“If you see the faces of a Board of Directors when they realise they are under attack, you’d swear they’d seen a ghost.” So says Graham Croock, cybersecurity expert, describing the aftermath of the “dreaded call”.
The “dreaded call” is the notification of a ransomware attack, a phenomenon becoming increasingly common in South Africa. In June this year, it was the National Health Laboratory Service. The attack shut down the automated processes, forcing staff to laboriously write out reports by hand. Coming on top of the Monkeypox outbreak, the delays were literally life-threatening. A news outlet reporting on the matter was contacted by a man with an “Eastern European accent” remonstrating about the need for the Service to “negotiate”.
In 2021, South Africa’s state-owned logistics company Transnet was thrown into disarray as a result of a ransomware attack, which forced it to declare force majeure, slamming the entire economy to which its services were essential.
Some background: the entire African continent is undergoing a profound transformation. As more and more of the continent’s population gains access to the online world, ICT systems are becoming an ever-more-important part of life. Given the relative sophistication of its economy, this is especially true for South Africa. While this opens up opportunities for legitimate business, it has equally done so for criminal organisations, taking crime onto virtual platforms. Says Duncan McLeod, editor at TechCentral, “We’re a lot more connected than we were – but that has made us all more vulnerable.”
The analogy with seeing a ghost is quite apposite. Cybercrime, employing computer systems for criminal objectives, takes numerous forms. Ransomware is a form of software that effectively captures a computer or network, locking the user out, and demanding a payment to unlock it. A variant form links the ransom demand to a threat to leak or sell the information to competitors or to other criminals. It is an impersonal, post-modern crime. Where a gang might once have held a kidnap victim in a basement until a briefcase full of banknotes was delivered, today the commodity stolen is information, the thieves perhaps operating through encoded channels on the other side of the world. Rather like a ghost of folklore – or Croock’s boardroom clients – the criminals are elusive, but the impact terrifying. The “dreaded call” signals its arrival.
Floppy disks
The earliest form of ransomware seems to have appeared in 1989, and was spread on floppy disks distributed after a conference on HIV; the disks delivered a demand for a “software lease”, with instructions to send payment to an address in Panama. Relatively crude, it could be removed by experts. Later iterations of digital ransoms began to appear in the 2000s. The phenomenon gained momentum, with growing sophistication, the updating of programmes to evade countermeasures, cooperation between criminals on ransomware products and the establishment of “leak sites” where sensitive information could be published as part of the extortion threat. With the Covid pandemic, criminal groups used the rapid shift to online work and interaction to their advantage; cybercrime spiked. McLeod described ransomware as organised crime’s digital “weapon of choice”.
For every reported instance, there are many that go unnoticed by the public. According to Sophos, a UK-based cybersecurity firm, some 69% of South African firms surveyed in early 2024 had been hit by a ransomware attack in the preceding year. Of these, 76% resulted in data being encrypted.
Croock points out that the frequency of attacks – and actual penetration – as well as the inclination to pay ransoms is now a reality of doing business with a significant digital exposure. “Firms are embarrassed, so they don’t admit it publicly, but this is happening across the economy, in some of the most reputable institutions.”
Behind the extortion are a varied set of malign actors. Cybercriminals range from individual computer enthusiasts (more interested in thrills than rewards) through to established syndicates for which the online world is a complement to existing operations. “Cybercrime starts out with IT specialists,” says Croock, “but it has become more organised. The traditional syndicates found that it wasn’t lucrative to do cash-in-transit heists any more. They had to take things online. It’s the same principle for a greater reward. These are highly competent people.” Some, such as the Nigerian Black Axe gang, employ cybercrime as a complement to terrorism and as a means to raise funds to buy political influence.
“Modern businesses”
Using the Dark Web, the ransomware field parodies everyday business activity. On online forums, services can be sought and offered, collaborations negotiated, and technical solutions purchased. As an exposition by the security company BlackFog notes: “The most formidable ransomware syndicates function like modern businesses with defined corporate structures, marketing, customer service protocols, and common diversification into extortion affiliate models.”
A typical ransomware attack will exploit a vulnerability in an organisation’s computer systems. Often, this relies on the human factor, such as inserting malware through a link in an email sent to an employee, or by breaching the systems of a client or supplier firm. The programmes may lie dormant for months – the proverbial ghost in the machine – before being activated. These invariably target backup systems as well as primary operating systems.
Craig Pedersen, cyber forensic expert at TCG Forensics, explains that a frequent vulnerability lies in outdated software; while systems are constantly being upgraded by their designers, users might choose to remain with obsolete systems – perhaps an industrial process cannot be run off a newer version, or the older one is just comfortably familiar to users. But old systems are inherently penetrable. Indeed, when they are decommissioned in favour of newer versions, designers will publish reports on the flaws, giving invaluable intelligence to cybercriminals.
McLeod reiterates this, noting too that even new systems are vulnerable if they are not continuously updated with current security software. A failure to do so appears to be a reason why state institutions in Africa are now a major target. They are relatively easy to break into.
Bespoke website
When the target organisation’s data has been seized, contact will be made, perhaps via WhatsApp, or through a bespoke website. A sample of stolen information may be offered as proof that they are in possession of it. Payment is demanded, invariably in Bitcoin (attackers will helpfully instruct their targets in how to do this).
