Why Ransomware Could Surge in the Middle East & Africa

Cybercrime — and especially ransomware — traditionally have had an uneven impact across the Middle East and Africa (ME&A), yet recent data suggests that ongoing geopolitical conflicts will likely raise the overall level of cyberattacks across the regions.

South Africa saw a significant surge in attacks, with 78% of companies hit by ransomware in 2023, compared to 51% in 2022, according to the State of Ransomware 2023 report published by Sophos earlier this year.

However, the United Arab Emirates (UAE), for example, saw 70% fewer ransomware attacks in 2022, compared to the previous year, following greater international cooperation, according to statements by UAE government officials.

Cyber operations, including ransomware, will likely expand, as the ongoing conflict between Israel and Palestinians raises tensions in the region, much in the same way that Russia's invasion of Ukraine spurred greater attacks, says Jens Monrad, head of threat intelligence for the Europe, ME&A region at Google Mandiant.

"Cyber is now playing a role in any sort of geopolitical conflict, because it's a domain that ... comes with less cost and brings uncertainty, in terms of attribution," he says, adding that activity will likely continue to escalate. "We haven't really figured out how to draw a clear red line in the cyber domain. The line keeps being pushed, rather than somebody saying, now you've crossed the line."

Ransomware data continues to be scarce in the region. In its Digital Defense Report 2023, Microsoft noted that the top four ransomware families — Magniber, Lockbit, Hive, and Blackcat — accounted for two-thirds (65%) of all ransomware encounters and, of the four groups, only a single one, Blackcat, had extensive targets in a ME&A nation — in this case, Israel, which ranked fifth in that malware's targeted regions.

Two-thirds of attacks target Israel, the UAE, Saudi Arabia, or Jordan. Source: Microsoft Digital Defense Report 2023

The trend in the more general category of cyberattacks is clearer: two-thirds of cyberattacks in ME&A targeted either Israel, United Arab Emirates, Saudi Arabia, or Jordan, according to Microsoft's data collected prior to the current Israeli-Palestinian conflict. More than half of the attacks (52%) targeting the region focused on the education, government, information technology, and communications sectors — typical espionage targets.

Regional Conflicts Spur Cyberattacks

Surges in cyberattacks typically follow geopolitical conflict. The ME&A is experiencing that trend as well: Attacks conducted by Iran-linked actors, for example, focused on Israel between July 2022 and June 2023, a shift from the previous 12 months in which Iranian actors focused on the United States. The shift followed a highly sophisticated campaign of cyberattacks in 2021 and 2022 by an Israel-linked group, dubbed Predatory Sparrow, which had targeted Iran's critical infrastructure, including steel factories, state broadcasters, gas stations, and trains, Microsoft stated in its report.

"Iran's cyber-enabled influence operations have pushed narratives that seek to bolster Palestinian resistance, sow panic among Israeli citizens, foment Shi'ite unrest in Gulf Arab countries, and counter the normalization of Arab-Israeli ties," Microsoft stated in the report. "While specific narratives varied, the underlying goal was often the same. Tehran likely sought to retaliate against what it perceived were efforts by foreign actors to foment unrest in Iran."

Some of Iran's claimed attacks, however, have been exaggerated, according to Microsoft. And, while Iran-linked groups are some of the most active, the Palestinian-linked Molerats group recently used an improved downloader as part of its initial access operations.

Russian interests in ME&A may have a dampening effect on ransomware activity, since many ransomware groups operate out of Russia, says Mandiant's Monrad.

"I think it's a fair argument to say that these groups are also carefully vetting their victims to ensure that they don't endanger or put themselves at risk," he says. "If they engage in extortion schemes in countries where there are stronger diplomatic and trade relations ... you could potentially expect a political response to [the victims] asking Russia to do something."

Manage Devices, Basic Hygiene

Overall, companies in the region need to improve their cybersecurity maturity, says Brian Honan, CEO of BH Consulting, an independent cybersecurity and data-protection consulting firm based in Dublin that has clients in the Middle East.

"Where the Middle Eastern area struggles is their cybersecurity may not be as mature or have as much investment as in other regions," he says. "Many of the bigger organizations will have good cybersecurity in place, but in general, [they are] more vulnerable than their western counterparts."

Overall, 65% of CISOs in the Kingdom of Saudi Arabia and 47% in the UAE had a material loss of sensitive information in the past 12 months, according to the 2023 Voice of the CISO report published by security firm Proofpoint earlier this year.

Companies in the ME&A region are aiming to improve, however. Attacks on connected devices and cloud-related threats are the top cyberthreats for companies in the Middle East, according to a regional survey conducted for PricewaterhouseCoopers' Digital Trust Insights 2024 report. The worries are leading more than three-quarters of firms (77%) to increase their cyber budgets in 2024, according to the consultancy.

"Increasing digitization means companies are exposed to new digital vulnerabilities, making an effective approach to cybersecurity and digital trust more important than ever," PwC stated in the report, adding: "Middle East respondents revealed that loss of revenue — in terms of lost contracts, lost business opportunities — was the top concern for the outcomes of potential cyber attack in the next 12 months."

Companies still have to strive to do the cybersecurity basics. More than 80% of all compromised started with an unmanaged devices, Microsoft stated in its Digital Defense Report 2023.