practice makes perfect

Hackers are using developing countries for ransomware practice

Businesses in Africa, Asia, and South America hit before moving on to Western targets.

Ellesheva Kissin, Financial Times
Credit: Getty Images

Cyber attackers are experimenting with their latest ransomware on businesses in Africa, Asia, and South America before targeting richer countries that have more sophisticated security methods.

Hackers have adopted a “strategy” of infiltrating systems in the developing world before moving to higher-value targets such as in North America and Europe, according to a report published on Wednesday by cyber security firm Performanta.

“Adversaries are using developing countries as a platform where they can test their malicious programs before the more resourceful countries are targeted,” the company told Banking Risk and Regulation, a service from FT Specialist.

Recent ransomware targets include a Senegalese bank, a financial services company in Chile, a tax firm in Colombia, and a government economic agency in Argentina, which were hit as part of gangs’ dry runs in developing countries, the data showed.

The research comes as cyber attacks have almost doubled since before the COVID-19 pandemic, exacerbated in the developing world by rapid digitization, good Internet networks, and “inadequate” protection, the IMF said this month.

Reported losses from cyber incidents to businesses worldwide since 2020 had climbed to almost $28 billion, with billions of records stolen or compromised, the IMF said, adding that total costs were likely to be “substantially higher.”

The “staging ground” tactic worked because businesses in those countries had “less of an awareness of cyber security,” said Nadir Izrael, chief technology officer at cyber security group Armis.

“Let’s say you’re going to attack banks,” Izrael said. “You would try out a new weaponized package in a country like Senegal or Brazil, where there are enough banks that might be similar, or international arms of companies that are similar to what you would want to try and attack.”

Medusa, a cyber gang that “turns files into stone” by stealing and encrypting companies’ data, began to attack businesses in 2023 in South Africa, Senegal, and Tonga, the Performanta report said. Medusa was responsible for 99 breaches in the US, UK, Canada, Italy, and France last year.

Security teams would pick up on alerts about a pending attack, but the average user would only become aware of one when they were locked out of their computer system, said Hanah-Marie Darley, director of threat research from cyber security firm Darktrace.

A file named !!!READ_ME_MEDUSA!!!.txt would instruct the user to log on to the dark web and start ransom negotiation with the gang’s “customer service.” If victims refuse, the cyber attackers publish the stolen data.

Cyber security companies monitor the dark web for information and then set up “honeypots”—fake websites that mimic attractive targets—in developing nations to catch experimental attacks at an early stage.

When a group of cyber attackers this year began discussing a new vulnerability, named CVE-2024-29201, they “specifically targeted a few [exposed servers] in third world countries to test out how reliable the exploit was,” said Izrael from Armis, whose analysts were monitoring the gang’s conversations on the dark web.

Attacks on Armis’ honeypots 11 days later confirmed the suspicions: The gang only hit Southeast Asia, before using the techniques at a later stage more widely.

Sherrod DeGrippo, the director of threat intelligence strategy at Microsoft, however, said some cyber gangs were too “opportunistic” to test new attacks so methodically.

Rather, developing countries had experienced increased activity as hackers in poorer countries could buy cheap ransomware and stage their own small attacks, DeGrippo said.

Gangs such as Medusa had begun selling their inventions to less sophisticated hackers, said Darktrace director Darley. Those smaller-scale hackers often did not know how the tech works and used it against easier targets, she said.

Any attackers taking the time to “sandbox their techniques”—to experiment in relatively unguarded cyber zones in developing countries—were more sophisticated, she added.

Teresa Walsh, chief intelligence officer at global cyber threat intelligence body FS-ISAC, said gangs would work within the local environment to “perfect” attack methods and then “export” their schemes to countries where the same language might be spoken: Brazil to Portugal, for example.

The speed of digital adoption in Africa is “outpacing the development of robust cyber security measures, and general awareness of cyber threats is low,” said Brendan Kotze, cyber analyst at Performanta.

“Combined, this creates a worrying, widening gap in defenses cyber criminals are exploiting,” he added.

Ellesheva Kissin is a reporter at Banking Risk and Regulation, a service from FT Specialist.

© 2024 The Financial Times Ltd. All rights reserved. Not to be redistributed, copied, or modified in any way.