Where the affected company is governed by a Board of Directors, this will demand board consideration and approval. This is a particularly thorny issue in South Africa, which has been a trailblazer in corporate governance thinking – particularly of the responsibility of business to the wider society. The latest iteration of South Africa’s King Report on Corporate Governance recognised the importance of Board oversight of company technology, and the risks it might pose. Says Pedersen: “How do you declare a R10 million ransom in your annual report? And how do you explain to your shareholders that someone got into their data?” A reluctance to make such disclosures represents a corruption of corporate governance in the firms involved.
At this point, the Board will need to decide how to respond – to pay immediately, or attempt to negotiate (the latter process often being outsourced to a professional, and which may succeed in reducing the demand). Ultimately, payments are typically made, relying on insurance against losses from the attack to make up the expenses (Sophos found that 87% of South African ransom payments received assistance from insurance providers). “Yes, they pay,” says Pedersen, “even if they don’t acknowledge it. They don’t really have a choice, since losing the information can be an existential issue.”
What they pay – as individual firms and on what conditions – is shrouded in mystery. Some aggregate figures exist though. The mean ransom demanded in South Africa, Sophos reports, is $975 675 (R17 899 050 at current exchange rates); the mean paid is $958 110 (R17 576 815). Aside from the ransom costs, lost opportunity costs and spending on recovery adds another $1.04 million (R19.08 million) to the bill. (In 2023, the Council for Scientific and Industrial Research said that the cost of cybercrime to South Africa was some R2.2 billion annually.)
Even if ransoms are paid, information is not always recovered. “Firms do this hoping that the criminals will honour the agreement,” says McLeod. A 2023 multi-country survey by Veeam, a software company, found that some 28% of firms attacked with ransomware paid, but could not recover their data. And there is a risk that having successfully extorted an organisation once, a syndicate may be incentivised to do so again. The haunting will continue.
Cybersecurity
The reality is that the ability to defeat a ransomware attack usually lags well behind the abilities of those who perpetrate it. For the former, cybersecurity is but one operational aspect among many; for the latter, breaching it is a singular focus, a lucrative business driving constant innovation.
It should be noted that while ransomware demands may be made on South African firms, the syndicates may have no relationship to South Africa at all. The digital economy is a global one, allowing for effective anonymity for those with appropriate skills. Syndicates (or “gangs”) exist as identifiable online presences with names and reputations, but the identities of their actual members, their present location, and even their country of origin invariably remain unknown. This makes taking action to shut them down almost impossible. As Croock says, “we just don’t know where they are.”
Law enforcement responses have been indifferent. Sophos finds that almost all targeted firms report cyberattacks to the authorities, and most reported receiving assistance. Pedersen, however, argues that such findings are misleading and that the capacity of the state to provide meaningful support to victims, or indeed to pursue the criminals, is limited. Although he says there is no crime that cannot be combatted, there are few detectives with the necessary skills to deal with it. “When you take a case to the authorities,” he says, “you hope that you find someone who knows what you’re talking about. If you get to court, will the court understand what an IP is, or what cryptocurrency is? Cases typically run for years, and the justice system is just not at a point where it understands it.”
Going forward, artificial intelligence stands to drive cybercrime more aggressively. AI-based tools like WormGPT enable automated attacks, probing defences and lowering the threshold of entry for would-be cybercriminals. “AI is revolutionising the cybercrime environment,” warns McLeod, “and also the ability to fight it. We are looking at an AI arms race in the coming years.”
What then is to be done? Pedersen says that the frontline response is technical: keep systems updated, educate staff about the risks, and back up data offline and offsite. Much of the immediate damage could be avoided if proper measures were in place.
On a policy level, it is necessary to take a long-term, cross-national view. The scale of the problem must be acknowledged and the appropriate capacitation among specialist law enforcement units be undertaken. This means recruiting (and remunerating) IT forensic specialists, and ensuring their ongoing training throughout their careers. This must be coupled with international cooperation among policing bodies worldwide – cybercrime is, after all, a transnational matter with the associated difficulties of jurisdiction and enforcement.
Illicit flows
Croock adds that a major problem is the failure of banks to identify and act on the illicit flows of funds that cybercrime generates; money laundering is intrinsic to these crimes – they mirror legitimate business – and without the cooperation of financial institutions, it is difficult to see how they can be addressed.
McLeod suggests that the time may have arrived for a debate on a global ban on ransomware payments. If it is possible to cut off the flow of rewards, it may disincentivise the crime. He notes, though, that this holds out a possibility of success only if all jurisdictions agree to follow this course; and it is unclear what to offer companies that suffer damage from the loss of data that would inevitably follow the implementation of such a ban.
Finally, there is a need to educate the public about the dangers of cybercrime, and their vulnerabilities to it. As life is increasingly lived online, people must understand the nature of threats, and how to protect themselves. Modern life demands precautions for online safety no less than for physical safety.
For now, the ghost is in the machine – or rather, ghosts are in machines that govern modern life and the systems that make its commerce possible – and the prospect of successfully exorcising it.
*This is an extended version of an article originally published by ENACT, an initiative of the Institute for Security Studies.