay the ransom and fund the growth and development of these ransomware families, there will be more creative and effective ransomware attacks in the future.
However, if you can’t restore the important data from the backup copies, the decision to pay basically comes down to whether the data that was encrypted is worth more than the ransom demanded.
Many of the cybercriminals behind ransomware have focused on creating a trustworthy reputation on the Internet, honoring all ransom agreements, but still there are no guarantees of getting your data back as victims are quickly left alone with the decryption keys once the exchange has been made.
What do you recommend companies and individuals do to better protect themselves?
Organizations need to be fully aware of the threat posed by ransomware and make building their defenses an ongoing priority. While a multilayered approach to security minimizes the chance of infection, it’s also vital to educate end users about ransomware and encourage them to adopt best practices. As ransomware gangs continue to refine their tactics, organisations and individuals cannot become complacent. Businesses should continue to review and improve their security in the face of this rapidly evolving threat.
Here are a few best practices to minimize the risk and loss from ransomware:
- Backups, backups, backups — and test those backups regularly.
- Install antivirus and make sure it’s up to date with the latest definition files.
- Regularly patch your operating systems, especially Windows.
- Keep web browsers and plug-ins such as Adobe Flash and Microsoft Silverlight updated, and prioritize patching new releases.
- Uninstall any browser plug-ins that are not required for business purposes, and prevent users from re-installing them.
- Disable Microsoft Office macros by default, and selectively enable them for those who need macros.
- Scan incoming emails for suspicious attachments, including examining all compressed attachments.
- Automatically quarantine any email that has an attachment containing a script or a .scr file.
- Disable or remove the PowerShell, wscript, and cscript executables on all non-administrative workstations.
- Do not give all users in the organization local administrative access to their workstations.
- Use threat intelligence to gain visibility into your organization’s external threat environment and monitor for any emerging ransomware threats to your organization.
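As an added example (not Procomm's or Techzim's code), the Python script below implements the two email controls from the checklist above: it walks a message's attachments, opens ZIP archives, and returns quarantine reasons for anything carrying a script, .scr or other executable type. It also quarantines password-protected and over-nested archives, which a scanner cannot inspect and which phishing campaigns use for exactly that reason. The messages it scans are constructed inline; the extension list is an assumption chosen for illustration, not a vendor's.

```python
"""Mail-gateway attachment triage: quarantine messages whose attachments
carry script, screensaver or executable types, including inside ZIP files.
Added example for this article; sample messages are constructed inline."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Types Windows runs directly or hands to wscript/cscript/PowerShell (the
# hosts the checklist says to remove). Chosen for illustration, not exhaustive.
DANGEROUS_EXTS = {".scr", ".exe", ".com", ".pif", ".cpl", ".js", ".jse", ".vbs",
                  ".vbe", ".wsf", ".wsh", ".hta", ".ps1", ".bat", ".cmd", ".lnk"}
ARCHIVE_EXTS = {".zip"}
MAX_NESTING = 2               # archives nested deeper than this are not opened
MAX_NESTED_BYTES = 5_000_000  # do not inflate huge inner archives (zip bombs)


def extension(name: str) -> str:
    """Last extension, lower-cased: 'Invoice.PDF.js' -> '.js' (what Windows honours)."""
    base = name.lower().replace("\\", "/").rsplit("/", 1)[-1]
    return "." + base.rsplit(".", 1)[1] if "." in base else ""


def inspect_blob(name: str, data: bytes, depth: int = 0) -> list:
    """Reasons to quarantine one attachment; an empty list means it passed."""
    reasons = []
    ext = extension(name)
    if ext in DANGEROUS_EXTS:
        reasons.append(f"{name}: {ext} is a script/executable type")
    if ext not in ARCHIVE_EXTS:
        return reasons
    if depth >= MAX_NESTING:
        return reasons + [f"{name}: archive nested too deeply to inspect"]
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return reasons + [f"{name}: claims to be a ZIP but is malformed"]
    with zf:
        for info in zf.infolist():
            inner = f"{name}!{info.filename}"
            inner_ext = extension(info.filename)
            if info.flag_bits & 0x1:  # general-purpose bit 0: entry is encrypted
                reasons.append(f"{inner}: password-protected, cannot be scanned")
            elif inner_ext in ARCHIVE_EXTS:
                if info.file_size > MAX_NESTED_BYTES:
                    reasons.append(f"{inner}: nested archive too large to inspect")
                else:
                    reasons += inspect_blob(inner, zf.read(info), depth + 1)
            elif inner_ext in DANGEROUS_EXTS:
                reasons.append(f"{inner}: {inner_ext} is a script/executable type")
    return reasons


def triage(raw_message: bytes) -> list:
    """All quarantine reasons for one RFC 5322 message, as received on the wire."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    reasons = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or "(unnamed)"
        reasons += inspect_blob(filename, part.get_payload(decode=True) or b"")
    return reasons


def should_quarantine(raw_message: bytes) -> bool:
    return bool(triage(raw_message))


def _message(attachments) -> bytes:
    """Constructed test mail with the given (filename, mimetype, bytes) attachments."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.invalid"
    msg["To"] = "finance@example.invalid"
    msg["Subject"] = "Outstanding invoice"
    msg.set_content("Please see the attached payment advice.")
    for filename, mimetype, data in attachments:
        maintype, subtype = mimetype.split("/")
        msg.add_attachment(data, maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()


def build_sample_phish() -> bytes:
    """Constructed lure: a ZIP 'payment advice' hiding a JScript dropper behind a
    double extension, alongside a harmless PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Payment_Advice.pdf.js", "new ActiveXObject('WScript.Shell');")
    return _message([("Payment_Advice.zip", "application/zip", buf.getvalue()),
                     ("Statement.pdf", "application/pdf", b"%PDF-1.4\n%%EOF\n")])


def build_sample_clean() -> bytes:
    return _message([("Statement.pdf", "application/pdf", b"%PDF-1.4\n%%EOF\n")])


if __name__ == "__main__":
    for reason in triage(build_sample_phish()):
        print("QUARANTINE:", reason)
    print("clean mail quarantined?", should_quarantine(build_sample_clean()))
```

The check keys on the last extension only, because that is the one Windows honours when the user double-clicks, so a double extension such as `Payment_Advice.pdf.js` is still caught. Macro-enabled Office documents are not on the list; the checklist's macro policy (item on disabling Office macros by default) is the control for those.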
12 comments
the solution is simple; ditch Microsoft Windows and use Linux
Someone who is not tech savvy thinks Linux and Mac are secure.
Precisely, I don’t know why most Zimbabweans think Linux and MacOS are virus proof. In fact MacOS was the first targeted OS. Consider this a warning!
Great article Limbikani. I’d like to correct you on one thing you got wrong. bitcoin is often wrongly considered to be anonymous and it’s easy to think that because you can send money to someone without knowing their identity. However bitcoin transactions are highly traceable and achieving anonymity in a bitcoin transaction is near impossible.
Secondly, the fact that all bitcoin transactions are stored on a public and permanent ledger makes it the least ideal currency to use for criminal activities (most people new to bitcoin still don’t get this).
bitcoin is rather pseudonymous, which means that whenever you do a transaction and not using your real identity, you are using a pseudonym. The moment someone is able to link your identity to that pseudonym they will have access to your entire transaction history.
But then again most victims of ransomware (as well as law enforcement) are not tech savvy enough to know how to trace bitcoin transactions. Many of these cybercriminals are dumb too – a lot of people are in jail today just because they used bitcoin for the crime instead of cash.
Tawanda, I think you don’t get it. Bitcoin is anonymous, unless you are trying to define a new Open Bitcoin system that reveals who is doing what, but the current Bitcoin is the currency for criminals, and law enforcement can do nothing about it. Right now we know that the criminals have received cash by going to the site howmuchwannacrypaidthehacker.com, but nothing else.
@Easytech, you make several assertions that are not true:
1. It is not true that bitcoin is anonymous – the bitcoin transaction log is public. Anyone running a full node can see every transaction happening on the bitcoin network. I run a full bitcoin node at home and several at work – I’m speaking from experience.
2. bitcoin is already open. For starters it’s open source, the transaction log is open for everyone to see, anyone is open to join, anyone is open to build their own wallet that works on the bitcoin protocol.
3. bitcoin is not a currency for criminals. If a Pastor were arrested for rape, does that make Christianity a religion for rapists? If one person robs a bank, does that make the US dollar a currency for criminals? If someone laundered money with bitcoin and got caught because they were stupid enough to launder money with a traceable currency which is not anonymous called bitcoin, does that make bitcoin a currency for criminals?
4. Although law enforcement can’t do anything about it today in many places in the world, this is a problem that can easily be fixed with education.
Bitcoin is very secretive and anonymous, do not kid yourself Tawanda.
If it was not, then why would hospitals and banks right in the heart of America pay the ransom to get their data back?
Can you give us names or places where someone was arrested for criminally using bitcoin? One day when quantum computers become widely available, then maybe we will start to see progress in identifying bitcoin criminals.
just because hospitals and banks are paying the ransoms does not justify that bitcoin is anonymous. bitcoin is the least anonymous currency in the world because all bitcoin transactions are public. Anyone who knows what they are doing can see the complete bitcoin transaction log. I’m not saying they are easy to trace though – not everyone can easily trace bitcoin transactions – it’s not easy. The same way making a billion dollars is not easy but can we say that it’s impossible because banks and hospitals can’t do it?
Here is a list of some of those who were arrested for criminally using bitcoin: https://www.gwern.net/DNM%20arrests
I don’t know how long the list is exactly – I actually lost count when I was at around 500. All these people got caught specifically because they used bitcoin.
Tawanda, I’m not sure if your misinformation is intentional or not. The Bitcoin ledger is public as you say, but the wallet IDs attached to transactions are anonymous. This would be like your bank publishing all client transactions but blanking out names: sure the information is “public”, but we still don’t know who has the 3 million dollar balance unless they told us their account number.
Hi Tapiwa, I think you’re starting to get it.
Did you watch last night’s episode of ‘The Blacklist’? Raymond Reddington was able to hire the Debt Collector while pretending to be that prisoner, and he actually fooled everyone, including both the Debt Collector and Kate, into thinking that he was actually the prisoner. But when Liz called Kate, Kate knew that Reddington had assumed a false identity and she was able to link all his actions to the same identity.
I tell you this story to illustrate the difference between anonymity and pseudonymity. All bitcoin transactions are attached to an identity. In many cases we don’t really know who is behind this identity, so this identity is a pseudonym.
I know that anonymity was not one of the design goals of bitcoin, but today bitcoin provides only pseudonymity through the use of bitcoin identities (public keys or their hashes). If you cannot attach an identity to a bitcoin transaction, then you won’t be able to figure out all the transactions that were made by that particular user. Alternatively if you can, like Kate’s voice, you will be able to call out Reddington.
Like Liz’ voice I mean
I don’t watch “The Blacklist”.
Here’s a primer on pseudonymity and anonymity[1]. It is apparent that bitcoin users have both pseudonymity (unchanging hashes) and anonymity (absolutely no link to legal name/ “real” identity) unless they voluntarily publicly announce all their wallet hashes IRL to link the bitcoin personas and their legal names.
It is trivial to launder bitcoin by making numerous but small payments which are much harder to track. There are no limits to the number of bitcoin wallets a person can own.
1. https://english.stackexchange.com/questions/224254/whats-the-difference-between-anonymous-and-pseudonymous