By Caesar Tonkin, Managing Director, Armata Cyber Security
Kidnapping, a crime that has plagued humanity since ancient times, continues to be a significant threat today. Traditionally, kidnappers would abduct individuals and demand a ransom from their families, inflicting emotional trauma and financial hardship. While such physical abductions persist, exemplified by Somali pirates operating off the coast of Northeast Africa, the digital age has introduced a new form of kidnapping: ransomware.
Cybercriminals now ‘kidnap’ data, leveraging it for ransom in a manner that, while less physically violent, still causes considerable distress and financial harm.
The Mechanics of Ransomware
Ransomware is a type of malicious software designed to encrypt a victim’s files, rendering them inaccessible. The attackers then demand a ransom payment in exchange for the decryption key. However, paying the ransom does not guarantee data recovery, often leaving victims doubly affected — losing both their data and the ransom payment.
Phases of a Ransomware Attack
- Encryption of Files: The ransomware infiltrates the victim’s system, encrypting crucial files using complex algorithms that are nearly impossible to reverse without a decryption key.
- Ransom Note: A message appears on the victim’s screen, detailing the ransom amount, payment instructions, and a deadline. The note typically threatens increased ransom demands, deletion of files, or permanent data encryption if the deadline is not met.
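The two phases above leave artifacts a defender can look for on disk: files whose contents have become statistically random (ciphertext) and small text files carrying ransom-note phrasing. The following is an added illustration, not code from the article or from Armata; the note phrases, file names and the 7.5 bits/byte entropy threshold are assumptions chosen for the example, and the sample directory is constructed in the script itself.

```python
import math
import os
import re
import tempfile
from collections import Counter

# Phrases typical of ransom notes (constructed list for this example).
NOTE_PATTERNS = [
    re.compile(r"your files (have been|are) encrypted", re.I),
    re.compile(r"decrypt(ion)? key", re.I),
    re.compile(r"bitcoin|\bBTC\b|monero", re.I),
]

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for encrypted/random data, well below 6 for prose."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_like_ransom_note(text: str) -> bool:
    """Require two distinct note phrases to cut down on chance matches."""
    return sum(1 for p in NOTE_PATTERNS if p.search(text)) >= 2

def scan_directory(root: str, entropy_threshold: float = 7.5) -> dict:
    """Flag files that look encrypted and small files that read like ransom notes.
    Caveat: archives and legitimately encrypted files are also high-entropy, so a real
    detector correlates this with other signals (mass renames, process lineage, timing)."""
    findings = {"high_entropy": [], "ransom_notes": []}
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            with open(os.path.join(dirpath, name), "rb") as fh:
                data = fh.read()
            if shannon_entropy(data) >= entropy_threshold:
                findings["high_entropy"].append(name)
            if len(data) < 4096 and looks_like_ransom_note(data.decode("utf-8", "ignore")):
                findings["ransom_notes"].append(name)
    return findings

def build_sample_dir() -> str:
    """Constructed sample tree: a normal document, an 'encrypted' blob, and a note."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "report.txt"), "w") as fh:
        fh.write("Quarterly figures are attached. Please review before Friday.\n" * 40)
    with open(os.path.join(root, "report.txt.locked"), "wb") as fh:
        fh.write(os.urandom(4096))  # random bytes stand in for ciphertext output
    with open(os.path.join(root, "README_DECRYPT.txt"), "w") as fh:
        fh.write("Your files have been encrypted! Buy the decryption key with bitcoin.\n")
    return root

if __name__ == "__main__":
    print(scan_directory(build_sample_dir()))
```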
Notable Global Ransomware Attacks
DarkSide and the Colonial Pipeline Incident
In May 2021, DarkSide, a Ransomware-as-a-Service (RaaS) operation, launched a significant attack on the Colonial Pipeline, one of the largest oil pipelines in the United States. This attack led to a temporary shutdown of the pipeline, causing fuel shortages, panic buying, and a spike in gasoline prices. DarkSide’s operators had accessed Colonial Pipeline’s network, stolen 100 gigabytes of data, and encrypted several critical systems. To regain control, Colonial Pipeline paid the hackers nearly $5 million, illustrating the severe impact ransomware can have on critical infrastructure.
Petya and NotPetya
- Petya: Discovered in 2016, Petya encrypts the Master File Table (MFT) and the Master Boot Record (MBR), making it impossible for victims to access their drives. It is often delivered with a companion malware called Mischa, which ensures that files are still encrypted when Petya’s access to the system is limited.
- NotPetya: A more destructive variant of Petya, NotPetya surfaced in 2017, rapidly spreading across multiple countries. It employs stealthy techniques to move laterally within networks, encrypting systems swiftly. NotPetya’s ransom notes typically demand $300 per infected machine, though paying the ransom seldom results in data recovery.
Ryuk
Ryuk specifically targets enterprise environments, deriving its code from the Hermes ransomware. Constantly evolving, Ryuk has been used by multiple threat actors to launch highly damaging attacks against large organisations.
Recent Ransomware Attacks in South Africa
City Power Johannesburg Attack
In July 2019, Johannesburg’s City Power utility company fell victim to a ransomware attack that encrypted all its databases, applications, and network. The attack disrupted the company’s ability to provide services, leaving many residents without electricity. The attackers demanded a ransom for the decryption key, highlighting the vulnerability of critical infrastructure to cyber threats.
Transnet Attack
In July 2021, Transnet, South Africa’s state-owned logistics firm, suffered a major ransomware attack that led to the declaration of force majeure at the country’s key container terminals. The attack disrupted operations at ports and significantly affected the supply chain, demonstrating how ransomware can affect national economic activities. The attackers encrypted Transnet’s IT systems, demanding a ransom for decryption.
Department of Justice and Constitutional Development Attack
In September 2021, the South African Department of Justice and Constitutional Development was hit by a ransomware attack that encrypted its entire information system. This attack severely affected the department’s ability to provide services, including issuing court orders, paying child maintenance, and processing legal documents. The department had to resort to manual processes, causing significant delays and operational challenges.
Conclusion
The emergence of ransomware highlights the evolving nature of criminal activity in the digital age. Just as historical gangs had their distinct methods, modern cybercriminals have developed sophisticated techniques to extort payment from their victims. Businesses must recognise that cybersecurity is not merely an IT issue but a fundamental component of operational resilience. Comprehensive visibility into applications, users and devices is crucial to defend against ransomware and other cyber threats.
Armata Cyber Security is excited to announce the upcoming launch of our Ransomware Protection Service, designed to safeguard your business from these modern-day digital kidnappers. Stay tuned for more details on this essential service that aims to fortify your defences against ransomware attacks.