More than 40% of victims of ransomware attacks in South Africa pay the cybercriminals responsible to try to secure or recover their data. But in many cases, the crooks simply disappear with the money.
This is according to a new report from security firm Kaspersky, which said 42% of local ransomware victims coughed up money to recover their data.
Whether they paid or not, only 24% of victims were able to restore all their encrypted or blocked files following an attack. Sixty-one percent lost at least some files; 32% lost a significant amount; and 29% lost a small number of files. Meanwhile, 11% who did experience such an incident lost almost all their data, Kaspersky said.
According to TechCentral, Marina Titova, head of consumer product marketing at Kaspersky, said handing over money doesn’t guarantee the return of data, and only encourages cybercriminals to continue the practice. Kaspersky always recommends that those affected by ransomware should not pay, as that money helps the scheme thrive.
A new email-based extortion scheme apparently is making the rounds, targeting Web site owners serving banner ads through Google’s AdSense program. In this scam, the fraudsters demand bitcoin in exchange for a promise not to flood the publisher’s ads with so much bot and junk traffic that Google’s automated anti-fraud systems suspend the user’s AdSense account for suspicious traffic.
Earlier this month, KrebsOnSecurity heard from a reader who maintains several sites that receive a fair amount of traffic. The message this reader shared began by quoting from an automated email Google’s systems might send if they detect your site is seeking to benefit from automated clicks. The message continues:
“Very soon the warning notice from above will appear at the dashboard of your AdSense account undoubtedly! This will happen due to the fact that we’re about to flood your site with huge amount of direct bot generated web traffic with 100% bounce ratio and thousands of IP’s in rotation — a nightmare for every AdSense publisher. More also we’ll adjust our sophisticated bots to open, in endless cycle with different time duration, every AdSense banner which runs on your site.”
The message goes on to warn that while the targeted site’s ad revenue will be briefly increased, “AdSense traffic assessment algorithms will detect very fast such a web traffic pattern as fraudulent.”
“Next an ad serving limit will be placed on your publisher account and all the revenue will be refunded to advertisers. This means that the main source of profit for your site will be temporarily suspended. It will take some time, usually a month, for the AdSense to lift your ad ban, but if this happens we will have all the resources needed to flood your site again with bad quality web traffic which will lead to second AdSense ban that could be permanent!”
The message demands $5,000 worth of bitcoin to forestall the attack. In this scam, the extortionists are likely betting that some publishers may see paying up as a cheaper alternative to having their main source of advertising revenue evaporate.
The reader who shared this email said while he considered the message likely to be a baseless threat, a review of his recent AdSense traffic statistics showed that detections in his “AdSense invalid traffic report” from the past month had increased substantially.
The reader, who asked not to be identified in this story, also pointed to articles about a recent AdSense crackdown in which Google announced it was enhancing its defenses by improving the systems that identify potentially invalid traffic or high risk activities before ads are served.
Google defines invalid traffic as “clicks or impressions generated by publishers clicking their own live ads,” as well as “automated clicking tools or traffic sources.”
“Pretty concerning, though it seems this group is only saying they’re planning their attack,” the reader wrote.
Google declined to discuss this reader’s account, saying its contracts prevent the company from commenting publicly on a specific partner’s status or enforcement actions. But in a statement shared with KrebsOnSecurity, the company said the message appears to be a classic threat of sabotage, wherein an actor attempts to trigger an enforcement action against a publisher by sending invalid traffic to their inventory.
“We hear a lot about the potential for sabotage, it’s extremely rare in practice, and we have built some safeguards in place to prevent sabotage from succeeding,” the statement explained. “For example, we have detection mechanisms in place to proactively detect potential sabotage and take it into account in our enforcement systems.”
Google said it has extensive tools and processes to protect against invalid traffic across its products, and that most invalid traffic is filtered from its systems before advertisers and publishers are ever impacted.
“We have a help center on our website with tips for AdSense publishers on sabotage,” the statement continues. “There’s also a form we provide for publishers to contact us if they believe they are the victims of sabotage. We encourage publishers to disengage from any communication or further action with parties that signal that they will drive invalid traffic to their web properties. If there are concerns about invalid traffic, they should communicate that to us, and our Ad Traffic Quality team will monitor and evaluate their accounts as needed.”
On 25 October, the City of Johannesburg tweeted that it had been the victim of a network breach and that it had been forced to shut down various systems, including its website, e-services, and billing systems.
Business Day reported that a ransom note, sent by Shadow Kill Hackers, demanded 4 bitcoin (about R435,000) before 28 October, or else it would upload the sensitive data online.
Nearly two weeks later, the City of Johannesburg’s website is offline and its call centre is unreachable, leaving residents unable to register for e-services or receive their bills.
The city has responded to complaints on Twitter, confirming that its systems are “temporarily down” – but there has been no further information about the cause of the outage or how long it will last.
According to MyBroadband, attempts to call City of Johannesburg hotlines reportedly “resulted in callers being told that the number does not exist, while attempts to access the City of Johannesburg’s website are unsuccessful.”
It is unclear whether the website’s current downtime is linked to the Shadow Kill Hackers’ cyber-attack.
By Emma Beswick for EuroNews
Anonymous hackers have brought the US city of Baltimore to its knees by seizing control of government computers, demanding bitcoin in return for releasing their hold over the systems.
A ransomware attack was discovered on May 7, with the city taking down online systems and services in an effort to contain it.
While the attack took place two weeks ago, the city’s mayor, Bernard Young, is refusing to pay the requested sum, leaving officials unable to process parking tickets among other administrative functions.
He warned that it could take months for normal service to be resumed.
“Like any large enterprise, we have thousands of systems and applications. Our focus is getting critical services back online, and doing so in a manner that ensures we keep security as one of our top priorities throughout the process,” Young said in a statement.
The city’s emergency services have not been affected.
The hackers demanded 13 bitcoins — worth around R1,4-million — to remove the file-locking virus, according to a ransom note obtained by the Baltimore Sun.
“We’ve (been) watching you for days and we’ve worked on your systems to gain full access to your company and bypass all of your protections,” it read. “We won’t talk more, all we know is MONEY! … Hurry up! Tik Tak, Tik Tak, Tik Tak!”
The city remained unable to send or receive emails at the time of writing.
A similar cyber attack hit Atlanta last year, according to NBC, costing millions to recover from the damage, while Greenville in North Carolina was targeted in April.
As many as 25 local governments have been attacked by hackers this year, the media added, citing analysts.