More than 40% of victims of ransomware attacks in South Africa pay the cybercriminals responsible to try to secure or recover their data. But in many cases, the crooks simply disappear with the money.
This is according to a new report from security firm Kaspersky, which said 42% of local ransomware victims coughed up money to recover their data.
Whether they paid or not, only 24% of victims were able to restore all their encrypted or blocked files following an attack. Sixty-one percent lost at least some files; 32% lost a significant amount; and 29% lost a small number of files. Meanwhile, 11% who did experience such an incident lost almost all their data, Kaspersky said.
According to TechCentral, Marina Titova, head of consumer product marketing at Kaspersky, said handing over money doesn’t guarantee the return of data, and only encourages cybercriminals to continue the practice. Kaspersky always recommends that those affected by ransomware should not pay, as that money allows the scheme to thrive.
According to a recent MyBroadband article, Telkom has fallen victim to the group behind the Sodinokibi ransomware, also known as REvil.
The group has claimed responsibility for the attack and has threatened to leak the Telkom client database on its dark web blog.
The REvil / Sodinokibi group is one of several ransomware operators that steal sensitive data from victims and leak it on the dark web if their targets don’t give in to their extortion demands.
The group has recruited a team of affiliates who carry out attacks on corporate networks.
According to speculation, the group may have tried to extort $1-million out of Telkom.
The company denied that its systems had been infected with ransomware.
Staff working remotely were unable to connect to servers or the Telkom virtual private network.
South Africa is facing one of the largest cyber attacks it has ever seen, with banks, ISPs, and the government being targeted.
In the last two months:
- The City of Johannesburg fell victim to a cyberattack which led to its information systems becoming compromised, and its systems (including the website and billing) being shut down. A ransom was demanded but the City is refusing to pay
- The banking industry was hit by a wave of DDoS attacks targeting consumer-facing services
- ISPs were hit by a number of DDoS attacks, as previously reported in My Tech News. In September, Cool Ideas and Atomic Access suffered an attack that severely affected their services; in October, Cybersmart was hit by a large DDoS attack which caused intermittent connectivity over two days; and recently Afrihost, Axxess, and Webafrica were hit by a very large DDoS attack which affected DSL and fibre subscribers
Parmi Natesan, CEO of the Institute of Directors in South Africa (IoDSA), told MyBroadband that “these attacks should serve as a wake-up call to companies” – who may not be taking adequate steps to protect themselves.
On Friday, doctors at Whipps Cross Hospital, east London, logged into their computers, but a strange red screen popped up. Next to a giant padlock, a message said the files on the computer had been encrypted, and would be lost forever unless $300 was sent to a Bitcoin account – a virtual currency that cannot be traced. The price doubled if the money wasn’t sent within six days. Digital clocks were counting down the time.
It was soon revealed Barts Health Trust, which runs the hospital, had been hit by ransomware, a type of malicious software that hijacks computer systems until money is paid. It was one of 48 trusts in England and 13 in Scotland affected, as well as a handful of GP practices. News reports soon broke of companies in other countries hit. It affected 200,000 victims in 150 countries, according to Europol. This included the Russian Interior Ministry, Fedex, Nissan, Vodafone and Telefonica. It is thought to be the biggest outbreak of ransomware in history.
Trusts worked all through the weekend and are now back to business as usual. But the attack revealed how easy it is to bring a hospital to its knees. Patients are rightly questioning if their medical records are safe. Others fear hackers may strike again and attack other vital systems. Defence minister Michael Fallon was forced to confirm that the Trident nuclear submarines could not be hacked.
So how did this happen? The virus, called WannaCry or WannaDecrypt0r, was an old piece of ransomware that had gained a superpower. It had been combined with a tool called EternalBlue which was developed by US National Security Agency spies and dumped on the dark web by a criminal group called Shadow Brokers. Computers become infected with ransomware when somebody clicks on a dodgy link or downloads a booby-trapped PDF, but normally another person has to be fooled for it to harm a different computer. EternalBlue meant the virus could cascade between machines within a network. It could copy itself over and over, moving from one vulnerable computer to the next, spreading like the plague. Experts cannot trace who caused it, whether a criminal gang or just one person in their bedroom hitting “send”.
Like a real virus, it had to be quarantined. Trusts had to shut down computers and scan them to make sure they were bug-free. Doctors – not used to writing anything but their signature – had to go back to pen and paper. But no computers meant they couldn’t access appointments, referral letters, blood test results or X-rays. In some hospitals computer systems controlled the phones and doors. Many declared a major incident, flagging up that they needed help. In Barts Health NHS Trust, ambulances were directed away from three A&E departments and non-urgent operations were cancelled.
The tragedy is that trusts had been warned of such an attack. Dr Krishna Chinthapalli, a junior doctor in London, wrote an eerily premonitory piece in the British Medical Journal just two days earlier telling hospitals they were vulnerable to ransomware hits.
How to avoid ransomware
Ransomware is a sophisticated piece of malware that blocks the victim’s access to their files, and the only way to regain access to the files is to pay a ransom.
Here are a few tips to avoid ransomware:
- Back up everything on the company network – create a sane, quiet backup system and use it daily.
- Don’t use Windows XP – it’s a little hard to believe but unsupported operating systems on office computers put data at risk. Consider an upgrade.
- Buy a hard drive and back up documents off-site – even if ransomware hits you overnight, you’ll have a few days’ data on this external backup. This will prevent the destruction of important records.
- Back up to the cloud – use an internet-based service like Google to store backups.
- Ensure your network security is up-to-date. Install any patches provided by the security software you use.
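The backup advice above only pays off if a restore is tested before it is needed. The following added example (not from the article or any of the sources it cites) builds a SHA-256 manifest of a source tree at backup time and checks a restored copy against it, reporting files that are missing or whose content no longer matches, for instance because they were encrypted after the last backup. All file names and contents are constructed sample data.

```python
"""Build a SHA-256 manifest of a backup source and verify a restored copy."""
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """Return the SHA-256 hex digest of a file, read in 64 KiB chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    return {
        str(p.relative_to(root)): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest: dict, restored: Path) -> dict:
    """Compare a restored tree against the manifest taken at backup time.

    Returns the files missing from the restore and those whose content
    differs from the backed-up version; empty lists mean a complete restore.
    """
    missing, changed = [], []
    for rel, digest in manifest.items():
        target = restored / rel
        if not target.is_file():
            missing.append(rel)
        elif hash_file(target) != digest:
            changed.append(rel)
    return {"missing": missing, "changed": changed}


def demo() -> dict:
    """Constructed scenario: one file lost, one overwritten after the backup."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp) / "src", Path(tmp) / "restore"
        src.mkdir()
        dst.mkdir()
        (src / "invoices.xlsx").write_bytes(b"ledger data")   # sample content
        (src / "notes.docx").write_bytes(b"meeting notes")    # sample content
        manifest = build_manifest(src)
        (dst / "invoices.xlsx").write_bytes(b"ciphertext")    # altered copy
        return verify_restore(manifest, dst)                  # notes.docx absent
```

Run the manifest step on the live data each backup cycle and the verify step against a scratch restore, so a silent gap in the backup is found before an incident rather than during one.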
Businesses often cite cost as a pain point when explaining why they don’t have back-ups or adequate security.
The ultimate question businesses need to ask themselves is: can your company afford to pay the ransom?
Sources: Madlen Davies for www.newstatesman.com; www.techcrunch.com
A new ransomware “super bug”, codenamed “Locky”, is on the loose. There have been 500 000 sessions of the virus crossing the globe in the last few weeks – and now it has arrived in South Africa.
Anti-virus coverage for this type of malware is very poor – only four out of 54 service providers detected it.
It is believed that there are 4 000 infections an hour now – 100 000 infections a day.
A hospital group in the US has had to shut its doors after the fee to purchase its own files was set at $3,6-million – to be paid in untraceable Bitcoin.
There are 499 000 other cases of Locky reported so far. The virus is spread via infected Word documents.
A click on the attachment and the unfortunate victims, unable to mitigate this threat, are given a ransom demand for their files.
And a subsequent visit to the referenced Locky payment portal site reveals multiple options for victims to pay – including payment plans.
How to stay Locky-free:
• Never download freeware or files from untrusted sources, as they might be infected.
• Always scan removable devices before using them.
• Regularly scan your PC for the .locky file-extension ransomware as well as other related threats.
• Always keep Windows Operating System updated.
• Activate your browser’s security settings and set them to at least medium level.
• Avoid installing ActiveX controls, as they can be abused to deliver the .locky file-extension ransomware.
• Never install potentially unwanted programs on your PC.
• Always carefully read “License and Agreement” before installing any freeware.
• Turn on the firewall and other security settings for better PC protection.
• Do not click on suspicious links while surfing the web.
• Avoid getting carried away by unrealistic deals and offers, as they can be a lure used to spread the .locky file-extension ransomware.
• Never respond to unknown mails and messages.